Deploy CrowdStrike on Windows

This is to deploy the CrowdStrike Windows agent in your environment. You’ll need the CrowdStrike installer, WindowsSensor.exe, which you can download from your CrowdStrike console. You’ll also need your Customer ID from the console.

Remediation code:

```powershell
.\WindowsSensor.exe /install /quiet /norestart CID=<checksummed customer ID>
```

Upload the WindowsSensor.exe file to the worklet, and put your CID in the CID flag section.

If you have any issues getting the installer to work, you can add the flag ProvNoWait=1 which skips the requirement for the agent to make contact with the CrowdStrike console within 10 minutes, after which time the agent removes itself if it fails to make contact. Note that installing CrowdStrike over the top of another AV requires some extra steps as detailed in this article:

There’s no evaluation code on this worklet, so to run it you select the worklet from the System Mgmt page and click on Execute Now to deploy the agent.


Hey Nic,

Thank you for this! As a new customer of both CS and Automox, we’re excited to see these sorts of cross-play integrations. I would request that we actually have some meaningful evaluation code to either find if the agent is installed on the system or if the agent service is running. That way we can actively manage our fleet to make sure we’re staying in compliance, instead of just manually deploying the agent as we have it here.

Cheers.

Actually the first iteration of this was as a required software policy, which checks to see if the CrowdStrike agent is installed already:


so you could give that a try. In my testing it didn’t appear to cause any problems if you ran the installer on a machine that already has CrowdStrike installed. Using a required software policy will let you see which devices have completed the install and are in compliance with the policy. Let me know if that helps!

We will also be doing some more integration work between our software and CrowdStrike in the future, so stay tuned for that later in the year.
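
An evaluation check of the kind requested above, as an added example that is not part of the original thread or Automox's own code. It assumes the sensor's Windows service is named CSFalconService and that the worklet treats exit code 0 as compliant and any non-zero code as a trigger for the remediation code.

```powershell
# Added example, not from the thread.
# Assumptions: the sensor's Windows service is named CSFalconService, and the
# worklet treats exit 0 as compliant and non-zero as "run remediation".
$ServiceName = 'CSFalconService'

function Get-SensorState {
    param([string]$Name)
    # Get-Service errors on unknown names; SilentlyContinue yields $null instead
    $svc = Get-Service -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $svc) { return 'NotInstalled' }
    if ($svc.Status -ne 'Running') { return 'Stopped' }
    return 'Running'
}

$state = Get-SensorState -Name $ServiceName
Write-Output "CrowdStrike sensor state: $state"

switch ($state) {
    'Running'      { exit 0 }  # compliant, nothing to do
    'NotInstalled' { exit 1 }  # non-compliant: remediation installs the sensor
    'Stopped'      { exit 2 }  # non-compliant: distinct code separates this case in the output
}
```

A sensor that is installed but stopped is reported separately from a missing one because it usually warrants a look at the device rather than only a reinstall.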

For anyone having issues with the install command above, here’s an alternate method that’s written in PowerShell syntax:

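```powershell
# -Wait blocks until the installer exits, so ExitCode is populated when read below
$proc = Start-Process WindowsSensor.exe -ArgumentList '/install /quiet /norestart CID=12345' -Wait -PassThru
Write-Output "Exit Code was $($proc.ExitCode)"
# Pass the installer's exit code back to the worklet
Exit $proc.ExitCode
```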

Related to this, is there a good way to remove a previous antivirus application? In our case we have Symantec installed currently that we want to remove and then deploy CrowdStrike in its place?

You could make a worklet to run the removal tool for Symantec, if it has one. Webroot has a list on their community (I used to work there :slight_smile: ):

Is there an example anywhere? There is a removal script from Symantec but not sure how to get the worklet written correctly (running the script manually failed). https://knowledge.broadcom.com/external/article/151387/remove-symantec-software-for-mac-using-r.html

Were you logged in as root when you ran that script manually?

Also, what version of macOS are you on? It looks like there’s some stuff particular to Catalina:

**Both of these tools will not remove the new *.systemextension type in macOS 10.15 Catalina. They will prompt you to use the product’s uninstall menu. Use the Uninstall choice from client menu instead. See SEP example pictured below. You may run RemoveSymantecMacFiles afterward. Or, if the uninstall menu choice is not available, you can manually remove the “/Library/Application Support/Symantec” directory and the removal tool will run.**

Let me check with our Mac expert and see if he has any ideas of what might be going awry.