New Recovery Tool to help with CrowdStrike issue impacting Windows endpoints

Microsoft Community Hub

As a follow-up to the CrowdStrike Falcon agent issue impacting Windows clients and servers, Microsoft has released an updated recovery tool with two repair options to help IT admins expedite the repair process. The signed Microsoft Recovery Tool can be downloaded from the Microsoft Download Center: https://go.microsoft.com/fwlink/?linkid=2280386. This post includes detailed recovery steps for Windows clients, Windows servers, and operating systems hosted on Hyper-V. The two repair options are:

  • Recover from WinPE – this option produces boot media that runs the repair directly from the Windows Preinstallation Environment, without signing in to the device.
  • Recover from safe mode – this option produces boot media that configures the impacted device to boot into safe mode. The user then logs in with an account that has local administrator privileges and runs the remediation steps.

Determining which option to use

Recover from WinPE (recommended option)
This option recovers systems quickly and directly and does not require local admin privileges. However, if BitLocker is enabled on the device, you may need to enter the BitLocker recovery key manually before the repair can run. If you use a third-party disk encryption solution, refer to the vendor's guidance on unlocking the drive so that the remediation script can be run from WinPE.

Recover from safe mode
This option may allow recovery on BitLocker-enabled devices without entering a BitLocker recovery key, but it requires access to an account with local administrator rights on the device. Use this approach for devices with TPM-only protectors, devices that are not encrypted, or situations where the BitLocker recovery key is unknown. With TPM+PIN protectors, the user must either enter the PIN, if known, or supply the BitLocker recovery key. If BitLocker is not enabled, the user only needs to sign in with a local administrator account. For third-party disk encryption solutions, work with the vendor to determine how to unlock the drive so the remediation script can be run.

Additional considerations
Some devices may not be allowed to connect a USB drive (for example, where USB storage is blocked). In that case, reimaging the device may be the better option.

As with any recovery option, test on multiple devices prior to using it broadly in your environment.

Prerequisites to create the boot media

  1. A 64-bit Windows client with at least 8 GB of free disk space, from which the tool is run to create the bootable USB drive.
  2. Administrative privileges on the Windows client from prerequisite #1.
  3. A USB drive of at least 1 GB and at most 32 GB. All existing data on the drive will be wiped, and it will be formatted automatically as FAT32.

Instructions to generate the WinPE recovery media
To create recovery media, follow these steps on the 64-bit Windows client mentioned in prerequisite #1:

  1. Download the signed Microsoft Recovery Tool from the Microsoft Download Center.
  2. Extract the PowerShell script from the downloaded solution.
  3. Run MsftRecoveryToolForCSv2.ps1 from an elevated PowerShell prompt.
  4. The tool downloads the Windows ADK and starts media creation. This may take several minutes to complete.
  5. Choose one of the two options described above for recovering affected devices (see additional details below).
  6. Optionally select a directory containing driver files to import into the recovery image. Keyboard and mass storage drivers may be needed; network and other drivers are not required. We recommend selecting "N" to skip this step. If you do supply a directory, the tool imports every .sys and .inf file found recursively under it.
  7. Select the option to either generate an ISO or USB drive and specify drive letter.
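The pre-flight checks below are an added example and are not part of the Microsoft Recovery Tool. They verify the prerequisites and media-creation inputs listed above before MsftRecoveryToolForCSv2.ps1 is run: elevation, a 64-bit host, 8 GB of free space, a valid Microsoft Authenticode signature on the downloaded script, a USB disk in the 1–32 GB range, and that an optional driver folder actually contains .sys/.inf files. The extraction path, the driver folder, and the "Microsoft Corporation" subject match are assumptions.

```powershell
# Added example (not part of the Microsoft tool): pre-flight checks before running
# MsftRecoveryToolForCSv2.ps1. Run from an elevated PowerShell prompt on the 64-bit
# Windows client that will build the media. The two paths below are assumptions.

$ToolPath  = 'C:\Recovery\MsftRecoveryToolForCSv2.ps1'   # assumed extraction path
$DriverDir = 'C:\Recovery\Drivers'                        # assumed optional driver folder

$problems = @()

# 1. Elevation: the tool must run from an elevated prompt.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    $problems += 'Not running from an elevated prompt.'
}

# 2. 64-bit host.
if (-not [Environment]::Is64BitOperatingSystem) { $problems += 'Host is not 64-bit Windows.' }

# 3. At least 8 GB free on the system drive (ADK download and WinPE build land there).
$sys = Get-PSDrive -Name $env:SystemDrive.TrimEnd(':')
if ($sys.Free -lt 8GB) {
    $problems += ('Only {0:N1} GB free on {1}.' -f ($sys.Free / 1GB), $env:SystemDrive)
}

# 4. Signature: refuse an unsigned or tampered copy of the script. The subject match
#    is a simple assumption; adjust it to your own trust policy.
$sig = Get-AuthenticodeSignature -FilePath $ToolPath
if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'Microsoft Corporation') {
    $problems += "Signature check failed for ${ToolPath}: $($sig.Status)"
}

# 5. Candidate USB targets: removable disks between 1 GB and 32 GB. The chosen disk
#    is wiped, so only list them and let a human pick.
$usb = Get-Disk | Where-Object { $_.BusType -eq 'USB' -and $_.Size -ge 1GB -and $_.Size -le 32GB }
if (-not $usb) { $problems += 'No USB disk between 1 GB and 32 GB is attached.' }

# 6. Optional driver folder: the tool imports .sys and .inf files recursively.
if (Test-Path $DriverDir) {
    $drv = Get-ChildItem -Path $DriverDir -Recurse -Include *.sys, *.inf -File
    if (-not $drv) { $problems += "$DriverDir contains no .sys or .inf files." }
}

if ($problems) {
    $problems | ForEach-Object { Write-Warning $_ }
} else {
    'All prerequisites met. Candidate USB disks (all data on the chosen disk will be erased):'
    $usb | Format-Table Number, FriendlyName, @{n='SizeGB'; e={ [math]::Round($_.Size / 1GB, 1) }}
    Write-Host "Next: Set-Location '$(Split-Path $ToolPath)'; .\$(Split-Path $ToolPath -Leaf)"
}
```

The signature check is the one step worth keeping even if you skip the rest: the whole point of the tool being signed is that a copy passed around on a file share can be verified before it is run with administrator rights.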

Prerequisites for using the boot media
A BitLocker recovery key may be required for each BitLocker-enabled device on which the recovery media is used. With TPM-only protectors and the safe boot option, the recovery key is not required. With TPM+PIN protectors, the recovery key is needed if the PIN for the device is not known.
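The helpers below are an added example, not part of the Microsoft tool, covering the two decisions in "Determining which option to use" and the prerequisite above: classifying a device's BitLocker protectors to pick WinPE or safe mode, and pulling the escrowed recovery key for a device that is already stuck in a boot loop. The protector classification runs on a healthy device of the same model/policy group (the impacted one cannot be queried); the AD lookup assumes the RSAT ActiveDirectory module and keys escrowed to msFVE-RecoveryInformation objects; the Entra ID lookup assumes the Microsoft.Graph module with a session holding BitLockerKey.Read.All. Computer and device IDs in the usage lines are placeholders.

```powershell
# Added example (not part of the Microsoft tool). Assumptions: RSAT ActiveDirectory
# module for the AD lookup; Microsoft.Graph with BitLockerKey.Read.All for Entra ID.

# Classify the local device's OS-volume protectors so the same model/policy group can
# be mapped to "SafeMode" (TPM-only or unencrypted) or "WinPE" (PIN or key needed).
function Get-RecoveryOptionForLocalDevice {
    $osVol = Get-BitLockerVolume -MountPoint $env:SystemDrive
    if ($osVol.VolumeStatus -eq 'FullyDecrypted') {
        return [pscustomobject]@{ Protectors = 'none'; Option = 'SafeMode'; KeyNeeded = $false }
    }
    $types   = @($osVol.KeyProtector.KeyProtectorType | ForEach-Object { "$_" })
    # TPM-only means a plain 'Tpm' protector and none of TpmPin / TpmStartupKey / TpmPinStartupKey.
    $tpmOnly = ($types -contains 'Tpm') -and -not ($types | Where-Object { $_ -like 'Tpm?*' })
    [pscustomobject]@{
        Protectors = ($types -join ',')
        Option     = if ($tpmOnly) { 'SafeMode' } else { 'WinPE' }
        KeyNeeded  = (-not $tpmOnly)   # WinPE prompts for the 48-digit recovery password
    }
}

# Recovery password(s) escrowed to on-premises AD for a computer, newest first.
function Get-AdBitLockerRecoveryKey {
    param([Parameter(Mandatory)][string]$ComputerName)
    $computer = Get-ADComputer -Identity $ComputerName
    Get-ADObject -SearchBase $computer.DistinguishedName `
                 -Filter 'objectClass -eq "msFVE-RecoveryInformation"' `
                 -Properties 'msFVE-RecoveryPassword', 'whenCreated' |
        Sort-Object whenCreated -Descending |
        Select-Object @{n='Computer';         e={ $ComputerName }},
                      @{n='KeyId';            e={ $_.Name -replace '^.*\{(.+)\}$', '$1' }},
                      @{n='RecoveryPassword'; e={ $_.'msFVE-RecoveryPassword' }},
                      whenCreated
}

# Same lookup against Entra ID via Microsoft Graph. $DeviceId is the Entra device ID.
function Get-EntraBitLockerRecoveryKey {
    param([Parameter(Mandatory)][string]$DeviceId)
    Get-MgInformationProtectionBitlockerRecoveryKey -Filter "deviceId eq '$DeviceId'" |
        ForEach-Object {
            # The list call omits the key material; fetch each key by ID with -Property key.
            $full = Get-MgInformationProtectionBitlockerRecoveryKey -BitlockerRecoveryKeyId $_.Id -Property 'key'
            [pscustomobject]@{ KeyId = $_.Id; RecoveryPassword = $full.Key; Created = $_.CreatedDateTime }
        }
}

# Usage (placeholder identifiers):
#   Get-RecoveryOptionForLocalDevice
#   Get-AdBitLockerRecoveryKey -ComputerName 'WS-0042'
#   Get-EntraBitLockerRecoveryKey -DeviceId '00000000-0000-0000-0000-000000000000'
```

Treat the retrieved recovery passwords as secrets: export them for the technicians who need them and rotate or re-escrow the protector afterwards rather than leaving a spreadsheet of keys on a share.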

Using Recovery from WinPE media

  1. Insert the USB key into an impacted device.
  2. Reboot the device.
  3. During restart, press F12 (or follow manufacturer-specific instructions for booting to BIOS).
  4. From the BIOS boot menu, choose Boot from USB and continue.
  5. The tool will run.
  6. If BitLocker is enabled, the user is prompted for the 48-digit BitLocker recovery key, entered with its dashes. The key is normally escrowed in Active Directory, Entra ID, or the user's Microsoft account, depending on how the device was provisioned. For third-party device encryption solutions, follow the vendor's steps to gain access to the drive.
  7. The tool will run the issue-remediation scripts as recommended by CrowdStrike.
  8. Once complete, remove the USB drive and reboot the device normally.

Using Safe Boot media
To repair an impacted device without the BitLocker recovery key, if you have access to a local administrator account:

  1. Insert the USB key into an impacted device.
  2. Reboot the device.
  3. During restart, press F12 (or follow manufacturer-specific instructions for booting to BIOS).
  4. From the BIOS boot menu, choose Boot from USB and continue.
  5. The tool runs.
  6. The following message appears: "This tool will configure this machine to boot in safe mode. WARNING: In some cases you may need to enter a BitLocker recovery key after running."
  7. Press any key to continue.
  8. The following message appears: "Your PC is configured to boot to Safe Mode now."
  9. Press any key to continue.
  10. The machine reboots into safe mode.
  11. The user runs repair.cmd from the root of the media/USB drive. The script will run the remediation steps as recommended by CrowdStrike.
  12. The following message appears: "This tool will remove impacted files and restore normal boot configuration. WARNING: You may need BitLocker recovery key in some cases. WARNING: This script must be run in an elevated command prompt."
  13. Press any key to continue.
  14. The repair runs and the normal boot flow is restored.
  15. Once successful, the user will see the following message: “Success. System will now reboot.”
  16. Press any key to continue. The device will reboot normally.
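If repair.cmd is interrupted between steps 11 and 14, the device can be left configured to boot into safe mode. The snippet below is an added example, not part of the Microsoft tool, that checks and clears that state from an elevated prompt inside Windows. It assumes the tool switches to safe mode through the standard "safeboot" BCD element on the default OS entry, which is how Windows implements a safe-mode boot; run the tool's own repair.cmd first and use this only as a fallback.

```powershell
# Added example (not part of the Microsoft tool). Assumption: safe mode was set via the
# standard 'safeboot' BCD element on {default}. Run from an elevated prompt in Windows.

function Get-SafeBootState {
    # bcdedit prints one "element   value" pair per line; element names are not localized.
    $out = bcdedit /enum '{default}' 2>$null
    if ($LASTEXITCODE -ne 0) { throw 'bcdedit failed; this must run from an elevated prompt.' }
    foreach ($line in $out) {
        if ($line -match '^\s*safeboot\s+(\S+)') { return $Matches[1] }   # 'Minimal' or 'Network'
    }
    return $null
}

function Restore-NormalBoot {
    $state = Get-SafeBootState
    if (-not $state) {
        Write-Host 'Default boot entry is not set to safe mode; nothing to do.'
        return
    }
    Write-Host "Default boot entry has safeboot=$state; removing it."
    bcdedit /deletevalue '{default}' safeboot | Out-Null
    if ($LASTEXITCODE -ne 0) { throw 'bcdedit /deletevalue failed.' }
    if (Get-SafeBootState) { throw 'safeboot is still set after deletion; inspect bcdedit /enum output.' }
    Write-Host 'Normal boot configuration restored. Reboot when ready.'
}

# Usage:
#   Get-SafeBootState      # inspect only
#   Restore-NormalBoot     # clear safe mode and leave the reboot to the operator
```

Clearing safeboot changes the boot configuration, so on TPM-based BitLocker protectors a recovery key prompt on the next boot is possible; this is the same caveat the tool's own messages give in steps 6 and 12.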

Using recovery media on Hyper-V virtual machines
The recovery media can be used to remediate impacted Hyper-V virtual machines. To do so, select the option to generate an ISO when creating the recovery media using the steps above. For non-Hyper-V virtual machines, follow instructions provided by your hypervisor vendor to utilize the recovery media.

Steps to Recover Hyper-V virtual machines

  1. On the impacted virtual machine, add a DVD Drive under Hyper-V settings > SCSI Controller.
     [Screenshot: where to add the DVD Drive]
  2. Browse to the recovery ISO and add it as an Image file under Hyper-V Settings > SCSI Controller > DVD Drive.
     [Screenshot: where to add the image file]
  3. Note the current Boot order so that it can be restored manually later.
     [Screenshot: the original boot order]
  4. Change the Boot order to make the added DVD Drive the first boot entry.
     [Screenshot: changing the boot order]
  5. Start the virtual machine and press any key to continue booting to the ISO image.
  6. Depending on whether the WinPE or safe mode option was chosen when creating the recovery media, follow the corresponding steps above to repair the system.
  7. Set the boot order back to the original settings in the virtual machine's Hyper-V settings.
  8. Reboot normally.
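For more than a handful of VMs the Hyper-V Manager clicks above are worth scripting. The functions below are an added example, not part of the Microsoft tool, that perform the same steps with the Hyper-V PowerShell module on the local host for a Generation 2 (UEFI) VM: attach the ISO on a new SCSI DVD drive, capture the firmware boot order, put the DVD first, start the VM, and later restore the order and detach the ISO. The VM name and ISO path are assumptions; Generation 1 VMs use Set-VMBios -StartupOrder instead and are not handled here.

```powershell
# Added example (not part of the Microsoft tool). Requires the Hyper-V module and an
# elevated prompt on the host. VM name and ISO path below are assumptions.

$VMName  = 'APP-SRV-01'                        # assumed VM name
$IsoPath = 'C:\Recovery\MsftRecoveryTool.iso'  # assumed ISO produced by the tool

function Mount-RecoveryIso {
    param([Parameter(Mandatory)][string]$VMName, [Parameter(Mandatory)][string]$IsoPath)
    $vm = Get-VM -Name $VMName
    if ($vm.Generation -ne 2) { throw "$VMName is Generation $($vm.Generation); this example handles Gen2 only." }
    if (-not (Test-Path $IsoPath)) { throw "ISO not found: $IsoPath" }
    # The guest is boot-looping, so there is no state worth a graceful shutdown.
    if ($vm.State -ne 'Off') { Stop-VM -Name $VMName -Force }

    # Steps 1-2: add a DVD drive on the SCSI controller with the ISO attached.
    $dvd = Add-VMDvdDrive -VMName $VMName -Path $IsoPath -Passthru

    # Step 3: capture the current firmware boot order; the caller keeps it for the restore.
    $original = (Get-VMFirmware -VMName $VMName).BootOrder

    # Step 4: make the new DVD drive the first boot device.
    Set-VMFirmware -VMName $VMName -FirstBootDevice $dvd

    # Step 5: start the VM; open the console (vmconnect) and press a key to boot the ISO.
    Start-VM -Name $VMName
    return $original
}

function Restore-BootOrder {
    param(
        [Parameter(Mandatory)][string]$VMName,
        [Parameter(Mandatory)]$OriginalBootOrder,   # value returned by Mount-RecoveryIso
        [Parameter(Mandatory)][string]$IsoPath
    )
    # Steps 7-8: original boot order back, ISO detached, then a normal boot.
    if ((Get-VM -Name $VMName).State -ne 'Off') { Stop-VM -Name $VMName -Force }
    Set-VMFirmware -VMName $VMName -BootOrder $OriginalBootOrder
    Get-VMDvdDrive -VMName $VMName | Where-Object { $_.Path -eq $IsoPath } | Remove-VMDvdDrive
    Start-VM -Name $VMName
}

# Usage on the host:
#   $orig = Mount-RecoveryIso -VMName $VMName -IsoPath $IsoPath
#   ... complete the WinPE or safe mode repair in the VM console (step 6) ...
#   Restore-BootOrder -VMName $VMName -OriginalBootOrder $orig -IsoPath $IsoPath
```

Keep the returned boot order object in the session until the restore has run; a VM restored with the DVD still first in the order will simply boot the recovery media again.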

For more information on the issue impacting Windows clients and servers running the CrowdStrike Falcon agent, please see:

Thank you for your continued feedback through this post, support, and other feedback channels, such as @IntuneSuppTeam on X. Please note this tool does not use Microsoft Intune, but we're sharing as a Support tip to help customers. We’ll continue to provide updates to this post as needed.

Updates to this post
[7/21/2024] - Complete update of the blog post to describe the two options for recovery now using the updated signed Microsoft Recovery Tool. Many customers have used the tool and provided feedback, which we have incorporated. The new release includes a new option for recovery using safe boot, the option to generate ISO or USB, a fix for ADK detection when the Windows Driver Kit is installed, and a fix for the USB disk size check.

Source

New Recovery Tool to help with CrowdStrike issue impacting Windows endpoints - Microsoft Community Hub

Tran Phuc Hau