Microsoft Released a Recovery Tool for Windows to Help with CrowdStrike Issue

In response to the CrowdStrike Falcon agent issue that affected Windows clients and servers, Microsoft has upgraded its recovery tool and provided IT administrators with two repair alternatives to speed up the repair process. To access a signed version of the Microsoft Recovery Tool, visit the Microsoft Download Center at https://go.microsoft.com/fwlink/?linkid=2280386. We provide complete recovery instructions for Windows clients, servers, and operating systems hosted on Hyper-V in this document. There are two possibilities for repair:

Recover from WinPE: This option creates boot media to help repair the device.
Recover from Safe Mode: Create boot media using the “Recover from Safe Mode” option to enable affected devices to enter Safe Mode. After that, the user can perform remedial actions by logging in with an account that has local admin access.

Choosing the Appropriate Option to use

• Recover from WinPE (ideal choice)

This technique does not require local administrator rights and restores the system quickly and directly. If Bitlocker is used on the device, you may have to manually enter the recovery key before you can fix the affected devices. If you use a third-party disk encryption solution, please consult the vendor’s instructions on how to recover the drive so that WinPE can be used to run the remediation script.

• Recover from Safe Mode

On BitLocker-enabled devices, this option may allow recovery without requiring the entry of BitLocker recovery keys. To use this option, you need to have access to a device account that has local administrator privileges. Use this method only for devices with TPM protection, unencrypted devices, or scenarios where the BitLocker recovery key is unknown. But if the user is using TPM+PIN BitLocker protectors, they will need to either use the BitLocker recovery key or input the PIN, if they know it. The user will only need to sign in using an account with local administrator permissions if BitLocker is not enabled. In the event that third-party disk encryption products are used, please cooperate with these providers to identify ways to recover the drive so that remediation scripts can be executed.

• Additional Considerations

A USB disk may not connect to some devices. In this situation it may be better to reimage the device.
Test on several devices before implementing the recovery option widely in your environment, as you should with any other.

Requirements for Making the Boot Media

• A Windows 64-bit client with at least 8 GB of free space is required to run the application and make the USB disk bootable.
• Windows client administrative rights from Prerequisite #1.
• A minimum of 1GB and a maximum of 32GB USB drive. This will automatically format the USB to FAT32 and erase all its current contents.

Guidelines for creating the WinPE recovery media

Use the 64-bit Windows client described in condition #1 to perform the following actions to create the recovery media:

• From the Microsoft get Center, obtain a signed version of the Microsoft Recovery Tool.
• From the downloaded solution, extract the PowerShell script.
• Go to an elevated PowerShell prompt and execute MsftRecoveryToolForCSv2.ps1.
• After the ADK is downloaded, media creation can begin. It may take a few minutes to finish.
• To restore the affected devices, select one of the two alternatives above (more information is provided below).
• If you want, choose a directory to import the driver files into the recovery image. Mass storage and keyboard drivers may be required. No network or other drivers required. It is recommended that you select “N” to skip this step. Any SYS and INI files will be re-imported under the directory specified by the utility.
• Select the option to designate a drive letter and create an ISO or USB disk.

Requirements to Utilize the Boot Media

A BitLocker recovery key may be required for each BitLocker-enabled affected device that uses recovery media. A recovery key is not required if the Safe Boot option is selected and you are only using TPM protectors. In case you are using TPM+PIN protectors and you are not sure about the device PIN, you may need a recovery key.

Using Recovery from WindPE Media

• Insert the USB key into the device that is infected.
• Restart the device.
• Press F12 during restart (or boot into BIOS following the instructions provided by the manufacturer).
• Select Boot from USB from BIOS boot menu and proceed.
• The device will work.
• The user will be prompted for the BitLocker recovery key, including dashes, if BitLocker is enabled. These are recovery key alternatives. If you are using a third-party device encryption solution, access the disk by following the manufacturer’s instructions.
• This program will execute CrowdStrike’s recommended issue remediation scripts.
• After it finishes, remove the USB drive and restart the device normally.

Making use of Safe Boot material

If you can access a local administrator account and are able to repair the affected device without needing a BitLocker recovery key, follow these steps:

• Insert the USB key into the device that is infected.
• Restart the device.
• Press F12 during restart (or boot into BIOS following the instructions provided by the manufacturer).
• Select Boot from USB from BIOS boot menu and proceed.
• The tool will start running.
• “This tool will configure this machine to boot in Safe Mode,” appears the following message. Warning: After running, you may occasionally need to enter the BitLocker recovery key.”
• To proceed, press any key.
• It reads, “Your PC has just been configured to boot to Safe Mode.”
• To proceed, press any key.
• The system enters Safe Mode upon reboot.
• Repair.cmd is executed by the user from the root of the media/USB drive. The script will make corrections according to CrowdStrike’s recommendations.
• “This tool will remove the infected files and restore the normal boot configuration,” is the message that displays. Warning: Bitlocker recovery key may be required in certain situations. Warning: This script requires an elevated command prompt to run.”
• To proceed, press any key.
• After the user repair is complete, the regular boot configuration will resume.
• On success the user will get the following message: “Success. The system will now reboot.
• To proceed, press any key. The device will restart normally.

Final Wording

Review the full blog post to explain the two recovery options available with the latest signed version of the Microsoft Recovery Tool. We have taken into consideration the input provided by various users who have used this tool. A new secure boot recovery option, ISO or USB generation option, a patch to detect ADK when Windows Driver Kit is installed, and a fix for USB disk size checking are all included in the latest release.