Microsoft Releases Repair Options for CrowdStrike Outage

In a recent update, Microsoft addressed the disruption caused by a faulty CrowdStrike update that impacted millions of Windows devices and plunged the industry into chaos. This update included a free recovery tool designed to streamline the repair process for IT administrators.

The tool automates recovery from the blue screen of death (BSOD) experienced by many users following the CrowdStrike issue. Additionally, a specific update caters to users running virtual machines within Microsoft’s Azure cloud platform.

Two repair options for most users

“As a follow-up to the CrowdStrike Falcon agent issue impacting Windows clients and servers, Microsoft has released an updated recovery tool with two repair options to help IT admins expedite the repair process,” said Microsoft in an updated blog post on Sunday.

Microsoft released a new recovery tool to address the disruption caused by a recent CrowdStrike update. This tool offers IT administrators two repair options compatible with Windows clients, servers, and Hyper-V virtual machines.

Repair options

1. Recover from WinPE (recommended): This method creates bootable media that utilizes the Windows PE environment. It directly repairs affected systems without requiring local admin privileges and automatically removes the problematic file. However, if BitLocker encryption is enabled, users may need to manually enter the recovery key before repairs begin.

Microsoft says that if a system uses a third-party disk encryption solution, consult the vendor’s documentation for instructions on preparing the drive for script execution within WinPE.

2. Recover from Safe Mode: This option creates bootable media that allows devices to boot into safe mode. Users with local admin rights can then log in and manually run repair steps. This method might bypass the need for a BitLocker key on specific configurations, but it’s recommended only for:
   • Devices with TPM-only protectors (Trusted Platform Module)
   • Unencrypted devices
   • Situations where the BitLocker recovery key is unavailable

If the two initial repair methods aren’t successful, Microsoft offers a more advanced approach for IT administrators familiar with PXE (Preboot Execution Environment). This method leverages the Windows Imaging Format (WIM) file created by the recovery tool and integrates it into an existing PXE environment. However, it requires the affected devices to be on the same network subnet as the PXE server.

Alternatively, for situations where the PXE server can be easily moved across subnets, a separate PXE server approach might be more suitable.

“Fortunately, we did not suffer any consequences from the Crowdstrike incident, and neither did our clients. However, we realize that this could have happened to any cybersecurity company, and it is my hope that our community will strive to understand and learn from this incident rather than putting blame on a person or entity,” said Chris Noles, president of Beyond Computer Solutions, Inc.

Noles goes on to say that while no one can predict the next target of an incident, businesses and managed services providers can work to control readiness and recovery strategies.

“It’s not about going back to old methods or dramatically changing our computing strategies,” added Noles. “Rather, it’s about enhancing our current practices, staying informed, and being agile in our response.”

The CrowdStrike and Microsoft outage caused chaos in many sectors for several days. Read more about how MSPs can help their customers prepare for the next incident.