Microsoft has rolled out a free tool aimed at rectifying the widespread IT disruption caused by a faulty CrowdStrike update, which has left 8.5 million Windows machines non-functional. The newly released tool is intended to aid IT administrators in recovering from the dreaded blue screen of death (BSOD) boot loop, a consequence of the update mishap.
Despite CrowdStrike's efforts to issue recovery guidance and a subsequent update to address the corrupted file, the sheer scale of the issue has rendered recovery complex. Microsoft had previously advised affected users to reboot their systems multiple times, particularly those using virtual machines within Azure. This new recovery tool is designed to provide a more robust solution where simpler methods have failed.
The Microsoft CrowdStrike Recovery Tool offers two distinct repair options and is compatible with Windows clients, servers, and operating systems hosted virtually on Hyper-V. The first option, recommended by Microsoft, utilizes the Windows PE recovery environment. This method allows recovery without needing local admin privileges, automating the deletion of the corrupt file via a USB drive. However, users with BitLocker encryption will need to manually enter the recovery key.
The second option may enable recovery on BitLocker-enabled devices without the need to input the BitLocker recovery key. This method involves safe mode recovery and requires an account with local admin rights. It is suitable for devices using TPM-only protectors, those not encrypted, or in cases where the BitLocker recovery key is unknown.
Admins preparing the recovery boot media need to meet the following prerequisites:
- A Windows 64-bit client with at least 8GB of free space.
- Administrative privileges on the Windows client.
- A USB drive with a minimum of 1GB and a maximum of 32GB, noting that all data on the USB will be wiped.
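Before building the media it is worth checking those prerequisites in one pass rather than discovering a missing one halfway through. The script below is an added illustration written for this article; it is not part of Microsoft's recovery tool. It assumes it is run in an elevated PowerShell session on the Windows client that will build the media, and the thresholds (8GB free, 1GB to 32GB USB) are the ones listed above. The function name `Test-RecoveryMediaPrereqs` is ours.

```powershell
# Pre-flight check for the recovery-media prerequisites listed in the article.
# Added example, not Microsoft's own tooling. Assumes an elevated session on
# the 64-bit Windows client that will write the USB drive.

function Test-RecoveryMediaPrereqs {
    [CmdletBinding()]
    param(
        # Free space required on the system drive (article: at least 8GB)
        [long]$MinFreeBytes = 8GB,
        # Supported USB size range (article: 1GB minimum, 32GB maximum)
        [long]$MinUsbBytes  = 1GB,
        [long]$MaxUsbBytes  = 32GB
    )

    $results = [ordered]@{}

    # 1. The client must be 64-bit Windows.
    $results['Is64BitOS'] = [Environment]::Is64BitOperatingSystem

    # 2. The current session must hold local administrator rights.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $results['IsAdmin'] = $principal.IsInRole(
        [Security.Principal.WindowsBuiltInRole]::Administrator)

    # 3. Enough free space on the system drive to stage the WinPE image.
    $sysDrive = Get-PSDrive -Name $env:SystemDrive.TrimEnd(':')
    $results['FreeGB']       = [math]::Round($sysDrive.Free / 1GB, 1)
    $results['HasFreeSpace'] = $sysDrive.Free -ge $MinFreeBytes

    # 4. At least one USB disk inside the supported size range. Everything on
    #    the chosen disk will be wiped, so list them for the admin to pick from.
    $usb = Get-Disk | Where-Object {
        $_.BusType -eq 'USB' -and
        $_.Size -ge $MinUsbBytes -and
        $_.Size -le $MaxUsbBytes
    }
    $results['CandidateUsbDisks'] = $usb | Select-Object Number, FriendlyName,
        @{ n = 'SizeGB'; e = { [math]::Round($_.Size / 1GB, 1) } }
    $results['HasUsb'] = ($usb | Measure-Object).Count -gt 0

    # Overall verdict: all four checks must pass before building the media.
    $results['Ready'] = $results.Is64BitOS -and $results.IsAdmin -and
                        $results.HasFreeSpace -and $results.HasUsb

    [pscustomobject]$results
}

Test-RecoveryMediaPrereqs | Format-List
```

The check lists every USB disk in range rather than choosing one, because the media build wipes the target and the admin should confirm the disk number explicitly. Separately, since the WinPE option prompts for the BitLocker recovery key on encrypted devices, confirm that the keys for the affected machines are retrievable from your escrow location before choosing that option; the safe-mode option only avoids the key prompt on TPM-only or unencrypted devices.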
Microsoft has advised users to test the recovery tool on multiple devices before deploying it broadly in a live environment.
Meanwhile, Microsoft has attributed the massive outage partly to European Union regulations. According to Microsoft, a 2009 agreement with the European Commission prevented it from making security changes that could have blocked the faulty CrowdStrike update. This agreement, which stemmed from a competition investigation, required Microsoft to allow multiple security providers to install software at the kernel level, a critical part of the operating system.
In contrast, Apple has restricted access to the kernel on its Mac computers since 2020 to enhance security and reliability. A Microsoft spokesperson told the Wall Street Journal that due to the EU agreement, Microsoft could not implement similar changes.
The faulty CrowdStrike update caused significant disruptions, including flight cancellations, disruptions in contactless payments, and the inability of GP surgeries to make appointments. The blue screen error left millions of computers and servers unusable until fixes were applied. Despite the initial chaos, CrowdStrike reported on Monday that a significant number of affected computers were back online and apologized for the disruption.
Data from OAG showed that 9,650 flights were canceled between Friday and Sunday, with US airline Delta being heavily affected. The NHS also reported that its systems were back online but warned of potential delays as services recovered.
The European Commission's intervention in the early 2000s, which led to the 2009 agreement, aimed to prevent Microsoft from leveraging its Windows software to gain unfair advantages in other areas such as web browsers. The agreement was intended to enhance user choice but has now been highlighted as a factor in the recent IT disaster.