Microsoft releases a CrowdStrike recovery tool - here's how it works

Is your company home to any of the 8.5 million Windows PCs clobbered by the July 18 CrowdStrike-induced outage? If so, Microsoft has a new recovery tool designed to help you repair those corrupted computers and get them up and running again.

The outage was the result of a buggy software update from security provider CrowdStrike that impacted airports, banks, hotels, hospitals, and many other organizations. Only affecting Windows systems, the update triggered the dreaded Blue Screen of Death (BSOD) on millions of computers.

Also: What caused the great CrowdStrike-Windows meltdown of 2024?

In response, several system administrators on a Reddit thread shared a potential fix that requires you to boot a Windows PC into safe mode or the Windows Recovery Environment and delete a problematic CrowdStrike file. On Sunday, Microsoft also published steps for repairing computers suffering BSODs due to the update, which CrowdStrike cited on its own remediation page.

Each of those procedures requires several manual steps. To more fully automate the process, Microsoft devised its own recovery tool directed toward Windows clients, servers, and instances hosted on a Hyper-V virtual environment.

How it works

Unlike the fix from the system admins, Microsoft's tool automatically creates the necessary boot drive to boot up an affected computer. To use the boot media, the PC must be running a 64-bit version of Windows with at least 8GB of free space. Depending on how you boot up the computer, you may need local admin rights.

Also: Who needs ransomware when a faulty software update can shut down critical infrastructure?

You'll need a USB drive with a minimum of 1GB and a maximum of 32GB of storage. The tool will wipe all the data on the USB drive, and automatically format it to FAT32.

Like the system admin fix, Microsoft's tool also offers two options.

Safe Mode

You can start the PC in safe mode, log in using an account with local admin privileges, and then run the required repair steps. The advantage of the safe mode option is that you may be able to recover a BitLocker-enabled PC without the necessary BitLocker recovery keys. If the PC isn't secured with BitLocker, all you need to do is sign in with an account with local admin rights.

Windows Preinstallation Environment

Alternatively, you can boot the PC using the Windows Preinstallation Environment (WinPE) and then repair the computer. The WinPE option can recover a problematic PC more quickly and directly without requiring local admin rights, but you need to enter the BitLocker recovery keys for any BitLocker-enabled computer.

Microsoft's blog post on the recovery tool explains how to create and use the boot media. Based on early feedback on the tool, the company tweaked it on Sunday to add the safe boot option, let you create either a USB or ISO recovery file, and fix the USB size check.

Also: Microsoft is changing how it delivers Windows updates: 4 things you need to know

Although Microsoft's tool tries to automate the recovery steps, IT admins must visit each affected PC to implement the fix. That's a lot of work, especially in organizations with thousands or tens of thousands of computers.

Thursday's outage shows the vulnerability in becoming more dependent on technology to run critical businesses. Hopefully, it will serve as a lesson to vendors like CrowdStrike to establish stricter quality control guidelines.