
CrowdStrike | Windows Install

  1. Download the CrowdStrike installer file
  2. Copy your Customer ID checksum (from your Customer Reference Card)
  3. Run the installer via one of these three methods:
    1. Double-click the EXE
    2. Run via the command-line on each host
    3. Configure your deployment tool to use this command (it is a single line):
WindowsSensor.MaverickGyr.exe /install /quiet /norestart CID={from step 2}
  4. Using the CLI install method, you can assign one or more tags to a computer using the GROUPING_TAGS parameter during installation.
    1. Assigning tags at this point makes them immediately available when the sensor first connects to the CrowdStrike cloud.
    2. In the command below, office and field are examples and can be changed to any useful tag to help identify computers.
WindowsSensor.MaverickGyr.exe /install /quiet /norestart CID={from step 2} GROUPING_TAGS="office,field"

Install Falcon Sensor to Windows via GPO

The recommended deployment option is to build an MSI and then deploy that through a GPO from the Domain Controller, but because the Falcon sensor is easy to install, setting up a PowerShell installer script also works quite well. Several of our customers have this script running successfully, and members in the CrowdStrike community agree with the deployment process.

The script essentially checks if the CrowdStrike folder exists, and if not, it will remotely push/install the sensor. The FilePath should also be able to accept the NextCloud link so the customer will not need to constantly download the

# Script to install the Falcon sensor EXE via GPO
$folder = 'C:\Program Files\CrowdStrike'
# Install only if the CrowdStrike folder does not exist yet
if (-not (Test-Path -Path $folder)) {
    Start-Process -FilePath "\\servername\software\WindowsSensor.MaverickGyr.exe" -ArgumentList '/install /quiet /norestart CID=<insert CID>'
}
else { }

Verify Installation Completed

There are multiple ways to verify that the installation has completed.

Verify via Command Line

  1. Open a command prompt with administrative privileges on the host. Run this command:
sc.exe query csagent
  2. The following output is displayed if the sensor is running:
SERVICE_NAME: csagent
        TYPE               : 2  FILE_SYSTEM_DRIVER
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
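A folder check alone cannot tell a finished install from a failed one, so the GPO script and the sc.exe verification above can be combined. This is an added PowerShell example, not code from this card or from CrowdStrike; the share path and CID are placeholders, and the function name, polling interval and exit codes are choices made here.

```powershell
# Added example: install the sensor only if csagent is not running, then verify.
# $InstallerPath and $Cid are placeholders; supply your own share path and CID.
param(
    [string]$InstallerPath = '\\servername\software\WindowsSensor.MaverickGyr.exe',
    [string]$Cid           = '<insert CID>'
)

function Test-FalconRunning {
    # Same check as "sc.exe query csagent": look for the STATE 4 RUNNING line.
    $out = & sc.exe query csagent 2>&1
    if ($LASTEXITCODE -ne 0) { return $false }   # e.g. service not installed
    return [bool]($out -match 'STATE\s+:\s+4\s+RUNNING')
}

if (Test-FalconRunning) {
    Write-Output 'csagent is already RUNNING; nothing to do.'
    exit 0
}

if (-not (Test-Path -LiteralPath $InstallerPath)) {
    Write-Error "Installer not reachable: $InstallerPath"
    exit 1
}

# -Wait and -PassThru make the script block until the installer returns
# and expose its exit code for logging.
$installArgs = "/install /quiet /norestart CID=$Cid"
$proc = Start-Process -FilePath $InstallerPath -ArgumentList $installArgs -Wait -PassThru
# The exit code is only logged; the service state below is the actual check.
Write-Output "Installer exit code: $($proc.ExitCode)"

# The driver can take a moment to load, so poll for up to one minute.
foreach ($attempt in 1..12) {
    if (Test-FalconRunning) {
        Write-Output 'csagent is RUNNING.'
        exit 0
    }
    Start-Sleep -Seconds 5
}

Write-Error 'Installer finished but csagent is not RUNNING.'
exit 2
```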

Installing in a virtual environment

When you install the sensor on a VM, use the correct installation method to ensure that each host ends up with a unique agent ID (AID). If the same AID is inadvertently assigned to more than one VM, events and detections from your various VMs would appear to be from a single host.

Use the VDI=1 parameter during installation if your VM meets all of the following criteria:

  • It is non-persistent (the VM reverts to the original setup after a user logs out)
  • It is domain-joined
  • It uses a fully qualified domain name (FQDN)

For VMs that don’t meet all of those criteria, use the Virtual Machine Template installation.

Installing the Falcon sensor in a VDI environment

When you install the sensor in a Virtual Desktop Infrastructure (VDI) environment, the sensor runs from a shared, read-only OS image. The CrowdStrike cloud assigns a unique AID based on the host's fully qualified domain name (FQDN) and other characteristics.

To install the Falcon sensor for Windows on your VDI master image:

  1. Put your image template system into read/write mode.
  2. Install the Falcon sensor using the VDI=1 parameter.
    1. <installer_filename> /install CID=<CCID> VDI=1
    2. Replace <installer_filename> with the name of the install file you downloaded, and <CCID> with the CCID from Host setup and management > Deploy > Sensor downloads.
    3. After the installation is complete, the sensor communicates with the cloud and updates to the sensor version defined in the host’s assigned Sensor Update policy. You can check the update status by finding the host in Host Management.
  3. After the sensor is on the proper version, switch your template system back to read-only mode and save the image.

Installing the Falcon sensor on a virtual machine template

Use a virtual machine template when your virtual hosts are built off of an image, or a template is being cloned.

Do not use a standard installation on a virtual machine. If you perform a standard install on a template, all VMs created from that template will be assigned the same Agent ID (AID). If the same AID is inadvertently assigned to more than one VM, events and detections from your various VMs would appear to be from a single host.

Installing the sensor on a VM template

  1. Complete all steps required to generalize the VM template, such as sysprep or installing Windows and software updates.
  2. Install the Falcon sensor using the NO_START=1 parameter:
    WindowsSensor.exe /install CID=<YOUR CID> NO_START=1
    1. After installation, the sensor does not attempt to communicate with the CrowdStrike cloud.
    2. Don't reboot the host, or it will attempt to communicate with the CrowdStrike cloud on reboot.
  3. Confirm that the installation is complete.
  4. Shut down the VM and convert it to a template image.

Troubleshooting VM templates

When a VM created from this template first starts up, the CrowdStrike cloud assigns it a unique AID.

After the sensor has been installed using the NO_START=1 parameter, if you inadvertently restart the VM template before you convert the VM to a template image, hosts created with that template will all share an AID. If the same AID is inadvertently assigned to more than one VM, events and detections from your various VMs would appear to be from a single host. You can resolve this by removing the following registry keys:

  • HKEY_LOCAL_MACHINE\SYSTEM\CrowdStrike\{9b03c1d9-3138-44ed-9fae-d9f4c034b88d}\{16e0423f-7058-48c9-a204-725362b67639}\Default\AG
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CSAgent\Sim\AG
Note: Having sensor tampering protection enabled will prevent you from removing these registry keys. To work around this, disable sensor tampering protection, remove the registry keys, and then re-enable sensor tampering protection.

Modifying a VM template

To modify a VM template that contains an existing sensor installation:

  1. Prepare your VM template.
  2. If sensor tampering protection is enabled, disable sensor tampering protection:
    1. On the Prevention Policies page, locate the sensor’s policy and click Edit Policy.
    2. In the Sensor Capabilities area, disable Sensor Tampering Protection.
    3. Click Save.
  3. Delete these registry values:
    1. HKEY_LOCAL_MACHINE\SYSTEM\CrowdStrike\{9b03c1d9-3138-44ed-9fae-d9f4c034b88d}\{16e0423f-7058-48c9-a204-725362b67639}\Default\AG
    2. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CSAgent\Sim\AG
  4. If needed, re-enable sensor tampering protection in the sensor’s prevention policy and click Save. The AID is removed from the VM template.
  5. Shut down the VM.
  6. Convert the VM to a template image using your virtualization software.
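A check for the two AG registry locations named in the troubleshooting and template-modification steps above, to run on the template before it is shut down and converted. This is an added PowerShell example, not CrowdStrike's or this card's own script; it assumes AG is a registry value under each parent key, and the -Remove switch is a name chosen here.

```powershell
#Requires -RunAsAdministrator
# Added example: report (and optionally remove) a leftover AID in a VM template.
# Assumption: "AG" is a registry value under each parent key listed on this page.
[CmdletBinding(SupportsShouldProcess)]
param([switch]$Remove)

$parents = @(
    'HKLM:\SYSTEM\CrowdStrike\{9b03c1d9-3138-44ed-9fae-d9f4c034b88d}\{16e0423f-7058-48c9-a204-725362b67639}\Default',
    'HKLM:\SYSTEM\CurrentControlSet\Services\CSAgent\Sim'
)

$remaining = 0
foreach ($key in $parents) {
    # -LiteralPath keeps the braces in the key name from being interpreted.
    $item = Get-Item -LiteralPath $key -ErrorAction SilentlyContinue
    if ($null -eq $item -or $item.GetValueNames() -notcontains 'AG') {
        Write-Output "clean  : $key"
        continue
    }

    $remaining++
    Write-Output "AG set : $key"

    # Supports -WhatIf, so a dry run shows what would be removed.
    if ($Remove -and $PSCmdlet.ShouldProcess("$key\AG", 'Remove registry value')) {
        try {
            Remove-ItemProperty -LiteralPath $key -Name 'AG' -ErrorAction Stop
            $remaining--
        }
        catch {
            # Expected while sensor tampering protection is still enabled.
            Write-Warning "Could not remove AG: $($_.Exception.Message)"
        }
    }
}

if ($remaining -gt 0) {
    Write-Warning "$remaining AG value(s) remain; VMs cloned from this image would share an AID."
    exit 1
}
Write-Output 'No AG values present.'
```

Run it without -Remove first to see the current state; a non-zero exit code means the image should not be converted yet.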
