Microsoft Releases Guidance To Work Around CrowdStrike Disaster


Taylor Bell

Published on Jul 20, 2024


Key Takeaways

  • CrowdStrike Falcon update caused global chaos with BSODs and bootloops on Windows devices.
  • Microsoft steps in with guidance: boot into Safe Mode, delete a specific file, and use a BitLocker key in some cases.
  • Azure users also affected; detailed Microsoft guidance available to resolve CrowdStrike disaster.

Yesterday, the world of IT was shaken on an unprecedented scale following a faulty CrowdStrike Falcon update issued on Windows devices by the cybersecurity company CrowdStrike. This knocked a huge number of enterprise PCs and systems offline, leaving them stuck in a bootloop, at a Blue Screen of Death (BSOD), or in Windows Recovery. Although CrowdStrike has documented some steps to mitigate the issue to some extent, Microsoft has now released its own guidance for IT admins to work around the problem.

What exactly is the CrowdStrike disaster?

On July 18, cybersecurity firm CrowdStrike Holdings released a kernel driver update for its Falcon agent installed on Windows endpoint devices. However, this update contained bugs, which resulted in PCs encountering BSODs with 0x50 and 0x7E errors and entering a bootloop state. This impacted enterprise entities all over the world, including airports, news companies, hospitals, software houses, and more. Although CrowdStrike later reverted the update, this did not fix the issue for machines that were already stuck in a bootloop.

What is Microsoft’s recommendation?

Although CrowdStrike has issued its own mitigation steps (which you can view here), and the problem wasn’t caused by Microsoft, the Redmond tech firm has seen fit to release its own guidance for its Windows customers. On its Windows Release Health dashboard, the company recommends following the steps below:

  1. Start Windows into Safe Mode or the Windows Recovery Environment.
  2. Navigate to the C:\Windows\System32\drivers\CrowdStrike directory.
  3. Locate the file matching “C-00000291*.sys”, and delete it.
  4. Restart the device.
  5. Recovery of systems requires a BitLocker key in some cases.
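
Steps 2 and 3 as a PowerShell script for a machine that has already booted into Safe Mode. This is an added example, not Microsoft's or CrowdStrike's code: the path and file pattern come from the steps above, while the parameter names and the sweep over every mounted drive are assumptions of the example.

```powershell
# Added example, not from Microsoft or CrowdStrike: steps 2-3 as a script.
# Run elevated in Safe Mode; pass -WhatIf first to list matches without deleting.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$Pattern     = 'C-00000291*.sys',                       # from step 3
    [string]$RelativeDir = 'Windows\System32\drivers\CrowdStrike'   # from step 2
)

$found = 0
$left  = 0

# Assumption: the Windows volume may not be mounted as C:, so check every drive.
foreach ($drive in Get-PSDrive -PSProvider FileSystem | Where-Object { $_.Root }) {
    $dir = Join-Path -Path $drive.Root -ChildPath $RelativeDir
    if (-not (Test-Path -LiteralPath $dir -PathType Container)) { continue }

    $hits = @(Get-ChildItem -LiteralPath $dir -Filter $Pattern -File -Force -ErrorAction SilentlyContinue)
    foreach ($file in $hits) {
        $found++
        # Record what is about to be removed, for the incident notes.
        '{0}  {1:u}  {2} bytes' -f $file.FullName, $file.LastWriteTimeUtc, $file.Length

        Remove-Item -LiteralPath $file.FullName -Force -ErrorAction Continue

        # Confirm the file is gone (it stays in place under -WhatIf).
        if (Test-Path -LiteralPath $file.FullName) {
            $left++
            Write-Warning "Still present: $($file.FullName)"
        }
    }
}

if ($found -eq 0) {
    # Step 5: a locked volume cannot be searched until its recovery key is entered.
    Write-Warning "No file matching $Pattern was found. Unlock any BitLocker-locked volume with its recovery key, then run again."
} elseif ($left -eq 0) {
    "Removed $found file(s). Restart the device (step 4)."
}
```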

That’s not all though; in its KB5042421 support article, Microsoft has provided even more details regarding multiple ways that you can mitigate and resolve the issue. Lastly, it’s also important to remember that Windows virtual machines running on Azure are impacted too, so IT admins managing those devices should follow the detailed guidance on offer here.
