CrowdStrike recently released an update that causes a blue screen of death (BSOD) on devices on which the update was installed. This article outlines a fix for the problem that can be deployed through Atera to prevent ongoing issues.
Script for BSOD issue
Our teams have created two scripts to help with the issue caused by the recent CrowdStrike update. You can upload these scripts to Atera and run them on multiple devices simultaneously.
AddAteraSafeBootNetworkAndReboot (.bat)
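REM Register the AteraAgent key under SafeBoot\Network
REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\AteraAgent" /f
REM Boot into Safe Mode with Networking until the safeboot value is deleted
bcdedit /set {default} safeboot network
REM Restart immediately
shutdown /r /t 0
Important note: This script is required only if you have already experienced BSOD/crashes.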
RemoveCrowdStrikeAndRebootNormal (.ps1)
# Directory and file-name pattern of the CrowdStrike files to remove
$directoryPath = "C:\Windows\System32\drivers\CrowdStrike"
$filePattern = "C-00000291*.sys"

# Check if the directory exists
if (Test-Path -Path $directoryPath) {
    # Get the list of files matching the pattern
    $files = Get-ChildItem -Path $directoryPath -Filter $filePattern

    # Delete each file matching the pattern
    foreach ($file in $files) {
        Remove-Item -Path $file.FullName -Force
    }
    Write-Output "Files matching the pattern '$filePattern' have been deleted."
} else {
    Write-Output "The directory '$directoryPath' does not exist."
}

# Reboot the system into normal mode
# Remove the safeboot value from the boot configuration using CMD
Start-Process cmd.exe -ArgumentList '/c bcdedit /deletevalue {default} safeboot' -Wait

# Restart the computer
Restart-Computer -Force
Upload the scripts to Atera
Once you copy the scripts, you can upload them to Atera and execute them on your devices. The following article outlines the steps required to upload the scripts to Atera. The steps are also provided below.
To upload the script to Atera:
1. From the Atera console, click on Admin on the left side of the screen, then search for Scripts and click on Create script.
2. In the Create script window, add the Script Name and Short description. Select .bat as the file type for the script called AddAteraSafeBootNetworkAndReboot and .ps1 as the file type for the script called RemoveCrowdStrikeAndRebootNormal. Then copy and paste the scripts provided in this article into the script editor and click on Create.
The scripts have now been created. Next, we need to take advantage of IT Automation profiles.
Add script to IT Automation profiles
Once both scripts have been added to your Atera instance, you will need to create an IT Automation profile for each script to resolve the issue. The following article details the steps required to upload the scripts to Atera, which are also provided below.
Important note: You can use other methods to run the scripts on your devices; the way you do it is up to you. Another option would be filtering the devices page with an Advanced filter and running the scripts directly from there.
To upload scripts to an IT Automation profile:
1. On your Atera console, click on Admin on the left side of the screen, search for Patch Management and IT Automation profile and select it, then click on Add profile.
2. A new window will appear. There, add the name of the profile and click on Save.
3. The new IT Automation profile window will appear. Here, click on Add Script, and upload the first script.
4. The Select script window appears. Here, search for the AddAteraSafeBootNetworkAndReboot script and click on Select.
5. After selecting the script, click on Save. The first IT Automation profile is done.
Now create another IT Automation profile following the same steps and assign the script RemoveCrowdStrikeAndRebootNormal.
Now we need to assign the IT Automation profile to devices. Please follow this article to learn how to assign IT Automation profiles.
How to run the scripts
The script named AddAteraSafeBootNetworkAndReboot (.bat) is the first one that needs to be executed on devices. You can run this script anytime, either manually or through an IT Automation profile, but ensure it runs first. This script will boot your devices in Safe mode.
Important note: This script is required only if you have already experienced BSOD/crashes.
You can run it through IT Automation profiles by using the Run Now option within the IT Automation profile related to this script.
The second script, named RemoveCrowdStrikeAndRebootNormal (.ps1), should be run after the devices on which you executed the first script appear online.
You can also run this script manually with IT Automation profiles, or you can schedule it to run sometime after the first script is run on your devices.
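To confirm that a device has returned to normal boot after both scripts have run, a read-only check like the following can be run as a third script. This is an added example, not one of Atera's scripts. The path, file pattern and registry key are taken from the scripts above, while the function name and output property names are assumptions.

```powershell
# Added example, not one of Atera's scripts: read-only check after remediation.
# Paths, pattern and registry key come from the two scripts in this article;
# the function and property names are illustrative.
function Get-RemediationState {
    $directoryPath = "C:\Windows\System32\drivers\CrowdStrike"
    $filePattern   = "C-00000291*.sys"
    $safeBootKey   = "HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\AteraAgent"

    # Files matching the pattern that are still on disk, with timestamps.
    # Assumption: the sensor may download a file matching this pattern again
    # later, so matches are listed for review rather than treated as an error.
    $remaining = @()
    if (Test-Path -Path $directoryPath) {
        $remaining = @(Get-ChildItem -Path $directoryPath -Filter $filePattern -File |
            ForEach-Object { "{0} ({1:u})" -f $_.Name, $_.LastWriteTimeUtc })
    }

    # bcdedit lists a "safeboot" element only while the Safe Mode flag is set.
    # Needs an elevated session; a non-zero exit code means the query failed.
    $bcd         = & bcdedit.exe /enum '{default}' 2>&1
    $bcdOk       = ($LASTEXITCODE -eq 0)
    $safeBootSet = $bcdOk -and [bool]($bcd | Select-String -Pattern '^\s*safeboot\s' -Quiet)

    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        MatchingFiles    = $remaining -join '; '
        BcdQueried       = $bcdOk
        SafeBootStillSet = $safeBootSet
        AteraSafeBootKey = Test-Path -Path $safeBootKey
    }
}

$state = Get-RemediationState
$state | Format-List

# Exit non-zero when the boot configuration could not be read or the device
# would boot into Safe Mode again on the next restart.
if (-not $state.BcdQueried -or $state.SafeBootStillSet) {
    Write-Output "Boot configuration needs attention."
    exit 1
}
Write-Output "Normal boot is configured."
exit 0
```

The check changes nothing on the device, so it can be repeated on any schedule. A device reporting SafeBootStillSet as True has not completed the second script.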