CrowdStrike Intune Compliance Script

An Intune compliance script to detect if the CrowdStrike agent is running. For something that sounds like a straightforward and common problem, the solution turned out to be harder to find than expected. Google search was fruitless, and nuances in Intune compliance scripts and JSON tripped up the GPTs. So, I put this quick article together in the hope that it makes life a bit easier for the next person who runs into the same issue.

The detection script below simply checks for the Windows CrowdStrike service and verifies whether it’s running (service status 4 = running).

Detection Script

 1$service = Get-Service -Name "CSFalconService" -ErrorAction SilentlyContinue
 2
 3$result = @{
 4    CrowdStrikeSensorRunning = $false
 5}
 6
 7if ($service -and [int]$service.Status -eq 4) {
 8    $result.CrowdStrikeSensorRunning = $true
 9}
10
11$result | ConvertTo-Json -Compress

The compliance JSON uses the script’s output and translates it into a simple Intune compliance result: true if the device meets the check, false if it doesn’t.

Compliance JSON

 1{
 2  "Rules": [
 3    {
 4      "SettingName": "CrowdStrikeSensorRunning",
 5      "Operator": "IsEquals",
 6      "DataType": "Boolean",
 7      "Operand": true,
 8      "MoreInfoUrl": "https://www.crowdstrike.com/",
 9      "RemediationStrings": [
10        {
11          "Language": "en_US",
12          "Title": "CrowdStrike Falcon Sensor Not Running",
13          "Description": "This device is not running the CrowdStrike Falcon sensor. Please reinstall or start the CSFalconService to ensure endpoint protection is active."
14        }
15      ]
16    }
17  ]
18}

That’s it. Just follow the instructions for adding a custom compliance script in the Intune portal.

This script can be easily adapted to check any service you want in Intune. Simply change the service name (and other references if you’re particular like me) to the one you want to monitor.