Intune App Packaging

Deploy CrowdStrike Falcon via Intune | Win32 Guide

Published 17 March 2026 · 7 min read

CrowdStrike Falcon is one of the most deployed EDR agents in managed Windows environments. The sensor installs silently using your Customer ID (CID) to automatically register with your Falcon console. The key things to get right are the CID in the install command, the provisioning token if your environment uses one, and handling the reboot requirement.

Contents
  1. Prerequisites
  2. Download the sensor installer
  3. Wrap with the Content Prep Tool
  4. Add the app in Intune
  5. Install and uninstall commands
  6. Detection rule
  7. Known gotchas

Prerequisites

Download the sensor installer

Log in to your Falcon console and work through to:

Host Setup and Management → Deploy → Sensor Downloads

Download the latest Windows Sensor EXE. The filename will be CrowdStrike_WindowsSensor_.exe. Always download fresh rather than reusing old installers - sensor versions matter for compatibility with your Falcon policies.

Wrap with the Content Prep Tool

IntuneWinAppUtil.exe -c "C:\AppSource\CrowdStrike" -s "CrowdStrike_WindowsSensor.exe" -o "C:\IntunePackages"

Add the app in Intune

Intune Admin Centre → Apps → Windows → + Add → Windows app (Win32)
  1. Upload the .intunewin file
  2. Name: CrowdStrike Falcon Sensor
  3. Publisher: CrowdStrike, Inc.

Install and uninstall commands

⚙️
Program settings
Replace YOUR_CID with your Customer ID from the Falcon console
Install commandAdd PROVISIONING_TOKEN=your-token if your org uses sensor provisioning tokens
CrowdStrike_WindowsSensor.exe /install /quiet /norestart CID=YOUR_CID
Uninstall commandMay require a maintenance token if tamper protection is enabled
CrowdStrike_WindowsSensor.exe /uninstall /quiet /norestart
Install behaviour
System
Device restart behaviourFalcon returns 3010 when a reboot is needed
Determine behaviour based on return codes
💡
Provisioning tokens
If your Falcon configuration enforces provisioning tokens (found under Sensor Downloads in the console), add PROVISIONING_TOKEN=your-token to the install command. Without it the sensor will install but may not register correctly in environments with token enforcement.

Detection rule

🔍
Registry detection rule
[]
Rule type
Registry
Key path
HKLM\SYSTEM\CrowdStrike\{9b03c1d9-3138-44ed-9fae-d9f4c034b88d}\{16e0423f-7058-48c9-a204-725362b67639}\Default
Detection method
Key exists

Simpler alternative - check for the service:

# Detect CrowdStrike Falcon Sensor
$svc = Get-Service -Name "CSFalconService" -ErrorAction SilentlyContinue
if ($svc) { Write-Output "Detected"; exit 0 } else { exit 1 }
💡
Test your detection rule first
Before deploying to users, install the app manually on a test device and verify the detection rule matches. Check the file path or registry key exists before assigning to a group.

Known gotchas

Reboot required

CrowdStrike Falcon installs a kernel driver and almost always requires a reboot. Plan your deployment window accordingly. Set the Intune restart behaviour to handle return code 3010 as a soft reboot.

Uninstall requires maintenance token

If your Falcon policy has sensor anti-tampering enabled, the standard uninstall command will fail. You need a maintenance token from the Falcon console (under Host Management for the specific device) to uninstall. This is intentional and a security feature - make note of this before deploying.

Frequently Asked Questions

Q: How do I deploy CrowdStrike Falcon silently via Intune?

Use: CrowdStrike_WindowsSensor.exe /install /quiet /norestart CID=your-customer-id. The CID (Customer ID) links the sensor to your Falcon console automatically on install.

Q: Where do I find my CrowdStrike Customer ID (CID)?

Log in to your Falcon console at falcon.crowdstrike.com, go to Host Setup and Management > Deploy > Sensor Downloads. Your CID is shown at the top of the page.

Q: How do I detect CrowdStrike Falcon in Intune?

Use a file detection rule: check for CSFalconService.exe in C:\Windows\System32\drivers. Alternatively check the Windows service: Get-Service CSFalconService.

Q: Does CrowdStrike Falcon require a reboot after Intune deployment?

Yes, CrowdStrike Falcon typically requires a reboot to complete installation and start the kernel driver. Set device restart behaviour to determine based on return codes, or schedule a reboot via a separate Intune configuration.

More App Packaging Guides
Deploy SentinelOne Agent via Intune Deploy Malwarebytes via Intune Deploy Wireshark via Intune
Installer typeEXE (proprietary)
CID requiredYes - from Falcon console Sensor Downloads
Silent installYes - /install /quiet /norestart
Reboot requiredYes - return code 3010
Tamper protectionUninstall needs maintenance token
// need intune set up properly?
Fixed-price Intune setup for UK businesses

I set up Intune for UK small businesses at a fixed price - app deployment, compliance policies, Conditional Access, and full documentation handed over at the end.

View Packages
#intune #app-packaging #win32