Microsoft releases recovery tool to find and remove the faulty CrowdStrike update

Microsoft has released a custom WinPE recovery tool to address the faulty CrowdStrike update that caused an estimated 8.5 million Windows devices to crash on Friday.

The problematic update from CrowdStrike led to millions of Windows devices worldwide experiencing Blue Screen of Death (BSOD) errors and entering reboot loops. This caused widespread IT outages, impacting airports, hospitals, banks, companies, and government agencies.

To resolve the issue, administrators initially needed to reboot affected devices into Safe Mode or the Recovery Environment and manually remove the faulty kernel driver folder. However, with potentially hundreds or thousands of devices affected, this manual process was impractical and time-consuming.

To assist IT admins and support staff, Microsoft released a custom recovery tool that automates the removal of the faulty CrowdStrike update, allowing devices to boot normally again.

“As a follow-up to the CrowdStrike Falcon agent issue impacting Windows clients and servers, we have released a USB tool to help IT Admins expedite the repair process,” states a Microsoft support bulletin.

To use the recovery tool, IT staff need a 64-bit Windows client with at least 8 GB of free space, administrative privileges, a USB drive with at least 1 GB of storage, and the BitLocker recovery key for any encrypted device. Note that the USB drive must be 32 GB or smaller so that it can be formatted as FAT32, which is required for booting.
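A pre-flight check for the prerequisites listed above, written here as an added example and not taken from Microsoft's USB creation script. It assumes a hypothetical `-UsbDiskNumber` parameter that identifies the target USB drive as listed by `Get-Disk`; every threshold (64-bit client, 8 GB free, elevated session, USB between 1 GB and 32 GB) comes from the article. Running it before the real script avoids the two most common mistakes: building on an unelevated session and formatting the wrong disk.

```powershell
# Added example: validate the article's prerequisites before running Microsoft's
# USB creation script. -UsbDiskNumber is an assumed parameter, not part of Microsoft's tool.
param(
    [Parameter(Mandatory = $true)]
    [int]$UsbDiskNumber
)

$problems = @()

# 1. The build host must be a 64-bit Windows installation.
if (-not [Environment]::Is64BitOperatingSystem) {
    $problems += "Host is not a 64-bit Windows installation."
}

# 2. The script must run with administrative privileges.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    $problems += "Session is not elevated; start PowerShell as an administrator."
}

# 3. At least 8 GB of free space on the system drive for the WinPE build.
$systemDrive = Get-PSDrive -Name ($env:SystemDrive.TrimEnd(':'))
$freeGB = [math]::Round($systemDrive.Free / 1GB, 1)
if ($systemDrive.Free -lt 8GB) {
    $problems += "Only $freeGB GB free on $($env:SystemDrive); at least 8 GB is required."
}

# 4. The target disk must really be a USB device, at least 1 GB, and at most 32 GB
#    (larger drives cannot be formatted as FAT32, which the boot media needs).
$usb = Get-Disk -Number $UsbDiskNumber -ErrorAction SilentlyContinue
if (-not $usb) {
    $problems += "No disk with number $UsbDiskNumber was found (run Get-Disk to list disks)."
} else {
    $sizeGB = [math]::Round($usb.Size / 1GB, 1)
    if ($usb.BusType -ne 'USB') {
        $problems += "Disk $UsbDiskNumber is on bus '$($usb.BusType)', not USB; refusing to continue because it may be a fixed disk."
    }
    if ($usb.Size -lt 1GB) {
        $problems += "Disk $UsbDiskNumber is $sizeGB GB; at least 1 GB is required."
    }
    if ($usb.Size -gt 32GB) {
        $problems += "Disk $UsbDiskNumber is $sizeGB GB; FAT32 formatting requires 32 GB or smaller."
    }
}

# Report the outcome with a non-zero exit code on failure so it can gate an automation step.
if ($problems.Count -eq 0) {
    Write-Host "All prerequisites satisfied for disk $UsbDiskNumber; safe to run Microsoft's USB creation script." -ForegroundColor Green
    exit 0
} else {
    Write-Host "Prerequisite check failed:" -ForegroundColor Red
    $problems | ForEach-Object { Write-Host " - $_" }
    exit 1
}
```

The BitLocker recovery key requirement applies to the affected devices rather than the build host, so it is not checked here; collect the keys for each encrypted device before booting it from the USB drive, because the recovery environment will ask for them.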

The recovery tool is created using a PowerShell script downloaded from Microsoft, which must be run with administrative privileges. The script formats the USB drive, creates a custom WinPE image, and copies it to the drive, making it bootable.

After booting the impacted Windows device from the USB key, a batch file named CSRemediationScript.bat runs automatically. The script prompts for any BitLocker recovery keys it needs, which can be retrieved by following the steps in Microsoft's bulletin.

This tool simplifies the recovery process, enabling IT admins to swiftly and effectively remove the problematic CrowdStrike update and restore functionality to affected Windows devices.
