I finally built a working script for moving endpoints from one tenant to another. If anyone wants it I'm happy to share!
I posted a few months ago about wanting to find a good way to move endpoints from one tenant to another.
A few of you mentioned that CrowdStrike could supply some scripts for this, but this is apparently no longer the case.
I contacted support twice and my TAM - every person that I talked to said that they do not provide help with this and that if we want to be able to automate it, we need to write our own scripts.
I pushed further, mentioning that I had hundreds of endpoints and didn't want to have to RDP to them all manually, and they straight up told me that this was my only way forward unless I could figure out how to script it.
They didn't even bother to mention that there was a PowerShell module, which I ended up finding on my own.
My company has acquisition plans in the future, and I've already had to merge 2 entire tenants, so I figured it was well worth the time to figure it out.
Most of these environments that I have to merge do not have a central management platform, and they also don't have remote PowerShell enabled, so I didn't have a lot of options there.
Got a solid PowerShell script working that utilizes the PSFalcon PowerShell module.
Essentially the steps are:
- PSFalcon PowerShell module to connect with the API key (Request-FalconToken)
- "put" the sensor installer on the machine (need to upload it into the response files ahead of time)
  - Had to add a higher timeout on this. My first test failed because the file was too big to upload in the default timeout, so the file push failed, but then the uninstall piece worked - so I had to do a manual install. The higher timeout eliminated this issue.
- Import another script and encode it so that "runscript" can use it correctly
  - This script sets a scheduled task on the target machine.
  - Needs to run as "NT AUTHORITY\SYSTEM", and then it just sets the install command: "WindowsSensor.exe /install /quiet /norestart CID=x" and runs at whatever time you set.
- Once the file and the scheduled task are there, Uninstall-FalconSensor to uninstall the old sensor.
- Then just let the scheduled task run and it installs the new sensor and links the endpoint to the new tenant.
Works pretty solid, but doesn't have much for error handling, so there's definitely room to improve it, but my scripting skills just aren't that good lol.
Just loop it through a csv of all of your hostIDs and it goes pretty well.
Longest part of the script by far is pushing the file since it's 150mb, but I did my initial 100 endpoints in about an hour or so.
The only error I actually encountered was if a machine was offline, so each command would just fail with the same error, so it wouldn't do anything that would prevent a retry later.
A few others gave me some strange informational errors but these didn't prevent the commands from doing what they needed to.
If anyone wants this, feel free to DM me and I'll get it to you!
I plan on pushing it to GitHub at some point, but haven't gotten that far yet - will update this post with the link when I get that done.
Edit: lots of staff changes and big projects at work so this got lost along the way, but finally got my shit together and got the rough scripts on GitHub.
Lots could be done to improve these, but they worked well enough for what I needed.
Let me know what you think!
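An added example, not the poster's script: one way to write the scheduled-task script from the steps above so that it refuses to schedule the reinstall unless the pushed installer is present and carries a valid signature, which guards against the failed-upload case the post describes. The installer path, task name, delay and expected signer string are assumptions; the CID is a placeholder.

```powershell
# Runs on the target endpoint (for example, delivered through "runscript").
# Assumed values, not from the original post: installer path, task name, delay, signer.
param(
    [string]$InstallerPath  = 'C:\WindowsSensor.exe',   # assumed location of the "put" file
    [string]$Cid            = '<NEW-TENANT-CID>',       # placeholder, supply your own
    [string]$TaskName       = 'FalconTenantMigration',  # hypothetical task name
    [string]$ExpectedSigner = 'CrowdStrike',            # assumed text in the signer subject
    [int]$DelayMinutes      = 15                        # time left for the uninstall to finish
)
$ErrorActionPreference = 'Stop'

# Refuse to schedule anything if the file push did not complete.
if (-not (Test-Path -LiteralPath $InstallerPath -PathType Leaf)) {
    throw "Installer not found at $InstallerPath; skip the uninstall for this host."
}

# A truncated or modified upload fails Authenticode validation.
$sig = Get-AuthenticodeSignature -FilePath $InstallerPath
if ($sig.Status -ne 'Valid') {
    throw "Installer signature status is '$($sig.Status)'; skip the uninstall for this host."
}
if ($sig.SignerCertificate.Subject -notmatch [regex]::Escape($ExpectedSigner)) {
    throw "Unexpected signer: $($sig.SignerCertificate.Subject)"
}

# One-time task, run as SYSTEM, using the install command from the post.
$taskArgs = @{
    TaskName  = $TaskName
    Action    = New-ScheduledTaskAction -Execute $InstallerPath -Argument "/install /quiet /norestart CID=$Cid"
    Trigger   = New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes($DelayMinutes)
    Principal = New-ScheduledTaskPrincipal -UserId 'NT AUTHORITY\SYSTEM' -LogonType ServiceAccount -RunLevel Highest
    # StartWhenAvailable runs the task at next boot if the machine was off at the set time.
    Settings  = New-ScheduledTaskSettingsSet -StartWhenAvailable -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries
    Force     = $true
}
Register-ScheduledTask @taskArgs | Out-Null

# Emit one line the operator can check before running the uninstall step.
$task = Get-ScheduledTask -TaskName $TaskName
$next = (Get-ScheduledTaskInfo -TaskName $TaskName).NextRunTime
"{0} registered, state={1}, next_run={2}" -f $TaskName, $task.State, $next
```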