
Summary 

As a follow-up to the CrowdStrike Falcon agent issue impacting Windows clients and servers, we have released an updated recovery tool with two repair options to help IT administrators expedite the repair process. The tool automates the manual steps in KB5042421 (client) and KB5042426 (server). Download the signed Microsoft Recovery Tool from the Microsoft Download Center. You can use the tool to recover Windows clients, servers, and Hyper-V virtual machines (VM).

There are two repair options:

  • Recover from Windows PE: this option uses boot media that automates the device repair.

  • Recover from safe mode: this option uses boot media for affected devices to boot into safe mode. An administrator can then sign in using an account with local administrative privileges and run the remediation steps.

Determine which option to use

The option to recover from Windows PE quickly and directly recovers systems and doesn't require local administrative privileges. If the device uses BitLocker, you may need to manually enter the BitLocker recovery key before you can repair an affected system.

If you use a non-Microsoft disk encryption solution, refer to guidance from that vendor. They should provide options to recover the drive so that you can run the remediation script from Windows PE.

The option to recover from safe mode may enable recovery on BitLocker-enabled devices without requiring the entry of BitLocker recovery keys. You need access to an account with local administrator rights on the device.

Use this option for devices in the following situations:

  • The device uses TPM-only protectors.

  • The disk isn't encrypted.

  • The BitLocker recovery key is unknown.

If the device uses TPM+PIN BitLocker protectors, the user will either need to enter the PIN or you need to use the BitLocker recovery key.

If BitLocker isn't enabled, then the user only needs to sign in with an account with local administrator rights.

If you use a non-Microsoft disk encryption solution, refer to guidance from that vendor. They should provide options to recover the drive so that you can run the remediation script from safe mode.

Additional considerations

Some devices may not be allowed to connect to a USB drive. In this case, it may be better to reimage the device remotely using solutions such as Windows Autopilot.

With any recovery option, first test it on multiple devices before you use it broadly in your environment.

Create the boot media

Prerequisites to create the boot media

  1. A Windows 64-bit client with at least 8 GB of free space on which you can run the tool to create the bootable USB drive.

  2. Administrative privileges on the Windows client from prerequisite #1.

  3. A USB drive with a minimum size of 1 GB and no larger than 32 GB. The tool deletes all existing data on this drive and automatically formats it to FAT32.

Instructions to create the boot media

To create recovery media, from the 64-bit Windows client in prerequisite #1, use the following steps:

  1. Download the signed Microsoft Recovery Tool from the Microsoft Download Center.

  2. Extract the PowerShell script from the downloaded file.

  3. Open Windows PowerShell as an administrator and run the following script: MsftRecoveryToolForCS.ps1

  4. The tool downloads and installs the Windows Assessment and Deployment Kit (Windows ADK). This process might take several minutes to complete.

  5. Choose one of the two options for recovering affected devices: Windows PE or safe mode.

  6. Optionally select a directory that contains driver files to import into the recovery image. We recommend you select N to skip this step.

    1. The tool imports any SYS and INI files recursively under the specified directory.

    2. Certain devices, such as Surface devices, might need additional drivers for keyboard input.

  7. Select the option to either generate an ISO file or USB drive.

  8. If you choose the USB option:

    1. Insert the USB drive when prompted and provide the drive letter.

    2. Once the tool completes creating the USB drive, remove it from the Windows client.
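A pre-flight check for the prerequisites and for the "signed" download in steps 1 to 3 above, run before launching the script as an administrator. This is an added example, not part of the Microsoft tool; the drive letter `E`, the use of the system drive for the 8 GB free-space check, and the expected signer string `O=Microsoft Corporation` are assumptions.

```powershell
# Added example (not Microsoft's code): verify prerequisites and the script's
# Authenticode signature before running MsftRecoveryToolForCS.ps1 elevated.
param(
    [string]$ScriptPath     = '.\MsftRecoveryToolForCS.ps1',
    [string]$UsbDriveLetter = 'E'    # hypothetical; the tool will wipe this drive
)
$problems = @()

# Prerequisite 2: administrative privileges.
$principal = [Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    $problems += 'PowerShell is not running as an administrator.'
}

# Prerequisite 1: 64-bit Windows with at least 8 GB free
# (assumption: the space is needed on the system drive).
if (-not [Environment]::Is64BitOperatingSystem) { $problems += 'This is not 64-bit Windows.' }
$sysDrive = Get-PSDrive -Name ($env:SystemDrive.TrimEnd(':'))
if ($sysDrive.Free -lt 8GB) { $problems += "Less than 8 GB free on $env:SystemDrive." }

# Prerequisite 3: USB drive between 1 GB and 32 GB. Because the tool deletes
# all data on the target, also refuse anything that is not removable media.
$vol = Get-Volume -DriveLetter $UsbDriveLetter -ErrorAction SilentlyContinue
if (-not $vol) {
    $problems += "No volume found at ${UsbDriveLetter}:."
} elseif ($vol.DriveType -ne 'Removable') {
    $problems += "${UsbDriveLetter}: is '$($vol.DriveType)', not removable media."
} elseif ($vol.Size -lt 1GB -or $vol.Size -gt 32GB) {
    $problems += "${UsbDriveLetter}: is outside the 1 GB to 32 GB range."
}

# Steps 1-2: the extracted script must carry a valid signature.
$sig = Get-AuthenticodeSignature -FilePath $ScriptPath
if ($sig.Status -ne 'Valid') {
    $problems += "Signature status is '$($sig.Status)': $($sig.StatusMessage)"
} elseif ($sig.SignerCertificate.Subject -notmatch 'O=Microsoft Corporation') {
    # Assumed signer organization; compare with the certificate you expect.
    $problems += "Unexpected signer: $($sig.SignerCertificate.Subject)"
}

if ($problems) {
    $problems | ForEach-Object { Write-Warning $_ }
    exit 1
}
Write-Host "Checks passed. Signer: $($sig.SignerCertificate.Subject)"
```

If you plan to generate an ISO file instead of a USB drive, the USB check does not apply and its warning can be ignored.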

Instructions to use the recovery option

If you created media in the previous steps for Windows PE, use these instructions on affected devices.

Prerequisites to use the boot media for Windows PE recovery

  • You may need the BitLocker recovery key for each BitLocker-enabled and affected device.

    • If the affected device uses TPM+PIN protectors, and you don't know the PIN for the device, then you may need the recovery key.

Instructions to use the boot media for Windows PE recovery

  1. Insert the USB key into an affected device.

  2. Restart the device.

  3. During restart, press F12 to access the BIOS boot menu.

    Note: Some devices may use a different key combination to access the BIOS boot menu. Follow manufacturer-specific instructions for the device.

  4. From the BIOS boot menu, choose Boot from USB and continue. The tool runs.

  5. If BitLocker is enabled, the user will be prompted for the BitLocker recovery key. Include the dashes (-) when you enter the BitLocker recovery key. For more information on recovery key options, see Where to look for your BitLocker recovery key.

    Note: For non-Microsoft device encryption solutions, follow any steps provided by the vendor to gain access to the drive.

    1. If BitLocker isn't enabled on the device, you may still be prompted for the BitLocker recovery key. Press Enter to skip and continue.

  6. The tool runs the remediation steps as recommended by CrowdStrike.

  7. Once complete, remove the USB drive and restart the device normally.

If you created media in the previous steps for safe mode, use these instructions on affected devices.

Prerequisites to use the boot media for safe mode recovery

  • Access to the local Administrator account.

  • If the affected device uses BitLocker TPM+PIN protectors, and you don't know the PIN for the device, then you may need the BitLocker recovery key.

Instructions to use the boot media for safe mode recovery

  1. Insert the USB key into an affected device.

  2. Restart the device.

  3. During restart, press F12 to access the BIOS boot menu.

    Note: Some devices may use a different key combination to access the BIOS boot menu. Follow manufacturer-specific instructions for the device.

  4. From the BIOS boot menu, choose Boot from USB and continue.

  5. The tool runs and the following message appears:
    This tool will configure this machine to boot in safe mode. WARNING: In some cases you may need to enter a BitLocker recovery key after running.

  6. Press any key to continue. The following message appears:
    Your PC is configured to boot to Safe Mode now.

  7. Press any key to continue. The device restarts into safe mode.

  8. Run repair.cmd from the root of the media drive. The script runs the remediation steps as recommended by CrowdStrike.

  9. The following message appears:
    This tool will remove impacted files and restore normal boot configuration. WARNING: You may need BitLocker recovery key in some cases. WARNING: This script must be run in an elevated command prompt.

  10. Press any key to continue. The script runs and restores the normal boot mode.

  11. Once the tool completes successfully, the following message appears:
    Success. System will now reboot.

  12. Press any key to continue. The device restarts normally.

Use recovery media on Hyper-V virtual machines

You can use the recovery media to remediate affected Hyper-V virtual machines (VM). When you create the boot media, select the option to generate an ISO file.

Note: For non-Hyper-V VMs, follow instructions provided by your hypervisor vendor to use the recovery media.

Instructions to recover Hyper-V virtual machines

  1. On an affected VM, add a DVD Drive under Hyper-V settings > SCSI Controller.
     

  2. Browse to the recovery ISO and add it as an Image file under Hyper-V Settings > SCSI Controller > DVD Drive.

  3. Note the current Boot order so that you can manually restore it later. The following image is an example of a boot order, which may be different than the configuration of your VM.
     

  4. Change the Boot order to move up the DVD Drive as the first boot entry.
     

  5. Start the VM and press any key to continue booting to the ISO image.

  6. Depending on how you created the recovery media, follow the additional steps to use the Windows PE or safe mode recovery options.

  7. Set the boot order back to the original boot settings from the VM’s Hyper-V settings.

  8. Restart the VM normally.
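The same Hyper-V procedure scripted with the Hyper-V PowerShell module, which is useful when many VMs need the same treatment. This is an added example, not part of the Microsoft tool; the VM name and ISO path are constructed values, and it assumes a Generation 2 VM (DVD drive on the SCSI controller, firmware boot order) that is powered off.

```powershell
# Added example (not Microsoft's code). Run elevated on the Hyper-V host.
$VMName  = 'AffectedVM01'                   # constructed VM name
$IsoPath = 'C:\Recovery\MsftRecovery.iso'   # constructed path to the ISO from the tool

$vm = Get-VM -Name $VMName -ErrorAction Stop
if ($vm.Generation -ne 2) { throw "$VMName is not a Generation 2 VM; use the Hyper-V settings UI." }
if ($vm.State -ne 'Off')  { throw "$VMName must be turned off before its firmware settings are changed." }
if (-not (Test-Path -LiteralPath $IsoPath)) { throw "Recovery ISO not found: $IsoPath" }

# Step 3: record the current boot order so it can be restored exactly.
$originalBootOrder = (Get-VMFirmware -VMName $VMName).BootOrder
$originalBootOrder | Format-Table BootType, Description, FirmwarePath

# Steps 1-2: add a DVD drive and attach the recovery ISO to it.
$dvd = Add-VMDvdDrive -VMName $VMName -Path $IsoPath -Passthru

# Step 4: make the DVD drive the first boot entry.
Set-VMFirmware -VMName $VMName -FirstBootDevice $dvd

# Steps 5-6: start the VM; the key press and the Windows PE or safe mode
# steps are carried out in the VM console.
Start-VM -Name $VMName
Read-Host 'Finish the recovery in the VM console, shut the VM down, then press Enter here'

# Step 7: restore the boot order recorded above. The VM must be off again.
if ((Get-VM -Name $VMName).State -ne 'Off') { throw "Shut down $VMName before restoring the boot order." }
Set-VMFirmware -VMName $VMName -BootOrder $originalBootOrder

# Step 8: restart the VM normally.
Start-VM -Name $VMName
```

The recovery DVD drive stays attached after this runs; the restored boot order no longer lists it, so the VM boots from its original devices.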

Contact CrowdStrike

If, after following the above steps, you still experience issues logging into your device, please reach out to CrowdStrike for additional assistance.

Additional information

For more information on the issue impacting Windows clients and servers running the CrowdStrike Falcon agent, see the following resources:

References

The third-party products that this article discusses are manufactured by companies that are independent of Microsoft. We make no warranty, implied or otherwise, about the performance or reliability of these products.

We provide third-party contact information to help you find technical support. This contact information may change without notice. We do not guarantee the accuracy of this third-party contact information.
