Installing the CrowdStrike Falcon Sensor for Windows

 


NOTE: This software is NOT intended for use on computers that are NOT owned by Duke University or Duke Health. Please do NOT install this software on personally-owned devices. Installing this software on a personally-owned device will place the device under Duke policies and under Duke control.

You can install the CrowdStrike Falcon Sensor for Windows by completing these steps.

  1. Download the latest Falcon Sensor installer from Duke Software Licensing or Duke OIT SSI OneGet (accessible only from the Duke network).

  2. Run the installer, accepting the license agreement and entering the appropriate "Customer ID with Checksum" (available from the link below) when prompted.

After installation, the sensor runs silently with no visible user interface.

Verifying sensor installation

To validate that the Falcon sensor for Windows is running on a host, run this command at a command prompt:

sc.exe query csagent

The following output will appear if the sensor is running:

SERVICE_NAME: csagent
TYPE               : 2  FILE_SYSTEM_DRIVER
STATE              : 4  RUNNING
                       (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
WIN32_EXIT_CODE    : 0  (0x0)
SERVICE_EXIT_CODE  : 0  (0x0)
CHECKPOINT         : 0x0
WAIT_HINT          : 0x0

If you do not see output similar to this, please see Troubleshooting the CrowdStrike Falcon Sensor for Windows.
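For checking many hosts, the same verification can be scripted. The following PowerShell is an added example, not part of the original article or of CrowdStrike's tooling; the function names ConvertFrom-ScQuery and Test-FalconSensor are hypothetical, and the sample input is the "running" output shown above.

```powershell
# Added example: classify `sc.exe query csagent` output as healthy or not.

function ConvertFrom-ScQuery {
    # Turn the "KEY : value" lines printed by sc.exe into properties on one object.
    param([string[]]$Lines)
    $info = [ordered]@{}
    foreach ($line in $Lines) {
        if ($line -match '^\s*([A-Z0-9_]+)\s*:\s*(.+?)\s*$') {
            $info[$Matches[1]] = $Matches[2]
        }
    }
    [pscustomobject]$info
}

function Test-FalconSensor {
    param(
        # Captured sc.exe output for offline checks; when omitted, sc.exe runs locally.
        [string[]]$ScOutput
    )
    if (-not $PSBoundParameters.ContainsKey('ScOutput')) {
        $ScOutput = & sc.exe query csagent
        if ($LASTEXITCODE -eq 1060) {
            # 1060 = ERROR_SERVICE_DOES_NOT_EXIST: no csagent service on this host
            return [pscustomobject]@{ Healthy = $false; State = 'NOT_INSTALLED'; Win32ExitCode = $null }
        }
    }
    $svc = ConvertFrom-ScQuery -Lines $ScOutput
    # STATE looks like "4  RUNNING": numeric code first, then the state name
    $code = -1
    $name = 'UNKNOWN'
    if ("$($svc.STATE)" -match '^(\d+)\s+(\S+)') {
        $code = [int]$Matches[1]
        $name = $Matches[2]
    }
    [pscustomobject]@{
        Healthy       = ($svc.SERVICE_NAME -eq 'csagent' -and $code -eq 4)
        State         = $name
        Win32ExitCode = $svc.WIN32_EXIT_CODE
    }
}

# Sample input: the "running" output from this article, used for an offline check
$sample = @'
SERVICE_NAME: csagent
TYPE               : 2  FILE_SYSTEM_DRIVER
STATE              : 4  RUNNING
WIN32_EXIT_CODE    : 0  (0x0)
'@ -split '\r?\n'

Test-FalconSensor -ScOutput $sample   # offline: parses the sample above
Test-FalconSensor                     # live: queries csagent on this host
```

The Healthy property can drive a deployment tool's pass/fail result. On a master image installed with NO_START=1 the sensor has not started, so a non-running result is expected there.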

Advanced Installation Options

Tamper Protection and Uninstalling the Falcon Sensor

Duke's CrowdStrike Falcon Sensor for Windows policies have Tamper Protection enabled by default. With Tamper Protection enabled, the CrowdStrike Falcon Sensor for Windows cannot be uninstalled or manually updated without providing a computer-specific "maintenance token". If you need a maintenance token to uninstall an operating sensor or to attempt an upgrade of a non-functional sensor, please contact your Security Office for assistance.

Automated installation

To automate silent installations using the installer and customer ID from above, use the following command:

<installer_filename> /install /quiet /norestart CID=<Customer ID with Checksum>

Configuring a proxy

By default, the Falcon sensor for Windows automatically attempts to use any available proxy connections when it connects to the CrowdStrike cloud. If your hosts do not have a system-wide proxy configured, use the APP_PROXYNAME and APP_PROXYPORT parameters to allow the Falcon sensor to reach the Internet:

<installer_filename> /install CID=<Customer ID with Checksum> APP_PROXYNAME=<proxy FQDN or IP> APP_PROXYPORT=<Proxy server port>

Computers on the Duke University network can use proxy-sec.oit.duke.edu:3128, which only allows proxy connections to Duo and CrowdStrike servers.

Preparing a host as a master image/template

If you're preparing a host as a "master" device for cloning or virtualization, you must install the software using the NO_START parameter so that it does not start before capturing your image.

<installer_filename> /install CID=<Customer ID with Checksum> NO_START=1

After installation, the sensor will not attempt to communicate with the CrowdStrike cloud and will therefore not be assigned an Agent ID. DO NOT REBOOT THE HOST! It will attempt to communicate with the CrowdStrike cloud on reboot. Instead, shut down the host and capture your image or convert it into a template.

Need assistance?

If you have questions or issues that Troubleshooting the CrowdStrike Falcon Sensor for Windows doesn't address, please submit a ServiceNow case to "Device Engineering - OIT" or send an email to oitderequest@duke.edu.

Article number: KB0035334

Valid to: November 13, 2024