Blog Post

Intune Customer Success
12 MIN READ

New Recovery Tool to help with CrowdStrike issue impacting Windows endpoints

Intune_Support_Team's avatar
Intune_Support_Team
Silver Contributor
Jul 20, 2024
The Microsoft Recovery Tool was updated 7/22/2024 as version 3.1. While fundamentally there are no functional changes to the tool, for the Recover from WinPE option, we have expanded the logging, rea...
Updated Aug 01, 2024
Version 14.0
support tip
BruceK825's avatar
BruceK825
Copper Contributor
Jul 21, 2024

RobYork  thanks, no worries.   I tried to handle it in the code below, in case it helps anyone.   For now, we're trying to detect Bitlocker encryption on or off based on the "manage-bde -status" command and parsing output looking for the "Lock Status:"   If its "Locked" I then parse the "Volume " line of the output to get to the drive letter.  If there's multiple drive letters this won't work well.  Maybe there's a better way, since we found the manage-bde -status output to be limited in the Windows PE environment with encryption enabled.   

 

If the target computer isn't using Bitlocker encryption, the batch file loops through drive letters A-Z and finds the one where CrowdStrike exists.  That seems to work pretty consistently.   This isn't fool-proof but hopefully someone with better .bat file skills could enhance it.    Thanks, Bruce  

 

7/22:  I haven't done .bat files in decades a colleague noticed I needed a "setlocal" at the beginning to clear variables.  Also, the parsing of "manage-bde /status" doesn't seem to work in the WinPE environment so this approach is flawed.  

 

setlocal
cls
@echo off
for /f "delims=" %%a in ('manage-bde -status') do ECHO.%%a | FIND /I "Lock Status:          Locked" > Nul &&  GoTo BitLockerOn
GoTo BitLockerOff

:BitLockerOn
for /f "delims=" %%a in ('manage-bde -status') do ECHO.%%a | FIND /I "Volume " > Nul && for /f "tokens=2" %%i in ("%%a") do set word2=%%i && set drive=%word2%
echo Using drive %drive%
echo If your device is BitLocker encrypted use your phone to log on to https://aka.ms/aadrecoverykey. Log on with your Email ID and domain account password to find the BitLocker recovery key associated with your device.
echo.
manage-bde -protectors %drive% -get -Type RecoveryPassword
echo.
set /p reckey="Enter recovery key for this drive if required: "
IF NOT [%reckey%] == [] (
	echo Unlocking drive %drive%
	manage-bde -unlock %drive% -recoverypassword %reckey%
)
Goto DeleteLogic


:BitLockerOff
for %%D in (A B C D E F G H I J K L M N O P Q R S T U V W X Y Z) do if exist "%%D:\Windows\System32\drivers\CrowdStrike\C-00000291*.sys"  (
	set drive=%%D:
	echo Using drive %drive%
	echo.
	Goto DeleteLogic
)

:DeleteLogic
	del %drive%\Windows\System32\drivers\CrowdStrike\C-00000291*.sys
	echo Done performing cleanup operation.