How to uninstall an EDR host?
Overview
You can uninstall EDR agents directly from Stoik Protect—whether your endpoints are protected by CrowdStrike or SentinelOne. This enhancement gives you complete control over the MDR lifecycle, from installation to removal.
Walkthrough
MFA must have been enabled for at least two weeks on your account to generate a valid token.
Open Stoik Protect, go to
Endpoints>Hosts.
Locate the host you want to uninstall, and click
Uninstall Agentfrom the host's action menu.
The uninstallation process then varies depending on the agent provider:
For CrowdStrike, the uninstallation token appears in a pop-up window. Follow the instructions provided to manually uninstall the agent using this token.
For SentinelOne, no token is required. Stoïk Protect automatically manages the entire process once confirmation is validated.
The host status updates:
"Uninstalling" while the uninstallation is in progress.
For both, "Inactive" when the agent is completely removed and no longer communicating.
Host Statuses
Active
The agent is online and reporting normally.
Uninstalling
The uninstallation has been triggered from Stoïk Protect. ⚠️ For CrowdStrike, uninstalling status is set as soon as the uninstallation process is confirmed, even though You didn't start the uninstallation process.
Inactive
The agent has been removed or hasn’t reported activity for 30+ days.
💡 After uninstallation
The workstation will remain visible for 45 days in the CrowdStrike or Stoïk Protect console,
But the Crowdstrike agent will be uninstalled from the workstation immediately.
💡 Special case: Loss of access to an endpoint (theft, storage, etc.)
👁️ Detection: after 90 days without an Internet connection, the workstation is declared "lost": the EDR no longer collects telemetry.
⚙️ Technique: the CrowdStrike programme remains installed locally on the terminal, but can no longer be controlled remotely.
Last updated
Was this helpful?