How to deploy the CrowdStrike EDR

Step-by-step manual for deploying the CrowdStrike EDR

Executable

Download the Windows executable from Stoïk Protect or via this link.

Customer ID

Your Customer ID is required to deploy the EDR. It is available on Stoïk Protect, under the Endpoints tab, then Settings, in the Information section.

Automatic deployment

If you have SCCM or Intune, simply deploy the downloaded executable directly on all workstations and servers. You can also use a GPO (see below for a guide to creating a GPO).

For automatic deployment, use the following command, replacing <Customer ID> with your Customer ID:

<name of crowdstrike file>.exe /install /quiet /norestart CID=<Customer ID>

If necessary, you can also specify a tag associated with the agent during installation. This can be particularly useful for differentiating installations by site or geographical location:

<name of crowdstrike file>.exe /install /quiet /norestart CID=<Customer ID> GROUPING_TAGS="INSERT_TAGS_HERE"

You can specify multiple tags, separated by commas.

Manual deployment

  1. Run the executable
  2. Enter your Customer ID in the Customer ID with Checksum field
  3. Click on Install


Uninstalling your antivirus

CrowdStrike replaces your current antivirus solution, so it is necessary to uninstall it.

Please note: Do not disable your firewall if it is provided by a different solution. However, if your firewall is managed by the same solution as your antivirus and you have created custom rules, transfer them to the Windows firewall.

Appendix - Creating an automated deployment GPO

To deploy via GPO, follow these steps:

  • Download the Windows executable from Stoïk Protect or via this link.
  • Place this file in a network share accessible to all computers in the domain.
    Example path: \\Server\Share\WindowsSensor.exe.
    Make sure the share has Read permissions for the computer groups concerned.
  • Create a PowerShell or batch script file that executes the install command.
    For example, a batch script (InstallCrowdStrike.bat):
    @echo off
    \\Server\Share\WindowsSensor.exe /install /quiet /norestart CID=<Customer ID>
    If necessary, you can also specify a tag associated with the agent during installation. This is particularly useful for differentiating installations by site or geographical location:
    @echo off
    \\Server\Share\WindowsSensor.exe /install /quiet /norestart CID=<Customer ID> GROUPING_TAGS="INSERT_TAGS_HERE"
    ➡️ Replace \\Server\Share\WindowsSensor.exe with the actual path, and <Customer ID> with your Customer ID.
  • Test the script manually on one machine to check that it installs CrowdStrike correctly, by verifying that the machine appears in your Stoïk Protect MDR space.
  • Open the Group Policy Management console (GPMC):
    • Press Win + R, type gpmc.msc and press Enter.
  • Create a new GPO:
    • Right-click on the container where you want to apply the GPO (e.g. the domain or a specific OU).
    • Click on Create a GPO in this domain, and Link it here, and give it a name (e.g. CrowdStrike Deployment).
  • Configure the startup script:
    • Right-click on the new GPO and select Edit.
    • Go to Computer Configuration > Policies > Windows Settings > Scripts (Startup/Shutdown).
    • Double-click on Startup, then click on Add.
    • In the window that opens, click on Browse, then select the InstallCrowdStrike.bat script.
      Note: Copy the script into the folder \\<server_name>\SysVol\<domain_name>\Policies\<GUID_of_the_GPO>\Machine\Scripts\Startup so that it is accessible to all.
  • Apply the GPO:
    • Make sure the GPO is linked to the right container (domain or OU containing the target machines).
    • Use gpupdate /force on a domain controller to force policy updates.
  • Verify the installation:
    • Restart a target machine to trigger the script.
    • Check that CrowdStrike is installed and running on this machine.
  • In case of problems, consult the startup script log file on client machines:
    C:\Windows\Debug\StartupLog.txt. Make sure that:
    • The share path is correct and accessible.
    • NTFS and network share permissions allow reading for target machines.
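
A GPO startup script runs at every boot, so the install command is re-run on machines that already have the sensor. The PowerShell variant below is an added example, not Stoïk's or CrowdStrike's own script: it skips machines where the sensor is present, checks the share before launching, and writes its own log. The script name, the log path and the use of CSFalconService as the sensor's Windows service name are assumptions of this example.

```powershell
# Added example: idempotent GPO startup script (Install-CrowdStrike.ps1, hypothetical name).
# Assumptions: share path taken from the guide's example; CSFalconService as the sensor's
# Windows service name; log path chosen for this example only.
param(
    [string]$Installer    = '\\Server\Share\WindowsSensor.exe',  # example path from the guide
    [string]$CustomerId   = '<Customer ID>',                      # replace with your Customer ID
    [string]$GroupingTags = '',                                   # optional, comma-separated
    [string]$LogFile      = 'C:\Windows\Temp\CrowdStrikeInstall.log'
)

function Write-Log([string]$Message) {
    $line = '{0} {1} {2}' -f (Get-Date -Format s), $env:COMPUTERNAME, $Message
    Add-Content -Path $LogFile -Value $line
}

# Startup scripts run at every boot: exit early when the sensor is already present.
$svc = Get-Service -Name 'CSFalconService' -ErrorAction SilentlyContinue
if ($svc) {
    if ($svc.Status -ne 'Running') { Write-Log "Sensor installed but service is $($svc.Status)" }
    exit 0
}

# Catch the two failure causes the guide lists: wrong share path or missing Read permission.
if (-not (Test-Path -LiteralPath $Installer -PathType Leaf)) {
    Write-Log "Installer not reachable: $Installer (check share path and Read permissions)"
    exit 1
}

# Refuse to run with the placeholder still in place.
if ($CustomerId -eq '<Customer ID>' -or [string]::IsNullOrWhiteSpace($CustomerId)) {
    Write-Log 'Customer ID placeholder was not replaced'
    exit 1
}

# Same switches as the batch example, with the optional tag list appended.
$arguments = @('/install', '/quiet', '/norestart', "CID=$CustomerId")
if ($GroupingTags) { $arguments += "GROUPING_TAGS=`"$GroupingTags`"" }

$proc = Start-Process -FilePath $Installer -ArgumentList $arguments -Wait -PassThru
Write-Log "Installer exit code: $($proc.ExitCode)"

# Confirm the result locally before looking for the machine in the console.
if (Get-Service -Name 'CSFalconService' -ErrorAction SilentlyContinue) {
    Write-Log 'Sensor service present after install'
    exit 0
}
Write-Log 'Sensor service missing after install'
exit 1
```

To use it in place of the batch file, add it on the PowerShell Scripts tab of the Startup Properties dialog.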

Appendix - Opening network flows

If network traffic is blocked, the following flows must be opened on the firewall on port 443:

IPv6
2a05:d014:45e:4e00::/56 (allow all addresses between 2a05:d014:45e:4e00:0000:0000:0000:0000 and 2a05:d014:45e:4eff:ffff:ffff:ffff:ffff)
Domains
ts01-lanner-lion.cloudsink.net
lfoup01-lanner-lion.cloudsink.net
lfodown01-lanner-lion.cloudsink.net

 

Please contact us at protect@stoik.io if you encounter any difficulties.