Deploy CrowdStrike Falcon Sensor with Intune

Last updated on May 16th, 2024 at 03:03 pm

This post walks through how to deploy the CrowdStrike Falcon Sensor for Windows using Intune. First, download the CrowdStrike Falcon Sensor executable from your CrowdStrike portal. You’ll also need the Customer ID (sometimes referred to as the CCID or CID). The Customer ID is different from the installation token. Make sure you are copying the Customer ID, since this is necessary for our silent install syntax. If we launch the exe with /help, we can see the following command line install options:

We want to use the following switches: /install /quiet and /norestart. In addition to this, we also want to specify our CID. So, our install command will look like this:

WindowsSensor.MaverickGyr.exe /install /quiet /norestart CID=<customer ID>

If you need to use an installation token, add ProvToken=<installtoken> at the end of the command. So, it would look like this:

WindowsSensor.MaverickGyr.exe /install /quiet /norestart CID=A1B2C3D4E5F6G8 ProvToken=12341234

This should be pretty straightforward if you’ve ever packaged a Win32 app before. Download the Win32 content prep tool if you don’t already have it. Next, place the CrowdStrike exe installer in a folder with no other files. Run the Win32 content prep tool, specify that directory, the exe as the install file, and the destination for the .intunewin file:

Next, log in to Intune, add a new Windows Win32 app, select the .intunewin file we just created, and complete the required app information:

For our install command, we will use the string we mentioned above (WindowsSensor.MaverickGyr.exe /install /quiet /norestart CID=<customer ID>). We won’t provide an uninstall command since a unique maintenance token is required for removal. Removal can also be performed from the CrowdStrike dashboard.

Complete your requirements, and when we get to the detection rules, I’ll use a PowerShell script that checks whether the CrowdStrike Falcon service is installed:

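# Look up the Falcon service; $CS is empty when the service is not registered
$CS = Get-Service "CSFalconService" -ErrorAction SilentlyContinue
if ($CS) {
    # Intune treats the app as detected on exit code 0 plus output on STDOUT
    Write-Output "CS is installed"
    exit 0
}
else {
    # A non-zero exit code tells Intune the app is not detected
    Write-Output "CS is not installed"
    exit 1
}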
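
A stricter variant of the detection script, as an added example that is not part of the original post or CrowdStrike's own tooling: besides finding the CSFalconService entry, it confirms that the executable the service points to exists and carries a valid Authenticode signature. It assumes the service's registered image path ends in .exe; the variable names are illustrative.

```powershell
# Added example: stricter Intune detection script (not from the original post).
# Intune marks the app as detected only when the script exits 0 AND writes to STDOUT.
$serviceName = 'CSFalconService'   # service name used in the post

# Win32_Service exposes the registered image path, so no install path is hardcoded.
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$serviceName'" -ErrorAction SilentlyContinue
if (-not $svc) {
    exit 1   # service not registered: not detected
}

# PathName may be quoted and may carry arguments; keep only the executable path.
# Assumption: the image path ends in .exe.
if ($svc.PathName -match '^\s*"?(?<exe>.+?\.exe)') {
    $exe = $Matches['exe']
}
else {
    exit 1
}

# A service entry that points at a missing binary is a broken or partial install.
if (-not (Test-Path -LiteralPath $exe -PathType Leaf)) {
    exit 1
}

# The binary on disk must carry a valid Authenticode signature.
$sig = Get-AuthenticodeSignature -FilePath $exe
if ($sig.Status -ne 'Valid') {
    exit 1
}

# Report state and version in the detection output for troubleshooting.
$version = (Get-Item -LiteralPath $exe).VersionInfo.FileVersion
Write-Output "$serviceName detected: state=$($svc.State), startmode=$($svc.StartMode), version=$version, signer=$($sig.SignerCertificate.Subject)"
exit 0
```

The script only reports the service state rather than requiring it to be running, so a temporarily stopped service does not cause Intune to retry the install on a required assignment.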

For reference, this is how the service appears in Windows and the path to the service executable:

Finish the package creation by deploying to your devices. The app should begin deploying the next time devices check in 🙂