Deploy CrowdStrike Falcon Agent Using Intune
CrowdStrike is a cloud-based next-generation antivirus, EDR (endpoint detection and response) solution. You can deploy CrowdStrike in your infrastructure via a single lightweight agent. In this post, we will discuss how we can install CrowdStrike falcon agent / Sensor using Intune on Azure Ad joined devices.
- Login to CrowdStrike Portal and download the agent. You can use find step-by-step instructions in the below article.
https://www.crowdstrike.com/blog/tech-center/install-falcon-sensor/ - Once you have downloaded the agent. Copy in a folder and create a file Install.cmd
- Use the following code in Install.cmd. You should use your own CID (Customer ID)
@ECHO OFF
SET ThisScriptsDirectory=%~dp0WindowsSensor.LionLanner.exe /install /quiet /norestart CID=02A1C79U38044E2XXXXXXX-FA
CrowdStrike Falcon Agent Install Switches
| CID= | Customer ID Checksum, which is required when installing. |
| MAINTENANCE_TOKEN= | Bulk Maintenance Token is retrieved from the CrowdStrike site when performing upgrades. |
| /install | Install the sensor (default). |
| /passive | The installer shows a minimal UI with no prompts. |
| /quiet | The installer shows no UI and no prompts. |
| /norestart | Prevents the host from restarting at the end of the sensor installation. |
- Now create an Intune package using Intune Packaging App. (Change source path and destination folder path)
PS C:\IntuneAppsWinAppsUtil> .\IntuneWinAppUtil.exe
Please specify the source folder: C:\CrowdStrike
Please specify the setup file: Install.cmd
Please specify the output folder: C:\CrowdStrike
Do you want to specify catalog folder (Y/N)?N
- Login to https://endpoint.Microsoft.com and Select Apps
- Select all Apps and Click to Add. Select App Type to “Windows app (Win32)”
- Select App Package file which we created earlier.
- Add app information such as Name & Publisher
- Specify the commands to install and uninstall this app
- Select both OS system architecture and minimum OS to Windows 10 1607
- On detection rule, select “Manually configure detection rules and Rule type Register”
Path : C:\Program Files\CrowdStrike
File or folder : CSFalconController.exe
- Assign to the group you want to deploy printer using Intune.
Doesn’t work, did you test this?
Yes, It’s working on all Windows machines joined to Azure AD.
What did you put for Uninstall command?
/uninstall /quiet /norestart ???
do you have a detection method for versions of crowdstrike?
Slight enhancement to this, if you download the uninstall tool (CsUninstallTool.exe) from Crowdstrike and place the file in the same directly before you package it all up, you can mark the uninstall command as:
CsUninstallTool.exe /quiet
And as long as you have uninstall protection removed from the device, the uninstall process from Intune will run and remove the agent successfully, tested this recently.
The Install.cmd file should look like this:
@ECHO OFF
SET ThisScriptsDirectory=%~dp0
WindowsSensor.LionLanner.exe /install /quiet /norestart CID=02A1C79U38044E2XXXXXXX-FA
The above instructions have the CID on a separate line. It needs to be on the same line as the exe.
how to do you package up the install.cmd with the exe file?