Deploying Crowdstrike Falcon - Windows 10

prc389 · January 24, 2023, 1:05am

Hello All!

Hope you are well.

We’ve been using BigFix to deploy Crowdstrike Falcon to our endpoints for a few years now.

It has come to my attention that the our Falcon Fixlet has been failing in one of the newer versions. We’ve since reverted back to the working one. The fixlet is the same, but I am not sure why it not working with a new version of the WindowsSenor.exe.

Here is an edited snippet of the fixlet that does work. The only thing that has changed is the .exe. Any ideas? Thank you.

parameter “baseFolder” = “__Download/”
“__Download/hash-here” “{parameter “baseFolder”}WindowsSensor.exe”
waithidden “__Download\WindowsSensor.exe” /install /quiet /norestart CID=XXX GROUPING_TAGS=“XXX”

D.Dean · January 24, 2023, 3:30pm

Check the SHA values and size of the file and make sure the fixlet is updated with those values.

If you take action, you can go back to the action and see if the file cached on the server. It will show if the SHA values were the failure on the action summary screen.

In this case, it was successful.

prc389 · January 24, 2023, 3:47pm

Hi D.Dean! Thanks for the reply.
I just confirmed that the sha values are the same and that it is complete like yours. Any other ideas?

prc389 · January 24, 2023, 3:52pm

D.Dean · January 24, 2023, 4:22pm

Two thoughts

run a delete command to make sure the file does not already exist in the install location “__Download\windowssensor.exe”

Instead of move, copy the file, sometimes permissions will cause an issue.

SLB · January 24, 2023, 4:28pm

Just a thought, could you not do away with the move/copy requirement by changing the name= in the add prefetch item so its name=WindowsSensor.exe Then the client should manage the contents of the __Download folder and the filename will be correct and not need move/copying.

Wondering if the client logs would help here to see what the error code was on the line that failed

prc389 · January 24, 2023, 4:31pm

I will try this and report back. Thanks for the suggestion!

prc389 · January 24, 2023, 4:41pm

Thanks for this suggestion as well, SLB. I will also try this and report back.

trn · January 24, 2023, 5:00pm

You can get the Crowdstrike installer to write quite a detailed log - /log <c:\some\folder\logfile.log>

There is also an uninstall tool

Also, Crowdstrike can be upgraded/managed from its own console - and that includes adding password and other forms of service protection - are you sure none of those are in place, because they will also break any attempt at upgrade?

prc389 · January 24, 2023, 6:31pm

Copy did not fix the failure. It did come back with the same error even before changing from move.

Command failed (Thread execution failed (87))

prc389 · January 24, 2023, 6:31pm

Hi, SLB.
This is the error I am seeing in the logs - Command failed (Thread execution failed (87))

Any suggestions ?

JasonWalker · January 24, 2023, 6:40pm

I see a couple of things that could be issues in that command line.
Does the “CID” parameter contain curly-brackers { } ? It’s hard to tell from the screenshot.

Try forcing it to run in 64-bit mode by disabling wow64 redirection.

The other thing is that the GROUPING_TAGS parameter has doublequotes in it. I’ve seen some complex behavior around ‘wait’/‘waithidden’ command lines that have their own embedded quoting. I usually workaround that by rewriting the command to use cmd.exe’s special handling of quoting characters. Try replacing the waithidden command line as

action uses wow64 redirection {not x64 of operating system}

waithidden cmd.exe /c ""__Download\WindowsSensor.exe" /install /quiet /norestart CID=something GROUPING_TAGS="something""

cmd.exe strips off the outer doublequotes and then treats everything inside the doublequotes as a literal command line.

prc389 · January 24, 2023, 7:00pm

Thank you, Jason. I will try this out and reply back!
The CID does not have curly-brackets.

D.Dean · January 24, 2023, 7:02pm

can you change the CID and other identifiers and paste the entire command with the fake CID and such?

prc389 · January 24, 2023, 7:10pm

Jason, thank you so much. This worked and the fixlet is now completing with success!

Thank you to all who have replied with help as well! It is much appreciated.
First round’s on me!

efranco · October 24, 2023, 5:58pm

Jason buenos días,

muchas gracias por tus comentarios, yo estoy realizando de igual forma la instalacion de crowdstrike, la tarea se completa, sin embargo no aparece en los programas instalados,

¿Alguna recomendación?

JasonWalker · October 24, 2023, 6:29pm

No he instalado CrowdStrike yo mismo. Necesitaríamos más detalles, como el ActionScript que estás utilizando y si la línea de comandos del instalador funciona cuando la pruebas fuera de BigFix.

efranco · October 24, 2023, 10:37pm

muchas gracias,

te comparto las líneas del script

JasonWalker · October 24, 2023, 10:43pm

Una vez más, no tengo CrowdStrike, pero según entiendo, es necesario proporcionar los valores CID y GROUPING_TAGS, y estos deben ser válidos para su entorno específico.

Comience con un comando de instalación que funcione fuera de BigFix.

Consulte este enlace para otras sugerencias también. Tip: Troubleshooting ActionScript Command Lines (Windows)

efranco · October 25, 2023, 6:51pm

hola buen dia,

muchas gracias jason por todos tus comentarios,me fueron de mucha ayuda, logre instalarlo con este script