In this post, you will learn how to deploy CrowdStrike using Intune. CrowdStrike Falcon Sensor is the next-gen antivirus that protects against all types of attacks, from commodity malware to sophisticated attacks, even when offline.
CrowdStrike platforms rely on a cloud-hosted SaaS solution to manage policies and respond to threats. The sensor runs on each endpoint and keeps working even when the endpoint is not connected to the cloud.
CrowdStrike Falcon delivers security and IT operations capabilities, including IT hygiene, vulnerability management, and patching. CrowdStrike has redefined security with the world’s most advanced cloud-native platform that protects and enables the people, processes, and technologies that drive modern enterprise.
CrowdStrike secures the most critical areas of enterprise risk – endpoints and cloud workloads, identity, and data – to keep organizations ahead of today’s adversaries and stop breaches. It has been certified by independent third parties as an AV replacement solution.
Download the CrowdStrike Sensor installer from the official website. The CrowdStrike Falcon agent can be installed on Windows, Mac, or Linux platforms. If you’d like to get access to CrowdStrike Falcon, get started with the Free Trial.
Prepare Intunewin Win32 App Format
Before adding a Win32 app to Microsoft Intune, you must prepare the app using the Microsoft Win32 Content Prep Tool. You use the Microsoft Win32 Content Prep Tool to pre-process Windows classic (Win32) apps.
Let’s first identify the command line to perform the silent installation or uninstallation of Windows CrowdStrike Sensor.
- Installation Command – The CCID (CrowdStrike Customer ID) is required on the command line. The CID can be found on the sensor download page of the CrowdStrike Console, or you can ask your security admins for it.
- Uninstallation Command
- Detection Method
Important – I would recommend performing manual testing to ensure scripts are properly executed before converting and uploading files in Intune.
|Install Command|Uninstall Command|Detection Method|
|---|---|---|
|`<File name>.exe /install /quiet /norestart CID=<CCID>`|`CsUninstallTool.exe /quiet`|MSI Product Code or File Detection|
Download the updated IntuneWinAppUtil.exe from GitHub. Run the IntuneWinAppUtil.exe file as administrator.
- Please specify the source folder – Enter the folder that contains your application setup files. (For Example, C:\Users\JiteshKumar\Downloads\Source)
- Please specify the setup file – Enter the setup file name (such as setup.exe or setup.msi). For example, WindowsSensor.LionLanner.exe
- Specify the output folder – Input the output folder to generate .intunewin file.
- Do you want to specify catalog folder – Type N.
Note – Please wait a few minutes while running the Win32 Content Prep Tool. Once it generates the .intunewin file, the status indicates 100% at the bottom of the command prompt.
Once the process completes, browse to the output folder (for example, C:\Users\JiteshKumar\Downloads\Output) to collect the Intune Win32 app deployment file.
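The prompts above can also be passed as switches, which makes the packaging step repeatable. The following PowerShell is an added example, not part of the original post: it checks the installer's Authenticode signature before wrapping it. The tool location and the "CrowdStrike" signer match are assumptions; the source folder, setup file, and output folder reuse the example values above.

```powershell
# Added example: verify the sensor installer, then package it without prompts.
$SourceDir = 'C:\Users\JiteshKumar\Downloads\Source'   # example folder from the steps above
$SetupFile = 'WindowsSensor.LionLanner.exe'            # example file name from the steps above
$OutputDir = 'C:\Users\JiteshKumar\Downloads\Output'   # example folder from the steps above
$PrepTool  = 'C:\Tools\IntuneWinAppUtil.exe'           # assumed location of the prep tool

$installer = Join-Path $SourceDir $SetupFile
if (-not (Test-Path -LiteralPath $installer)) {
    throw "Installer not found: $installer"
}

# Refuse to package a binary whose signature is missing, broken, or untrusted.
$sig = Get-AuthenticodeSignature -LiteralPath $installer
if ($sig.Status -ne 'Valid') {
    throw "Signature status is '$($sig.Status)'; not packaging $SetupFile"
}
# Assumption: the signer subject names CrowdStrike. Confirm the expected
# subject against a copy downloaded directly from the Falcon console.
if ($sig.SignerCertificate.Subject -notmatch 'CrowdStrike') {
    throw "Unexpected signer: $($sig.SignerCertificate.Subject)"
}

# Record the hash so the uploaded package can be traced back to this download.
$hash = (Get-FileHash -LiteralPath $installer -Algorithm SHA256).Hash
Write-Output "Packaging $SetupFile (SHA256 $hash)"

# -c source folder, -s setup file, -o output folder, -q quiet mode (no prompts).
New-Item -ItemType Directory -Path $OutputDir -Force | Out-Null
& $PrepTool -c $SourceDir -s $SetupFile -o $OutputDir -q

# The tool names its output after the setup file; fail if nothing was produced.
$package = Get-ChildItem -Path $OutputDir -Filter '*.intunewin' |
    Sort-Object LastWriteTime -Descending | Select-Object -First 1
if (-not $package) {
    throw "No .intunewin file was created in $OutputDir"
}
$package | Select-Object Name, Length, LastWriteTime
```

Keep only the installer in the source folder, because the tool packages everything it finds there.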
Deploy CrowdStrike using Intune
Let’s follow the steps below to upload the Intunewin file for deploying CrowdStrike Windows Sensor to managed devices. Here’s how you can deploy CrowdStrike using Intune Portal.
- Sign in to the Microsoft Intune admin center https://endpoint.microsoft.com/ with appropriate access rights.
- Select Apps > All apps > Add, or you can navigate to Apps > Windows > Windows Apps.
- On the Select app type pane, select Windows app (Win32) under the Other app types and click Select.
On the Add app pane, click Select app package file. Select the browse button. Then, select the prepared file with the extension .intunewin. The app details appear. When you’re finished, select OK on the App package file pane.
Enter the Name of the Windows App Win32 (for example, CrowdStrike Sensor or CrowdStrike Falcon Sensor), and enter the Description of the Windows App.
Enter the Publisher name – CrowdStrike. You may specify additional app information here. Upload an icon for the app; this icon is displayed with the app when users browse the Company Portal. Click Next.
The most important part is to specify the commands. On the Program page, configure the installation and removal commands for the app:
- Install command: Add the complete installation command line to silently install CrowdStrike.
- Uninstall command: Add the uninstallation command line for CrowdStrike.
- Install behavior: Set the install behavior to System.
You can also specify the Device restart behavior and Post-installation behavior. Click Next to continue.
On the Requirements page, specify the mandatory requirements that devices must meet before installing the app and click Next.
- Operating system architecture: Choose the architectures needed to install CrowdStrike Sensor.
- Minimum operating system: Select the minimum operating system needed to install CrowdStrike Sensor.
There are some built-in and custom requirements rules when creating your Win32 application. Explore Intune Win32 App Requirement Rules.
On the Detection rules pane, configure the rules to detect the presence of the app. You can choose to add multiple rules.
Here I selected the Manually configure detection rules format. Click the Add button, and a popup will appear showing the Detection rule. This detection rule format provides three rule types: MSI, File, and Registry.
Here you can check the registry path for the application. Most apps are installed in the same location depending on the app architecture; see Detection Method for Intune Win32 App. In this example, the rule checks that a registry value string equals the expected value.
You can also specify app dependencies where the applications must be installed before your Win32 app can be installed.
In the scope tag section, you shall get an option to Configure scope tags for this Windows App Win32 application.
Under Assignments, in Included groups, click Add groups and then choose Select groups to include one or more groups to which you want to deploy the app. Click Next to continue.
You will see the details you provided during the application creation process. Review your settings and select Create to add the app to Intune.
Once you proceed to create, you will see the status Uploading is in progress. How long the upload takes depends on the size of the application and the speed of your internet connection.
Please wait for the upload to complete; you can check the progress by clicking the Notification icon. Once the Intune package has finished uploading, you will get the status “Upload finished.”
End Users Experience – Intune Company Portal
Your groups will receive the targeted application when the devices check in with the Intune service and the policy applies to the device.
On the client machine, in the Company Portal, you can click on the app to track the details and check the progress. Here you can see that the CrowdStrike Falcon Sensor is installed successfully.
Monitor CrowdStrike Windows Sensor Deployment
Once the application installation starts, the “Detection rule” is evaluated. Checks are performed against the configured rules, and the app “Install command” is triggered.
You can track the details logged in IntuneManagementExtension.log, located at C:\ProgramData\Microsoft\IntuneManagementExtension\Log. This log tracks the application activity on client devices. You can go through the article on Intune Win32 App Issues Troubleshooting for more details.
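To read that log without opening it line by line, the following PowerShell parses its CMTrace-style entries and keeps the ones that mention the sensor or carry a warning or error. This is an added example, not part of the original post; the search terms are assumptions, and the two sample entries are constructed for illustration and are not real IME output.

```powershell
# Added example: summarise Win32 app activity from IntuneManagementExtension.log.
param(
    [string]$LogPath = 'C:\ProgramData\Microsoft\IntuneManagementExtension\Log\IntuneManagementExtension.log',
    [string]$Match   = 'CrowdStrike|WindowsSensor'   # assumed search terms
)

# Constructed sample entries, used only when the log file is not present.
$sample = @'
<![LOG[[Win32App] Detection rule evaluated for app CrowdStrike Sensor: not detected]LOG]!><time="10:15:02.1234567" date="1-15-2024" component="IntuneManagementExtension" context="" type="1" thread="12" file="">
<![LOG[[Win32App] Installer for CrowdStrike Sensor exited with
code 1603]LOG]!><time="10:16:40.7654321" date="1-15-2024" component="IntuneManagementExtension" context="" type="3" thread="12" file="">
'@

$raw = if (Test-Path -LiteralPath $LogPath) {
    Get-Content -LiteralPath $LogPath -Raw
} else {
    $sample
}

# (?s) lets one message span several lines, which entries in this log can do.
$pattern  = '(?s)<!\[LOG\[(?<msg>.*?)\]LOG\]!><time="(?<time>[^"]+)" date="(?<date>[^"]+)" component="(?<comp>[^"]*)" context="[^"]*" type="(?<type>\d)"'
$severity = @{ '1' = 'Info'; '2' = 'Warning'; '3' = 'Error' }   # CMTrace type codes

$entries = foreach ($m in [regex]::Matches($raw, $pattern)) {
    [pscustomobject]@{
        Date      = $m.Groups['date'].Value
        Time      = ($m.Groups['time'].Value -split '\.')[0]   # drop fractional seconds
        Severity  = $severity[$m.Groups['type'].Value]
        Component = $m.Groups['comp'].Value
        Message   = ($m.Groups['msg'].Value -replace '\s+', ' ').Trim()
    }
}

# Show entries about the sensor, plus every warning or error in the log.
$entries |
    Where-Object { $_.Message -match $Match -or $_.Severity -ne 'Info' } |
    Format-Table Date, Time, Severity, Message -Wrap
```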
Where does Intune download applications before it installs them on a Windows device? This is the Intune cache folder location. Below are the 3 Intune Management Extension Agent working folders. We will go through the purpose of these folders in detail.
To monitor the application installation from Intune Portal, select the application, and here you can check the device and user check-in status. If you click on Device install status, additional details are displayed.
Validate CrowdStrike Installation Status from Control Panel
To check whether the CrowdStrike application has been installed successfully, open Control Panel > Programs and Features and confirm that CrowdStrike Windows Sensor is installed. You have successfully deployed CrowdStrike using Intune.
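The Programs and Features check can be scripted, and the same script can serve as a custom detection script in place of the manually configured detection rule described earlier. The following PowerShell is an added example, not part of the original post; the display name is the one shown in Programs and Features above, and the service name CSFalconService is an assumption to confirm on an installed device.

```powershell
# Added example: detect the sensor the way Programs and Features lists it.
# As an Intune custom detection script, "exit 0 with output on STDOUT" means
# detected; a non-zero exit or no output means not detected.
$DisplayName = 'CrowdStrike Windows Sensor'   # name shown in Programs and Features
$ServiceName = 'CSFalconService'              # assumption: sensor service name

# Uninstall entries can live in the 64-bit or the 32-bit registry view.
$uninstallRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

$entry = Get-ItemProperty -Path $uninstallRoots -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -eq $DisplayName } |
    Select-Object -First 1

if (-not $entry) {
    # No output and a non-zero exit: the app is reported as not installed.
    exit 1
}

# A registered product whose service is stopped is not protecting the device,
# so surface it as not detected rather than as a healthy install.
$service = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
if (-not $service -or $service.Status -ne 'Running') {
    exit 1
}

Write-Output "Detected $($entry.DisplayName) $($entry.DisplayVersion); service $ServiceName is running"
exit 0
```

When used as a detection script, set "Run script as 32-bit process on 64-bit clients" to No so the 64-bit registry view is read.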
Troubleshooting Win32 App References
For troubleshooting Intune client-side events, you can refer to three logs in case you experience any issue while deploying CrowdStrike using Intune.
- IntuneManagementExtension.log: Tracks the Intune Management extension component events.
- AgentExecutor.log: Tracks any PowerShell execution events.
- ClientHealth.log: Track client-health related events.
To learn more, see Intune Win32 App Troubleshooting Client-Side Process Flow. For a deeper dive, see the Intune Management Extension (IME) Level 3 Troubleshooting Guide.