# _general
s
s
Starting to deploy it shortly
p
We have been for a number of years, though we since switched from PVS to MCS workloads; the overall process is the same. It needs installing with the switches VDI=1 NO_START=1 when in a VDI environment. There are some other guidelines that need to be followed also. They had a good video here, but it's not accessible anymore.

TLDR: if possible, have Falcon be the last thing installed on the master. DO NOT reboot it once installed. If that's not possible, and the master needs unsealing, or the build process reboots the master, then you have to delete these keys before reseal:

HKLM\SYSTEM\CrowdStrike\{9b03c1d9-3138-44ed-9fae-d9f4c034b88d}\{16e0423f-7058-48c9-a204-725362b67639}\Default\AG
HKLM\SYSTEM\CurrentControlSet\Services\CSAgent\Sim\AG

Deleting those keys may not be possible if the policies against registry modifications are applied to the master machines. You will need a policy with less restrictive settings tied to the masters. It will also flag your cyber dept when those keys are deleted, so you will need to give them a heads up...

Addendum: if you use applayer to make the master images, you can have CrowdStrike in its own layer. Create a version 0 of the layer, and set it to bypass layer checking so that it does not fail at reseal. Then build from that version 0 layer each time you create a new CrowdStrike version.
n
This is great info and makes me want to not use CS even more.
p
lol. We came from having to run McAfee, so as far as we were concerned it was a win. But it's not without issues.
j
Thank you so much @Paul Brown. This is great info. That video is here: https://web.archive.org/web/20211101161019/https://crowdstrike.wistia.com/medias/he1qicxcft
j
We run it on all of our MCS workloads. FWIW, we have a Falcon sensor policy that is scoped to our master image/update hostnames; we uninstall the Falcon sensor during the seal and install with the following in our reseal:

```bat
REM Uninstall the Falcon sensor on the master, then reinstall it in VDI mode
REM so the reseal produces a clean sensor identity for the provisioned clones.
Echo #######################
Echo  Uninstall CrowdStrike
Echo #######################
Echo.
"\\UNCPATH\to\CsUninstallTool.exe" /quiet

Echo Please wait 30 seconds for CrowdStrike to Uninstall!
Timeout /t 30 /nobreak

Echo.
Echo #######################
Echo Reinstall CrowdStrike
Echo #######################

Echo.

REM %KEY% holds the customer ID (CID); VDI=1 marks this as a VDI master install.
"\\UNCPATH\to\WindowsSensor.MaverickGyr.exe" /install /quiet /norestart CID=%KEY% VDI=1
```
v
We run CrowdStrike on vdisk, VDI and laptops. Haven't got any real issues with that; it blocked a couple of LOB apps, but for a reason (scripts compiled to exe, download then execute), and it was in the user notifications and in the Falcon logs. Other than that, no issues. Especially comparing to McAfee, that was a plain f*** horror show. Some other issues with CrowdStrike: the uninstall process is not user friendly. Sometimes during the install the agent fails to register with the console and the build fails. So you have to check error codes; don't assume that because you were running the CrowdStrike installer it is installed and operational. Also, by default it drops off if not connected to the console for 45 days, which makes some endpoints non-compliant as the AV is not talking to the console.
One of the things we like about CrowdStrike: running commands and scripts remotely, including downloading and uploading stuff from/to clients, like uninstalling/reinstalling the VPN client, or enumerating NICs and removing IPv6, or just dropping software and install scripts and running them. You could also quarantine a machine, so it would be connected to the CS console for further troubleshooting but not able to get anywhere else. We also manage USB storage device blocking via CS policies.