As you are likely aware, a recent CrowdStrike Falcon overnight update caused an outage of Microsoft services. If your organization has been impacted and you need help recovering, please contact us immediately. As your Microsoft services partner, we are here and ready to help you get back online following the CrowdStrike outage.
Below are the detailed instructions to recover individual hosts affected by this CrowdStrike outage.
Workaround Steps for Individual Hosts – for on-premises servers and virtual machines everywhere (including in Azure):
1. Boot Windows into Safe Mode or Windows Recovery Environment:
- Boot Windows into Safe Mode or the Windows Recovery Environment.
- Note: Using a wired network connection (as opposed to WiFi) and selecting Safe Mode with Networking can facilitate the remediation process.
2. Navigate to the CrowdStrike Drivers Directory:
- Navigate to the %WINDIR%\System32\drivers\CrowdStrike directory.
- Note: On WinRE/WinPE, navigate to the Windows\System32\drivers\CrowdStrike directory of the OS volume.
3. Delete the Problematic File:
- Locate the file matching C-00000291.sys and delete it.
4. Boot the Host Normally:
- Once the problematic file has been deleted, boot the host normally.
By following these steps, you should be able to recover individual hosts affected by the recent CrowdStrike Falcon update outage.
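Steps 2 and 3 can also be scripted. The following is an added example, not code from CrowdStrike or from the original post; it assumes a PowerShell session is available on the host (for example in Safe Mode), and the `-WindowsDir` and `-Remove` parameters are hypothetical names chosen for this example.

```powershell
# Added example: locate and delete the file named in step 3.
# Report-only by default; nothing is deleted unless -Remove is passed.
[CmdletBinding()]
param(
    # Assumption: Windows directory of the affected OS.
    # Defaults to the running OS (Safe Mode); point it at another
    # volume's Windows directory when that volume is not the booted OS.
    [string]$WindowsDir = $env:WINDIR,
    [switch]$Remove
)

$ErrorActionPreference = 'Stop'
$fileName  = 'C-00000291.sys'   # file name exactly as given in step 3
$driverDir = Join-Path $WindowsDir 'System32\drivers\CrowdStrike'

# Step 2: confirm the CrowdStrike drivers directory exists.
if (-not (Test-Path -LiteralPath $driverDir -PathType Container)) {
    throw "Directory not found: $driverDir"
}

# Step 3: locate the file; exit cleanly if it is already gone.
$target = Join-Path $driverDir $fileName
if (-not (Test-Path -LiteralPath $target -PathType Leaf)) {
    Write-Output "$fileName is not present in $driverDir; nothing to delete."
    return
}

# Record what was found before touching it (useful for the incident log).
Get-Item -LiteralPath $target -Force |
    Select-Object FullName, Length, LastWriteTimeUtc |
    Format-List

if (-not $Remove) {
    Write-Output 'Report only. Re-run with -Remove to delete the file.'
    return
}

# Delete, then verify the file is really gone before rebooting.
Remove-Item -LiteralPath $target -Force
if (Test-Path -LiteralPath $target) {
    throw "Delete failed: $target still exists."
}
Write-Output "Deleted $target. Boot the host normally (step 4)."
```

Run it from an elevated session, first without `-Remove` to confirm the path and file, then with `-Remove` to delete.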
If you encounter any issues following these steps or need further assistance, don’t hesitate to reach out to our support team. We are committed to ensuring your systems are up and running as quickly as possible.
~till next time
Ed Higgins
Executive, Director Security and Compliance Solutions, Security Office Leader
P.S. To learn more, check out this guide from CrowdStrike.