If this somehow works, good on Microsoft, but what the fuck are they doing on boot cycles 2-14? Can they be configured to do it in maybe 5? 3? Some computers have very long boot cycles.
There’s nothing magical about the 15th reboot - Crowdstrike runs an update check during the boot process, and depending on your setup and network speeds, it can often take multiple reboots for that update to get picked up and applied. If it fails to apply the update before the boot cycle hits the point that crashes, you just have to try again.
One thing that can help, if anyone reads this and is having this problem, is to hard wire the machine to the network. Wifi is enabled later in the startup sequence which leaves little (or no) time for the update to get picked up an applied before the boot crashes. The wired network stack starts up much earlier in the cycle and will maximize the odds of the fix getting applied in time.
That makes sense with how the article said “up to 15 times” which does sort of indicate it’s not a counter or strictly controllable process. Thank you!
I am so confused. What’s supposed to happen on the 15th reboot?
Probably triggers some auto-rollback mechanism I’d guess, to help escape boot loops? I’m just speculating.
Welp, Ars Technica has another theory:
Microsoft’s Azure status page outlines several fixes. The first and easiest is simply to try to reboot affected machines over and over, which gives affected machines multiple chances to try to grab CrowdStrike’s non-broken update before the bad driver can cause the BSOD. Microsoft says that some of its customers have had to reboot their systems as many as 15 times to pull down the update.
Yep. That makes more sense. Thanks!
That’s some high quality speculation
Just imagine if it’s a build farm with hundreds of machines. Jesus. That’s a hell I wouldn’t even wish on my worst enemy.
God damn it i’ve been rebooting it 15 times Gay. 🤦♀️
that was your first problem. if it was designed by techbros, always assume it’s Straight.
Yep, that’s definitely a fix…
It sounds exactly like a Microsoft fix.
We did get 7 computers back by 1am last night just by constantly rebooting.
That said, 40 out of 47 never came back. So clearly something more is needed.
Have you tried 15 more reboots?
there’s an easy fix. it could be done with a single boot attempt if M$ hadnt made it so needlessly difficult to enter safe mode
Many of the machines in question will have safe mode walled off for security reasons anyway.
fair enough. i can see that disabling safe mode would be a decent security measure. but by the time that kind of exploit is used, you’ve already got bad actors inside your network and there are much easier methods available to pivot to other devices and accounts.
Laptops are often taken outside the network.
Well then obviously you could opt to restrict safe mode on laptops only, or laptops and desktops allowing you to get your server infrastructure up quickly so at least the back end is running properly.
Ffs.
Servers with KVM access, could have it compromised, letting bad actors enter safe mode.
If your RMM gets compromised then you have much larger issues.
Doesn’t need to be fully compromised, but it isn’t unusual for the access credentials to some portion, to be stored on an easier to compromise system. Disabling safe mode on a server, prevents stuff like a single compromised laptop, from becoming a full server compromise.
This is what we based our KBA on to get our users back into Windows:
https://x.com/timshadyeth/status/1814210120613847118?t=DsfwJAnEyqGInjLWHpvM2w&s=19
