KB5042429: New recovery tool to help with CrowdStrike issue impacting Windows devices

Prerequisites to create the boot media

1. A Windows 64-bit client with at least 8 GB of free space on which you can run the tool to create the bootable USB drive.

2. Administrative privileges on the Windows client from prerequisite #1.

3. A USB drive with a minimum size of 1 GB and no larger than 32 GB. The tool deletes all existing data on this drive and automatically formats it to FAT32.

Instructions to create the boot media

To create recovery media, from the 64-bit Windows client in prerequisite #1, use the following steps:

1. Download the signed Microsoft Recovery Tool from the Microsoft Download Center.

2. Extract the PowerShell script from the downloaded file.

3. Open Windows PowerShell as an administrator and run the following script: MsftRecoveryToolForCS.ps1

4. The tool downloads and installs the Windows Assessment and Deployment Kit (Windows ADK). This process might take several minutes to complete.

5. Choose one of the two options for recovering affected devices: Windows PE or safe mode.

6. Optionally select a directory that contains driver files to import into the recovery image. We recommend you select N to skip this step. ​​​​​​​

   1. The tool imports any SYS and INI files recursively under the specified directory.

   2. Certain devices, such as Surface devices, might need additional drivers for keyboard input.

7. Select the option to either generate an ISO file or USB drive.

8. If you choose the USB option:

   1. Insert the USB drive when prompted and provide the drive letter.

   2. Once the tool completes creating the USB drive, remove it from the Windows client.

Instructions to recovery Hyper-V virtual machines

1. On an affected VM, add a DVD Drive under Hyper-V settings > SCSI Controller.
    

2. Browse to the recovery ISO and add it as an Image file under Hyper-V Settings > SCSI Controller > DVD Drive.
   ​​​​​​​

3. Note the current Boot order so that you can manually restore it later. The following image is an example of a boot order, which may be different than the configuration of your VM.
    

4. Change the Boot order to move up the DVD Drive as the first boot entry.
    

5. Start the VM and press any key to continue booting to the ISO image.

6. Depending on how you created the recovery media, follow the additional steps to use the Windows PE or safe mode recovery options.

7. Set the boot order back to the original boot settings from the VM’s Hyper-V settings.

8. Restart the VM normally.

Prerequisites for PXE recovery

1. A 64-bit Windows device that hosts the boot image. This device is referred to as the “PXE server.”

   1. The PXE server can run on any supported Windows client 64-bit OS.

   2. The PXE server should have internet access to download the Microsoft PXE tool from the Microsoft Download Center. You can also copy it to the PXE server from another system on your network.

   3. The PXE server should have inbound firewall rules created for UDP ports 67, 68, 69, 547, and 4011. The downloaded PXE tool (MSFTPXEToolForCS.exe) updates the Windows Firewall settings on the PXE server. If the PXE server uses a non-Microsoft firewall solution, create rules following their recommendations.

      Note: This script doesn't clean up the firewall rules. You should remove these firewall rules after remediation is complete. To remove these rules from the Windows Firewall, open Windows PowerShell as an administrator and run the following command: MSFTPXEInitToolForCS.ps1 clean

   4. Administrative privileges to run the PXE tool.

   5. The PXE server requires the Microsoft Visual C++ Redistributable. Download and install the latest version.

2. The affected Windows devices should be on the same subnet as the PXE server. They should be hard-wired instead of using a Wi-Fi network.

Configure the PXE server

1. Download the Microsoft PXE tool from the Microsoft Download Center. Extract the contents of the zip archive to any directory. It contains all of the necessary files.

2. Open Windows PowerShell as an administrator. Change to the directory where you extracted the files and run the following command: MSFTPXEInitToolForCS.ps1

   1. The script scans for the Windows ADK and Windows PE Add-On installation on the PXE server. If they're not installed, the script installs them. To proceed with installation, review and accept the license terms.

   2. The script generates the remediation scripts and creates a valid boot image.

   3. If required, accept the prompt and provide a path containing the driver files. Driver files may be required for keyboard or mass storage devices. Generally, you won't need to add drivers. If you don't need any additional driver files, select N.

   4. You can configure the PXE server to deliver a default remediation image or a safe mode image. You'll see the following prompts:
      1. Boot to WinPE to remediate the issue. It requires entering BitLocker recovery key if system disk is BitLocker encrypted.
      2. Boot to WinPE configure safe mode and run repair command after entering safe mode. This option is less likely to require BitLocker recovery key if system disk is BitLocker encrypted.

   5. The script generates the required distribution files and provides the path where it copies the PXE server tool.

3. Double-check the prerequisites for PXE recovery, especially the Microsoft Visual C++ Redistributable.

4. From the PowerShell console as an administrator, change to the directory where the PXE server tool is copied, and run the following command to launch the listener process: .\MSFTPXEToolForCS.exe

   1. You won't see additional responses as the PXE server handles connections. Don't close this window as that will stop the PXE server.

   2. You can monitor the PXE server progress in the MSFTPXEToolForCS.log file in the same directory.

      Note: If you want to run multiple PXE servers for different subnets, copy the directory with the PXE server tool, and rerun steps 3 & 4.

Use PXE to recover an affected device

The affected device must be on the same subnet as PXE server. If the devices are in different subnets, configure IP helpers in your network environment to enable the discovery of the PXE server.

If the affected device isn't configured for PXE boot, follow these steps:

1. On the affected device, access the BIOS\UEFI menu.

   1. This action is different across different models and manufacturers. Refer to documentation provided by the original equipment manufacturer for the specific make and model of the device.

   2. Common options for accessing the BIOS\UEFI involve pressing a key like F2, F12, DEL, or ESC during the startup sequence.

2. Ensure Network boot is enabled on the device. For additional guidance, refer to documentation from the device manufacturer.

3. Configure the network boot option as the first boot priority.

4. Save the new settings. Restart the device for the settings to apply and boot from PXE.

When you PXE boot the affected device, the behavior will depend upon whether you chose Windows PE or safe mode recovery media for the PXE server.

For more information on these options, see the additional steps to use the Windows PE or safe mode recovery options.

1. For the Windows PE recovery option, the user is prompted to boot to Windows PE and the remediation script runs automatically.

2. For the safe mode recovery option, the device boots to safe mode. The user needs to sign in with the local Administrator account and manually run the script.

   1. In safe mode and signed in as the local Administrator, open Windows PowerShell as an administrator.

   2. Run the following commands:
      del %SystemRoot%\System32\drivers\CrowdStrike\C-00000291*.sys
      bcdedit /deletevalue {current} safeboot
      shutdown -r -t 00

Once complete, restart the device normally by responding to the prompt on the screen. Access the BIOS\UEFI menu and update the boot order to remove PXE boot.