The 'Uninstall and maintenance protection' feature within CrowdStrike Falcon's Sensor Update Policies is a security control designed to prevent unauthorized removal or modification of the Falcon sensor on an endpoint. When this policy setting is enabled, any attempt to uninstall, repair, or stop the sensor service locally on the host requires a unique, time-limited maintenance token. This token must be generated by an authorized administrator from within the Falcon console and supplied as a command-line argument during the uninstallation process. This ensures that only legitimate, centrally-authorized actions can be performed on the protected sensor.

B. Customer ID (CID): The CID is a unique identifier for a customer's entire Falcon environment; it is used during installation to associate the sensor with the correct cloud tenant, not for authorizing uninstallation.

C. Bulk update key: This is not a standard term associated with sensor uninstallation. API keys are used for programmatic interaction with the Falcon platform, not for manual endpoint maintenance authorization.

D. Agent ID (AID): The AID is a unique identifier assigned to each installed sensor to track the specific host in the Falcon console. It is an identifier, not an authorization credential.

1. CrowdStrike Falcon® Documentation

"Sensor Update Policies for Windows

" Policy Settings section. The documentation states: "When Uninstall and maintenance protection is enabled

a maintenance token is required to uninstall

repair

update

or downgrade the sensor

or to stop the Falcon service."

2. CrowdStrike Falcon® Documentation

"Host and Host Group Management

" Host Actions subsection. This section details the procedure for revealing a maintenance token for a specific host

explaining: "To perform maintenance on a protected host

you must first reveal its maintenance token... The token is required for any command-line action that would change the sensor's state."

3. CrowdStrike Falcon® Documentation

"Windows Sensor Installation

" Uninstalling the sensor subsection. The documentation provides the command-line syntax for uninstallation on a protected host

which explicitly includes the maintenance token parameter: msiexec.exe /x .msi /qn MAINTENANCETOKEN=.