Anyone affected by the flawed CrowdStrike Falcon sensor update can now visit a hub page where CrowdStrike collects all relevant information for system recovery. Despite all of the information, a lot of manual work remains necessary.
CrowdStrike bundles all information for restoring affected systems in the Centre for Renovation and Consulting: a portal page where victims of the destructive Falcon sensor update can find all relevant tips and procedures.
CrowdStrike initially published an apology from its CEO on the portal page. There you can also find the technical details of the error. Unfortunately, there is no automatic solution for systems in a boot loop.
CrowdStrike worked with Microsoft to create a recovery USB stick. Instructions on how to create one are available on the portal. Booting from this stick on an affected host will automatically delete the files causing the error.
BitLocker
But before the stick can work, administrators have to unlock affected systems with active BitLocker by entering the long, unique BitLocker key. Even with the stick, recovery still requires a lot of manual effort. CrowdStrike places links on the portal showing exactly where the BitLocker keys are located.
The bug also affects virtual machines and these need to be fixed as well. The easiest way is to restore the VMs to a snapshot from before CrowdStrike rolled out the poorly tested update, but you can also restore the VMs manually.
Systems with Intel vPro and Intel Active Management Technology can be restored remotely. This can simplify the process significantly, but administrators must also enter the BitLocker key for each affected and encrypted system.
CrowdStrike is trying to communicate the issue transparently and stresses that the outage is not a cyberattack. CrowdStrike’s systems continue to function properly, so customers remain protected from attackers.
Untested update
CrowdStrike automatically deployed an untested or insufficiently tested update to all systems running Falcon Sensor on Friday. The update installed silently and caused damage to Windows computers and servers. Affected devices get stuck in a boot loop with the associated Blue Screen of Death.
CrowdStrike stopped the (non-gradual) rollout of the destructive update too late. An estimated 8.5 million systems worldwide are affected, with immense impacts in the international aviation sector, among others.