Deploy CrowdStrike on Windows

  • 21 January 2020

Userlevel 7

This is to deploy the CrowdStrike Windows agent in your environment. You’ll need the CrowdStrike installer, WindowsSensor.exe, which you can download from your CrowdStrike console. You’ll also need your Customer ID from the console.


Remediation code:


.\WindowsSensor.exe /install /quiet /norestart CID=<checksummed customer ID>

Upload the WindowsSensor.exe file to the worklet, and put your CID in the CID flag section.


If you have any issues getting the installer to work, you can add the flag ProvNoWait=1 which skips the requirement for the agent to make contact with the CrowdStrike console within 10 minutes, after which time the agent removes itself if it fails to make contact. Note that installing CrowdStrike over the top of another AV requires some extra steps as detailed in this article:



There’s no evaluation code on this worklet, so to run it you select the worklet from the System Mgmt page and click on Execute Now to deploy the agent.


10 replies

Userlevel 4
Badge

Hey Nic,


Thank you for this! As a new customer of both CS and Automox, we’re excited to see these sorts of cross-play integrations. I would request that we actually have some meaningful evaluation code to either find if the agent is installed on the system or if the agent service is running. That way we can actively manage our fleet to make sure we’re staying in compliance, instead of just manually deploying the agent as we have it here.


Cheers.
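
An evaluation script of the kind requested above, as an added example that is not part of the original thread and is not Automox or CrowdStrike code. It assumes the Falcon sensor registers a Windows service named CSFalconService and that the worklet treats exit code 0 as compliant and any non-zero code as a trigger for the remediation code.

```powershell
# Added example: worklet evaluation code for the CrowdStrike Windows sensor.
# Exit 0     = sensor installed and running, remediation is skipped.
# Exit non-0 = device is out of compliance, remediation (the installer) runs.

# Assumption: the sensor's Windows service is named CSFalconService.
$serviceName = 'CSFalconService'

function Get-SensorState {
    param([string]$Name)

    # SilentlyContinue returns $null instead of throwing when the service is absent
    $svc = Get-Service -Name $Name -ErrorAction SilentlyContinue
    if (-not $svc) { return 'NotInstalled' }
    if ($svc.Status -ne 'Running') { return 'NotRunning' }
    return 'Running'
}

function Get-SensorVersion {
    param([string]$Name)

    # Read the product version from the service binary, for the activity log only
    $cim = Get-CimInstance Win32_Service -Filter "Name='$Name'" -ErrorAction SilentlyContinue
    if (-not $cim -or -not $cim.PathName) { return 'unknown' }
    # PathName may be quoted and may carry arguments; keep only the .exe path
    $path = ($cim.PathName -replace '^"?(.+?\.exe)"?.*$', '$1')
    if (Test-Path -LiteralPath $path) {
        return (Get-Item -LiteralPath $path).VersionInfo.ProductVersion
    }
    return 'unknown'
}

switch (Get-SensorState -Name $serviceName) {
    'Running' {
        Write-Output "$serviceName is running (version $(Get-SensorVersion -Name $serviceName))."
        exit 0
    }
    'NotRunning' {
        # An installed but stopped sensor leaves the host unmonitored; flag it
        Write-Output "$serviceName is installed but not running."
        exit 1
    }
    default {
        Write-Output "$serviceName not found; sensor is not installed."
        exit 2
    }
}
```

The distinct exit codes let the activity log separate hosts that never received the sensor from hosts where the service has stopped, which is worth investigating on its own.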

Userlevel 7

Actually the first iteration of this was as a required software policy, which checks to see if the CrowdStrike agent is installed already:

Ok I confirmed that a required software policy will work with the above syntax. Here’s what you need to do:

Create a new Required Software Policy for Windows
For the Package Name, use CrowdStrike Windows Sensor and for the Version I used 5.23.10504.0
Upload the WindowsSensor.exe as the Installation File (you download that from your CrowdStrike console)
For the installation command use:

.\WindowsSensor.exe /install /quiet /norestart CID=<checksummed customer ID>

and put in your CID that you …

so you could give that a try. In my testing it didn’t appear to cause any problems if you ran the installer on a machine that already has CrowdStrike installed. Using a required software policy will let you see which devices have completed the install and are in compliance with the policy. Let me know if that helps!

We will also be doing some more integration work between our software and CrowdStrike in the future, so stay tuned for that later in the year.

Userlevel 7

For anyone having issues with the install command above, here’s an alternate method that’s written in PowerShell syntax:


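# -Wait blocks until the installer exits so that ExitCode is populated
$proc = Start-Process WindowsSensor.exe -ArgumentList '/install /quiet /norestart CID=12345' -Wait -PassThru
Write-Output "Exit Code was $($proc.ExitCode)"
# Return the installer's exit code to the caller
Exit $proc.ExitCode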

Related to this, is there a good way to remove a previous antivirus application? In our case we have Symantec installed currently that we want to remove and then deploy CrowdStrike in its place?

Userlevel 7

You could make a worklet to run the removal tool for Symantec, if it has one. Webroot has a list on their community (I used to work there 🙂 ):


Is there an example anywhere? There is a removal script from Symantec but not sure how to get the worklet written correctly (running the script manually failed). https://knowledge.broadcom.com/external/article/151387/remove-symantec-software-for-mac-using-r.html

Userlevel 7

Were you logged in as root when you ran that script manually?


Also, what version of macOS are you on? It looks like there’s some stuff particular to Catalina:


**Both of these tools will not remove the new *.systemextension type in macOS 10.15 Catalina. They will prompt you to use the product’s uninstall menu. Use the Uninstall choice from client menu instead. See SEP example pictured below. You may run RemoveSymantecMacFiles afterward. Or, if the uninstall menu choice is not available, you can manually remove the “/Library/Application Support/Symantec” directory and the removal tool will run.**


Let me check with our Mac expert and see if he has any ideas of what might be going awry.

Badge

Does this code work for the CrowdStrike Falcon Sensor? When I tried installing the program using GUI, it asks for an installation token. Where do I put the installation token in this code? Any help or suggestions will be much appreciated.

Badge

Does this code work for the CrowdStrike Falcon Sensor? When I tried installing the program using GUI, it asks for an installation token. Where do I put the installation token in this code? Any help or suggestions will be much appreciated.

The customer id (CID) is where you put your token

Badge

I have a customer ID and a sensor installation token. CID is where I placed the customer ID but I don’t know where I put the sensor installation token. Is that a separate line code for sensor installation token?
