How to Deploy CrowdStrike Falcon Sensor Via Intune

CrowdStrike is a cloud-based next-generation antivirus and EDR (endpoint detection and response) solution. You can deploy CrowdStrike in your infrastructure via a single lightweight agent. This post discusses how to install the CrowdStrike Falcon agent (sensor) using Intune on Azure AD joined devices.

Log in to the CrowdStrike portal and download the agent. You can find step-by-step instructions in the article below.
https://www.crowdstrike.com/blog/tech-center/install-falcon-sensor/

Prepare Intunewin Win32 App Format

Before adding a Win32 app to Microsoft Intune, you must prepare the app using the Microsoft Win32 Content Prep Tool. You use the Microsoft Win32 Content Prep Tool to pre-process Windows classic (Win32) apps.

Let’s first identify the command line to perform the silent installation or uninstallation of Windows CrowdStrike Sensor.

  • Installation Command – The CCID (CrowdStrike Customer ID) is required on the command line. The CCID can be found on the sensor download page of the CrowdStrike Console, or you can ask your security admins for it.
  • Uninstallation Command
  • Detection Method

Important – I would recommend performing manual testing to ensure scripts are properly executed before converting and uploading files in Intune.

  • Install Command: <File name>.exe /install /quiet /norestart CID=<CCID>
  • Uninstall Command: CsUninstallTool.exe /quiet
  • Detection Method: MSI Product Code or File Detection

Download the updated IntuneWinAppUtil.exe from GitHub. Run the IntuneWinAppUtil.exe file as administrator.

  • Please specify the source folder – Enter the folder that contains your application setup files. (For Example, C:\Users\JiteshKumar\Downloads\Source)
  • Please specify the setup file – Enter the setup file name (such as setup.exe or setup.msi). For example, WindowsSensor.LionLanner.exe
  • Specify the output folder – Input the output folder to generate .intunewin file.
  • Do you want to specify catalog folder – Type N.

Note – Please wait a few minutes while running the Win32 Content Prep Tool. Once it generates the .intunewin file, the status indicates 100% at the bottom of the command prompt.

Deploy CrowdStrike Using Intune Application Deployment Guide Fig.1

Once the process completes, browse to the output folder (for example, C:\Users\JiteshKumar\Downloads\Output) to collect the Intune Win32 app deployment file.

Deploy CrowdStrike using Intune

Let’s follow the steps below to upload the Intunewin file for deploying CrowdStrike Windows Sensor to managed devices. Here’s how you can deploy CrowdStrike using Intune Portal.

  • Sign in to the Microsoft Intune admin center https://endpoint.microsoft.com/ with appropriate access rights.
  • Select Apps > All apps > Add, or you can navigate to Apps > Windows > Windows Apps.
  • On the Select app type pane, select Windows app (Win32) under the Other app types and click Select.
Deploy CrowdStrike Using Intune Application Deployment Guide Fig.2

On the Add app pane, click Select app package file. Select the browse button. Then, select the prepared file with the extension .intunewin. The app details appear. When you’re finished, select OK on the App package file pane.

Deploy CrowdStrike Using Intune Application Deployment Guide Fig.3

Enter the Name of the Windows App Win32 (for example, CrowdStrike Sensor or CrowdStrike Falcon Sensor), and enter the Description of the Windows App.

Enter the Publisher name – CrowdStrike. You may also specify additional app information here. Upload an icon for the app; this icon is displayed with the app when users browse the Company Portal. Click Next.

Deploy CrowdStrike Using Intune Application Deployment Guide Fig.4

The most important part is to specify the commands. On the Program page, configure the installation and removal commands for the app:

  • Install command: Add the complete installation command line to silently install CrowdStrike.
  • Uninstall command: Add the uninstallation command line for CrowdStrike.
  • Install behavior: Set the install behavior to System.

You can also specify the Device restart behavior and Post-installation behavior. Click Next to continue.

Deploy CrowdStrike Using Intune Application Deployment Guide Fig.5

On the Requirements page, specify the mandatory requirements that devices must meet before installing the app and click Next.

  • Operating system architecture: Choose the architectures needed to install CrowdStrike Sensor.
  • Minimum operating system: Select the minimum operating system needed to install CrowdStrike Sensor.

There are some built-in and custom requirements rules when creating your Win32 application. Explore Intune Win32 App Requirement Rules.

Deploy CrowdStrike Using Intune Application Deployment Guide Fig.6

On the Detection rules pane, configure the rules to detect the presence of the app. You can choose to add multiple rules.

Here I selected the Manually configure detection rules format. Click the Add button, and a popup will appear showing the Detection rule. This detection rule format provides three detection rule types: MSI, File, and Registry.

Here you can check the registry path for the applications. Most apps are installed in the same location depending on the app architecture – Detection Method for Intune Win32 App. This time, we are going to use the below as a detection rule.

  • On the detection rule, select “Manually configure detection rules” and Rule type “Register”.
Intune Detection Rule

Path : C:\Program Files\CrowdStrike
File or folder : CSFalconController.exe
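
The manual test recommended earlier can be scripted so that it runs the same install switches and then evaluates the same path and file as the detection rule above. This is an added example, not part of the original guide; the parameter names and the signature check are assumptions added here, and the return-code table reflects Intune's default Win32 app return codes.

```powershell
# Added example, not from the original guide. Run elevated on a test device.
param(
    [Parameter(Mandatory)] [string] $InstallerPath,  # sensor EXE in your source folder
    [Parameter(Mandatory)] [string] $Ccid            # CCID from the sensor download page
)

# Path and file used by the detection rule in this guide
$detectTarget = Join-Path 'C:\Program Files\CrowdStrike' 'CSFalconController.exe'
# Return codes an Intune Win32 app treats as success by default
$successCodes = @{ 0 = 'Success'; 1707 = 'Success'; 3010 = 'Soft reboot'; 1641 = 'Hard reboot' }

function Test-SensorDetected {
    Test-Path -LiteralPath $detectTarget -PathType Leaf
}

if (Test-SensorDetected) {
    Write-Output "Already detected at $detectTarget; Intune would not run the install command."
    return
}
if (-not (Test-Path -LiteralPath $InstallerPath -PathType Leaf)) {
    throw "Installer not found: $InstallerPath"
}

# Added precaution: refuse to run an installer whose Authenticode signature is not valid
$sig = Get-AuthenticodeSignature -LiteralPath $InstallerPath
if ($sig.Status -ne 'Valid') {
    throw "Installer signature status is '$($sig.Status)'; not running it."
}
Write-Output "Signer: $($sig.SignerCertificate.Subject)"

# Same switches as the install command in this guide
$proc = Start-Process -FilePath $InstallerPath -Wait -PassThru `
    -ArgumentList '/install', '/quiet', '/norestart', "CID=$Ccid"

# Report what Intune would conclude from the exit code and the detection check
$meaning = $successCodes[$proc.ExitCode]
[pscustomobject]@{
    ExitCode      = $proc.ExitCode
    IntuneOutcome = if ($meaning) { $meaning } else { 'Failed' }
    Detected      = Test-SensorDetected
}
```

Intune runs the command in the System context (Install behavior: System), so an elevated admin prompt only approximates the real deployment. A success exit code with `Detected` still false means the detection rule would report the app as not installed.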

You can also specify app dependencies where the applications must be installed before your Win32 app can be installed.

In the scope tag section, you shall get an option to Configure scope tags for this Windows App Win32 application.

Under Assignments, in Included groups, click Add groups and then choose Select groups to include one or more groups to which you want to deploy the app. Click Next to continue.

Deploy CrowdStrike Using Intune Application Deployment Guide Fig.7

You will see the details you provided during the application creation process. Review your settings and select Create to add the app to Intune.

Deploy CrowdStrike Using Intune Application Deployment Guide Fig.8

Once you proceed to create, you will see the status showing that uploading is in progress. How long the upload takes depends on the size of the application and the speed of your internet connection.

Please wait for the upload process to complete; you can check the progress by clicking the Notification icon. Once the Intune package has finished uploading, you will get the status “Upload finished.”

End Users Experience – Intune Company Portal

Your groups will receive the targeted application when the devices check in with the Intune service and the policy applies to the device.

On the client machine, in the Company Portal, you can click on the app to track the details and check the progress. Here you can see that the CrowdStrike Falcon Sensor installed successfully.

Deploy CrowdStrike Using Intune Application Deployment Guide Fig.9

Monitor CrowdStrike Windows Sensor Deployment

Once the application installation starts, the “Detection rule” is evaluated. Checks are performed against the configured rules, and the app “Install command” is triggered.

You can track the details logged in IntuneManagementExtension.log, located in C:\ProgramData\Microsoft\IntuneManagementExtension\Logs, to follow the application activity on client devices. For more details, see the article Intune Win32 App Issues Troubleshooting.
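
IntuneManagementExtension.log is written in the CMTrace record format, so it can be parsed into objects and filtered instead of read by eye. The following is an added example, not part of the original guide; the `$Match` default and the parameter names are assumptions, and the severity mapping follows the CMTrace `type` field (1 = Info, 2 = Warning, 3 = Error).

```powershell
# Added example, not from the original guide: list log entries that mention the app.
param(
    [string] $LogPath = 'C:\ProgramData\Microsoft\IntuneManagementExtension\Logs\IntuneManagementExtension.log',
    [string] $Match   = 'CrowdStrike',  # assumption: substring to search for (app name or app ID)
    [int]    $Last    = 30              # number of most recent matching entries to show
)

# One CMTrace record looks like:
# <![LOG[message]LOG]!><time="..." date="..." component="..." context="" type="1" ...>
# (?s) lets the message span several lines.
$pattern  = '(?s)<!\[LOG\[(?<msg>.*?)\]LOG\]!><time="(?<time>[^"]+)" date="(?<date>[^"]+)" ' +
            'component="(?<comp>[^"]*)" context="[^"]*" type="(?<type>\d)"'
$severity = @{ '1' = 'Info'; '2' = 'Warning'; '3' = 'Error' }

$raw = Get-Content -LiteralPath $LogPath -Raw

$entries = foreach ($m in [regex]::Matches($raw, $pattern)) {
    [pscustomobject]@{
        Date      = $m.Groups['date'].Value
        Time      = $m.Groups['time'].Value
        Severity  = $severity[$m.Groups['type'].Value]
        Component = $m.Groups['comp'].Value
        Message   = $m.Groups['msg'].Value.Trim()
    }
}

# Keep only entries that mention the app, case-insensitively
$hits = @($entries | Where-Object { $_.Message -like "*$Match*" })

# Summary by severity, then the most recent matching entries
$hits | Group-Object Severity | Select-Object Name, Count | Format-Table -AutoSize
$hits | Select-Object -Last $Last | Format-Table Date, Time, Severity, Message -Wrap
```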

Validate CrowdStrike Installation Status from Control Panel

To check whether the CrowdStrike application has been installed successfully, open Control Panel > Programs and Features and check that CrowdStrike Windows Sensor is listed. You have successfully deployed CrowdStrike using Intune.

Validate CrowdStrike Installation Status from Control Panel Fig.11

Troubleshooting Win32 App References

For troubleshooting Intune client-side events, you can refer to three logs in case you experience any issue while deploying CrowdStrike using Intune.

  • IntuneManagementExtension.log: Tracks the Intune Management Extension component events.
  • AgentExecutor.log: Tracks any PowerShell execution events.
  • ClientHealth.log: Tracks client-health-related events.

Ref: Deploy CrowdStrike Using Intune EXE Deployment Guide HTMD Blog (anoopcnair.com)

Deploy CrowdStrike Falcon Agent Using Intune (usmanghani.co)