An angry admin shares the CrowdStrike outage experience

Pity the administrators who dutifully kept a list of those keys on a secure server share, only to find that the server is also now showing a screen of baleful blue.

Lol, can you imagine? It empathetically hurts me even thinking of this situation. Enter that brave hero who kept the fileshare decryption key in a local keepass :D

We can't boot into safe mode because our BitLocker keys are stored inside of a service that we can't login to because our AD is down.

Someone never tested their DR plans, if they even have them. Generally locking your keys inside the car is not a good idea.

Lmao this is incredible

Another Redditor posted: "They sent us a patch but it required we boot into safe mode.

"We can't boot into safe mode because our BitLocker keys are stored inside of a service that we can't login to because our AD is down.

"Most of our comms are down, most execs' laptops are in infinite bsod boot loops, engineers can't get access to credentials to servers."

N.B.: Reddit link is from the source

I hope a lot of c-suites get fired for this. But I’m pretty sure they won’t be.

Lemmy appears to be weathering the storm quite well.....

..probably runs on linux

This is why every machine I manage has a second boot option to download a small recovery image off the Internet and phone home with a shell. And a copy of it on a cheap USB stick.

Worst case I can boot the Windows install in a VM with the real disk, do the maintenance remotely. I can reinstall the whole thing remotely. Just need the user to mash F12 during boot and select the recovery environment, possibly input WiFi credentials if not wired.

I feel like this should be standard if you have a lot of remote machines in the field.

If you have EC2 instances running Windows on AWS, here is a trick that works in many (not all) cases. It has recovered a few instances for us:

• Shut down the affected instance.
• Detach the boot volume.
• Move the boot volume (attach) to a working instance in the same region (us-east-1a or whatever).
• Remove the file(s) recommended by Crowdstrike:
• Navigate to the C:\Windows\System32\drivers\CrowdStrike directory
• Locate the file(s) matching “C-00000291*.sys”, and delete them (unless they have already been fixed by Crowdstrike).
• Detach and move the volume back over to original instance (attach)
• Boot original instance

Alternatively, you can restore from a snapshot prior to when the bad update went out from Crowdstrike. But that is not always ideal.

I didnt know so many servers still run windows.

At least no mission critical services were hit, because nobody would run mission critical services in Windows, right?
..
RIGHT??

Sounds like the best time to unionize

lmao

It might be CrowdStrike's fault, but maybe this will motivate companies to adopt better workflows and adopt actual preproduction deployment to test these sort of updates before they go live in the rest of the systems.

80% of our machines were hit. We were working through 9pm on Friday night running around putting in bitlocker keys and running the fix. Our organization made it worse by hiding the bitlocker keys from local administrators.

Also gotta say... way the boot sequence works, combined with the nonsense with raid/nvme drivers on some machines really made it painful.

Permanently Deleted

I got super lucky. got paid for my car just before the dealership systems went down, got my return flight 2 days before this shit started.

Just a thought from experience: Be wary of any critical products and/or taking a job from a company run by an accountant. CrowdStrike CEO... accountant!

Accounting firms are an obvious exception.

Prod update on a friday morning? Non-malicious my ass.

If it only impacts a percentage of your machines then there was a problem in the deployment strategy or the solution wasn't worthwhile to begin with.

Yet again: Switch to Linux.

Why the fuck does an antivirus need a kernel driver