X

Our website uses cookies to enhance your browsing experience.

CONTINUE TO SITE >

How to configure Manual Updates

Blue

Preface

Organizations have different policies regarding endpoint software updates. Falcon Agent Updates are configurable via the Sensor Update Policies. Within the update policies you can specify if the Agent should be updated automatically (most common), to a specific version, or disable updates altogether in favor of software deployment tools for updating.

For more information related to applying and understanding Sensor Update Policies see: https://www.crowdstrike.com/blog/tech-center/update-falcon-sensor/

Configuring Manual Updates

For customers opting to use software deployment tools for updating the sensor, policy options are available to disable cloud updates. From within the Sensor Update Policy, set the version dropdown to “Sensor version updates off”, with this set updates will be pushed to endpoints with the given policy applied.

Configuring Manual Updates Policy

Disabling Sensor updates can be controlled from the Sensor Update Policies.

Manual Updates with Uninstall Protection

Uninstall Protection acts as a safeguard to protect the Falcon Agent install. To perform manual updates with Uninstall Protection, the policy must be configured appropriately. The appropriate Sensor Update Policy enables the use of a single, policy-derived maintenance token for the group of endpoints being updated. This policy-derived maintenance token is used to maintain integrity and allow the update to proceed.

Note: Without the properly configured manual update policy, each device will require a one-time, device-specific token to perform the update.

To create a proper manual update policy navigate to the Sensor Update Policy, and set the version to “Sensor version updates off” then enable the option for “Bulk maintenance mode”.

 

When performing bulk updates of the Falcon Agent, click the “REVEAL TOKEN” button to obtain the maintenance token. This token can then be used by your software deployment tools which update the Falcon Agent.

Example Installation Commands

Below are some example install commands that can be used in combination with your software deployment tools. For a full listing of commands and scenarios, see the Deployment guide for Windows and Mac OS, these guides also cover Virtual Desktop Infrastructure (VDI) considerations in greater detail.
https://falcon.crowdstrike.com/support/documentation/23/falcon-sensor-for-windows-deployment-guide
https://falcon.crowdstrike.com/support/documentation/22/falcon-sensor-for-mac-deployment-guide

Windows

# Update the Falcon Agent
WindowsSensor.exe /install /quiet /norestart CID=YOUR_CID MAINTENANCE_TOKEN=YOUR_REVEALED_TOKEN

# Verify Installation Status
sc query csagent

# Uninstall the Falcon Agent
CsUninstallTool.exe /quiet MAINTENANCE_TOKEN=YOUR_REVEALED_TOKEN

Mac OS

# Update the Falcon Agent
sudo installer -pkg FalconSensorMacOS.pkg -target / --maintenance-token YOUR_REVEALED_TOKEN

# Apply Customer ID
sudo /Library/CS/falconctl license YOUR_CID

# Verify Installation Status
sysctl cs

# Uninstall the Falcon Agent
### falcon_uninstall.py
#!/usr/bin/env python
from __future__ import print_function
token = "YOUR_TOKEN"
try:
while True:
print(token)
except IOError:
pass

./falcon_uninstall.py | sudo /Library/CS/falconctl uninstall --maintenance-token
./falcon_maintenance_token.py | sudo /Library/CS/falconctl unload --maintenance-token
sudo installer -verboseR -package <installer .pkg> -target /

Conclusion

If you’re a customer or potential customer who’s internal process dictates that manual updates are required, you should now have a clearer understanding of how CrowdStrike’s manual updates configuration.

More resources

CrowdStrike Falcon Free Trial
 

Try CrowdStrike Free for 15 Days Get Started with A Free Trial