CrowdStrike issue impacting Windows endpoints causing an error message on a blue screen
Updated on July 21, 2024: As a follow-up to the CrowdStrike Falcon agent issue impacting Windows clients and servers, Microsoft has released an updated recovery tool with two repair options to help IT admins expedite the repair process. Based on customer feedback, this new release includes a new option for recovery using safe boot, the option to generate ISO or USB, a fix for ADK detection when the Windows Driver Kit is installed, and a fix for the USB disk size check. See the revised New Recovery Tool to help with CrowdStrike issue impacting Windows endpoints for detailed instructions on using the signed Microsoft Recovery Tool.
Updated on July 20, 2024: Microsoft has released KB5042426, which contains step-by-step guidance for Windows Servers hosted on-premises that are running the CrowdStrike Falcon agent and encountering a 0x50 or 0x7E error message on a blue screen. We will continue to work with CrowdStrike to provide the most up-to-date information available on this issue.
A new USB Recovery Tool is available to help IT admins expedite the repair process. The new tool can be found in the Microsoft Download Center. Read more about the new recovery tool and usage instructions at New Recovery Tool to help with CrowdStrike issue impacting Windows endpoints.
Updated on July 19, 2024: A new Knowledge Base article, KB5042421, with additional step-by-step guidance is now available for Windows 11 and Windows 10 clients. We will continue to work with CrowdStrike to provide up-to-date mitigation information as it becomes available.
Microsoft has identified an issue impacting Windows endpoints that are running the CrowdStrike Falcon agent. These endpoints may encounter an error message on a blue screen and experience a continual restarting state.
We have received reports of successful recovery from some customers attempting multiple restart operations on affected Windows endpoints.
To mitigate this issue, follow these steps:
- Start Windows into Safe Mode or the Windows Recovery Environment.
- Navigate to the C:\Windows\System32\drivers\CrowdStrike directory.
- Locate the file matching “C-00000291*.sys” and delete it.
- Restart the device.
- Recovery of systems requires a BitLocker key in some cases.
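The steps above as a PowerShell script for a device started in Safe Mode (an added example, not Microsoft's or CrowdStrike's tooling). It assumes an elevated session and Windows installed on C:; the parameter names are illustrative. It records each matching file before deleting it and supports -WhatIf for a dry run.

```powershell
# Added example: run from an elevated PowerShell session in Safe Mode.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Assumption: Windows is installed on C:. Change this if the OS volume differs.
    [string]$DriverDir = 'C:\Windows\System32\drivers\CrowdStrike',
    # File pattern taken from the mitigation steps above.
    [string]$Pattern = 'C-00000291*.sys'
)

if (-not (Test-Path -LiteralPath $DriverDir -PathType Container)) {
    Write-Warning "Directory not found: $DriverDir"
    return
}

$files = @(Get-ChildItem -LiteralPath $DriverDir -Filter $Pattern -File -Force)
if ($files.Count -eq 0) {
    Write-Output "No file matching $Pattern in $DriverDir; nothing to delete."
    return
}

foreach ($f in $files) {
    # Record what is about to be removed so the change can be audited later.
    [pscustomobject]@{
        Name         = $f.Name
        Length       = $f.Length
        LastWriteUtc = $f.LastWriteTimeUtc
        SHA256       = (Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256).Hash
    }
    # With -WhatIf this only reports what would be deleted.
    if ($PSCmdlet.ShouldProcess($f.FullName, 'Delete')) {
        Remove-Item -LiteralPath $f.FullName -Force
    }
}

# Confirm nothing matching the pattern is left before restarting.
$left = @(Get-ChildItem -LiteralPath $DriverDir -Filter $Pattern -File -Force)
if ($left.Count -gt 0) {
    Write-Warning "$($left.Count) matching file(s) still present."
} else {
    Write-Output 'No matching files remain. Restart the device.'
}
```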
For Windows Virtual Machines running on Azure, follow the mitigation steps in Azure status.
Additional details from CrowdStrike are available here: Statement on Windows Sensor Update – CrowdStrike Blog.