BSI confirms workaround for CrowdStrike and Azure outages

According to the BSI, manually deleting a file fixes startup problems on Windows computers with CrowdStrike software. Microsoft Azure is also causing problems.

By Nico Ernst
This article was originally published in German and has been automatically translated.

On Friday afternoon, the head of the BSI, Claudia Plattner, addressed journalists at a press conference on the worldwide IT outages, which was scheduled at short notice. Plattner distinguished two separate causes of the problems: first, a faulty update for CrowdStrike's "Falcon Sensor" software; second, a configuration error that Microsoft pointed to in its Azure servers. Whether and how these events are connected was not explained, nor did it come up during the Q&A session with the journalists.

A statement from the BSI also links to this PDF, in which the authority confirms the workaround already announced by CrowdStrike itself: deleting the file C-00000291*.sys in the directory C:\Windows\System32\drivers\CrowdStrike. If this file has the timestamp 05:27 UTC 19.07.2024 or a later date, it is already the corrected version.
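The timestamp check described above can be run read-only before anything is deleted. The following Python sketch is an added example, not code from the BSI or CrowdStrike: it assumes "timestamp" means the file's last-modified time, that the directory may be passed in (for example from a mounted offline volume), and it uses constructed sample file names.

```python
import fnmatch
import os
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Values taken from the article.
PATTERN = "C-00000291*.sys"
DEFAULT_DIR = r"C:\Windows\System32\drivers\CrowdStrike"
CORRECTED_FROM = datetime(2024, 7, 19, 5, 27, tzinfo=timezone.utc)


def classify(mtime_utc):
    """05:27 UTC on 19.07.2024 or later counts as the corrected version."""
    return "corrected" if mtime_utc >= CORRECTED_FROM else "delete-candidate"


def triage(directory=DEFAULT_DIR):
    """Return sorted (name, mtime_utc, verdict) tuples. Deletes nothing."""
    results = []
    for entry in Path(directory).iterdir():
        # Windows file names are case-insensitive, so compare in lower case.
        if not entry.is_file():
            continue
        if not fnmatch.fnmatchcase(entry.name.lower(), PATTERN.lower()):
            continue
        # Assumption: the relevant timestamp is last-modified time.
        # Compare in UTC, never in the machine's local time zone.
        mtime = datetime.fromtimestamp(entry.stat().st_mtime, tz=timezone.utc)
        results.append((entry.name, mtime, classify(mtime)))
    return sorted(results)


def demo():
    """Run triage over constructed sample files in a temporary directory."""
    samples = {  # constructed names and times, for illustration only
        "C-00000291-00000000-00000001.sys": datetime(2024, 7, 19, 5, 26, tzinfo=timezone.utc),
        "c-00000291-00000000-00000002.SYS": datetime(2024, 7, 19, 5, 27, tzinfo=timezone.utc),
        "C-00000290-00000000-00000003.sys": datetime(2024, 7, 19, 4, 0, tzinfo=timezone.utc),
    }
    with tempfile.TemporaryDirectory() as tmp:
        for name, ts in samples.items():
            path = Path(tmp) / name
            path.write_bytes(b"")
            os.utime(path, (ts.timestamp(), ts.timestamp()))
        return [(name, verdict) for name, _, verdict in triage(tmp)]


if __name__ == "__main__":
    for name, verdict in demo():
        print(f"{verdict:17} {name}")
```

Only files reported as `delete-candidate` fall under the workaround; files that do not match the pattern are never listed.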

According to the BSI, CrowdStrike states that systems that were only switched on after this time may not be affected by the correction. It appears, however, that the corrected update did not arrive everywhere immediately on Friday morning: 5:27 a.m. UTC corresponds to 7:27 a.m. German time, yet the outages did not become more frequent worldwide until around an hour later. According to the BSI, Microsoft also observed the first outages from 19:00 UTC the evening before.

In addition to the problems with CrowdStrike, there was at the same time a misconfiguration by Microsoft itself in its Azure system. As a result, many services such as Teams, OneDrive, Microsoft Defender and SharePoint had no connection to the Azure servers. Microsoft points this out on the status page of its cloud services.

It will "still take a while" before all these difficulties are resolved, said BSI boss Plattner. Although numerous organizations have already brought their systems back online, the fact that the CrowdStrike file can often only be deleted manually is delaying repairs. Drives encrypted with BitLocker can also cause problems. The BSI guide also explains how to fix this and how to handle Windows installations with CrowdStrike in VMs.

(nie)