Microsoft has released a new USB recovery tool to help IT administrators quickly repair Windows clients and servers affected by a recent issue with the CrowdStrike Falcon agent.
The problem has been impacting numerous Windows endpoints, causing disruptions for many organizations.
The signed Microsoft Recovery Tool, now available to download in the Microsoft Download Center, aims to expedite the repair process for affected devices.
To use the tool, administrators will need to follow a set of prerequisites and instructions provided by Microsoft.
How to Use the Tool:
Prerequisites include having a working 64-bit Windows client, a USB drive with at least 8GB of space, and the BitLocker recovery key for impacted devices.
The recovery tool itself does not utilize Microsoft Intune, but Microsoft is sharing this as a support tip to assist customers in need.
Microsoft has outlined the step-by-step process for generating the USB repair solution and using it to fix impacted devices.
The company encourages users to refer to their official guidance for more information on the CrowdStrike Falcon agent issue.
At a high level, the process involves:
- Downloading and running the tool on a 64-bit Windows client.
- Creating a bootable USB drive with the recovery solution.
- Using the USB drive to boot the impacted device and initiate the repair process.
Instructions to Generate the WinPE Recovery Media
- Download the signed Microsoft Recovery Tool from the Microsoft Download Center.
- Extract the PowerShell script from the downloaded package.
- Run MsftRecoveryToolForCSv2.ps1 from an elevated PowerShell prompt. The ADK will download, and media creation will begin, which may take several minutes.
- Select one of the two options mentioned for recovering affected devices.
- Optionally, select a directory that contains driver files to import into the recovery image. Keyboard and mass storage drivers may be needed. Network or other drivers are not required. It is recommended to select “N” to skip this step. The tool will import any SYS and INI files recursively under the specified directory.
- Choose to generate either an ISO or a USB drive and specify the drive letter.
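The prerequisites and the first steps above can be checked before the script is launched. The following pre-flight script is an added example, not part of Microsoft's tool or guidance; the default script path, the drive letter E, the expected signer organization, and the decimal reading of "8 GB" are assumptions.

```powershell
# Added example: pre-flight checks before running the recovery script.
# $ScriptPath and $UsbDriveLetter are assumed values; adjust them.
param(
    [string]$ScriptPath     = '.\MsftRecoveryToolForCSv2.ps1',
    [string]$UsbDriveLetter = 'E'
)

$failures = @()

# Prerequisite: a working 64-bit Windows client.
if (-not [Environment]::Is64BitOperatingSystem) {
    $failures += 'Operating system is not 64-bit.'
}

# The script must be started from an elevated PowerShell prompt.
$principal = [Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    $failures += 'PowerShell session is not elevated.'
}

# The tool is distributed signed: require a valid Authenticode signature.
if (-not (Test-Path -LiteralPath $ScriptPath)) {
    $failures += "Script not found: $ScriptPath"
} else {
    $sig = Get-AuthenticodeSignature -FilePath $ScriptPath
    if ($sig.Status -ne 'Valid') {
        $failures += "Signature status is '$($sig.Status)', expected 'Valid'."
    } elseif ($sig.SignerCertificate.Subject -notmatch 'O=Microsoft Corporation') {
        # Assumption: the signer organization is Microsoft Corporation.
        $failures += "Unexpected signer: $($sig.SignerCertificate.Subject)"
    }
}

# Prerequisite: a USB drive of at least 8 GB (assumed decimal, 8e9 bytes).
$part = Get-Partition -DriveLetter $UsbDriveLetter -ErrorAction SilentlyContinue
$disk = if ($part) { $part | Get-Disk }
if (-not $disk) {
    $failures += "No disk found for drive ${UsbDriveLetter}:"
} elseif ($disk.BusType -ne 'USB') {
    $failures += "Drive ${UsbDriveLetter}: is on bus '$($disk.BusType)', not USB."
} elseif ($disk.Size -lt 8e9) {
    $failures += "Drive ${UsbDriveLetter}: is smaller than 8 GB."
}

if ($failures) {
    $failures | ForEach-Object { Write-Warning $_ }
    exit 1
}
Write-Host "Pre-flight checks passed. Run $ScriptPath from this elevated session."
```

A signature status other than Valid (for example NotSigned or HashMismatch) means the file is not the signed package as published and should be downloaded again from the Microsoft Download Center.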
Prerequisites for Using the Boot Media
The BitLocker recovery key for each BitLocker-enabled impacted device may be required. For TPM-only protectors using safe boot, the recovery key is not needed. For TPM+PIN protectors, the recovery key may be necessary if the PIN is unknown.
Using Recovery from WinPE Media
- Insert the USB key into the impacted device.
- Reboot the device.
- During restart, press F12 (or follow manufacturer-specific instructions) to boot to BIOS.
- From the BIOS boot menu, choose Boot from USB and continue.
- The tool will run.
- If BitLocker is enabled, you will be prompted for the BitLocker recovery key. For third-party encryption, follow vendor-specific steps to access the drive.
- The tool will run issue-remediation scripts as recommended by CrowdStrike.
- Once complete, remove the USB drive and reboot the device normally.
Using Safe Boot Media
To repair an impacted device without using the BitLocker recovery key, if you have access to the local administrator account:
- Insert the USB key into the impacted device.
- Reboot the device.
- During restart, press F12 (or follow manufacturer-specific instructions) to boot to BIOS.
- From the BIOS boot menu, choose Boot from USB and continue.
- The tool runs.
- A message will appear: “This tool will configure this machine to boot in safe mode. WARNING: In some cases, you may need to enter a BitLocker recovery key after running.”
- Press any key to continue.
- A message will appear: “Your PC is configured to boot to Safe Mode now.”
- Press any key to continue, and the machine will reboot into safe mode.
- Run repair.cmd from the root of the media/USB drive. The script will execute remediation steps as recommended by CrowdStrike.
- A message will appear: “This tool will remove impacted files and restore normal boot configuration. WARNING: You may need the BitLocker recovery key in some cases. WARNING: This script must be run in an elevated command prompt.” Press any key to continue, the repair will run, and normal boot flow will be restored.
- Once successful, a message will appear: “Success. System will now reboot.” Press any key to continue, and the device will reboot normally.
As organizations grapple with the fallout from this CrowdStrike issue, the release of Microsoft’s recovery tool is a welcome relief, offering a streamlined solution to get affected Windows devices back up and running.
According to the Microsoft release notes, “We’ve updated the Microsoft Recovery Tool with new features and fixes based on customer feedback.”
The latest version now includes a safe boot recovery option, allowing you to create recovery media as an ISO file or a USB drive, improves ADK detection when the Windows Driver Kit is installed, and corrects USB disk size checks.