Let’s check whether there is a fix for the Windows BSOD issue caused by the CrowdStrike update. All the significant organizations worldwide are impacted, and many news broadcasting agencies are down because their systems are not working.
All Windows 10 computers worldwide are getting this Blue Screen of Death (BSOD) error. The error reads: “Your PC ran into a problem and needs to restart. We’re just collecting some error info, and then we’ll restart for you. 20% complete.”
CrowdStrike is aware of reports of crashes on Windows hosts related to the Falcon Sensor. Symptoms include hosts experiencing a bug check or a blue screen error. Some workarounds have already been given, but you need admin access to fix this issue.
So, IT team intervention is required. The significant impact is that fixing these issues with remote management systems such as Microsoft Intune and SCCM is challenging. You can refer to the Microsoft update on this topic from here.
Microsoft added details to help recover Windows devices with faulty CrowdStrike updates. Joy even did a detailed analysis of Understanding Windows Trusted Boot—Integrity Check 1.
Not All Windows Devices are Impacted
Let’s understand that not all Windows devices are impacted here. Only devices with the particular file explained below are impacted. Channel file “C-00000291*.sys” with a timestamp of 0409 UTC is the problematic version.
- Symptoms include hosts experiencing a bugcheck\blue screen error related to the Falcon Sensor.
- Windows hosts which have not been impacted do not require any action, as the problematic channel file has been reverted.
- Windows hosts which are brought online after 0527 UTC will also not be impacted.
- This issue is not impacting Mac- or Linux-based hosts.
- Channel file “C-00000291*.sys” with a timestamp of 0527 UTC or later is the reverted (good) version.
- Channel file “C-00000291*.sys” with a timestamp of 0409 UTC is the problematic version.
Windows BSOD Issue caused by CrowdStrike Update
Symptoms include Windows 10 hosts experiencing a bugcheck\blue screen (BSOD) error related to the Falcon Sensor. CrowdStrike Engineering has identified a content deployment pertaining to this issue and reverted those changes.
Your organization’s Windows devices are still crashing with BSOD errors because of the CrowdStrike update, so they cannot stay online to receive the channel file changes.
BSOD loop error: “Your PC ran into a problem and needs to restart. We’re just collecting some error info, and then we’ll restart for you. 20% complete.”
This is another error message that you would be able to see on Windows devices. The heading of the error screen shows Recovery.
It looks like Windows didn’t load correctly.
If you’d like to restart and try again, choose “Restart my PC” below. Otherwise, choose “See advanced repair options” for troubleshooting tools and advanced options. If you don’t know which option is right for you, contact someone you trust to help with this.
The following are the options you would be able to see after the BSOD screen: See advanced repair options and Restart my PC.
Workaround FIX to Windows BSOD Issue caused by CrowdStrike Update
The manual workaround steps to resolve the issue are given below. This action requires administrative privileges on your Windows 10 devices.
Ensure you have admin access on the devices to complete the following steps to fix the Windows BSOD issue caused by the CrowdStrike update.
- Boot Windows into Safe Mode or the Windows Recovery Environment
- Navigate to the C:\Windows\System32\drivers\CrowdStrike directory
- Locate the file matching “C-00000291*.sys”, and delete it.
- Boot the host normally.
You will get the following error message when you don’t have admin access. Some devices might also give you an error stating that the CrowdStrike folder is not available or missing, as shown below.
Administrator: X:\windows\system32\cmd.exe
Microsoft Windows [Version 10.0.22621.1702]
(c) Microsoft Corporation. All rights reserved.
X:\Windows\System32>cd drivers
X:\Windows\System32\drivers>cd CrowdStrike
The system cannot find the path specified.
X:\Windows\System32\drivers>cd CrowdStrike
The system cannot find the path specified.
X:\Windows\System32\drivers>_
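The transcript above was taken at an X:\ prompt, while the CrowdStrike folder lives on the Windows installation volume, whichever letter that volume has in the session. As an added example (not from the original post or from CrowdStrike), this report-only PowerShell function looks for the channel file on every mounted file-system drive and labels each match using the two timestamps quoted earlier. The function name, the verdict labels and the availability of PowerShell in the session (Safe Mode, or a recovery image that includes it) are assumptions.

```powershell
# Added example, report-only: it lists channel file 291 and never deletes anything.
# Times are the two UTC timestamps given in the article; the date 2024-07-19 is
# taken from the cutoff in the script the article quotes.
$BadMinute = [datetime]::new(2024, 7, 19, 4, 9, 0, [System.DateTimeKind]::Utc)
$GoodFrom  = [datetime]::new(2024, 7, 19, 5, 27, 0, [System.DateTimeKind]::Utc)

function Get-ChannelFile291Status {   # hypothetical name
    [CmdletBinding()]
    param(
        # Drive roots to search. Default: every mounted file-system drive, because
        # the Windows volume is not always C: in a recovery session.
        [string[]]$Root = (Get-PSDrive -PSProvider FileSystem).Root
    )
    foreach ($r in $Root) {
        $dir = Join-Path $r 'Windows\System32\drivers\CrowdStrike'
        # Missing folder, empty drive or locked BitLocker volume: nothing to report.
        if (-not (Test-Path -LiteralPath $dir -ErrorAction SilentlyContinue)) { continue }
        Get-ChildItem -LiteralPath $dir -Filter 'C-00000291*.sys' -File -Force |
            ForEach-Object {
                $t = $_.LastWriteTimeUtc
                if ($t -ge $GoodFrom) {
                    $verdict = 'Reverted (good)'
                } elseif ($t -ge $BadMinute -and $t -lt $BadMinute.AddMinutes(1)) {
                    $verdict = 'Problematic'
                } else {
                    # The article gives no guidance for other timestamps.
                    $verdict = 'Unclassified'
                }
                [pscustomobject]@{
                    Path             = $_.FullName
                    LastWriteTimeUtc = $t.ToString('yyyy-MM-dd HH:mm:ss')
                    Verdict          = $verdict
                }
            }
    }
}

Get-ChannelFile291Status | Format-Table -AutoSize
```

A drive that shows no result may simply be a BitLocker volume that has not been unlocked yet, so an empty report is not proof that the file is absent.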
Intune or SCCM can FIX Windows BSOD Issue caused by CrowdStrike Update
Are you looking for an enterprise-level solution via Intune or SCCM to fix the Windows BSOD issue caused by the CrowdStrike update for 1000s of Windows 10 devices worldwide?
While writing this post, I found no method to fix the issue apart from running the following command with elevated permission on impacted devices.
Users report that 95% of work devices don’t have admin access, and significant device management tools such as SCCM and Intune can’t function on devices that are not connected to the network. The BitLocker recovery key is another major challenge for enterprises.
Run the following command with elevated permissions:
del C:\Windows\System32\drivers\CrowdStrike\C-00000291*.sys
PowerShell Script to Fix Windows BSOD Issue Caused by CrowdStrike Update
The IT community is here to help you fix the issue using a PowerShell script. Note that CrowdStrike already released a new channel file version to overwrite the one that caused everything to fail. This solution would have worked if the machines booted beyond BSOD long enough for a GPO or Microsoft Intune script to run.
Source – Automated CrowdStrike BSOD Workaround in Safe Mode using Group Policy · GitHub
# CrowdStrikeFix.ps1
# This script checks for a specific driver file, deletes it if it meets criteria, and reverts Safe Mode
$filePath = "C:\Windows\System32\drivers\CrowdStrike\C-00000291*.sys"
# Get-Date returns local time for a "Z" string; convert it so the comparison with LastWriteTimeUtc is UTC to UTC
$cutoffTime = (Get-Date "2024-07-19 04:27:00Z").ToUniversalTime()
if (Test-Path $filePath) {
    # The wildcard can match more than one file, so check each match separately
    foreach ($file in Get-Item $filePath) {
        $fileTime = $file.LastWriteTimeUtc
        if ($fileTime -lt $cutoffTime) {
            Write-Output "[MATCH] BAD C-00000291*.sys found. Timestamp: $($fileTime.ToString('yyyy-MM-dd HH:mm:ss'))"
            Remove-Item -LiteralPath $file.FullName -Force
            Write-Output "Deleted: $($file.FullName)"
        } else {
            Write-Output "[NONMATCH] GOOD C-00000291*.sys found. Timestamp: $($fileTime.ToString('yyyy-MM-dd HH:mm:ss'))"
        }
    }
} else {
    Write-Output "[NONMATCH] C-00000291*.sys not found."
}
# Revert Safe Mode Boot after Fix
# {current} is quoted so PowerShell passes it to bcdedit as text instead of parsing it as a script block
bcdedit /deletevalue '{current}' safeboot
Author
Anoop C Nair is a Microsoft MVP. He is a Device Management Admin with more than 20 years of experience (calculation done in 2021) in IT. He is a Blogger, Speaker, and Local User Group HTMD Community leader. His primary focus is Device Management technologies like SCCM 2012, Current Branch, and Intune. He writes about ConfigMgr, Windows 11, Windows 10, Azure AD, Microsoft Intune, Windows 365, AVD, etc.