
Windows - Software Lifecycle - Download and Install Crowdstrike Sensor

Downloads and installs the latest CrowdStrike Falcon sensor using the CrowdStrike API with OAuth2 authentication

Worklet Details

What the CrowdStrike sensor installer does

This Automox Worklet™ deploys the CrowdStrike Falcon sensor on Windows endpoints through direct API integration. The Worklet connects to the CrowdStrike API using OAuth2 credentials, queries for the latest Windows sensor installer available in your specified region, downloads the installer to the Automox cache, and executes a silent installation.

The Worklet supports all CrowdStrike regional deployments including US-1, US-2, EU-1, and US-GOV-1. It uses the Automox WDK module to detect whether the sensor is already present before attempting installation. The installation process includes the Customer ID (CID) parameter to associate the sensor with your Falcon tenant automatically.

The Worklet retrieves sensor metadata using the SHA256 hash identifier to validate the correct installer version. Installation runs with standard silent parameters, including the /install, /quiet, and /norestart flags. The process waits up to 300 seconds for installation to complete and validates the exit code to confirm successful deployment.

Why deploy CrowdStrike through Automox

Manual sensor deployment requires downloading installers, distributing them to endpoints, and tracking installation status across your infrastructure. This approach creates version inconsistencies when new sensor releases become available. Automating deployment through Automox eliminates manual distribution steps and provides centralized visibility into sensor installation status.

The API-driven approach guarantees you always deploy the latest sensor version available for your region. You avoid storing sensitive installers on network shares or managing local file distributions. The Worklet handles API authentication, version checking, and installation validation automatically.

Organizations with compliance requirements benefit from automated sensor deployment that maintains consistent endpoint protection. The Worklet provides audit trails through Automox reporting while CrowdStrike Falcon tracks sensor registration. You reduce the time between onboarding new endpoints and achieving full security coverage.

How CrowdStrike sensor deployment works

  1. Evaluation phase: The Worklet imports the Automox WDK module and queries installed applications using Get-Win32App. It searches for the 'Crowdstrike Windows Sensor' by name. If the sensor is already installed, the endpoint is marked compliant and no further action occurs. If the sensor is not detected, the Worklet flags the endpoint for remediation.

  2. Remediation phase: The Worklet sends an OAuth2 token request to the CrowdStrike API using your client ID and secret. After receiving an access token, it queries the /sensors/combined/installers/v1 endpoint filtered for Windows platform and sorted by version descending to retrieve the latest sensor's SHA256 hash. The Worklet downloads the installer to the Automox cache directory, then executes it with silent installation arguments including your Customer ID (CID). The process monitors installation for up to 300 seconds and validates the exit code (0, 3010, or 1641) to confirm successful deployment.
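
The final part of the remediation phase, as an added example that is not the Worklet's own code: it checks the downloaded file before running it, applies the 300-second limit, and maps the exit codes listed above. The function name `Install-VerifiedSensor` and its parameters are hypothetical, and the file-digest comparison and Authenticode check are additions this page does not describe; the `CID=` argument form is assumed from CrowdStrike's installer syntax.

```powershell
# Added example; function and parameter names are hypothetical.
function Install-VerifiedSensor {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $InstallerPath,   # file already downloaded to the cache
        [Parameter(Mandatory)] [string] $ExpectedSha256,  # sha256 value from the installer metadata
        [Parameter(Mandatory)] [string] $Cid,             # Customer ID (crowdstrikeCID secret)
        [int] $TimeoutSeconds = 300                       # limit stated on this page
    )

    if (-not (Test-Path -LiteralPath $InstallerPath -PathType Leaf)) {
        throw "Installer not found: $InstallerPath"
    }

    # Refuse to execute a file whose digest differs from the one the API reported.
    $actual = (Get-FileHash -LiteralPath $InstallerPath -Algorithm SHA256).Hash
    if ($actual -ne $ExpectedSha256.Trim()) {   # -ne compares strings case-insensitively
        Remove-Item -LiteralPath $InstallerPath -Force
        throw "SHA256 mismatch: expected $ExpectedSha256, got $actual"
    }

    # Independent second check: the binary must carry a valid Authenticode signature.
    $sig = Get-AuthenticodeSignature -LiteralPath $InstallerPath
    if ($sig.Status -ne 'Valid') {
        throw "Authenticode status is '$($sig.Status)', refusing to run"
    }

    # The CID is passed as an argument only; it is never written to output.
    $proc = Start-Process -FilePath $InstallerPath -PassThru `
        -ArgumentList '/install', '/quiet', '/norestart', "CID=$Cid"
    $null = $proc.Handle   # cache the handle so ExitCode stays readable after exit

    # Bounded wait instead of blocking the agent indefinitely.
    if (-not $proc.WaitForExit($TimeoutSeconds * 1000)) {
        throw "Installer did not finish within $TimeoutSeconds seconds"
    }

    switch ($proc.ExitCode) {
        0       { return 'Installed' }
        3010    { return 'InstalledRestartRecommended' }
        1641    { return 'InstalledRestartRecommended' }
        default { throw "Installer failed with exit code $($proc.ExitCode)" }
    }
}
```

Run it from an elevated session, passing the sha256 value returned by the installer metadata query as `-ExpectedSha256`.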

CrowdStrike sensor installation requirements

  • Windows Server 2016 or later, Windows 10, or Windows 11 endpoints

  • CrowdStrike API credentials with Sensor Download - Read permission configured in the Falcon console

  • Four Automox Shared Secrets configured: crowdstrikeRegion (US-1, US-2, EU-1, or US-GOV-1), crowdstrikeClientId, crowdstrikeClientSecret, and crowdstrikeCID

  • HTTPS connectivity to the CrowdStrike API endpoint for your region (TLS 1.2 required)

  • Automox WDK module available at ${ENV:ProgramFiles(x86)}\Automox\WDK\WDK.psm1

  • Administrator privileges on the target endpoint for sensor installation

Expected endpoint state after sensor deployment

After successful remediation, the CrowdStrike Windows Sensor appears in the installed applications list on the endpoint. The sensor registers with your CrowdStrike Falcon tenant using the Customer ID provided during installation. You can verify deployment by checking the Falcon console for the new sensor registration or by running Get-Win32App on the endpoint to confirm the sensor is present.

The sensor begins communicating with the CrowdStrike cloud platform and starts monitoring endpoint activity according to your Falcon prevention policies. Installation completes without requiring a restart when exit code 0 is returned. Exit codes 3010 or 1641 indicate a restart is recommended but installation succeeded. The Automox Worklet reports completion status, and subsequent evaluation runs show the endpoint as compliant.

How to validate the CrowdStrike sensor download and install changes

  1. Run this Worklet on a pilot Windows endpoint and review the evaluation output for the CrowdStrike sensor download and install.

  2. Confirm Automox activity logs show successful completion and exit code 0.

  3. Verify the endpoint state with checks that match the evaluation script logic, such as Secrets-Management, US-GOV, and Install-CsSensor.

  4. Validate the remediation effects of script operations such as Secrets-Management, US-GOV, and Install-CsSensor, then rerun the evaluation to confirm compliance.


Consider Worklets your easy button

What's a Worklet?

A Worklet is an automation script, written in Bash or PowerShell, designed for seamless execution on endpoints – at scale – within the Automox platform. Worklet automation scripts perform configuration, remediation, and the installation or removal of applications and settings across Windows, macOS, and Linux.
