New cybersecurity software coming to Michigan Medicine computers

October 25, 2021

To improve Michigan Medicine’s defenses against cyberattacks and ransomware, the organization is migrating to enhanced endpoint protection software powered by CrowdStrike Falcon.

The current endpoint protection platform, SentinelOne, will be replaced with CrowdStrike Falcon. Migrating to CrowdStrike provides a common platform across all of U-M to allow for better threat identification, mitigation and incident response activities. 

Here’s what you need to know:

  • The current cybersecurity software, SentinelOne, will be replaced with CrowdStrike Falcon on all kiosk computers between Oct. 25-27, and on CoreImage PCs starting Nov. 1. 
  • This change requires a reboot and could impact users who are on kiosk computers at the time maintenance is run (typically at 3 a.m.). 
  • This change is occurring immediately to mitigate performance issues with MiChart. 

User Impacts

When SentinelOne is removed, a reboot is required to complete the uninstallation process. 

  • Kiosk computers: Migration from SentinelOne to CrowdStrike is underway for Michigan Medicine kiosk computers from Oct. 25-27. Kiosk devices are shared computers that require user login and are typically found in clinical spaces. 
  • CoreImage PCs: Migration to CrowdStrike will occur for Michigan Medicine CoreImage PCs Nov. 1-15.

Kiosk & CoreImage PCs: What to expect

Rebooting a Kiosk or CoreImage PC will allow CrowdStrike Falcon to be registered as the primary endpoint agent for your workstation. Below are examples of a series of messages users can expect to see. 

If the computer is in use at the time it is targeted for the SentinelOne uninstallation, logged-in users will see the following dialog first. On kiosk computers, expect an automatic reboot with no deferral option. On CoreImage PCs, users can expect the option to defer the reboot.

Users may see this notification from Windows. This is an expected action.

Users will receive a five-minute non-deferrable reboot prompt at the end.

How CrowdStrike Falcon works

Once CrowdStrike Falcon is registered as the primary threat protection software, it will run in the background, and there will be no system tray icon as there was with SentinelOne. If a threat is detected on the device, the user is alerted via a pop-up message and the agent intervenes and blocks the process.

Examples of pop-up messages are provided below. If you see a pop-up, you do not need to take any action. The Cybersecurity Operations teams will be alerted behind the scenes and will monitor and evaluate the threat.

An example of when CrowdStrike intervenes and blocks a process:

An example of when CrowdStrike intervenes and quarantines a file:

If you experience any issues, please visit and submit a ticket. The IA Cybersecurity team will work to address any issues you may have.

For more about the CrowdStrike endpoint protection software, visit the U-M Safe Computing website.