
Critical Update: Mitigation Steps for CrowdStrike-Induced BSOD

A recent auto-update from CrowdStrike Falcon Agent has been identified as causing affected Windows machines worldwide to enter a Blue Screen of Death (BSOD) state. 

CrowdStrike has rolled out a new patch that fixes this issue; however, it only helps endpoints that can still boot successfully. For systems stuck in a boot loop, manual intervention is necessary. This is not a cyberattack; at this time, it appears to be caused by a faulty CrowdStrike Falcon Agent update.

Many scripted solutions have already emerged, but please note that these scripts depend on the device booting, and will not be effective on devices that have already been affected. 

Mitigation Steps

Currently, manual intervention is the only way to mitigate the affected devices. Below are the steps to mitigate: 

  • Boot into Safe Mode or Windows Recovery Environment:

    • For systems with BitLocker enabled, you will need the BitLocker key to proceed.

  • Navigate to C:\Windows\System32\drivers\CrowdStrike

  • Locate and delete the file matching C-00000291*.sys.

  • Reboot the system, and boot the host normally.
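
The steps above as a PowerShell script, for use from an elevated prompt once the machine is in Safe Mode. This is an added example, not code from CrowdStrike or Automox; the parameter names are assumptions of the example, and it checks every mounted volume because the Windows volume is not always C: in a recovery session.

```powershell
# Added example (not vendor code). Preview first with:  .\script.ps1 -WhatIf
[CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
param(
    # File pattern and directory are the ones given in the mitigation steps.
    [string]$Pattern     = 'C-00000291*.sys',
    [string]$RelativeDir = 'Windows\System32\drivers\CrowdStrike'
)

# Look for the CrowdStrike driver directory on every mounted filesystem drive.
$dirs = @(Get-PSDrive -PSProvider FileSystem |
    ForEach-Object { Join-Path $_.Root $RelativeDir } |
    Where-Object { Test-Path -LiteralPath $_ -PathType Container })

if ($dirs.Count -eq 0) {
    # A locked BitLocker volume is not readable until it has been unlocked.
    Write-Warning "No '$RelativeDir' directory found. Unlock any BitLocker volume first."
    return
}

$removed = 0
foreach ($dir in $dirs) {
    $files = @(Get-ChildItem -LiteralPath $dir -Filter $Pattern -File -Force)
    if ($files.Count -eq 0) {
        Write-Host "No file matching $Pattern in $dir"
        continue
    }
    foreach ($file in $files) {
        # Show size and timestamp so the deletion can be recorded in the ticket.
        Write-Host ("Found {0} ({1} bytes, modified {2:u})" -f `
            $file.FullName, $file.Length, $file.LastWriteTimeUtc)
        if ($PSCmdlet.ShouldProcess($file.FullName, 'Delete file')) {
            Remove-Item -LiteralPath $file.FullName -Force
            # Confirm the file is really gone before counting it.
            if (-not (Test-Path -LiteralPath $file.FullName)) { $removed++ }
        }
    }
}

Write-Host "Deleted $removed file(s). Reboot and boot the host normally."
```

The script only deletes files matching the pattern from the steps above and prompts before each deletion.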

BitLocker Key Access

If the system utilizes BitLocker, booting into safe mode will require the BitLocker decryption keys to access the system and encrypted disk. 

For customers who have utilized Automox to generate and store their BitLocker keys, these can be quickly accessed within the Automox console. This feature ensures you have the necessary information at your fingertips, streamlining the recovery process.

For recovery of BitLocker keys through Microsoft, see https://learn.microsoft.com/en-us/windows/security/operating-system-security/data-protection/BitLocker/recovery-process

If your BitLocker keys are stored on an affected on-prem server, you can either restore from a backup or start searching through your desk or safe for the golden USB key.

Next Steps

While CrowdStrike has issued a patch for systems that are not in a boot loop, those experiencing continuous reboot cycles must undergo the manual mitigation steps outlined above. 

While manual intervention may be time-consuming, unfortunately, it’s the only way at this time.

Please note that all Automox systems are functioning as normal. https://status.automox.com/
