The organization I work for thankfully wasn’t affected by the CrowdStrike incident, but I ended up assisting a subcontractor who works at our site since their IT team was of course swamped all day with calls.
This article covers two issues I ran into:
- How to get into Recovery mode on Windows 10/11 if the regular method of Restart + Shift or interrupting boot 3 times doesn’t work
- How to get into Safe Mode even if you get blocked by BitLocker
Getting into Recovery mode via SecureBoot toggling
This particular machine that was affected by the faulty CrowdStrike driver kept BSOD-ing, but it wouldn’t actually get to Recovery mode. Instead it would just boot back to the login screen and BSOD again.
I couldn’t get into Recovery mode by holding Shift while choosing Restart during the 2-3 seconds before it BSODs, and the method of interrupting Windows login by powering off the computer 3 times didn’t work either.
I accidentally discovered that a way to get into Recovery on this BitLocker enabled machine was to go into BIOS, turn SecureBoot off, and then use the BitLocker error to get into Recovery. These are the steps:
- Disabled Secure boot in BIOS and Rebooted
- At BitLocker screen, I clicked escape to get to the prompt where I can select Startup options by clicking F1
- Rebooted
- In BIOS I re-enabled SecureBoot
- Got back to the BitLocker screen. If you have a BitLocker key, enter it now and continue into Safe Mode. If you don’t have it, follow the steps below to get into Safe Mode from regular boot
- Got to Startup options and continued into Safe Mode
Getting into Safe Mode with BitLocker enable
Like I noted above, to get into Recovery Mode by toggling SecureBoot on a BitLocker enabled machine, you do need BitLocker keys. Since I was assisting a third party, I didn’t have the BitLocker keys for this computer. I followed these steps to enabled default boot into Safe Mode that allowed me to boot without having to enter BitLocker keys:
- Follow the same steps as above to get into Recovery mode
- Go to Troubleshoot > Advanced options > Command prompt
- Get a command prompt open, skip the warning about not being able to access the local drive due to BitLocker
- Run
bcdedit /set {default} safeboot minimal
orbcdedit /set {default} safeboot network
to boot into Safe Mode with networking - This forces the computer to boot into Safe Mode
- Reboot (SecureBoot should be re-enabled as above)
- Take the steps necessary to mitigate the issue (go to C:\Windows\System32\drivers\CrowdStrike, delete all C-00000291*.sys files)
- Reboot again, follow the SecureBoot BIOS steps do get back into Recovery mode
- Run
bcdedit /deletevalue {default} safeboot
to disable default booting into Safe Mode - The computer will now boot normally
I hope this helps some folks! Huge props to all IT teams working on this today. I got a weird and “safe” opportunity to mitigate this on a single machine for another organization, and working with their team was a humbling insight into how hard so many IT folks are working today. They are the real heroes of the day.
The post Mitigating the CrowdStrike outage without BitLocker keys + how to get into Windows Recovery mode via SecureBoot toggling appeared first on Vlado Vince.