Deploy CrowdStrike Falcon Agent Using Intune

CrowdStrike is a cloud-based next-generation antivirus and EDR (endpoint detection and response) solution. You can deploy CrowdStrike in your infrastructure via a single lightweight agent. In this post, we will discuss how to install the CrowdStrike Falcon agent (sensor) using Intune on Azure AD joined devices.


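  • Use the following code in Install.cmd. You should use your own CID (Customer ID).

@ECHO OFF
REM %~dp0 is the folder this script runs from, with a trailing backslash
SET ThisScriptsDirectory=%~dp0

REM Silent install; replace the CID value with your own Customer ID
"%ThisScriptsDirectory%WindowsSensor.LionLanner.exe" /install /quiet /norestart CID=02A1C79U38044E2XXXXXXX-FA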

CrowdStrike Falcon Agent Install Switches

CID= Customer ID Checksum, which is required when installing.
MAINTENANCE_TOKEN= Bulk Maintenance Token, retrieved from the CrowdStrike site when performing upgrades.
/install Install the sensor (default).
/passive The installer shows a minimal UI with no prompts.
/quiet The installer shows no UI and no prompts.
/norestart Prevents the host from restarting at the end of the sensor installation.

 

  • Now create an Intune package using the Intune packaging app (IntuneWinAppUtil.exe). Change the source folder and output folder paths to match your environment.

PS C:\IntuneAppsWinAppsUtil> .\IntuneWinAppUtil.exe

           Please specify the source folder: C:\CrowdStrike
           Please specify the setup file: Install.cmd
           Please specify the output folder: C:\CrowdStrike
           Do you want to specify catalog folder (Y/N)?N


  • Select the app package file we created earlier.


  • Add app information such as Name and Publisher.


  • Specify the commands to install and uninstall this app.


  • Select both operating system architectures and set the minimum operating system to Windows 10 1607.


  • On the detection rule step, select “Manually configure detection rules” and Rule type “Register”.


Path : C:\Program Files\CrowdStrike
File or folder : CSFalconController.exe

  • Assign the app to the group you want to deploy it to using Intune.
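
As an alternative to the manual detection rule above, Intune also accepts a custom detection script. The following is an added example, not part of the original post: it checks the same path and file, and additionally requires a valid Authenticode signature and a minimum file version. The minimum version value and the 'CrowdStrike' signer match are assumptions to adjust for your environment.

```powershell
# Added example: Intune custom detection script (not from the original post).
# Intune treats the app as detected only when the script exits 0 AND writes to STDOUT.

# Path and file name are the ones used in the detection rule above.
$SensorPath = 'C:\Program Files\CrowdStrike\CSFalconController.exe'

# Assumption: placeholder minimum version; set it to the oldest build you accept.
$MinimumVersion = [version]'0.0.0.0'

function Test-FalconSensor {
    param(
        [Parameter(Mandatory)] [string]  $Path,
        [Parameter(Mandatory)] [version] $MinVersion
    )

    # Binary missing: the sensor is not installed.
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) { return $null }

    # A file with the right name is not enough: require an intact, trusted signature.
    $sig = Get-AuthenticodeSignature -LiteralPath $Path
    if ($sig.Status -ne 'Valid') { return $null }

    # Assumption: the signing certificate subject contains the vendor name.
    if ($sig.SignerCertificate.Subject -notmatch 'CrowdStrike') { return $null }

    # Build a comparable version from the numeric parts of the file version.
    $info  = (Get-Item -LiteralPath $Path).VersionInfo
    $found = [version]::new($info.FileMajorPart, $info.FileMinorPart,
                            $info.FileBuildPart, $info.FilePrivatePart)

    # Too old counts as "not detected", so Intune reinstalls or upgrades.
    if ($found -lt $MinVersion) { return $null }
    return $found
}

$version = Test-FalconSensor -Path $SensorPath -MinVersion $MinimumVersion
if ($null -ne $version) {
    Write-Output "CrowdStrike Falcon sensor $version detected"
    exit 0
}

# No STDOUT and a non-zero exit code: Intune reports the app as not installed.
exit 1
```

To use it, choose the custom detection script option on the detection rule step and upload the script in place of the manual rule.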

 

 

6 Comments
  1. law says

    Doesn’t work, did you test this?

    1. Usman says

      Yes, it’s working on all Windows machines joined to Azure AD.

      1. Kiefer says

        What did you put for Uninstall command?

        /uninstall /quiet /norestart ???

  2. Lelo says

    Do you have a detection method for versions of CrowdStrike?

  3. Saqib says

    Slight enhancement to this: if you download the uninstall tool (CsUninstallTool.exe) from CrowdStrike and place the file in the same directory before you package it all up, you can mark the uninstall command as:

    CsUninstallTool.exe /quiet

    And as long as you have uninstall protection removed from the device, the uninstall process from Intune will run and remove the agent successfully. Tested this recently.

  4. Brian says

    The Install.cmd file should look like this:

    @ECHO OFF
    SET ThisScriptsDirectory=%~dp0

    WindowsSensor.LionLanner.exe /install /quiet /norestart CID=02A1C79U38044E2XXXXXXX-FA

    The above instructions have the CID on a separate line. It needs to be on the same line as the exe.
