
Deploy the CrowdStrike Falcon Sensor on Windows & Linux with falconctl

A hands-on walkthrough for deploying the Falcon sensor on Windows and Linux endpoints, registering it to your CID with falconctl, starting the service and verifying that protection is fully active.

The CrowdStrike Falcon sensor is a single lightweight agent that streams telemetry to the cloud-managed Falcon console. This knowledge base article walks through deploying and registering the sensor on Windows and Linux, then verifying that it is healthy and fully protecting the host. All commands below are the documented, real syntax — replace placeholder values (CID, tokens, filenames) with the values from your own Falcon console.

Before you start

You will need:

  • Your Customer ID (CID), copied from the Falcon console under Host setup and management > Sensor downloads. The CID includes a checksum suffix after a dash (for example ABCD...WXYZ-7A) — copy it exactly.
  • The correct sensor installer for the target OS and architecture, downloaded from the same console page.
  • (Optional) an installation / provisioning token if your tenant enforces one.
  • Local administrator (Windows) or root/sudo (Linux) on the endpoint.

1. Install on Windows

The Windows sensor ships as WindowsSensor.exe (or a versioned name). For an interactive install you can double-click it, but for fleet deployment use the silent command line. Open an elevated Command Prompt or PowerShell and run:

WindowsSensor.exe /install /quiet /norestart CID=<your-CID>

Parameter meanings:

  • /install — perform an installation.
  • /quiet — run silently with no user interaction.
  • /norestart — do not reboot automatically (no reboot is required for the sensor itself).
  • CID=<your-CID> — registers the host to your tenant.

If your tenant enforces a provisioning token, append it using the MSI properties ProvToken=<token> and, optionally, ProvNoWait=1 so that the installer does not block waiting on the token. This silent command is what you wrap into Microsoft Intune, Group Policy (GPO), SCCM/ConfigMgr or an RMM package for mass deployment.

2. Install on Linux

Linux deployment is two steps: install the package, then register it with falconctl. Use the package manager that matches your distribution.

RHEL / Rocky / Alma / Amazon Linux (RPM):

sudo dnf install ./falcon-sensor.rpm
# or on older systems:
sudo yum install ./falcon-sensor.rpm
# or directly with rpm:
sudo rpm -ivh falcon-sensor.rpm

Ubuntu / Debian (DEB):

sudo dpkg -i falcon-sensor.deb

Register the sensor with your CID

Installing the package does not connect the sensor — you must set your CID. The falconctl utility lives at /opt/CrowdStrike/falconctl. Run:

sudo /opt/CrowdStrike/falconctl -s -f --cid=<your-CID>

Flag meanings:

  • -s — set a configuration value.
  • --cid=<your-CID> — the value being set is your Customer ID.
  • -f — force; write the value without an interactive confirmation prompt. This is useful in scripted/first-time setup and when overwriting an existing value.

If your tenant uses a provisioning token, set it in the same call:

sudo /opt/CrowdStrike/falconctl -s -f --cid=<your-CID> --provisioning-token=<token>

If the host reaches the internet through a proxy, configure it:

sudo /opt/CrowdStrike/falconctl -s -f --aph=<proxy-host> --app=<proxy-port>

To apply grouping tags so the host lands in the right host group/policy:

sudo /opt/CrowdStrike/falconctl -s -f --tags="KSA,Servers,Production"

Start the service

sudo systemctl start falcon-sensor
sudo systemctl enable falcon-sensor   # start at boot

On older SysVinit hosts, use sudo service falcon-sensor start instead.

3. Verify the sensor is healthy

Confirm the sensor is registered and running. Check the CID and the auto-assigned Agent ID (AID):

sudo /opt/CrowdStrike/falconctl -g --cid
sudo /opt/CrowdStrike/falconctl -g --aid

A populated AID means the sensor has successfully checked in to the cloud. Confirm the process is alive:

ps -e | grep falcon-sensor

Now check whether the sensor is in Reduced Functionality Mode (RFM). RFM is a safe mode the Linux sensor enters when the host kernel is not yet supported — in RFM it keeps sending heartbeats but does NOT generate detections, so it is effectively not protecting you:

sudo /opt/CrowdStrike/falconctl -g --rfm-state

If RFM is true / not supported, move the host to a kernel version the sensor supports, then pin kernel updates so it does not silently fall back into RFM after the next upgrade. On Windows, simply confirm the host appears as online and protected in the Falcon console host list.

4. Prepare a golden image (VDI / VM templates)

If you bake the sensor into a master image, each clone must register as a unique host. Before sealing the template, remove the agent ID so it regenerates on first boot of each clone:

sudo /opt/CrowdStrike/falconctl -d -f --aid

Here -d deletes a value and -f forces it without prompting. Failing to do this causes clones to collide on a single shared AID in the console.
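
The checks from steps 3 and 4 can be combined into one scripted gate that fails closed. The script below is an added example, not CrowdStrike's or this article's own code. The function names and verdict labels are hypothetical, and the falconctl output shapes it matches (cid="...", aid="..." or "aid is not set.", rfm-state=false.) are assumptions to confirm against your sensor version.

```shell
#!/usr/bin/env bash
# Added example: classify a Linux host from the three `falconctl -g` reads.
# ASSUMPTION: the output shapes matched here (cid="...", aid="..." or
# "aid is not set.", rfm-state=false.) are not taken from the article;
# adjust the patterns to what your sensor version actually prints.

FALCONCTL=/opt/CrowdStrike/falconctl

# Extract a quoted hex value such as cid="..." or aid="..."; prints nothing if absent.
quoted_value() {  # $1=key  $2=falconctl output
  printf '%s\n' "$2" | sed -n "s/.*$1=\"\([0-9A-Fa-f-]*\)\".*/\1/p" | head -n 1
}

# Mode "host": a deployed endpoint. Mode "template": a golden image about to be sealed.
falcon_verdict() {  # $1=mode  $2=cid output  $3=aid output  $4=rfm-state output
  local cid aid
  cid=$(quoted_value cid "$2")
  aid=$(quoted_value aid "$3")
  if [ -z "$cid" ]; then echo "NO_CID"; return 2; fi
  if [ "$1" = "template" ]; then
    # A sealed template must not carry an AID, or every clone shares it.
    if [ -n "$aid" ]; then echo "TEMPLATE_HAS_AID"; return 3; fi
    echo "TEMPLATE_READY"; return 0
  fi
  if [ -z "$aid" ]; then echo "NOT_CHECKED_IN"; return 4; fi
  case "$4" in
    *rfm-state=false*) echo "PROTECTED"; return 0 ;;
    # Anything else is treated as RFM: heartbeats only, no detections.
    *) echo "RFM_OR_UNKNOWN"; return 5 ;;
  esac
}

# Query the live sensor (needs root). Only runs when called explicitly.
check_host() {  # $1=mode (host|template)
  falcon_verdict "${1:-host}" \
    "$("$FALCONCTL" -g --cid 2>&1)" \
    "$("$FALCONCTL" -g --aid 2>&1)" \
    "$("$FALCONCTL" -g --rfm-state 2>&1)"
}

if [ "${1:-}" = "--check" ]; then check_host "${2:-host}"; fi
```

Run it as root with --check host after deployment, or --check template just before sealing an image; a non-zero exit code lets a deployment pipeline or image build stop on an unprotected host.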

5. Common troubleshooting

  • Sensor not appearing in the console: re-check the CID with falconctl -g --cid, confirm outbound HTTPS to the Falcon cloud is not blocked by a firewall or TLS-inspection proxy, and verify the process with ps -e | grep falcon-sensor.
  • No detections on Linux: check falconctl -g --rfm-state — an unsupported kernel is the usual cause.
  • Reviewing logs: Falcon writes to syslog; search with sudo grep -i falcon /var/log/messages | tail -n 100 (or /var/log/syslog on Debian/Ubuntu).

Need help at scale?

SKYLINE plans phased rollouts, packages silent installers for Intune/GPO/SCCM, tunes prevention policies and resolves RFM and connectivity issues across Saudi Arabia. See our CrowdStrike Falcon deployment & support service, browse the endpoint security category, or read the Falcon EDR/XDR deployment guide. Questions? Contact us on +966 50 993 9334 or via the Marketplace.

SKYLINE Engineering

@skyline

The engineering team at SKYLINE Industrial Solutions. We publish field-tested guides drawn from real KSA and GCC deployments.
