Microsoft releases USB recovery tool to address CrowdStrike-induced Windows endpoint issues

This situation is a reminder of the importance of cooperation in the tech world to solve problems quickly and effectively.
On July 20, Microsoft published a new USB recovery tool designed to assist IT administrators in resolving issues caused by a faulty update from CrowdStrike. This comes in response to a recent incident where a CrowdStrike Falcon agent update led to widespread system crashes, affecting millions of Windows clients and servers globally.

The Microsoft Recovery Tool is now available for download from the Microsoft Download Center. It aims to simplify and expedite the repair process for impacted devices. The tool requires a Windows 64-bit client with at least 8GB of free space and administrative privileges to create a bootable USB drive.

Before using the tool, administrators need to ensure they have:

  • A 64-bit Windows client with at least 8GB of free space.
  • Administrative privileges on the Windows client.
  • A USB drive with at least 1GB of space (note that all existing data on this USB will be wiped).
  • The BitLocker recovery key for each BitLocker-enabled device that needs repair.

To generate the USB repair solution, administrators should:

  • Download the Microsoft Recovery Tool from the provided link.
  • Extract the PowerShell script from the downloaded file.
  • Run the script (MsftRecoveryToolForCS.ps1) from an elevated PowerShell prompt.
  • Follow prompts to install the ADK (Assessment and Deployment Kit), which may take several minutes.
  • Optionally, select a driver directory for image import, though it is recommended to skip this step unless specific drivers are needed.
  • Insert the USB drive when prompted and provide its drive letter.
  • Once the USB creation is complete, remove the USB drive.
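
The prerequisites and the elevated-script step above can be checked before anything is run or wiped. The following pre-flight script is an added example, not part of Microsoft's tool or the original article; its parameter names, the default script path, the use of the system drive for the 8GB check, and the expectation that the downloaded script carries an Authenticode signature are assumptions.

```powershell
# Added example: pre-flight checks before running MsftRecoveryToolForCS.ps1.
# Assumptions (not from the article): parameter names, default script path,
# and that the 8GB free-space requirement applies to the system drive.
param(
    [string]$ScriptPath = '.\MsftRecoveryToolForCS.ps1',
    [Parameter(Mandatory)][ValidatePattern('^[A-Za-z]$')][string]$UsbDriveLetter
)
$results = [System.Collections.Generic.List[object]]::new()
function Add-Check([string]$Name, [bool]$Passed, [string]$Detail) {
    $results.Add([pscustomobject]@{ Check = $Name; Passed = $Passed; Detail = $Detail })
}
# Administrative privileges: the script must run from an elevated prompt.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = [Security.Principal.WindowsPrincipal]::new($identity)
Add-Check 'Elevated PowerShell' $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator) $identity.Name
# 64-bit Windows client.
Add-Check '64-bit Windows' ([Environment]::Is64BitOperatingSystem) ([Environment]::OSVersion.VersionString)
# At least 8GB of free space on the client.
$sys = Get-Volume -DriveLetter $env:SystemDrive.TrimEnd(':')
Add-Check "8GB free on $env:SystemDrive" ($sys.SizeRemaining -ge 8GB) ('{0:N1} GB free' -f ($sys.SizeRemaining / 1GB))
# Target USB drive: at least 1GB. Some USB disks report as Fixed; confirm those by hand.
$usb = Get-Volume -DriveLetter $UsbDriveLetter -ErrorAction SilentlyContinue
if ($usb) {
    $ok = ($usb.Size -ge 1GB) -and ($usb.DriveType -eq 'Removable')
    Add-Check "USB drive ${UsbDriveLetter}:" $ok (
        "{0}, {1:N1} GB, label '{2}' (all data will be wiped)" -f $usb.DriveType, ($usb.Size / 1GB), $usb.FileSystemLabel)
} else {
    Add-Check "USB drive ${UsbDriveLetter}:" $false 'volume not found'
}
# Signature and hash of the extracted script. Assumption: the script is
# Authenticode-signed; any status other than Valid should be investigated first.
if (Test-Path -LiteralPath $ScriptPath) {
    $sig  = Get-AuthenticodeSignature -FilePath $ScriptPath
    $hash = (Get-FileHash -LiteralPath $ScriptPath -Algorithm SHA256).Hash
    Add-Check 'Script signature' ($sig.Status -eq 'Valid') (
        '{0}; signer: {1}; SHA256: {2}' -f $sig.Status, $sig.SignerCertificate.Subject, $hash)
} else {
    Add-Check 'Script signature' $false "not found: $ScriptPath"
}
$results | Format-Table -AutoSize -Wrap
if ($results.Passed -contains $false) { Write-Warning 'One or more pre-flight checks failed.'; exit 1 }
```

The volume label and drive type printed for the USB check are there so the operator can confirm the drive letter before the recovery script erases it.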

To repair an impacted device:

  • Insert the USB drive into the affected device.
  • Reboot the device and press F12 (or follow the manufacturer’s instructions) to access the BIOS boot menu.
  • Select the option to boot from USB.
  • If BitLocker is enabled, enter the BitLocker recovery key when prompted.
  • The tool will then run the necessary remediation scripts to fix the issue.
  • Reboot the device normally once the process is complete.

The CrowdStrike Falcon agent issue originated from a sensor configuration update that caused a system crash and the notorious Blue Screen of Death (BSOD) on Windows devices. This update, which was deployed between 04:09 UTC and 05:27 UTC on July 19, 2024, triggered a logic error in the configuration files. The affected Channel File, named “C-00000291-.sys,” was intended to enhance security by targeting newly observed malicious named pipes but instead led to widespread system crashes.

CrowdStrike has since issued a fix and provided instructions for remediation. However, for many IT administrators, the manual process of repairing each device individually presents a significant challenge. The new Microsoft USB recovery tool aims to alleviate this burden by offering a streamlined, automated solution.

Microsoft’s Intune Support Team has emphasized that this tool is shared as a support tip, despite not utilizing Microsoft Intune. They encourage users to reach out with any questions or feedback via the post or on Twitter (@IntuneSuppTeam). The team commits to providing continuous updates as needed.

Posted by Alex Ivanovs
