Setup CrowdStrike on Windows

There are two ways to install the CrowdStrike EDR on Windows: manually via a graphical interface or automatically via the command line. If you want to deploy the EDR on a large scale using the automatic method, we recommend starting with a manual test installation on a few endpoints.

Executable and customer ID

  • Download the executable from this link.

  • Find your customer ID on the Endpoint page > Settings.

Manual method

Graphical method

  • Run the executable on the endpoint

  • Enter the customer ID in the Customer ID with Checksum field

  • Click Install

Console

  • Open a console on your endpoint

  • Enter the following command: <file_name>.exe /install /quiet /norestart CID=customer_ID, replacing customer_ID with your customer ID

Special cases

  • Adding tags: you can choose to add one or more tags to organize your installations (by site, country, entity, etc.). In this case, use the following command: <file_name>.exe /install /quiet /norestart CID=customer_ID GROUPING_TAGS="INSERT_TAGS_HERE". You can specify multiple tags by separating them with commas.

  • Deploying the EDR on a temporarily offline machine: add the ProvNoWait=1 option to the command. Note that the CrowdStrike EDR still requires an internet connection to function correctly, particularly to send detected alerts.

Automatic method

Via GPO

  1. Place the executable in a directory accessible from all workstations

    1. Retrieve the CrowdStrike executable

    2. Place the file on a server accessible from all workstations, for example, the file server. Note the path, for example, \\ServerName\SharedFolder\Crowdstrike\<file_name>.exe

  2. Create the installation script

    1. Create a new text file, for example with Notepad++, and save it as InstallCrowdStrike.bat

    2. Enter the commands to execute, as indicated in the Console section. Note: You must specify the entire path to the executable. For example, the command could be: \\ServerName\SharedFolder\Crowdstrike\<file_name>.exe /install /quiet /norestart CID=customer_ID, replacing customer_ID with your customer ID

  3. Create a GPO to run the script

    1. Open the Group Policy Management Console (GPMC): Windows + R > gpmc.msc and press Enter

    2. Right-click the container where you want to apply the GPO

    3. Click Create a new Group Policy Object in this domain and link it here, and give it a name (for example, CrowdStrike Deployment)

    4. Add the script:

      1. Copy the script to the folder \\<server_name>\SysVol\<domain_name>\Policies\<GPO_GUID>\Machine\Scripts\Startup so that it is accessible to everyone

      2. Return to the Group Policy Management Console (GPMC), right-click the new GPO, and select Edit

      3. Go to Computer configuration > Policies > Windows settings > Scripts (Startup/Shutdown)

      4. Double-click Startup, and then click Add

      5. In the window that opens, click Browse, and then select the previously written InstallCrowdStrike.bat script.

  4. Apply the GPO

    1. Ensure that the GPO is correctly linked to the appropriate container

    2. Use gpupdate /force on a domain controller to force the policy update

    3. Verify the application:

      1. Restart a target machine to trigger the script

      2. Run the command gpresult /h gpresults.html and verify that your new GPO is present on the machine

      3. Verify that CrowdStrike is installed and operational on this machine

In case of problems: consult the startup script log file on the client machines: C:\Windows\Debug\StartupLog.txt
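
A startup script linked by GPO runs at every boot, so the one-line script from step 2 launches the installer each time. The following version of InstallCrowdStrike.bat is an added example, not CrowdStrike's or this page's own script: it skips machines where the csagent service already exists, checks that the share is reachable, and logs the outcome. The log path and the exit codes 1 and 2 are assumptions; the share path, file_name.exe and customer_ID are the page's placeholders.

```bat
@echo off
rem InstallCrowdStrike.bat - added example of a re-runnable startup script.
setlocal

rem Placeholders: replace with your share path, file name and customer ID.
set "INSTALLER=\\ServerName\SharedFolder\Crowdstrike\file_name.exe"
set "CID=customer_ID"
rem Assumed log location; any folder writable by SYSTEM works.
set "LOG=%SystemRoot%\Temp\InstallCrowdStrike.log"

rem Startup scripts run at every boot, so stop here if the sensor
rem service already exists (sc query returns 0 only when it does).
sc query csagent >nul 2>&1
if not errorlevel 1 (
    >>"%LOG%" echo %DATE% %TIME% csagent already present, skipping install
    exit /b 0
)

rem The share may be unreachable if the network is not up yet at boot.
if not exist "%INSTALLER%" (
    >>"%LOG%" echo %DATE% %TIME% installer not reachable: "%INSTALLER%"
    exit /b 2
)

"%INSTALLER%" /install /quiet /norestart CID=%CID%
set "RC=%ERRORLEVEL%"
>>"%LOG%" echo %DATE% %TIME% installer exit code: %RC%

rem Confirm the result with the same check as the Debugging section.
sc query csagent | find "RUNNING" >nul
if errorlevel 1 (
    >>"%LOG%" echo %DATE% %TIME% csagent is not running after install
    if "%RC%"=="0" set "RC=1"
)
exit /b %RC%
```

Startup scripts run as SYSTEM, so keep the installer share and the script itself writable by administrators only.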

Via MDM (Intune or NinjaOne)

For Intune:

  1. Download the necessary components

    1. Download the CrowdStrike executable from this link

  2. Open the Win32 Content Prep Tool

    1. Add the .exe file

    2. Enter the following command: file_name.exe /install /quiet /norestart CID=customer_ID. (This is the startup script previously written.) Replace file_name.exe with the actual filename and customer_ID with your CrowdStrike CID.

  3. Download the generated file named .intunewin

  4. Deploy

    1. Log in to Intune Admin Center (intune.microsoft.com)

    2. Import the .intunewin file

    3. Assign it to your computer groups

    4. The installation will be performed automatically on the target machines.

For NinjaOne:

Opening network traffic

If network traffic is blocked (for example, on an isolated local network), the following IP addresses and domain names must be allowed for outbound traffic:


IPv6 addresses to allow:

  • 2a05:d014:45e:4e00::/56 (allow all addresses between 2a05:d014:45e:4e00:0000:0000:0000:0000 and 2a05:d014:45e:4eff:ffff:ffff:ffff:ffff)


Domains to allow:

  • ts01-lanner-lion.cloudsink.net

  • lfoup01-lanner-lion.cloudsink.net

  • lfodown01-lanner-lion.cloudsink.net

The agent does not require open inbound ports: everything is done via secure outbound traffic to CrowdStrike.

Debugging

If you want to verify the EDR installation on a machine, you can run the following commands: sc query csagent and sc query csfalconservice.
