When deploying CrowdStrike Falcon via VM cloning, golden images, or master templates, you must properly prepare the master image to prevent duplicate Agent IDs. This guide walks through creating a Linux master image for CrowdStrike Falcon.
The Problem: Duplicate Agent IDs
Each Falcon sensor has a unique Agent ID (AID). If you clone a host with an existing AID:
- All clones share the same AID
- CrowdStrike treats them as one device
- Events from multiple hosts appear under one entry
- Host counts are inaccurate
- Incident response becomes impossible
Solution: Remove the AID before creating the master image. New AIDs are assigned automatically when clones first connect.
Step-by-Step: Creating a Master Image
Step 1: Prepare Your Base Image
- Set up your Linux VM with the desired OS configuration
- Install all required software and updates
- Configure system settings as needed
Step 2: Download and Install the Falcon Sensor
- **Download the sensor** from **Host Setup and Management** > **Sensor Downloads** in the Falcon Console
- **Copy your Customer ID (CID)** from the Sensor Downloads page
- **Install the sensor package:**
Ubuntu/Debian
sudo dpkg -i falcon-sensor__amd64.deb
RHEL/CentOS/Amazon Linux
sudo yum install falcon-sensor-.rpm
SUSE/SLES
sudo zypper install falcon-sensor-.rpm
Step 3: Configure the Sensor
Without installation tokens
sudo /opt/CrowdStrike/falconctl -s --cid=
With installation tokens enabled
sudo /opt/CrowdStrike/falconctl -s --cid= --provisioning-token=
Step 4: Verify the Installation
Confirm an Agent ID was generated:
sudo /opt/CrowdStrike/falconctl -g --aid
You should see an AID value returned.
Step 5: Start the Sensor
Systemd
sudo systemctl start falcon-sensor
SysVinit
sudo service falcon-sensor start
Allow the sensor to run briefly to verify it connects to CrowdStrike cloud successfully.
Step 6: Remove the Agent ID
This is the critical step - remove the AID before sealing the image:
sudo /opt/CrowdStrike/falconctl -d -f --aid
Step 7: Re-set Provisioning Token (If Required)
If your CID requires installation tokens, set the provisioning token so clones can register:
sudo /opt/CrowdStrike/falconctl -sf --provisioning-token=
Step 8: Seal the Master Image
- **Shut down** the VM cleanly
- **Create your template** or snapshot
- **Mark as read-only** if your hypervisor supports it
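Steps 4, 6 and 7 can be combined into one pre-seal gate that refuses to continue while an AID is still present. This is an added example, not CrowdStrike's own tooling; the `FALCONCTL` override, the `FALCON_PROVISIONING_TOKEN` variable name and the assumption that an AID is printed as 32 hex characters are illustrative.

```shell
#!/bin/sh
# Added example: pre-seal gate for a Falcon master image.
# FALCONCTL defaults to the path used in this guide and can be overridden.
FALCONCTL="${FALCONCTL:-/opt/CrowdStrike/falconctl}"

# Pull an AID out of `falconctl -g --aid` output.
# Assumption: an AID is rendered as 32 hex characters; no match means no AID.
extract_aid() {
    printf '%s\n' "$1" | grep -Eio '[0-9a-f]{32}' | head -n 1
}

# Print the current AID, or nothing when none is set.
current_aid() {
    extract_aid "$("$FALCONCTL" -g --aid 2>&1)"
}

# Remove the AID (Step 6), verify it is gone, then re-set the
# provisioning token if one is supplied (Step 7).
# Returns 0 only when the image is safe to seal.
prepare_for_seal() {
    token="${1:-}"
    before="$(current_aid)"
    if [ -n "$before" ]; then
        "$FALCONCTL" -d -f --aid || return 2
    fi
    after="$(current_aid)"
    if [ -n "$after" ]; then
        echo "refusing to seal: AID still present ($after)" >&2
        return 1
    fi
    if [ -n "$token" ]; then
        "$FALCONCTL" -sf --provisioning-token="$token" || return 3
    fi
    echo "no AID present; image can be sealed"
}

# Run as root on the master image: sh preseal.sh --run
# The token is read from the (hypothetical) FALCON_PROVISIONING_TOKEN variable.
if [ "${1:-}" = "--run" ]; then
    prepare_for_seal "${FALCON_PROVISIONING_TOKEN:-}"
fi
```

A non-zero exit code from the script should stop the image build before the shutdown and template steps.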
What Happens When Clones Boot
When a cloned VM or device boots:
- The Falcon sensor starts automatically
- It detects no Agent ID is present
- The sensor contacts the CrowdStrike cloud
- A unique AID is generated and assigned
- The new host appears in the Falcon Console
This process is automatic and requires no manual intervention on the cloned hosts.
Automating Master Image Updates
Keep your master image current with automation:
- Sensor Download APIs: Automatically retrieve the latest sensor version
- CI/CD Integration: Build new images when sensor updates are released
- Scheduled Rebuilds: Recreate master images monthly
Example workflow:
- API detects new sensor version
- Automation spins up base image
- Installs new sensor and configures CID
- Removes AID
- Seals new master image
- Old image is archived
Troubleshooting
Clones showing same hostname in Console
This is a hostname issue, not an AID issue. Configure your cloning process to set unique hostnames, or use cloud-init/sysprep equivalent.
Clones not appearing in Console
Check that:
- The provisioning token is set (if required)
- Network connectivity to CrowdStrike cloud exists
- The sensor service is running
Events from multiple hosts under one entry
This indicates clones have duplicate AIDs. You must remove the AID from the master image and redeploy affected clones.