Just curious, is there a reason why you decided to whitelist both Team ID and Bundle ID?
If I run "sqlite3 /var/db/SystemPolicyConfiguration/KextPolicy" and "SELECT * FROM kext_policy;"
Might be worth adding these in and see if it works better....
X9E956P446|com.crowdstrike.sensor|1|CrowdStrike Inc.|8
X9E956P446|com.crowdstrike.sensor.CSAA|1|CrowdStrike Inc.|8
X9E956P446|com.crowdstrike.sensor.FileInfo|1|CrowdStrike Inc.|8
X9E956P446|com.crowdstrike.sensor.IOServices|1|CrowdStrike Inc.|8
X9E956P446|com.crowdstrike.sensor.Kauth|1|CrowdStrike Inc.|8
X9E956P446|com.crowdstrike.libreactos|1|CrowdStrike Inc.|8
X9E956P446|com.crowdstrike.sensor.Network|1|CrowdStrike Inc.|8
X9E956P446|com.crowdstrike.NMR|1|CrowdStrike Inc.|8
X9E956P446|com.crowdstrike.platform|1|CrowdStrike Inc.|8
X9E956P446|com.crowdstrike.TDB|1|CrowdStrike Inc.|8
@huyinmobi
I would remove the "Approved Kernel Extensions" entries, save and try again.
Basically, what @donmontalvo said. I use this profile and it works, but I don't populate the field as mentioned above.
Yes, looks like if you specify the specific extensions (but not all of them, as @tjhall noted) then any that AREN'T explicitly on the list will NOT be allowed. It does make it confusing because your KEXT policy in Preferences > Policies applet won't show anything for the vendor unless you DO list the specific extensions, from what I've seen.
I've had no cause as of yet not to just use TEAM ID. I guess I could see circumstances where one would want some, but not all.
TEAM ID has been pretty good so far. I just deploy those on enrollment and login and all the software installs without drama on the user's end.
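The behaviour discussed in this thread, as an added example that is not part of any post: a Python check that takes kext_policy rows in the pipe-delimited form shown above and reports which bundle IDs a given allow-list would leave unapproved. The column meanings, the `profile` mapping (Team ID to a set of bundle IDs, where an empty set means the whole team is approved) and the two sample allow-lists are assumptions constructed for illustration.

```python
from typing import Dict, List, NamedTuple, Set

class KextRow(NamedTuple):
    team_id: str
    bundle_id: str
    allowed: bool      # third column, assumed to be the approval flag
    developer: str

# Sample rows copied from the query output in the thread.
SAMPLE_ROWS = """\
X9E956P446|com.crowdstrike.sensor|1|CrowdStrike Inc.|8
X9E956P446|com.crowdstrike.sensor.Kauth|1|CrowdStrike Inc.|8
X9E956P446|com.crowdstrike.platform|1|CrowdStrike Inc.|8
X9E956P446|com.crowdstrike.TDB|1|CrowdStrike Inc.|8
"""

# Constructed allow-lists (hypothetical): Team ID only vs. a partial bundle list.
TEAM_ONLY: Dict[str, Set[str]] = {"X9E956P446": set()}
PARTIAL: Dict[str, Set[str]] = {
    "X9E956P446": {"com.crowdstrike.sensor", "com.crowdstrike.platform"},
}

def parse_kext_policy(dump: str) -> List[KextRow]:
    """Parse sqlite3's default pipe-delimited output for kext_policy."""
    rows = []
    for line in dump.splitlines():
        line = line.strip()
        if not line:
            continue
        parts = line.split("|")
        if len(parts) < 4:
            raise ValueError(f"unexpected row: {line!r}")
        team, bundle, allowed, developer = parts[:4]
        rows.append(KextRow(team, bundle, allowed == "1", developer))
    return rows

def uncovered(rows: List[KextRow], profile: Dict[str, Set[str]]) -> List[str]:
    """Return bundle IDs the allow-list would not approve, per the thread:
    once specific bundles are listed for a team, unlisted ones are excluded."""
    missing = []
    for row in rows:
        listed = profile.get(row.team_id)
        if listed is None or (listed and row.bundle_id not in listed):
            missing.append(row.bundle_id)
    return missing

if __name__ == "__main__":
    rows = parse_kext_policy(SAMPLE_ROWS)
    print("Team ID only:", uncovered(rows, TEAM_ONLY))
    print("Partial list:", uncovered(rows, PARTIAL))
```

Running the same comparison against the full query output from a test machine shows, before the profile is deployed, which extensions a partial bundle list would miss.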