Microsoft Releases the Recovery Tool

I had posted earlier regarding the issue resolved so continueing the same, I am sharing the details how to fix the issue signed methods of Microsoft. We are providing and merging authentic details from Microsoft and Crowdstrike on one platform to help expedite the repair process. Microsoft has released an updated recovery tool with two major repair options.  Microsoft Recovery Tool can be found in Download centre.

We will share here the complete recovery steps for the Windows client, Servers, and OS’s hosted on Hyper-V. The two repair options are as follows:

• Recover from WinPE – Using bootable media that will facilitate the device repair and to create bootable media can be used Recover from WinPE.
• Recover from safe mode – Impacted devices can boot into safe mode. The user can then login using an account with local admin privileges and run the remediation steps.

1. A Windows 64-bit client with at least 8GB of free space from which the tool can be run to create the bootable USB drive.
2. Administrative privileges on the Windows client from prerequisite #1.
3. A USB drive with max of 32GB. USB will be wiped and will be formatted automatically to FAT32.

Following steps on the 64-bit Windows to generate WinPE Recovery Media:

1. 1. Download the Microsoft Recovery Tool from the Microsoft Download Centre.
   2. Extract the PowerShell script.
   3. Run MsftRecoveryToolForCSv2.ps1 from an elevated PowerShell prompt.
   4. The ADK will download, and media creation will start. It may take several minutes to complete.
   5. Choose one of the two options mentioned above for recovering affected devices.
   6. Optionally select a directory that contains driver files to import into the recovery image.
   7. Select the option to either generate an ISO or USB drive and specify drive letter.

1. Insert the USB media into an impacted device and reboot it.
2. During restart, press F8/F12/Dell (or follow manufacturer-specific instructions for booting to BIOS).
3. From the BIOS boot menu, select Boot from USB and continue.
4. If BitLocker is enabled, the user will be prompted for the BitLocker recovery key including the dashes. The recovery key options are provided here. For third-party device encryption solutions, follow any steps provided by the vendor to gain access to the drive.
5. The tool will run the issue-remediation scripts as recommended by CrowdStrike.
6. Once complete, remove the USB drive and reboot the device normally.

Follow the below steps if you have access to the Local Administrator Account and want to fix the impacted device without using the Bitlocker Recovery Key:

1. 1. Insert the USB key into an impacted device and reboot it.
   2. During restart, press F8/F12/Dell (or follow manufacturer-specific instructions for booting to BIOS).
   3. From the BIOS boot menu, select Boot from USB and continue.
   4. The following message appears: “This tool will configure this machine to boot in safe mode. WARNING: In some cases, you may need to enter a BitLocker recovery key after running.”
   5. Press any key to continue.
   6. The following message appears: “Your PC is configured to boot to Safe Mode now.”
   7. Press any key to continue.
   8. The machine reboots into safe mode.
   9. The user runs repair.cmd from the root of the media/USB drive. The script will run the remediation steps as recommended by CrowdStrike.
   10. The following message appears: “This tool will remove impacted files and restore normal boot configuration. WARNING: You may need BitLocker recovery key in some cases. WARNING: This script must be run in an elevated command prompt.”
   11. Press any key to continue.
   12. The user repair will run and the normal boot flow will be restored.
   13. Once successful, the user will see the following message: “Success. System will now reboot.”
   14. Press any key to continue. The device will reboot normally.

CrowdStrike Falcon issue impacting Windows clients and servers, please check below different references from Microsoft Blogs and Crowdstrike Blog:

• • Additional recovery options are described in the following articles:
    • KB5042421: CrowdStrike issue impacting Windows endpoints causing an 0x50 or 0x7E error message on a …
    • KB5042426: CrowdStrike issue impacting Windows servers causing an 0x50 or 0x7E error message on a bl…
    • KB: New Recovery Tool to help with CrowdStrike issue impacting Windows endpoints – Microsoft Support
    • Windows 365 Cloud PC, customers may attempt to restore their Cloud PC to a known good state prior to the release of the update (July 19, 2024) as documented here: Enterprise or Business
  • For Windows Virtual Machines running on Azure follow the mitigation steps in Azure status
  • Additional details from CrowdStrike are available here: Statement on Falcon Content Update for Windows Hosts – CrowdStrike Blog