Steps to Recover from CrowdStrike Falcon Agent Issue on Azure VMs

On July 19, 2024, an issue with the CrowdStrike Falcon agent caused unresponsiveness and startup failures for Windows machines on Azure. If you’re facing this problem, follow these steps to recover your VMs:

Recovery Option: Restart Azure VMs

1. Using Azure Portal

  1. Navigate to the Azure Portal.
  2. Locate your affected VM.
  3. Click on “Restart” to initiate a reboot.
  4. Sometimes, multiple restarts might be needed.

2. Using Azure CLI or Azure Shell

Access Azure Shell at [shell.azure.com](https://shell.azure.com).

Run the command:

az vm restart --resource-group YourResourceGroupName --name YourVMName

Repeat if necessary until the issue is resolved.

Additional Recovery Options

If restarting doesn’t resolve the issue, consider these options:

Option 1: Restore from Backup

Azure Backup

  • Restore your VM from a backup taken before July 19, 2024, 04:09 UTC.
  • Follow instructions on how to restore Azure VM data in the Azure portal.

Option 2: Remove Problematic File

  • Direct File Removal
  • Use Azure CLI with PowerShell 5.1+.

Execute the following steps:

az vm repair create -g YourResourceGroupName -n YourBrokenVMName --verbose
az vm repair run -g YourResourceGroupName -n YourBrokenVMName --run-id win-crowdstrike-fix-bootloop --run-on-repair --verbose
az vm repair restore -g YourResourceGroupName -n YourBrokenVMName --verbose

This method can potentially fix the issue without detaching and reattaching disks.

Option 3: Troubleshoot OS Disk

  • Attach OS Disk to Repair VM
  • Use the Azure portal to attach the OS disk.
  • Navigate to `Windows/System32/Drivers/CrowdStrike/` and delete `C-00000291*.sys`.
  • Reattach the disk to the original VM.
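
The file removal in Option 3 can be scripted so that each deleted file is recorded before it is removed. The following is an added example, not code from the original post, Microsoft or CrowdStrike. It assumes an elevated PowerShell 5.1+ session on the repair VM with the affected OS disk attached, online and assigned a drive letter; the function name `Remove-FalconChannelFile291` is hypothetical.

```powershell
# Added example (not from the original post). Run in an elevated PowerShell
# session on the repair VM after the affected OS disk is attached and online.
# Remove-FalconChannelFile291 is a hypothetical helper name.
function Remove-FalconChannelFile291 {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Drive letter of the repair VM's own OS volume; it is never touched.
        [string]$SkipDrive = $env:SystemDrive.TrimEnd(':')
    )

    # Every lettered filesystem drive except the repair VM's own system drive.
    $roots = Get-PSDrive -PSProvider FileSystem |
        Where-Object { $_.Name -ne $SkipDrive } |
        ForEach-Object { $_.Root }

    foreach ($root in $roots) {
        $dir = Join-Path $root 'Windows\System32\drivers\CrowdStrike'
        if (-not (Test-Path -LiteralPath $dir)) { continue }

        # Only the pattern named in the post; other channel files stay in place.
        $files = Get-ChildItem -LiteralPath $dir -Filter 'C-00000291*.sys' -File -Force

        foreach ($f in $files) {
            # Hash the file first so the removal can be audited later.
            $hash = (Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256).Hash
            if ($PSCmdlet.ShouldProcess($f.FullName, 'Delete channel file')) {
                Remove-Item -LiteralPath $f.FullName -Force
            }
            # One record per matching file, whether or not it was deleted.
            [pscustomobject]@{
                Path         = $f.FullName
                LastWriteUtc = $f.LastWriteTimeUtc
                SHA256       = $hash
                Removed      = -not (Test-Path -LiteralPath $f.FullName)
            }
        }
    }
}

# Dry run: lists what would be deleted without changing the disk.
Remove-FalconChannelFile291 -WhatIf
# Real removal, once the dry-run output looks right:
# Remove-FalconChannelFile291 | Format-List
```

Keep the emitted records with your incident notes before reattaching the disk to the original VM.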

Next Steps

If problems persist, contact CrowdStrike support for further assistance.

Microsoft and CrowdStrike are actively working on additional solutions; check the status here.

By following these steps, you can mitigate the impact of the CrowdStrike Falcon agent issue and restore functionality to your Azure VMs. For ongoing updates, refer to CrowdStrike’s public statement on their website.
