This article walks you through installing and deploying the CrowdStrike sensor via Microsoft Intune. Follow the procedure from beginning to end.
Step 1: CrowdStrike Falcon–Download the CrowdStrike Sensor
The CrowdStrike Falcon Sensor for Windows is available for download directly within the Falcon Console.
- In your CrowdStrike console, click the Menu icon, and then click Host setup and management.
- Click Sensor downloads.
Take note of your Customer ID. This identifier is unique to your organization and is required during deployment to link each deployed sensor to your organization's instance of CrowdStrike Falcon.
Step 2: CrowdStrike Falcon–Download the Falcon Uninstall Tool (optional)
Use Microsoft Intune to create a software package to install and remove the Falcon sensor.
Note: If you do not wish to use the same package for both installation and removal, continue on to Step 3.
The Windows Sensor uninstall tool is available for download directly within the Falcon Console.
- Navigate to Support and resources, and then click Tool downloads.
- Scroll to the bottom of the page, and then click the ICON_TRASH icon for the Falcon Windows Sensor Uninstall Tool.
Step 3: GitHub–Compress and Archive the exe files into .intunewin
- Navigate to the Microsoft GitHub home page, and then click Go to file.
- To download the required tool, click Microsoft Win32 Content Prep Tool, and then click Download.
- Place both the Falcon Sensor and the Uninstall Tool file into one dedicated folder (e.g., *Desktop\Falcon\FalconSensor.exe, *Desktop\Falcon\CSUninstallTool.exe).
Note: The entire contents of the selected folder will be archived.
- Open the Command Prompt, and then run IntuneWinAppUtil.exe.
- Enter the following prompts:
  - Source folder: The folder housing the Falcon Sensor and Uninstall Tool executables
  - Setup file: The Falcon Sensor executable file (only the Falcon Sensor itself, not the Uninstall Tool)
  - Output folder: Location where the .intunewin file will be saved
  - Specify catalog folder: Enter N; a catalog folder is only needed when deploying software to an endpoint running Windows 10 S mode
- Once completed, you will find the new .intunewin file in the folder you specified in Step 3.3.
Step 4: Microsoft Intune–Configure the Sensor Package within Microsoft Intune
- From the Intune homepage, click Apps.
- Click All Apps, and then click Add.
- From the App type dropdown, click Windows app (Win32).
- Click the App package file you created in the previous step.
Note: In the following tabs you only need to complete the fields highlighted with a *. However, you should follow your organization’s software deployment procedures.
- Under the App information section, enter a Name for the sensor package.
- Enter a Publisher for the sensor package.
- Click Next.
- Enter the Install Command and Uninstall Command.
  - The default command for installation is: <installer_filename> /install /quiet /norestart CID=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX-XX
  - The default command for uninstall is: CsUninstallTool.exe /quiet
- From the Install behavior section, click System. This action executes the installation with administrative rights.
- From the Device Restart Behavior dropdown, select No Specific Action. The Falcon Sensor does not require a reboot upon deployment.
- Leave Return Codes as default.
- Click Next.
Note: For more information on the installation, uninstall, or general workings of the Falcon Sensor, please reference the Falcon Sensor for Windows guide located within the Falcon Platform at Support Documentation Falcon Sensor for Windows.
- Select the appropriate options for Operating System Architecture and Minimum Operating System.
- Click Next.
- From the Rules format dropdown, select Manually configure detection rules.
- Click +Add.
- From the Rule type dropdown, select File.
- From the Path dropdown, select C:\Program Files\CrowdStrike.
- From the File or Folder dropdown, select CSFalconController.exe.
- From the Detection Method dropdown, select File or Folder Exists.
- Click Ok.
- Click Next.
Note: The Dependencies and Supersedence settings are not required and can be skipped by clicking Next.
- Click Required and choose to add an individual Asset Group or All Users.
Note: This will force install the sensor on all included endpoints.
- Review the sensor setting and click Next.
Note: Once confirmed, the .intunewin file will be uploaded to Microsoft Intune and you will be notified in Microsoft Intune when the app is ready. The Sensor will be pushed to the endpoints automatically upon the next Intune Sync cycle. You can also choose to manually initiate a Sync.
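The packaging in Step 3 and the commands in Step 4 can be scripted with a few checks that run before anything is uploaded. The following PowerShell is an added example, not part of the original article or of CrowdStrike's or Microsoft's tooling. The folder paths, the tool location, and the CID shape (32 hex characters, a dash, 2 hex characters, inferred from the placeholder in the install command) are assumptions.

```powershell
# Added example. Paths, tool location and the CID value are placeholders (assumptions).
$ErrorActionPreference = 'Stop'
$SourceFolder = "$env:USERPROFILE\Desktop\Falcon"       # folder from Step 3
$SetupFile    = 'FalconSensor.exe'                      # setup file named in Step 3
$Allowed      = @($SetupFile, 'CSUninstallTool.exe')    # uninstall tool is optional
$OutputFolder = "$env:USERPROFILE\Desktop\FalconOut"    # hypothetical, outside the source folder
$PrepTool     = '.\IntuneWinAppUtil.exe'                # assumed to sit in the current directory
$Cid          = 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX-XX'   # replace with the Customer ID from Step 1

# 1. The whole source folder is archived, so fail if it holds anything unexpected.
$files = @(Get-ChildItem -LiteralPath $SourceFolder -Recurse -File)
$unexpected = @($files | Where-Object { $_.Name -notin $Allowed })
if ($unexpected.Count -gt 0) {
    throw "Unexpected files would be packaged: $($unexpected.Name -join ', ')"
}
if ($files.Name -notcontains $SetupFile) { throw "$SetupFile not found in $SourceFolder" }

# 2. Check each executable's Authenticode signature and record its SHA-256.
foreach ($f in $files) {
    $sig = Get-AuthenticodeSignature -FilePath $f.FullName
    if ($sig.Status -ne 'Valid') {
        throw "$($f.Name): signature status is $($sig.Status); do not package it."
    }
    $hash = (Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256).Hash
    '{0}  {1}  signer: {2}' -f $hash, $f.Name, $sig.SignerCertificate.Subject
}

# 3. Catch a mistyped or unreplaced CID before it reaches the install command.
#    Assumed shape: 32 hex characters, a dash, 2 hex characters.
if ($Cid -notmatch '^[0-9A-Fa-f]{32}-[0-9A-Fa-f]{2}$') {
    throw 'CID has the wrong shape; copy it again from Sensor downloads.'
}

# 4. Package without prompts: -c source folder, -s setup file, -o output folder, -q quiet.
New-Item -ItemType Directory -Force -Path $OutputFolder | Out-Null
& $PrepTool -c $SourceFolder -s $SetupFile -o $OutputFolder -q
$package = Join-Path $OutputFolder ([IO.Path]::ChangeExtension($SetupFile, 'intunewin'))
if (-not (Test-Path -LiteralPath $package)) { throw "Expected package not found: $package" }

# 5. Commands for the Install and Uninstall fields in Step 4.
"Install:   $SetupFile /install /quiet /norestart CID=$Cid"
'Uninstall: CsUninstallTool.exe /quiet'
```

With the placeholder CID left in place the script stops at check 3, so a package is never built with an unusable install command.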