Microsoft Releases USB Recovery Tool for CrowdStrike Update Crashing Windows Endpoints

• Microsoft released an updated recovery tool for Windows machines after the faulty CrowdStrike update pushed on Friday.
• The updated fix provides the option of using a bootable USB drive to delete the troublesome CrowdStrike file automatically.
• Separate recovery steps are available for Virtual Machines running on Azure and all Windows 10 and 11 devices.

A problematic CrowdStrike update impacted Windows clients and servers on Friday, causing 8.5 million Windows machines worldwide to crash with a Blue Screen of Death (BSOD) and get stuck in reboot loops. In response, Microsoft has released an updated recovery tool with two repair options to help IT admins make the fixing process easier. 

Not all machines could automatically receive the initial fix. In some cases, IT admins needed to reboot PCs multiple times. Others had to manually boot into Safe Mode and delete the problematic CrowdStrike update file.

The new tool creates a bootable USB drive for quickly recovering affected machines. You can find the signed Microsoft Recovery Tool in the Microsoft Download Center (https://go.microsoft.com/fwlink/?linkid=2280386)

Microsoft’s recovery tool now boots into its Windows PE environment via USB, accessing the disk without booting into the local copy of Windows and automatically deleting the problematic CrowdStrike file to eliminate boot loops. 

The tool will prompt for the BitLocker recovery key first if a BitLocker encryption is present. Using this fix avoids booting into Safe Mode or having admin rights on the machine.

Separate recovery steps are available for Windows Virtual Machines (VMs) running on Azure and all Windows 10 and Windows 11 devices. When creating the recovery media for Hyper-V VMs, select the option to generate an ISO.

For devices that do not support USB connections, Microsoft recommends using the Preboot Execution Environment (PXE) option. If neither of these works for the affected device, the company suggests reimaging it.

Threat actors are already exploiting the situation to distribute Remcos RAT to CrowdStrike customers in Latin America.