
CrowdStrike Falcon Protection (Windows EXE)

Description

Need to deploy CrowdStrike Falcon antivirus to your Windows fleet? FileWave has you covered.

CrowdStrike's flagship product is called Falcon, which is a cloud-native platform that combines next-generation antivirus, endpoint detection and response (EDR), threat intelligence, and proactive threat hunting. Falcon aims to provide real-time visibility into endpoint activity, rapid threat detection, and automated response to security incidents.

Ingredients

Directions

Deploying CrowdStrike Falcon to your devices

The CrowdStrike deployment for Windows devices uses one Fileset. This Fileset includes a placeholder for your EXE installer, with template launch arguments.

Be sure to replace the placeholder with the EXE installer provided by CrowdStrike.

CrowdStrike Windows Installation.fileset.zip

WindowsCrowdstrikeContents.png

Customizing the Installation EXE

Editing the Fileset EXE

 

  1. Highlight the CrowdStrike Windows Installation Fileset
  2. Double-Click to open the Fileset Contents
  3. Upload your EXE installer into the Installer folder
  4. Remove the placeholder file after your EXE installer has been uploaded successfully
  5. Highlight and select your uploaded .exe file.
  6. Click on 'Get Info'
WindowsCrowdstrikeGetInfo.png

Enter your CrowdStrike EXE installer switches/parameters and license code

 

  1. Select the 'Executable' tab
  2. Check the box for 'Execute once when activated'
  3. Check the box for 'Wait for executable to finish' and choose 5 Minutes
  4. Under the 'Launch Arguments' tab, enter the CLI switches and parameters needed for a proper installation; see the complete list of EXE installer switches and parameters below
  5. Click Apply to save your changes to the Launch Arguments
  6. Close the Get Info window to save your changes
WindowsCrowdstrikeLaunchArguments.png

Please Note: The Launch Argument NO_START=1 is intended for when you want CrowdStrike to start after the first reboot post-install. If that is not the desired outcome, remove NO_START=1 from the Launch Argument list.

CrowdStrike CLI switches

These CLI switches are not case sensitive:

| Switch | Required | Purpose |
|---|---|---|
| /install | Yes | Installs the CrowdStrike Falcon Sensor. |
| /passive | No | The installer shows a minimal UI with no prompts. |
| /quiet | No | Suppresses UI and prompts. |
| /norestart | No | Prevents the host from restarting after installation. |
| /log | No | Changes the default installation log directory from %Temp% to a new location. The new location must be contained in quotation marks (""). |

CrowdStrike CLI parameters

These parameters are case sensitive:

| Parameter | Value | Required | Purpose |
|---|---|---|---|
| CID= | CID license | Yes | Uses customer identification (CID) to associate sensor to CrowdStrike Falcon Console. |
| NO_START= | 0 (Default) | No | Starts the sensor immediately after installation. |
| NO_START= | 1 | No | Prevents the sensor from starting after installation. The next time the host boots, the sensor is assigned an agent ID (AID). |
| VDI= | 1 | No | Configures sensor for a virtual desktop infrastructure (VDI) environment. Updates AID after system initialization. |
| APP_PROXYNAME= | proxy.domain.com | No | Configures sensor to use a proxy connection. Cannot be used with PACURL=. |
| APP_PROXYPORT= | 1234 | No | Specifies APP_PROXYPORT= port. |
| PACURL= | See Examples | No | Configures a proxy connection using a PAC file. Cannot be used with either APP_PROXYNAME or APP_PROXYPORT. |
| PROXYDISABLE= | 0 (Default) | No | Attempts to connect to CrowdStrike Falcon Console using any available proxy connections. |
| PROXYDISABLE= | 1 | No | The parameter ignores any automatic proxy connection. |
| ProvNoWait= | 0 (Default) | No | The parameter uninstalls the sensor if unable to connect to CrowdStrike Falcon Console within 10 minutes. |
| ProvNoWait= | 1 | No | The parameter prevents uninstall if unable to connect to CrowdStrike Falcon Console. |
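
A Launch Arguments string can be checked against the two tables above before it is saved in the Fileset. The following is an added example, not FileWave or CrowdStrike code; the function name `Test-FalconLaunchArguments` is hypothetical, the sample CID and PAC values are placeholders, and it assumes the log location follows `/log` as a separate token.

```powershell
# Added example, not FileWave or CrowdStrike code. Lints a Launch Arguments
# string against the switch and parameter tables on this page.
function Test-FalconLaunchArguments {
    param([Parameter(Mandatory)][string]$Arguments)

    $switches = '/install', '/passive', '/quiet', '/norestart', '/log'
    $params   = 'CID', 'NO_START', 'VDI', 'APP_PROXYNAME', 'APP_PROXYPORT',
                'PACURL', 'PROXYDISABLE', 'ProvNoWait'
    $problems = [System.Collections.Generic.List[string]]::new()
    $seen     = [System.Collections.Generic.List[string]]::new()

    # Split on whitespace, keeping quoted values (such as the /log path) whole.
    $tokens = [regex]::Matches($Arguments, '(?:"[^"]*"|[^\s"])+') | ForEach-Object { $_.Value }
    $previous = ''
    foreach ($token in $tokens) {
        if ($previous -eq '/log') {
            # Assumption: the log location follows /log as its own token.
            if ($token -notmatch '^".*"$') { $problems.Add('The /log location must be in quotation marks') }
        } elseif ($token.StartsWith('/')) {
            # Switches are not case sensitive: -notcontains ignores case.
            if ($switches -notcontains $token) { $problems.Add("Unknown switch: $token") }
            $seen.Add($token.ToLowerInvariant())
        } elseif ($token -match '^([^=]+)=(.*)$') {
            $name = $Matches[1]; $value = $Matches[2]
            # Parameters are case sensitive: -ccontains requires exact case.
            if ($params -ccontains $name) { $seen.Add($name) }
            elseif ($params -contains $name) { $problems.Add("Wrong case for parameter: $name") }
            else { $problems.Add("Unknown parameter: $name") }
            if ($name -ceq 'CID' -and -not $value) { $problems.Add('CID= has no value') }
        } else {
            $problems.Add("Unexpected token: $token")
        }
        $previous = $token
    }

    if ($seen -notcontains '/install') { $problems.Add('Missing required switch /install') }
    if ($seen -cnotcontains 'CID')     { $problems.Add('Missing required parameter CID=') }
    if (($seen -ccontains 'PACURL') -and
        (($seen -ccontains 'APP_PROXYNAME') -or ($seen -ccontains 'APP_PROXYPORT'))) {
        $problems.Add('PACURL= cannot be combined with APP_PROXYNAME= or APP_PROXYPORT=')
    }
    return $problems
}

# Constructed sample; the CID and PAC values are placeholders.
Test-FalconLaunchArguments '/install /quiet /norestart cid=YOUR-CID NO_START=1 PACURL=YOUR-PAC-URL APP_PROXYNAME=proxy.domain.com'
```

An empty result means the string passed every check; the sample reports the lowercase `cid=`, the resulting missing `CID=`, and the `PACURL=`/`APP_PROXYNAME=` conflict.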

Creating a Fileset Group

Keeping your Filesets organized is good practice, especially if there are multiple Filesets for software deployment or if you organize them by deployment platform.

You may create a New Fileset Group, label it CrowdStrike Falcon (Windows 2023), and move the Fileset you created into this Group. Then associate the Fileset Group labeled CrowdStrike Falcon (Windows 2023) with your devices rather than individual Filesets.

When ready, associate the Fileset Group labeled CrowdStrike Falcon (Windows 2023) with a few devices as a test. This is to verify and confirm that the software is installed properly based on the license code you configured.

As a best practice, always test on a few devices before mass deployment.

FileWave Custom Fields to validate installation

Monitoring the CrowdStrike Falcon Sensor through FileWave custom fields helps ensure endpoint protection remains active and compliant. By validating that the Falcon service is running and reporting the installed sensor version, administrators can quickly detect inactive or outdated agents that may leave devices exposed. These custom fields cover both macOS and Windows.

ExampleCrowdStrikeCF.png

| Sensor State | Output Value |
|---|---|
| Installed | Installed \| version_number |
| Not Installed | Not Installed |
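
One way a Windows custom field script could produce the output values in the table above. This is an added example, not the Custom Field that ships with FileWave; it assumes the sensor registers a Windows service named `CSFalconService` and that the version can be read from that service's executable, and the function name `Get-FalconSensorState` is hypothetical.

```powershell
# Added example, not the Custom Field that ships with FileWave.
# Assumptions: the sensor registers a Windows service named CSFalconService,
# and the version is taken from that service binary's file version.
function Get-FalconSensorState {
    $service = Get-CimInstance -ClassName Win32_Service -Filter "Name='CSFalconService'" -ErrorAction SilentlyContinue
    if (-not $service) { return 'Not Installed' }

    # PathName can be quoted and can carry arguments; keep only the executable path.
    $exe = if ($service.PathName -match '^"([^"]+)"') { $Matches[1] } else { ($service.PathName -split '\s+')[0] }

    # Fall back to "unknown" if the binary cannot be read, so the field still
    # reports that the service is registered.
    $version = 'unknown'
    if ($exe -and (Test-Path -LiteralPath $exe)) {
        $version = (Get-Item -LiteralPath $exe).VersionInfo.ProductVersion
    }
    return "Installed | $version"
}

# The custom field value is whatever the script writes to standard output.
Get-FalconSensorState
```

The service's run state is available as `$service.State` if a separate field should flag a sensor that is installed but stopped.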