CrowdStrike Causing BSOD

Are you guys up recovering servers knocked offline by CrowdStrike?

Yep, happy Friday. Just reboots have been solving it for many of our systems (Advanced Startup options then continue to Windows 10/11/Server). For the rest, we have to do the following steps:
1. Boot Windows into Safe Mode or WRE.
2. Go to C:\Windows\System32\drivers\CrowdStrike
3. Locate and delete file matching "C-00000291*.sys"
4. Boot normally.
Jim
On Fri, Jul 19, 2024 at 12:45 AM Eric Bennick via USHE-ISO < ushe-iso@lists.dixie.edu> wrote:
Are you guys up recovering servers knocked offline by CrowdStrike?
-- USHE-ISO mailing list USHE-ISO@lists.dixie.edu
https://urldefense.com/v3/__http://lists.dixie.edu/cgi-bin/mailman/listinfo/...
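
Steps 2 and 3 of the procedure above, written as a script for an elevated PowerShell session in Safe Mode. This is an added example, not part of the original thread; the parameter names and the log path are assumptions. It records each matching file's hash and timestamp before deleting it, and supports `-WhatIf` for a dry run.

```powershell
# Added example (hypothetical helper, not from the thread): remove the channel
# file named in the steps above and keep a record for the incident log.
[CmdletBinding(SupportsShouldProcess)]
param(
    # Windows directory of the affected install; assumed C:\Windows, but the
    # drive letter can differ when the disk is mounted from another system.
    [string]$WindowsRoot = 'C:\Windows',
    # Assumed location for the removal record.
    [string]$LogPath = "$env:TEMP\cs-channel-file-removal.csv"
)

$driverDir = Join-Path $WindowsRoot 'System32\drivers\CrowdStrike'
if (-not (Test-Path -LiteralPath $driverDir -PathType Container)) {
    Write-Warning "No CrowdStrike driver directory at $driverDir; nothing to do."
    return
}

# Match only the pattern given in the thread; other channel files stay in place.
$targets = @(Get-ChildItem -LiteralPath $driverDir -Filter 'C-00000291*.sys' -File)
if ($targets.Count -eq 0) {
    Write-Output "No files matching C-00000291*.sys in $driverDir."
    return
}

$record = foreach ($file in $targets) {
    # Hash before deletion so the removed file can be identified later.
    $hash = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash
    $removed = $false
    if ($PSCmdlet.ShouldProcess($file.FullName, 'Delete channel file')) {
        Remove-Item -LiteralPath $file.FullName -Force -ErrorAction Stop
        $removed = -not (Test-Path -LiteralPath $file.FullName)
    }
    [pscustomobject]@{
        Computer     = $env:COMPUTERNAME
        File         = $file.FullName
        LastWriteUtc = $file.LastWriteTimeUtc.ToString('o')
        SHA256       = $hash
        Removed      = $removed
    }
}

$record | Export-Csv -LiteralPath $LogPath -NoTypeInformation -Append
$record | Format-Table -AutoSize
```
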

I'll pass this along in case anyone has BitLocker triggered on workstations but no recovery keys. This is from the SAINTCON Discord, so I can't claim credit. I can validate that it works. It's modifying the Windows boot menu to go into Safe Mode, therefore allowing the TPM chip to be read and booting Windows.
On Fri, Jul 19, 2024, 9:51 AM Jim Shakespear shakespear@suu.edu wrote:
Yep, happy Friday. Just reboots have been solving it for many of our systems (Advanced Startup options then continue to Windows 10/11/Server). For the rest, we have to do the following steps:
- Boot Windows into Safe Mode or WRE.
- Go to C:\Windows\System32\drivers\CrowdStrike
- Locate and delete file matching "C-00000291*.sys"
- Boot normally.
Jim
On Fri, Jul 19, 2024 at 12:45 AM Eric Bennick via USHE-ISO < ushe-iso@lists.dixie.edu> wrote:
Are you guys up recovering servers knocked offline by CrowdStrike?
-- JIM SHAKESPEAR | Chief Information Security Officer / Director of IT Security / Institutional Data Privacy Officer, INFORMATION TECHNOLOGY, SOUTHERN UTAH UNIVERSITY, ELC513 | (435) 865-8202