Forums on Intune, SCCM, and Windows 11

Welcome to the forums. Register a free account today to become a member! Once signed in, you'll be able to participate on this site by adding your topics and posts, as well as connect with other members through your own private inbox!

PENDING remove crowdstrike falcon sensor

eagle876291

Member
Messages
16
Reaction score
0
Points
1
I’m seeing two instances of the CrowdStrike Sensor installed on several machines. It appears the duplicate entry was created during an agent upgrade, and the first instance seems to be corrupted.

When attempting to run csuninstalltool.exe, I receive an error stating that the specified file does not exist. However, if I first remove the corrupted sensor entry through Control Panel and then run the uninstall tool, the process completes successfully without any issues.

I need assistance with creating a script that can be deployed through SCCM to handle this uninstall process across multiple machines.

ProductCodes = @("{4c3177b2-7f9d-486c-85f5-0e50b731486c}", "{854ddf2e-d35b-407e-8296-800441e6562c}")

1770953310862.png
 
*** Untested AI Generated Script ***

# CrowdStrike Duplicate Sensor Cleanup Script for SCCM
# Run as SYSTEM (SCCM default). Handles uninstall of both ProductCodes, then csuninstalltool.exe
# Place csuninstalltool.exe in the same package folder as this script

$ProductCodes = @("{4c3177b2-7f9d-486c-85f5-0e50b731486c}", "{854ddf2e-d35b-407e-8296-800441e6562c}")
$UninstallTool = "csuninstalltool.exe" # Assumes in same dir as script

# Log function
function Write-Log {
param([string]$Message)
$Timestamp = Get-Date -Format "yyyy-MM-dd HH:mm:ss"
"$Timestamp - $Message" | Out-File -FilePath "$env:TEMP\CS_Uninstall.log" -Append -Encoding UTF8
}

Write-Log "Starting CrowdStrike duplicate cleanup on $env:COMPUTERNAME"

# Step 1: Uninstall MSI instances via msiexec (handles corrupted ones)
foreach ($Code in $ProductCodes) {
Write-Log "Attempting uninstall of ProductCode: $Code"
$UninstallArgs = @("/x", $Code, "/qn", "/norestart", "REBOOT=ReallySuppress")
$Process = Start-Process -FilePath "msiexec.exe" -ArgumentList $UninstallArgs -Wait -PassThru -NoNewWindow
if ($Process.ExitCode -eq 0) {
Write-Log "Successfully uninstalled $Code (ExitCode: $($Process.ExitCode))"
} else {
Write-Log "msiexec failed for $Code (ExitCode: $($Process.ExitCode)) - may already be gone"
}
Start-Sleep -Seconds 2 # Brief pause between uninstals
}

# Step 2: Run csuninstalltool.exe to clean remnants
if (Test-Path $UninstallTool) {
Write-Log "Running $UninstallTool"
$CSArgs = @("MAINTENANCE_TOKEN=YOUR_TOKEN_HERE", "/quiet") # Replace with bulk token or remove if policy allows
$CSProcess = Start-Process -FilePath $UninstallTool -ArgumentList $CSArgs -Wait -PassThru -NoNewWindow
Write-Log "csuninstalltool completed (ExitCode: $($CSProcess.ExitCode))"
} else {
Write-Log "WARNING: $UninstallTool not found - skipping"
}

# Step 3: Cleanup leftovers (services, files, registry)
$CSPaths = @(
"${env:ProgramFiles}\CrowdStrike",
"${env:ProgramFiles(x86)}\CrowdStrike"
)
$CSServices = @("csagent", "csfalconservice")

foreach ($Path in $CSPaths) {
if (Test-Path $Path) {
Write-Log "Removing folder: $Path"
Remove-Item $Path -Recurse -Force -ErrorAction SilentlyContinue
}
}

foreach ($Service in $CSServices) {
if (Get-Service -Name $Service -ErrorAction SilentlyContinue) {
Write-Log "Stopping and deleting service: $Service"
Stop-Service $Service -Force -ErrorAction SilentlyContinue
sc.exe delete $Service | Out-Null
}
}

# Optional: Kill any lingering CS processes
Get-Process | Where-Object { $_.ProcessName -like "*cs*" -or $_.ProcessName -like "*falcon*" } | Stop-Process -Force -ErrorAction SilentlyContinue

Write-Log "Cleanup complete. Review $env:TEMP\CS_Uninstall.log for details."

# SCCM exit code 0 for success
exit 0
 

Forum statistics

Threads
7,186
Messages
28,051
Members
18,327
Latest member
prasannan

Trending content

Back
Top