On Friday 19 July 2024, Windows devices worldwide began crashing after a faulty content update that CrowdStrike pushed out for its Falcon sensor. Microsoft estimated that 8.5 million Windows devices hit the notorious Blue Screen of Death (BSOD) and fell into reboot loops. The resulting IT outages affected airports, hospitals, banks, companies, and government agencies globally. With many users and operations disrupted, IT and security teams had to act swiftly to remove the faulty CrowdStrike file from every affected machine. To aid in this effort, Microsoft released a custom Windows Repair Tool to remove the faulty CrowdStrike driver.
What is the Faulty CrowdStrike Driver?
The CrowdStrike update caused Windows devices worldwide to crash and enter continuous reboot loops, leading to significant disruptions across many sectors. Admins were left to boot each affected device manually into Safe Mode or the Windows Recovery Environment and delete the faulty file (the channel file named C-00000291*.sys, which the CrowdStrike kernel driver loads) from the C:\Windows\System32\drivers\CrowdStrike folder. Given the scale of the issue, with potentially hundreds or thousands of devices affected within a single organization, manual fixes were inefficient and overwhelming.
Tool to Remove Faulty CrowdStrike Driver
To tackle this, Microsoft released a custom Windows Repair Tool that removes the faulty CrowdStrike driver. The tool automates the manual steps detailed in KB5042421 (client) and KB5042426 (server), simplifying the recovery process, and is designed to restore affected systems to normal operation quickly and efficiently. It is available from the Microsoft Download Center and offers two recovery options, Windows PE and Safe Mode; choosing the right option for your devices is crucial for effective recovery.
Key Features of the Microsoft Recovery Tool:
- Automated Removal: The tool automates the identification and deletion of the faulty CrowdStrike driver, reducing the need for manual intervention.
- Ease of Use: Designed to be user-friendly, the tool requires minimal setup and can be run by IT staff with basic technical knowledge.
- Comprehensive Instructions: Detailed steps are provided for creating and using the recovery tool, ensuring a smooth remediation process.
Prerequisites for Using the Microsoft Recovery Tool
Before using the tool, IT staff need the following:
- A 64-bit Windows client (the technician machine used to build the USB drive) with at least 8 GB of free disk space
- Administrative privileges on that device
- A USB drive with at least 1 GB of storage, formatted with FAT32 (note: the USB drive must be 32 GB or smaller for Windows to format it with FAT32)
- BitLocker recovery keys for any affected devices that need them
Windows PE vs. Safe Mode Recovery Options
Windows PE:
- Quick Recovery: Recovers the system directly from the boot media, without requiring local administrator credentials on the affected device.
- BitLocker: You may need to manually enter the BitLocker recovery key before you can repair an affected system.
- Non-Microsoft Disk Encryption: Refer to the vendor’s guidance to recover the drive and run the remediation script.
Safe Mode:
- BitLocker Devices: May enable recovery on BitLocker-enabled devices without requiring the entry of BitLocker recovery keys.
- Local Administrator Rights: Requires access to an account with local administrator rights on the device.
- Use Cases: Suitable for devices with TPM-only protectors, non-encrypted disks, or unknown BitLocker recovery keys. For TPM+PIN protectors, either enter the PIN or use the BitLocker recovery key.
- Non-Microsoft Disk Encryption: Refer to the vendor’s guidance to recover the drive and run the remediation script.
Additional Considerations:
- USB Restrictions: Some devices may not allow USB drive connections. In such cases, reimaging the device remotely using solutions like Windows Autopilot may be preferable.
- Testing: Test any recovery option on multiple devices before deploying it broadly in your environment.
Steps to Create the Microsoft CrowdStrike Recovery Tool
- Download the Tool: Download the recovery tool (a PowerShell script) from the Microsoft Download Center.
- Prepare the USB Drive: Ensure the USB drive is formatted with FAT32.
- Run the PowerShell Script: Run the downloaded PowerShell script with administrative privileges. It formats the USB drive, builds a custom WinPE image, and makes the USB drive bootable.
- Boot the Impacted Device: Insert the USB drive into the affected Windows device and boot from it. The device will automatically run a batch file named CSRemediationScript.bat.
- Enter BitLocker Keys: If prompted, enter the BitLocker recovery key for the device.
- Delete the Faulty File: The script searches the C:\Windows\System32\drivers\CrowdStrike folder for the faulty channel file (C-00000291*.sys) and deletes it.
- Reboot the Device: Once the process is complete, the script will prompt you to press any key to reboot the device, which should now boot back into Windows normally.
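The procedure above, as an added PowerShell example rather than Microsoft's own CSRemediationScript.bat (this is not the tool's code): it locates the affected Windows volume, unlocks it with a BitLocker recovery password if one is supplied, and keeps a backup copy and a log of the deleted channel file, which the Microsoft script does not do. It assumes it is run as administrator either from Safe Mode on the affected device or from a WinPE image built with the PowerShell optional component, and that manage-bde.exe is present in that WinPE image when a BitLocker unlock is needed. The script name Remove-CSChannelFile.ps1 and the default working folder are assumptions.

```powershell
<#
  Remove-CSChannelFile.ps1 (added example; not Microsoft's CSRemediationScript.bat)
  Deletes the faulty CrowdStrike channel file named in KB5042421, keeping a backup
  copy and a log, which the Microsoft script does not create.
  Assumes: run as administrator from Safe Mode, or from WinPE with the PowerShell
  optional component; manage-bde.exe available if a BitLocker unlock is needed.
#>
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$OsDrive,            # e.g. 'C:' or 'D:'; auto-detected when omitted
    [string]$RecoveryPassword,   # 48-digit BitLocker recovery password, if the volume is locked
    [string]$WorkDir = (Join-Path $PWD.Path 'CSRemediation')  # backup + log location (assumed default)
)

$Pattern = 'C-00000291*.sys'     # file pattern given in KB5042421 and CrowdStrike's guidance
$LogFile = Join-Path $WorkDir 'remediation.log'
# WinPE marks itself with this registry key; its own RAM drive (usually X:) also has a Windows folder.
$InWinPE = Test-Path 'HKLM:\SYSTEM\CurrentControlSet\Control\MiniNT'

function Write-Log([string]$Message) {
    $line = '{0:u} {1}' -f (Get-Date), $Message
    Add-Content -LiteralPath $LogFile -Value $line
    Write-Host $line
}

function Find-WindowsVolume {
    # The installed OS is the volume holding a SYSTEM registry hive, skipping WinPE's own drive.
    foreach ($vol in Get-PSDrive -PSProvider FileSystem) {
        $letter = $vol.Root.Substring(0, 2)
        if ($InWinPE -and $letter -eq $env:SystemDrive) { continue }
        if (Test-Path -LiteralPath (Join-Path $letter 'Windows\System32\config\SYSTEM')) { return $letter }
    }
}

function Unlock-Volume([string]$Drive, [string]$Password) {
    # manage-bde exits 0 on a successful unlock; a wrong key or a non-BitLocker volume exits non-zero.
    & manage-bde.exe -unlock $Drive -RecoveryPassword $Password *> $null
    return ($LASTEXITCODE -eq 0)
}

New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null

if ($RecoveryPassword) {
    # Try the key on the named drive, or on every lettered volume when the OS drive is unknown.
    $candidates = if ($OsDrive) { @($OsDrive) } else { @(Get-PSDrive -PSProvider FileSystem | ForEach-Object { $_.Root.Substring(0, 2) }) }
    foreach ($letter in $candidates) {
        if (Unlock-Volume $letter $RecoveryPassword) { Write-Log "Unlocked $letter with the supplied recovery password"; break }
    }
}
if (-not $OsDrive) { $OsDrive = Find-WindowsVolume }
if (-not $OsDrive) { throw 'No readable Windows volume found. Pass -OsDrive and, for a locked disk, -RecoveryPassword.' }

$CsDir = Join-Path $OsDrive 'Windows\System32\drivers\CrowdStrike'
$Bad   = @(Get-ChildItem -LiteralPath $CsDir -Filter $Pattern -File -ErrorAction SilentlyContinue)
if ($Bad.Count -eq 0) { Write-Log "No $Pattern in $CsDir; nothing to remove"; return }

foreach ($f in $Bad) {
    if ($PSCmdlet.ShouldProcess($f.FullName, 'Back up and delete')) {
        $hash = (Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256).Hash
        Copy-Item -LiteralPath $f.FullName -Destination $WorkDir -Force
        Remove-Item -LiteralPath $f.FullName -Force
        Write-Log "Deleted $($f.FullName) ($($f.Length) bytes, SHA256 $hash); copy kept in $WorkDir"
    }
}
Write-Log "Done on $OsDrive. Reboot into Windows normally."
```

Run it first with `.\Remove-CSChannelFile.ps1 -WhatIf` to see which file would be removed without touching it; on a locked disk add `-RecoveryPassword '<48-digit key>'`. The SHA-256 in the log lets you confirm afterwards that what was deleted matched the file CrowdStrike identified, and the backup copy means the action is reversible if a device turns out to have been hit by something else.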
Considerations and Best Practices
- BitLocker Recovery Keys: Retrieve any necessary BitLocker recovery keys before attempting to recover devices. This is often the most challenging part of the process.
- No Logs or Backups: The Microsoft script neither writes a log nor keeps a backup copy of the file it deletes. Be aware of this before proceeding, and capture your own record if you need an audit trail.
- Prepare Ahead: Given the scale of potential impact, prepare ahead by gathering BitLocker recovery keys and understanding the full recovery process, so that downtime is kept to a minimum.
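Preparing ahead, as an added PowerShell example (not part of the Microsoft tool or of the original page): run on devices while they are still healthy, for example through your RMM or a scheduled task, it records each volume's recovery passwords together with the 8-character Key ID that the BitLocker recovery screen displays, decides from the protector types which of the two recovery options above applies, optionally escrows the keys to Active Directory or Entra ID with the BitLocker module's own cmdlets, and offers a lookup so a technician at the recovery prompt can find the right 48-digit key. The output path and the function names are assumptions; the cmdlets used are the built-in BitLocker module's.

```powershell
# Added example (not from the original page or the Microsoft tool). Needs the built-in
# BitLocker module and administrator rights. The default output path is an assumption.
Import-Module BitLocker -ErrorAction Stop

function Get-RecoveryOption {
    # Maps a volume's protector types to the Windows PE / Safe Mode decision described above.
    param($Volume)   # one object from Get-BitLockerVolume
    if ($Volume.VolumeStatus -eq 'FullyDecrypted') { return 'Not encrypted: Safe Mode, no key needed' }
    $types = @($Volume.KeyProtector.KeyProtectorType | Where-Object { $_ -ne 'RecoveryPassword' })
    if ($types.Count -eq 1 -and $types[0] -eq 'Tpm') { return 'TPM-only: Safe Mode, no key needed' }
    if ($types -match '^TpmPin') { return 'TPM+PIN: enter the PIN in Safe Mode, or use the recovery key' }
    return "Protectors $($types -join '+'): recovery key needed"
}

function Export-BitLockerRecoveryInfo {
    param(
        [string]$OutFile = "$env:ProgramData\CSRemediation\$env:COMPUTERNAME-bitlocker.csv",  # assumed path
        [switch]$EscrowToAD,      # Backup-BitLockerKeyProtector      -> Active Directory
        [switch]$EscrowToEntra    # BackupToAAD-BitLockerKeyProtector -> Entra ID
    )
    $rows = foreach ($vol in Get-BitLockerVolume) {
        $option = Get-RecoveryOption $vol
        $rp = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
        if ($rp.Count -eq 0) {
            [pscustomobject]@{ ComputerName = $env:COMPUTERNAME; MountPoint = $vol.MountPoint
                               ShortKeyId = ''; KeyProtectorId = ''; RecoveryPassword = ''; Option = $option }
            continue
        }
        foreach ($kp in $rp) {
            if ($EscrowToAD)    { Backup-BitLockerKeyProtector      -MountPoint $vol.MountPoint -KeyProtectorId $kp.KeyProtectorId | Out-Null }
            if ($EscrowToEntra) { BackupToAAD-BitLockerKeyProtector -MountPoint $vol.MountPoint -KeyProtectorId $kp.KeyProtectorId | Out-Null }
            [pscustomobject]@{
                ComputerName     = $env:COMPUTERNAME
                MountPoint       = $vol.MountPoint
                # The recovery screen shows only the first 8 characters of the protector GUID.
                ShortKeyId       = $kp.KeyProtectorId.Trim('{}').Substring(0, 8).ToUpper()
                KeyProtectorId   = $kp.KeyProtectorId
                RecoveryPassword = $kp.RecoveryPassword
                Option           = $option
            }
        }
    }
    New-Item -ItemType Directory -Path (Split-Path $OutFile) -Force | Out-Null
    $rows | Export-Csv -LiteralPath $OutFile -NoTypeInformation
    return $rows
}

function Find-RecoveryPassword {
    # At the recovery prompt: match the Key ID shown on screen to the stored 48-digit password.
    param([Parameter(Mandatory)][string]$ShortKeyId, [Parameter(Mandatory)][string[]]$CsvFiles)
    Import-Csv -LiteralPath $CsvFiles |
        Where-Object { $_.ShortKeyId -eq $ShortKeyId.ToUpper() } |
        Select-Object ComputerName, MountPoint, RecoveryPassword, Option
}

# Usage (paths assumed): on each healthy device
#   Export-BitLockerRecoveryInfo -EscrowToAD
# then at a recovery screen showing "Recovery key ID: A1B2C3D4"
#   Find-RecoveryPassword -ShortKeyId 'A1B2C3D4' -CsvFiles (Get-ChildItem C:\ProgramData\CSRemediation\*.csv).FullName
```

The CSV contains the recovery passwords in clear text, so treat it as a secret: write it to an access-controlled location, prefer the AD or Entra escrow as the system of record, and delete the file once devices are recovered. The Option column tells you before you touch a device whether Safe Mode will get you in without a key (TPM-only) or whether you must bring the PIN or the recovery key.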
Conclusion
On that Friday, many operations in Hong Kong and mainland China were also put out of order. Affected organizations can use this Microsoft Windows repair tool to remove the faulty CrowdStrike driver: it provides a streamlined solution to a widespread problem, enabling IT admins to quickly restore normal operations on impacted devices. By automating the removal process, Microsoft has significantly reduced the manual workload on IT staff, allowing organizations to recover from the disruption more efficiently. Get your systems back up and running by downloading the Microsoft Windows Repair Tool to remove the faulty CrowdStrike driver, and for more cybersecurity solutions, contact us.