Application Resilience policies for CrowdStrike Falcon
You can activate an Application Resilience policy for CrowdStrike Falcon® to collect information about the functional status of CrowdStrike Falcon installed on your Windows devices and view the results in reports. For version 6.x or higher, you can also configure the policy to reinstall the application.
The Report and repair option and the Report, repair, and reinstall option aren't supported on version 5.17.x.
System requirements
Application Resilience policies for CrowdStrike Falcon are supported on devices running:
- a supported version of the Windows operating system
-
PowerShell version 5.1 or higher for version 6.x or higher of CrowdStrike Falcon
Due to PowerShell restrictions imposed by Microsoft, Application Resilience is not supported for version 6.x or higher of this application on devices running Windows 11 SE.
-
one of the following versions of CrowdStrike Falcon:
-
6.x or higher
Significant software changes in higher versions may cause health checks to become invalid.
- 5.17.x
-
Health checks
Version 6.x or higher
In addition to checking the version, the following table describes the health checks performed:
If you select Report higher versions as Compliant, higher versions report Compliant without running health checks.
| Component | Test performed | ||
|---|---|---|---|
| Services | Installed | Running | Signed by: |
| CrowdStrike Falcon Sensor Service (CSFalconService.exe) | P | P |
One of the signers entered in the policy configuration By default, Signers contains "CrowdStrike, Inc." and "Microsoft Windows Hardware Compatibility Publisher". |
| Application name | |||
|
The application uses the following name:
|
|||
Version 5.17.x
In addition to checking the version, the following table describes the health checks performed:
If you select Report higher versions as Compliant, higher versions report Compliant if all health checks, other than the version check, pass.
| Component | Test performed | ||
|---|---|---|---|
| Services | Installed | Running | Signed by |
| CrowdStrike Falcon Sensor Service (CSFalconService.exe) | P | P | n/a |
| Application name | |||
|
The application uses the following name:
|
|||
Reinstalling
The Report and repair option and the Report, repair, and reinstall option aren't supported on version 5.17.x. Report only is the only option supported.
For version 6.x or higher, you can configure an Application Resilience policy for CrowdStrike Falcon to enable the Application Resilience (RAR) component A lightweight software component of the Secure Endpoint Agent that detects the status of third party applications installed on a device. The component may also attempt to repair the third party application if it is non-compliant. The RAR component is deployed on a device only when the device is associated with a customized policy group and that policy group's Application Resilience policy is activated. to reinstall CrowdStrike Falcon if it's not functioning or missing. In addition to configuring the Application Resilience policy, one of the following configurations is required in the CrowdStrike console:
- Both Uninstall and maintenance protection and Bulk maintenance mode are disabled
- Both Uninstall and maintenance protection and Bulk maintenance mode are enabled
The Report and repair option isn't supported for version 6.x or higher. Depending on the Absolute product licenses associated with your account, the Report, repair, and reinstall option may not be available.
The RAR component of the Secure Endpoint Agent can respond to the following issues:
| Issue | Resolution |
|---|---|
| Reinstall | |
|
Downgrades are not supported. If the version installed on a device is higher than the expected version, no action is taken. |
|
| The CrowdStrike Falcon Sensor Service (CSFalconService.exe) isn't running, or isn't installed |
If the Crowdstrike console is correctly configured and the application is installed, the RAR component uninstalls it. Once the uninstall is complete or if the application wasn't installed, the RAR component downloads and installs the configured version of the application. Tamper Protection must be disabled in your CrowdStrike Falcon configuration for the RAR component to successfully reinstall CrowdStrike Falcon. |
| The expected version of CrowdStrike Falcon isn't installed | |
Preparing the installer
Version 6.x or higher
The installer:
-
must be an EXE file
-
can have any file name
Pre-caching installers
The RAR component looks for the following files names when checking pre-cached installers:
| Component | File name |
|---|---|
| Installers | WindowsSensor.exe |
Version 5.17.x
There is no installer required for CrowdStrike version 5.17.x as Report only is the only option supported.
Configuring Application Resilience policies
Version 6.x or higher
Before you activate an Application Resilience policy, you need to configure the policy. You need to configure the application version in addition to the settings in Configuring Application Resilience policies.
To configure the application version:
- Under Application version, select 6.*+ from the drop-down.
-
Enter the version in Crowdstrike Falcon version.
- The target version must be a sequence of digits separated by a period.
- You can use wild card "*" characters after the major version, for example, 6.* or 6.13.*.
Make sure the version you are entering is consistent with version 6.x or higher.
If you selected the Report, repair, and reinstall option, you also need to configure these settings in addition to the settings in Configuring Application Resilience policies.
To configure the CrowdStrike Falcon specific settings:
-
[Optional] To only reinstall the application if it's missing, select the checkbox next to Do not reinstall or upgrade if the app is already installed. When this option is selected, the application is not reinstalled when either of the following conditions apply:
- The application version is lower than the expected version.
- The application can't be repaired.
-
[Optional] Under Additional installation commands, enter the applicable installation command-line parameters to configure any settings not covered by the policy configuration.
If your installation requires your customer identification (CID), enter it here in the following format:
CopyCID=F01E9DB8E9124A0595848A69FE57D96D-AC -
[Optional] Under Additional uninstallation commands, enter the applicable uninstallation command-line parameters to configure any settings not covered by the policy configuration.
If you CrowdStrike Falcon configuration requires the maintenance token to uninstall CrowdStrike Falcon, enter it here in the following format:
CopyMAINTENANCE_TOKEN=a0b98cd765432de123456
For more information about the available command-line parameters, see the CrowdStrike Falcon documentation.
Version 5.17.x
Before you activate an Application Resilience policy you need to configure the policy.
