CrowdStrike outages: Microsoft releases recovery tool

Microsoft has published an image for USB sticks that can be used to restore affected systems. Provided you have the BitLocker key.


(Image: Data Security Breach, Blogtrepreneur, CC BY 2.0)

This article was originally published in German and has been automatically translated.

The broken update to CrowdStrike's Falcon security software had such a devastating impact mainly because recovery requires physical access to each affected end device. Microsoft's Intune support team has now provided a signed tool that even less tech-savvy users can use to get their systems running again. It installs a rescue system on a USB stick; after booting from it, the rescue system executes the commands recommended by CrowdStrike to bring the affected system back up.

According to Microsoft, creating the bootable stick requires a client running any 64-bit Windows system and administrator rights on that system. A PowerShell script then downloads the image and installs it on the stick. Microsoft provides step-by-step instructions for subsequent use on its website. If the file system of the affected computer is encrypted with BitLocker, users are prompted to enter their BitLocker key during the recovery process, provided of course that the users or administrators have it to hand or can find it again. Without the key, the recovery system has no access to the encrypted file system and cannot delete the problematic file.

CrowdStrike fiasco: worldwide IT outages

The cause of the worldwide outage of countless Windows computers was a faulty update that made the Falcon agent's kernel driver, CSAgent.sys, crash. It was installed automatically on all systems that used the CrowdStrike software and were online last Friday between 06:09 and 07:27 German time. The exact cause of the error, which according to an initial estimate by Microsoft affected at least 8.5 million devices, is still being analyzed. The IT security expert Patrick Wardle currently appears to be the closest to pinning down the cause.

(ulw)