Windows - Software Lifecycle - Download and Install Crowdstrike Sensor

Deploys the latest CrowdStrike Falcon sensor to Windows endpoints using the CrowdStrike API and your Customer ID

Worklet Details

What the CrowdStrike Falcon sensor deployer does

This Automox Worklet™ deploys the CrowdStrike Falcon sensor on Windows endpoints through direct API integration with the Falcon platform. The Worklet authenticates to the CrowdStrike API with OAuth2 client credentials, queries the /sensors/combined/installers/v1 endpoint for the latest Windows installer, downloads that installer to the Automox Worklet cache, and runs it silently with your Customer ID (CID) passed on the command line.

Four CrowdStrike regional clouds are supported: US-1 (api.crowdstrike.com), US-2 (api.us-2.crowdstrike.com), EU-1 (api.eu-1.crowdstrike.com), and US-GOV-1 (api.laggar.gcw.crowdstrike.com). The Worklet pulls the matching base URL from the crowdstrikeRegion shared secret, so the same policy can target any tenant without code edits. TLS 1.2 is set explicitly on the System.Net.ServicePointManager before any web call to satisfy the CrowdStrike API requirement.

Before remediation runs, the Worklet imports the Automox WDK module from ${ENV:ProgramFiles(x86)}\Automox\WDK\WDK.psm1 and calls Get-Win32App to look for an installed application whose name matches Crowdstrike Windows Sensor (a case-insensitive -Match, so the product's CrowdStrike capitalization is found). If the sensor is already present, evaluation exits 0 and the endpoint is marked compliant. If it is missing, evaluation exits 2 and the remediation script is scheduled to run.

The remediation function Install-CsSensor reads the SHA256 hash of the latest installer from the installer listing, downloads the binary from /sensors/entities/download-installer/v1?id=<sha256>, and runs it with /install /quiet /norestart CID=<your-cid-with-checksum>. The installer process is waited on for up to 300 seconds. Exit codes 0, 3010, and 1641 are treated as success: 3010 (ERROR_SUCCESS_REBOOT_REQUIRED) means a restart is needed to finish the install, and 1641 (ERROR_SUCCESS_REBOOT_INITIATED) means the installer has started one. Any other exit code throws and the Worklet exits 89.

Why deploy CrowdStrike Falcon at fleet scale

An endpoint is either under Falcon's prevention and detection policies or it is not. A laptop with no sensor is invisible to those policies, which means every dwell-time and mean-time-to-respond figure the security stack reports silently assumes a fleet that is already fully instrumented. A workstation that drops off the sensor inventory, a server built from a base image that predates the rollout, or a contractor laptop that joined after the initial deployment wave each creates a blind spot that no console alert will surface. Manual installer distribution does not scale past a few hundred endpoints, and staging sensor binaries on network shares creates a supply-chain problem of its own: anyone who can write to the share can replace the installer.

The gaps that drive a CrowdStrike rollout are usually the long tail of contractor laptops, kiosk machines, and refurbished images that never ran the Configuration Manager onboarding task. This Worklet pulls the current Falcon installer directly from CrowdStrike's API, registers each endpoint to your tenant with the CID you specify, and leaves the installed-application record that the next evaluation checks, so Automox confirms on every subsequent run that the sensor stayed installed.

How Falcon sensor deployment works

  1. Evaluation phase: The Worklet imports the Automox WDK module from ${ENV:ProgramFiles(x86)}\Automox\WDK\WDK.psm1, then runs Get-Win32App | Where-Object { $_.Name -Match 'Crowdstrike Windows Sensor' }. A match exits 0 and marks the endpoint compliant. No match exits 2 and schedules remediation. The evaluation step never modifies the endpoint, so it is safe to run on a recurring policy across mixed-state fleets.

  2. Remediation phase: The Install-CsSensor function maps crowdstrikeRegion to a base API URL, POSTs to /oauth2/token with the client_id and client_secret, and parses the access_token from the JSON response. It then issues a GET to /sensors/combined/installers/v1 with the query parameters offset=0, limit=1, sort=version|desc, and filter=platform:windows, sending the access token as a Bearer token in the Authorization header, to retrieve the SHA256 hash of the latest Windows installer. That hash is the id passed to /sensors/entities/download-installer/v1, and the installer is downloaded to the Worklet cache directory returned by Get-AutomoxCache and saved as CrowdStrikeWindowsSensor.exe. Start-Process launches the installer with the arguments /install /quiet /norestart CID=<cid-with-checksum>. Wait-Process holds for up to 300 seconds. Exit codes 0, 3010, and 1641 are accepted as success; anything else throws and the Worklet exits 89.
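The two phases above, as an added example written for this page rather than the Worklet's own code. It follows the remediation steps described and adds the check a supply-chain-minded operator wants before executing a freshly downloaded binary: the file's SHA256 is compared with the hash the API published, and the Authenticode signature must be valid. Install-CsSensor, Get-AutomoxCache and the API paths are taken from the page; Resolve-InstallerExitCode, the $crowdstrike* variable names (the page does not say how shared secrets are injected), the 32-hex-plus-checksum CID format check, the quoting of the FQL filter value, and the signer-subject check are assumptions.

```powershell
# Added example, not the Worklet's own code. Implements the remediation flow above and adds
# an integrity check on the downloaded installer. Windows PowerShell 5.1, run as SYSTEM/admin.
#Requires -Version 5.1

# Maps installer exit codes to the page's contract: 0 and the two MSI "success, reboot" codes pass.
function Resolve-InstallerExitCode {
    param([Parameter(Mandatory)][int]$ExitCode)
    switch ($ExitCode) {
        0    { return [pscustomobject]@{ Success = $true; RebootRequired = $false; Note = 'Installed' } }
        3010 { return [pscustomobject]@{ Success = $true; RebootRequired = $true;  Note = 'ERROR_SUCCESS_REBOOT_REQUIRED' } }
        1641 { return [pscustomobject]@{ Success = $true; RebootRequired = $true;  Note = 'ERROR_SUCCESS_REBOOT_INITIATED' } }
        default { throw "Falcon installer exited with $ExitCode" }
    }
}

function Install-CsSensor {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][ValidateSet('US-1', 'US-2', 'EU-1', 'US-GOV-1')][string]$Region,
        [Parameter(Mandatory)][string]$ClientId,
        [Parameter(Mandatory)][string]$ClientSecret,
        # CID with checksum: 32 hex characters, a dash, 2 hex characters (assumed format).
        [Parameter(Mandatory)][ValidatePattern('^[0-9A-Fa-f]{32}-[0-9A-Fa-f]{2}$')][string]$Cid,
        [Parameter(Mandatory)][string]$CacheDir,
        [int]$ProcessWaitTimeout = 300
    )

    $baseUrl = @{
        'US-1'     = 'https://api.crowdstrike.com'
        'US-2'     = 'https://api.us-2.crowdstrike.com'
        'EU-1'     = 'https://api.eu-1.crowdstrike.com'
        'US-GOV-1' = 'https://api.laggar.gcw.crowdstrike.com'
    }[$Region]

    # The Falcon API requires TLS 1.2; set it before the first web call.
    [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

    # 1. OAuth2 client-credentials grant (form-encoded body). A 401 here means a bad ID or secret.
    $tokenResponse = Invoke-RestMethod -Method Post -Uri "$baseUrl/oauth2/token" `
        -ContentType 'application/x-www-form-urlencoded' `
        -Body @{ client_id = $ClientId; client_secret = $ClientSecret }
    $headers = @{ Authorization = "Bearer $($tokenResponse.access_token)" }

    # 2. Newest Windows installer. FQL string values are quoted, so the filter is URL-encoded.
    $query = 'offset=0&limit=1&sort=version%7Cdesc&filter=' +
             [Uri]::EscapeDataString('platform:"windows"')
    $listing = Invoke-RestMethod -Method Get -Headers $headers `
        -Uri "$baseUrl/sensors/combined/installers/v1?$query"
    if (-not $listing.resources) { throw 'No Windows installer returned by the installers endpoint' }
    $meta = $listing.resources[0]

    # 3. Download by SHA256 id. The same hash is the integrity reference for the bytes on disk.
    $installer = Join-Path $CacheDir 'CrowdStrikeWindowsSensor.exe'
    Invoke-WebRequest -UseBasicParsing -Headers $headers -OutFile $installer `
        -Uri "$baseUrl/sensors/entities/download-installer/v1?id=$($meta.sha256)"

    # 4. Refuse to run a binary that does not match the published hash or is not validly signed.
    $actual = (Get-FileHash -Algorithm SHA256 -Path $installer).Hash
    if ($actual -ine $meta.sha256) {
        Remove-Item $installer -Force
        throw "SHA256 mismatch: API reported $($meta.sha256), file is $actual"
    }
    $sig = Get-AuthenticodeSignature -FilePath $installer
    # Assumption: the installer's Authenticode signer subject contains "CrowdStrike".
    if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'CrowdStrike') {
        Remove-Item $installer -Force
        throw "Authenticode check failed: status $($sig.Status), subject $($sig.SignerCertificate.Subject)"
    }

    # 5. Silent install with the CID. /norestart leaves the reboot decision with the operator.
    $proc = Start-Process -FilePath $installer -PassThru `
        -ArgumentList "/install /quiet /norestart CID=$Cid"
    $null = $proc.Handle   # cache the handle so ExitCode is readable after the process exits
    $proc | Wait-Process -Timeout $ProcessWaitTimeout -ErrorAction SilentlyContinue
    if (-not $proc.HasExited) { throw "Installer still running after $ProcessWaitTimeout seconds" }
    if ($null -eq $proc.ExitCode) { throw 'Installer exit code unavailable' }
    Resolve-InstallerExitCode -ExitCode $proc.ExitCode
}

# Worklet-style entry point. Assumption: the harness exposes the four shared secrets as the
# variables below; Get-AutomoxCache comes from the WDK, with $env:TEMP as a fallback for testing.
try {
    $cache = if (Get-Command Get-AutomoxCache -ErrorAction SilentlyContinue) { Get-AutomoxCache } else { $env:TEMP }
    $result = Install-CsSensor -Region $crowdstrikeRegion -ClientId $crowdstrikeClientId `
        -ClientSecret $crowdstrikeClientSecret -Cid $crowdstrikeCID -CacheDir $cache
    if ($result.RebootRequired) { Write-Output "Sensor installed; restart pending ($($result.Note))" }
    exit 0
} catch {
    Write-Error $_
    exit 89
}
```

The hash comparison costs one extra read of the file and closes the gap between "the API told me which installer is current" and "the bytes I am about to execute as SYSTEM are that installer". Wait-Process with -Timeout does not kill the installer on expiry, so the HasExited check is what turns a hung install into an exit 89 instead of a false success.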

Falcon sensor deployment requirements

  • Windows Server 2016, 2019, 2022, Windows 10, or Windows 11 endpoint enrolled in Automox

  • CrowdStrike API client in the Falcon console with Sensor Download – Read permission

  • Four Automox Shared Secrets configured with the exact key names: crowdstrikeRegion (US-1, US-2, EU-1, or US-GOV-1), crowdstrikeClientId, crowdstrikeClientSecret, crowdstrikeCID (the Customer ID including its checksum)

  • Outbound HTTPS / TLS 1.2 reachability to the matching CrowdStrike regional API host (api.crowdstrike.com, api.us-2.crowdstrike.com, api.eu-1.crowdstrike.com, or api.laggar.gcw.crowdstrike.com)

  • Automox WDK module present at ${ENV:ProgramFiles(x86)}\Automox\WDK\WDK.psm1 (installed by default on agents running schema_version 2.0.0 Worklets)

  • SYSTEM-level execution on the target endpoint, which the Automox agent provides automatically

  • At least 300 seconds of allowable runtime for the installer (the default ProcessWaitTimeout); slow or low-spec endpoints may need this raised in the remediation script

Expected endpoint state after Falcon sensor deployment

After a successful remediation run, CrowdStrike Windows Sensor appears in the installed applications list returned by Get-Win32App, the CSFalconService Windows service is registered and set to Automatic start, and the csagent kernel driver is loaded. Validate from an elevated PowerShell session with Get-Service CSFalconService – the StartType should report Automatic and the Status should report Running. Confirm the agent ID and registration state by running CSSensorSettings.exe /a from $env:ProgramFiles\CrowdStrike, or, on older builds, by reading the csagent registry hive at HKLM:\SYSTEM\CurrentControlSet\Services\CSAgent\Sim for the AG and CU values.
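The post-install checks in the paragraph above, gathered into one function as an added example (not CrowdStrike's or Automox's code). It reads the CSFalconService state, asks WMI whether the CSAgent driver is running, and decodes the AG and CU values from the CSAgent\Sim key; the conversion of those REG_BINARY values to hex, the comparison of CU against the first 32 characters of the CID, and the use of $crowdstrikeCID as the variable holding the shared secret are assumptions.

```powershell
# Added example, not the Worklet's own code: validate the endpoint state described above.
# Returns an object rather than printing so a monitoring Worklet can act on it. Run elevated.
function Test-CsSensorState {
    [CmdletBinding()]
    param(
        # CID as deployed, with or without the -XX checksum. Assumption: the registry CU value
        # holds the 32-hex CID without its checksum, so only that portion is compared.
        [ValidatePattern('^[0-9A-Fa-f]{32}(-[0-9A-Fa-f]{2})?$')][string]$ExpectedCid
    )

    $svc    = Get-Service -Name CSFalconService -ErrorAction SilentlyContinue
    # Kernel drivers are not returned by Get-Service; Win32_SystemDriver reports their state.
    $driver = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='CSAgent'" -ErrorAction SilentlyContinue
    $sim    = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\CSAgent\Sim' -ErrorAction SilentlyContinue

    # AG (agent ID) and CU (customer ID) are REG_BINARY; render them as lowercase hex (assumption).
    $toHex = { param($bytes) if ($bytes) { ($bytes | ForEach-Object { $_.ToString('x2') }) -join '' } }
    $aid = & $toHex $sim.AG
    $cu  = & $toHex $sim.CU

    # $null when no CID was supplied, so the check is skipped rather than failed.
    $cidMatches = if ($ExpectedCid) { $cu -ieq $ExpectedCid.Substring(0, 32) } else { $null }

    $checks = [ordered]@{
        ServiceInstalled = [bool]$svc
        ServiceAutomatic = ($svc.StartType -eq 'Automatic')
        ServiceRunning   = ($svc.Status -eq 'Running')
        DriverLoaded     = ($driver.State -eq 'Running')
        AgentIdPresent   = [bool]$aid
        CidMatches       = $cidMatches
    }
    # Healthy only when no check that applies came back $false.
    $failed  = @($checks.Values | Where-Object { $_ -eq $false }).Count
    [pscustomobject]@{
        Healthy    = ($failed -eq 0)
        AgentId    = $aid
        CustomerId = $cu
        Checks     = [pscustomobject]$checks
    }
}

# Worklet-style usage: exit 0 when healthy, 2 to flag the endpoint for remediation, mirroring the
# evaluation exit codes on this page. Assumption: $crowdstrikeCID holds the shared secret.
$state = Test-CsSensorState -ExpectedCid $crowdstrikeCID
$state | Format-List
if ($state.Healthy) { exit 0 } else { exit 2 }
```

Checking CU against the CID you intended to deploy catches the quiet failure mode where the installer succeeded but registered the host to the wrong tenant, which neither the service state nor the installed-application record will reveal.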

Exit code 0 from the Worklet means the installer returned 0 and no reboot is required. Exit codes 3010 and 1641 also indicate a successful install but a restart is needed to complete sensor initialization (with /norestart the Worklet does not trigger it); schedule the reboot for the next maintenance window. Exit code 89 means the remediation script threw: check the Worklet activity log for the inner exception, which is most often a 401 from /oauth2/token (bad client ID or secret), a 403 from the installer endpoints (API client missing the Sensor Download – Read scope), a network failure reaching the regional API host, or an installer exit code other than 0, 3010 or 1641. The next scheduled evaluation reports the endpoint compliant once the sensor is in place, and Automox does not re-install on subsequent runs. The endpoint then begins streaming telemetry to your Falcon tenant under the CID you registered.


What's a Worklet?

A Worklet is an automation script, written in Bash or PowerShell, designed for seamless execution on endpoints, at scale, within the Automox platform. Worklets deploy named-CVE mitigations within hours of disclosure, perform configuration and remediation tasks, and install or remove applications and settings across Windows, macOS, and Linux.
