# CrowdStrike Running Job

<figure><img src="https://762006384-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MJXOXEifAmpyvNVL1to%2Fuploads%2FzsTwidiQ4pg6PdkE2QUR%2FCrowdStrike%20Running%20Job%20Guide.png?alt=media&#x26;token=f95d0d45-dc05-4b0c-97ae-780acfc160b0" alt=""><figcaption></figcaption></figure>

This guide shows a **job** that checks whether the CrowdStrike Falcon sensor service (**CSFalconService**) is running and, if not, starts it. The job is deployed to endpoints using a **JobUpdate** policy. It follows the same pattern as the [Windows Defender Running Job Guide](/en/keeperpam/endpoint-privilege-manager/user-guides/windows-defender-running-job-guide.md).

**Audience:** IT admins deploying Keeper Privilege Manager on Windows with CrowdStrike Falcon sensor.

***

### What the Job Does <a href="#what-the-job-does" id="what-the-job-does"></a>

* **Checks** the status of the **CSFalconService** service (CrowdStrike Falcon Sensor).
* **If the service is stopped,** starts it with `Start-Service -Name CSFalconService`.
* **If the service is already running,** does nothing and exits successfully.
* **Runs** on a **schedule** (default: every 60 minutes) and on **Startup**, so the Falcon sensor is periodically verified and restored if it was stopped.

The job uses a single PowerShell task in the **Service** context. The agent typically runs as LOCAL SYSTEM, which can start the CrowdStrike service.

### Prerequisites <a href="#prerequisites" id="prerequisites"></a>

* Keeper Privilege Manager agent installed and running on **Windows**.
* **CrowdStrike Falcon sensor** installed (so the CSFalconService exists).
* PowerShell at `C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe`.
* Ability to create **JobUpdate** policies and run **Process Configuration Policies** (e.g. from Keeper Admin Console).

## Job Definition (full JSON) <a href="#job-definition-full-json" id="job-definition-full-json"></a>

Use this job JSON in a JobUpdate policy (**Extension.JobJson**) or save it as `Jobs/ensure-crowdstrike-running.json` for file-based deployment.

```
{
  "id": "ensure-crowdstrike-running",
  "name": "Ensure CrowdStrike Falcon is running",
  "description": "Checks if the CrowdStrike Falcon sensor service (CSFalconService) is running; if not, starts it. Deploy via JobUpdate policy. Runs on schedule (default every 60 min) and on Startup.",
  "enabled": true,
  "asUser": false,
  "priority": 5,
  "schedule": {
    "intervalMinutes": 60
  },
  "events": [
    { "eventType": "Startup" }
  ],
  "parameters": [],
  "tasks": [
    {
      "id": "check-and-start-crowdstrike",
      "name": "Check CrowdStrike Falcon service and start if stopped",
      "ExecutionType": "Service",
      "command": "powershell.exe",
      "executablePath": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
      "arguments": "-NoProfile -ExecutionPolicy Bypass -Command \"& { $s = Get-Service -Name CSFalconService -ErrorAction SilentlyContinue; if (-not $s) { exit 1 }; if ($s.Status -ne 'Running') { Start-Service -Name CSFalconService -ErrorAction Stop }; exit 0 }\"",
      "expectedExitCode": 0,
      "timeoutSeconds": 30,
      "continueOnFailure": false
    }
  ],
  "mqttTopics": { "allowedPublications": ["KeeperLogger"], "allowedSubscriptions": [] },
  "osFilter": { "windows": true, "linux": false, "macOS": false }
}
```

### Deploy the Job via JobUpdate Policy <a href="#deploy-the-job-via-jobupdate-policy" id="deploy-the-job-via-jobupdate-policy"></a>

1. **Create a JobUpdate policy** in your policy store or Keeper Admin Console with:
   * **PolicyType:** `JobUpdate`
   * **Status:** `enabled`
   * **Extension:**
     * **JobId:** `ensure-crowdstrike-running`
     * **Action:** `Add`
     * **JobJson:** The full job object above (single line or formatted).
2. **Example policy structure:**

   ```
   {
     "PolicyId": "deploy-ensure-crowdstrike-running",
     "PolicyName": "Deploy job: Ensure CrowdStrike Falcon is running",
     "PolicyType": "JobUpdate",
     "Status": "enabled",
     "Extension": {
       "JobId": "ensure-crowdstrike-running",
       "Action": "Add",
       "JobJson": {
         "id": "ensure-crowdstrike-running",
         "name": "Ensure CrowdStrike Falcon is running",
         "description": "Checks if the CrowdStrike Falcon sensor service (CSFalconService) is running; if not, starts it.",
         "enabled": true,
         "asUser": false,
         "priority": 5,
         "schedule": { "intervalMinutes": 60 },
         "events": [{ "eventType": "Startup" }],
         "parameters": [],
         "tasks": [
           {
             "id": "check-and-start-crowdstrike",
             "name": "Check CrowdStrike Falcon service and start if stopped",
             "ExecutionType": "Service",
             "command": "powershell.exe",
             "executablePath": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
             "arguments": "-NoProfile -ExecutionPolicy Bypass -Command \"& { $s = Get-Service -Name CSFalconService -ErrorAction SilentlyContinue; if (-not $s) { exit 1 }; if ($s.Status -ne 'Running') { Start-Service -Name CSFalconService -ErrorAction Stop }; exit 0 }\"",
             "expectedExitCode": 0,
             "timeoutSeconds": 30,
             "continueOnFailure": false
           }
         ],
         "mqttTopics": { "allowedPublications": ["KeeperLogger"], "allowedSubscriptions": [] },
         "osFilter": { "windows": true, "linux": false, "macOS": false }
       }
     }
   }
   ```
3. **Assign the policy** to the desired Windows collections or machines (where Falcon sensor is installed).
4. **Run Process Configuration Policies** on the agents so they receive the job:
   * Rely on the normal schedule (e.g. after policy sync), or
   * Trigger manually: `POST https://127.0.0.1:6889/api/Jobs/process-configuration-policies/run` (Admin auth).
5. **Confirm the job is present:**\
   `GET https://127.0.0.1:6889/api/Jobs` — you should see `ensure-crowdstrike-running`.

***

### When the Job Runs <a href="#when-the-job-runs" id="when-the-job-runs"></a>

* **Startup** — Runs once when the agent (or machine) starts.
* **Every 60 minutes** — Per `schedule.intervalMinutes`. Change `intervalMinutes` in the job JSON if you want a different interval.

No manual trigger is required unless you want to run it once on demand (e.g. `POST .../api/Jobs/ensure-crowdstrike-running/run`).

### Verification <a href="#verification" id="verification"></a>

* **Service status (PowerShell):**

  ```
  Get-Service -Name CSFalconService
  ```

  Status should be **Running** after the job has run (or after starting it manually for testing).
* **Agent logs:** Check for task `check-and-start-crowdstrike` and any PowerShell or service errors.
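* **Run job once (optional):** `-SkipCertificateCheck` is available only in PowerShell 6 and later, so run this from `pwsh` rather than Windows PowerShell 5.1.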

  ```
  Invoke-RestMethod -Method Post -Uri "https://127.0.0.1:6889/api/Jobs/ensure-crowdstrike-running/run" -SkipCertificateCheck
  ```

### Troubleshooting <a href="#troubleshooting" id="troubleshooting"></a>

<table data-header-hidden="false" data-header-sticky><thead><tr><th width="206">Issue</th><th>What to check</th></tr></thead><tbody><tr><td>Job not on endpoint</td><td>JobUpdate policy assigned; Process Configuration Policies has run; <code>GET /api/Jobs</code> shows the job.</td></tr><tr><td>Exit code 1</td><td>CSFalconService may not exist (Falcon sensor not installed or different product); check <code>Get-Service CSFalconService</code> on the machine.</td></tr><tr><td>Access denied starting service</td><td>Agent must run as an account that can start services (e.g. LOCAL SYSTEM).</td></tr><tr><td>Start-Service fails (e.g. "Disabled" state)</td><td>The service must be set to <strong>Automatic</strong> or <strong>Manual</strong>; if it is <strong>Disabled</strong>, Start-Service will fail. Use <code>Set-Service -Name CSFalconService -StartupType Automatic</code> (in an elevated prompt) or services.msc.</td></tr><tr><td>Different interval</td><td>Edit <strong>JobJson</strong> in the policy: change <code>schedule.intervalMinutes</code> (e.g. 30), then run Process Configuration Policies again (or use JobUpdate Action <strong>Update</strong> with the full revised job).</td></tr></tbody></table>
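
The conditions in the table above can be checked by hand on an endpoint. The following PowerShell function is an added example, not part of Keeper's documentation or product; `Test-FalconService` is a hypothetical name, and it reads the service through `Win32_Service` to report which of the job's outcomes applies.

```powershell
# Added example (not Keeper's code). Test-FalconService is a hypothetical helper name.
function Test-FalconService {
    [CmdletBinding()]
    param(
        [string]$Name = 'CSFalconService',
        [switch]$Start   # also attempt the start, as the job task does
    )

    $result = [ordered]@{
        Service = $Name; Exists = $false; StartMode = $null; State = $null; Finding = $null
    }

    # Win32_Service returns State and StartMode in one query; no match returns nothing.
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$Name'"
    if (-not $svc) {
        $result.Finding = 'Service not found: the job task exits 1 (Falcon sensor not installed).'
        return [pscustomobject]$result
    }
    $result.Exists    = $true
    $result.StartMode = $svc.StartMode   # Auto, Manual or Disabled
    $result.State     = $svc.State       # Running, Stopped, Start Pending, ...

    if ($svc.State -eq 'Running') {
        $result.Finding = 'Running: the job does nothing and exits 0.'
    }
    elseif ($svc.StartMode -eq 'Disabled') {
        $result.Finding = 'Disabled: Start-Service fails until startup type is Automatic or Manual.'
    }
    elseif ($Start) {
        try {
            Start-Service -Name $Name -ErrorAction Stop
            $result.State   = (Get-Service -Name $Name).Status.ToString()
            $result.Finding = 'Was not running; started successfully.'
        }
        catch {
            # Per the table, a common cause is an account that cannot start services.
            $result.Finding = "Start failed: $($_.Exception.Message)"
        }
    }
    else {
        $result.Finding = 'Not running but startable: the next job run should start it.'
    }
    [pscustomobject]$result
}

Test-FalconService            # read-only check
# Test-FalconService -Start   # elevated prompt: also start the service
```

Without `-Start` the function only reads state, so it is safe to run before changing the startup type or the policy.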

### Reference <a href="#reference" id="reference"></a>

* **Job id:** `ensure-crowdstrike-running`
* **Job file (if not using policy):** `Jobs/ensure-crowdstrike-running.json`
* **Service name:** `CSFalconService` (CrowdStrike Falcon Sensor)
* **Platform:** Windows only.

For the same pattern applied to Windows Defender, see [Windows Defender Running Job Guide](/en/keeperpam/endpoint-privilege-manager/user-guides/windows-defender-running-job-guide.md). For general job and policy details, see the Getting Started docs (Jobs definition and format, Create/Modify/Delete job).

