Deploying the CrowdStrike Falcon Sensor using Group Policy (GPO) allows administrators to install the sensor across multiple Windows endpoints without manual intervention. This method is ideal for organizations using Active Directory (AD) to centrally manage devices.
This guide covers how to deploy the Falcon Sensor silently via GPO using a startup script.
Requirements
- Active Directory (AD) domain controller with Group Policy Management.
- CrowdStrike Falcon Sensor installer (WindowsSensor.exe).
- Customer ID (CID) from the CrowdStrike Falcon Console.
- Administrator privileges on the domain controller.
Step 1: Download the CrowdStrike Falcon Sensor
- Log into the CrowdStrike Falcon Console
- Open a browser and go to https://falcon.crowdstrike.com.
- Sign in with your admin credentials.
- Navigate to the Sensor Downloads Page
- Click Host Setup and Management > Sensor Downloads.
- Download the Windows Sensor
- Select the Windows version and download the WindowsSensor.exe file.
- Place the Installer on a Network Share
- Copy WindowsSensor.exe to a network share accessible by all computers.
- Example: \\YourDomainController\Software\WindowsSensor.exe
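📌 Note: Ensure the share grants read and execute permissions to all domain-joined computers. Startup scripts run as the local SYSTEM account, so keep write access to the share limited to administrators.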
Step 2: Create a GPO for Falcon Sensor Deployment
- Open Group Policy Management
- Press Win + R, type gpmc.msc, and press Enter.
- Create a New Group Policy Object (GPO)
- Right-click Group Policy Objects and select New.
- Name the GPO Deploy CrowdStrike Falcon.
- Edit the GPO
- Right-click the new GPO and select Edit.
- Navigate to Computer Configuration > Policies > Windows Settings > Scripts (Startup/Shutdown).
- Double-click Startup and click Add.
- Add the Startup Script
- Click Browse, navigate to \\YourDomainController\Software, and create a new script file:
- Filename: InstallFalcon.bat
- Contents of InstallFalcon.bat (Replace YOUR-CUSTOMER-ID with the actual CID from the Falcon Console.)
@echo off
rem Run the sensor installer silently; CID registers the host to your Falcon tenant.
"\\YourDomainController\Software\WindowsSensor.exe" /install /quiet /norestart CID=YOUR-CUSTOMER-ID
- Save and Close the Script Window
- Click OK to apply the startup script.
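A hardened variant of the startup script, as an added example rather than CrowdStrike's or this guide's own code: it exits early on hosts where the csagent service already exists (startup scripts run at every boot) and checks the installer's Authenticode signature before running it as SYSTEM. The log path and the "CrowdStrike" signer-name match are assumptions; a .ps1 file like this is added on the PowerShell Scripts tab of the same Startup dialog.

```powershell
# Added example, not CrowdStrike's or this guide's own script.
# Share path and CID placeholder come from the guide; the log path is an assumption.
$Installer = '\\YourDomainController\Software\WindowsSensor.exe'
$Cid       = 'YOUR-CUSTOMER-ID'                 # replace with the CID from the Falcon Console
$Local     = Join-Path $env:SystemRoot 'Temp\WindowsSensor.exe'
$Log       = Join-Path $env:SystemRoot 'Temp\FalconDeploy.log'   # assumed log location

function Write-Log([string]$Message) {
    Add-Content -Path $Log -Value ('{0:s} {1}' -f (Get-Date), $Message)
}

# Startup scripts run at every boot, so exit early once the sensor service exists.
if (Get-Service -Name 'csagent' -ErrorAction SilentlyContinue) {
    Write-Log 'csagent service already present; skipping install.'
    exit 0
}

# Fail with a logged reason if the share is unreachable (network not ready, ACL problem).
if (-not (Test-Path -LiteralPath $Installer)) {
    Write-Log "Installer not reachable at $Installer"
    exit 1
}

# Copy first, then verify and run the local copy, so the file checked is the file executed.
Copy-Item -LiteralPath $Installer -Destination $Local -Force

# The script runs as SYSTEM: refuse anything without a valid Authenticode signature.
# Assumption: the signer subject contains "CrowdStrike"; confirm against your installer.
$sig = Get-AuthenticodeSignature -FilePath $Local
if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'CrowdStrike') {
    Write-Log "Signature check failed (status: $($sig.Status)); not installing."
    Remove-Item -LiteralPath $Local -Force
    exit 1
}

# Silent install with the guide's /quiet, /norestart and CID parameters;
# /install is the executable installer's own switch.
$proc = Start-Process -FilePath $Local -Wait -PassThru `
    -ArgumentList '/install', '/quiet', '/norestart', "CID=$Cid"
Write-Log "Installer exit code: $($proc.ExitCode)"
Remove-Item -LiteralPath $Local -Force -ErrorAction SilentlyContinue
exit $proc.ExitCode
```

The log file gives a per-host reason when a machine fails to appear in the Falcon Console.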
Step 3: Apply the GPO to Target Computers
- Link the GPO to the Appropriate Organizational Unit (OU)
- In Group Policy Management, right-click the OU containing the computers where Falcon should be installed.
- Click Link an Existing GPO, and select Deploy CrowdStrike Falcon.
- Force Group Policy Update on Clients
- Open Command Prompt as Administrator on a test workstation and run:
gpupdate /force
- Restart the workstation to apply the policy.
Step 4: Verify Falcon Sensor Installation
After rebooting, check if the Falcon Sensor is installed and running.
Option 1: Check Installed Programs
- Open Control Panel > Programs and Features.
- Look for CrowdStrike Falcon Sensor in the list.
Option 2: Check Windows Services
Run the following command in Command Prompt:
sc query csagent
If installed correctly, you should see:
STATE: RUNNING
Option 3: Verify in Falcon Console
- Log into CrowdStrike Falcon Console (https://falcon.crowdstrike.com).
- Navigate to Hosts > Host Management.
- Search for the computer name and check if its status is Connected.
📌 Note: It may take 5-10 minutes for new installations to appear in the Falcon Console.
Troubleshooting Installation Issues
1. GPO Does Not Apply on Target Computers
- Ensure the computers are in the correct OU where the GPO is linked.
- Run gpresult /r on a client machine to check if the policy is applied.
2. Falcon Sensor Fails to Install
- Ensure the installation file is accessible from the network share by testing:
\\YourDomainController\Software\WindowsSensor.exe
- Run the script manually on a test machine to check for errors.
3. Sensor Not Reporting to Falcon Console
- Check if the service is running:
sc query csagent
- Restart the machine and verify the Falcon sensor status.
Best Practices
✅ Test on a small group before deploying across all endpoints.
✅ Use Security Filtering to apply the GPO only to specific groups.
✅ Monitor sensor installation in the Falcon Console to ensure all machines are covered.