CrowdStrike update: Warnings from national cyber agencies, repair options from Microsoft

July 22, 2024

National cybersecurity agencies in the U.S., Canada, the U.K. and Australia issued security warnings about the faulty CrowdStrike Falcon update that bricked an estimated 8.5 million corporate PCs and servers around the world. At the same time, Microsoft released a recovery tool over the weekend to help IT leaders automate recovery from what for some organizations was a devastating systems collapse. And CrowdStrike is testing a new technique it says will accelerate impacted system remediation.

“We understand the gravity of this situation and are deeply sorry for the inconvenience and disruption,” CrowdStrike said in a statement on the failure, called by some the largest IT outage in history.

The company and cybersecurity experts also warned that threat actors are already taking advantage of the upheaval to push alleged CrowdStrike remediation solutions through phishing emails.

“Threat actors continue to use the widespread IT outage for phishing and other malicious activity,” warned the U.S. Cybersecurity and Infrastructure Security Agency. “CISA urges organizations to ensure they have robust cybersecurity measures to protect their users, assets, and data against this activity.”

Microsoft offered two repair options that start with downloading a recovery tool:

– recover with WinPE (Windows Preinstallation Environment, a lightweight version of the OS admins use for deployment of PCs), which produces removable boot media that will help facilitate device repair.

Microsoft recommends this option, which quickly and directly recovers systems and does not require local admin privileges. However, if Windows’ BitLocker encryption is used on the device, IT may need to manually enter the BitLocker recovery key and then repair impacted systems. Environments with a third-party disk encryption solution will have to refer to vendor guidance to determine options to recover the drive so that the remediation script can be run from WinPE;

– and a process for recovery through Windows Safe Mode, which produces boot media so impacted devices can boot into safe mode. An administrator can then log in using an account with local admin privileges and run the remediation steps.

This option may enable recovery on BitLocker-enabled devices without requiring the entry of BitLocker recovery keys, says Microsoft. For this option, you must have access to an account with local administrator rights on the device. Use this approach for devices using TPM-only protectors, devices that are not encrypted, or situations where the BitLocker recovery key is unknown. However, if utilizing TPM+PIN BitLocker protectors, the user will either need to enter the PIN if known, or the BitLocker recovery key must be used.

If BitLocker is not enabled, then the user will only need to sign in with an account with local administrator rights. If third-party disk encryption solutions are utilized, please work with those vendors to determine options to recover the drive so the remediation script can be run.

“As with any recovery option,” Microsoft cautions, “test on multiple devices prior to using it broadly in your environment.”

Note that some PCs and servers that can’t connect to a USB drive may have to be re-imaged.


Howard Solomon

Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times.

Jim Love

Jim is an author and podcast host with over 40 years in technology.
