
How to Use CrowdStrike Falcon Bulk Maintenance Mode for Multiple Hosts

Learn how to use CrowdStrike Falcon bulk maintenance mode to uninstall or upgrade sensors on multiple hosts using a single token. Manage large-scale sensor maintenance operations efficiently.

6 min read | Updated January 2026


Bulk maintenance mode in CrowdStrike Falcon allows you to use a single maintenance token to uninstall or upgrade sensors across all hosts in a sensor update policy. This streamlines large-scale maintenance operations when using external deployment tools.

Understanding Bulk Maintenance Mode

By default, each CrowdStrike sensor requires a unique, host-specific maintenance token for uninstallation when protection is enabled. Bulk maintenance mode provides a single token that works for all hosts in a policy.

When to Use Bulk Maintenance Mode

  • Large-scale uninstallation: Removing sensors from many hosts
  • Mass upgrades: Upgrading sensors via SCCM, JAMF, or similar tools
  • Self-service updating: Managing sensors outside of Falcon cloud updates
  • Automated maintenance: Scripted maintenance operations

Requirements

Requirement | Setting
Uninstall protection | Enabled
Sensor version | Sensor version updates off
Host connectivity | Must have connected after bulk mode enabled

Enabling Bulk Maintenance Mode

  1. Navigate to Sensor Update Policies
     • Go to Host Setup and Management > Deploy > Sensor Update Policies

  2. Select or Create a Maintenance Policy
     • Click the policy you want to use for bulk maintenance
     • Or create a dedicated maintenance policy

  3. Configure Required Settings
     • In the Sensor version dropdown, select Sensor version updates off
     • Ensure Uninstall and maintenance protection is selected (enabled)

  4. Enable Bulk Maintenance Mode
     • Select Bulk maintenance mode
     • Click Save

  5. Reveal the Bulk Token
     • Click Reveal token
     • In the dialog, click Reveal token again
     • Copy and securely store the token


Using the Bulk Maintenance Token

Once you have the bulk token, use it the same way you would use individual maintenance tokens:

Linux Uninstallation

sudo MAINTENANCE_TOKEN=YOUR_BULK_TOKEN apt remove falcon-sensor

Or:

sudo MAINTENANCE_TOKEN=YOUR_BULK_TOKEN yum remove falcon-sensor

Windows Uninstallation

msiexec /x falcon-sensor.msi MAINTENANCE_TOKEN=YOUR_BULK_TOKEN /quiet

Mac Uninstallation

sudo /Applications/Falcon.app/Contents/Resources/falconctl uninstall --maintenance-token YOUR_BULK_TOKEN

CrowdStrike recommends creating a dedicated maintenance policy:

  1. Create a Maintenance Policy
     • Name it clearly (e.g., "Maintenance - Uninstall Allowed")
     • Set Sensor version updates off
     • Enable Uninstall and maintenance protection
     • Enable Bulk maintenance mode

  2. Move Hosts Temporarily
     • Move host groups to the maintenance policy
     • Perform your maintenance operations

  3. Return Hosts to Normal Policy
     • Move host groups back to their original policies
     • Protection is automatically re-enabled


Bulk vs Individual Tokens

Feature | Bulk Token | Individual Token
Scope | All hosts in policy | Single host only
Where to find | Sensor Update Policy | Host Management page
Expiration | Doesn't expire | Single-use
Offline hosts | Not supported until connected | Always works
Best for | Mass operations | Individual maintenance

Offline Host Considerations

Hosts must connect to the CrowdStrike cloud after bulk maintenance mode is enabled to receive the bulk token. Until then:

  • Offline hosts cannot use the bulk token
  • Use the individual AID-specific token from Host Management
  • Once the host connects, it will accept the bulk token

Security Considerations

The bulk maintenance token is a sensitive credential:

  • Doesn't change: The token remains valid until you contact support
  • Treat as secret: Store securely, limit access
  • Audit usage: Track who has access to the token
  • Compromised token: Open a support ticket through CrowdStrike Customer Center
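
Because the bulk token never rotates on its own, keeping it out of command lines and shell history matters. The wrapper below is an added example, not CrowdStrike tooling or code from this guide: it reads the token from a locked-down file and passes it to a single child process through the environment only. The file path and the function names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: hand the bulk maintenance token to one child process without
# putting it on a command line. Path and function names are hypothetical.

TOKEN_FILE="${TOKEN_FILE:-/etc/falcon/bulk_token}"   # assumed location

# Print "mode:uid" for a path (GNU stat first, BSD/macOS stat as fallback).
file_mode_owner() {
    stat -c '%a:%u' "$1" 2>/dev/null || stat -f '%Lp:%u' "$1"
}

# Succeed only if the token file is a regular, non-symlink file that is
# owned by the invoking user and has no group/other permission bits.
token_file_ok() {
    [ -f "$1" ] && [ ! -L "$1" ] || { echo "token file missing or a symlink" >&2; return 1; }
    mo=$(file_mode_owner "$1") || return 1
    case "${mo%%:*}" in
        600|400) ;;
        *) echo "refusing token file with mode ${mo%%:*}" >&2; return 1 ;;
    esac
    [ "${mo##*:}" = "$(id -u)" ] || { echo "token file not owned by caller" >&2; return 1; }
}

# with_token FILE CMD [ARGS...]
# Runs CMD with MAINTENANCE_TOKEN exported for that process only. The token is
# read inside a subshell, so it never enters the calling shell, argv (visible
# in ps) or shell history, unlike `sudo MAINTENANCE_TOKEN=value cmd`.
with_token() {
    tf=$1; shift
    token_file_ok "$tf" || return 1
    (
        IFS= read -r MAINTENANCE_TOKEN < "$tf" || :
        [ -n "$MAINTENANCE_TOKEN" ] || { echo "token file is empty" >&2; exit 1; }
        export MAINTENANCE_TOKEN
        exec "$@"
    )
}

# Usage when the deployment tool already runs as root (command from this guide):
#   with_token "$TOKEN_FILE" apt remove falcon-sensor
```
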

Disabling Bulk Maintenance Mode

To return to individual host tokens:

  1. Open the sensor update policy
  2. Deselect Bulk maintenance mode
  3. Click Save

Individual host tokens from Host Management will work again for hosts in that policy.


Best Practices

  • Dedicated maintenance policy: Create one policy specifically for maintenance operations
  • Temporary moves: Only move hosts to maintenance policy when needed
  • Secure the token: Treat the bulk token as a privileged credential
  • Document operations: Track maintenance activities for audit purposes
  • Return hosts promptly: Move hosts back to protected policies after maintenance

Frequently Asked Questions

Find answers to common questions

Bulk maintenance mode is a CrowdStrike Falcon feature that lets you use a single maintenance token to uninstall or upgrade sensors on all hosts in a sensor update policy. Instead of retrieving individual maintenance tokens for each host, you enable bulk maintenance mode and use one token for the entire host group. This is ideal for large-scale maintenance operations managed through tools like SCCM or JAMF.

Use bulk maintenance mode when you need to perform maintenance on multiple hosts simultaneously, especially when using external tools like SCCM, JAMF, or Ansible. Use individual host tokens (from Host Management) for single-host operations or when you need to maintain detailed audit trails. Individual tokens are also required for offline hosts that haven't received the bulk token.

To use bulk maintenance mode, the sensor update policy must have 'Uninstall and maintenance protection' enabled AND 'Sensor version updates off' selected. Hosts must either be connected to the cloud or have connected after bulk maintenance mode was enabled to receive the bulk token. Offline hosts use their individual AID-specific token instead.

No, the bulk maintenance token does not change or expire automatically. This makes it convenient for ongoing maintenance but also means it should be treated as a sensitive credential. If the token becomes compromised, you should open a support ticket through the CrowdStrike Customer Center to generate a new token.

When bulk maintenance mode is enabled, sensor-specific tokens from the Host Management page are disabled for hosts in that policy. The bulk token becomes the only valid token for those hosts. If you need to use individual tokens again, you must disable bulk maintenance mode.

Offline hosts that haven't connected to the cloud since bulk maintenance mode was enabled cannot use the bulk token. These hosts still require their individual AID-specific maintenance token from the Host Management page. Once the host connects and receives the bulk token, it will accept the bulk token for future operations.
