If anybody is wondering the impact of the Crowdstrike thing - it’s really bad. Machines don’t boot.

The recovery is boot in safe mode, log in as local admin and delete things - which isn’t automateable. Basically Crowdstrike will be in very hot water.

You know it was coming...

Crowdstrike's BSOP theme tune

I've obtained copies of the .sys driver files Crowdstrike customers have. They're garbage. Each customer appears to have a different one.

They trigger an issue that causes Windows to blue screen.

I am unsure how these got pushed to customers. I think Crowdstrike might have a problem.

For any orgs in recovery mode, I'd suspend auto updates of CS for now.

The .sys files causing the issue are channel update files, they cause the top level CS driver to crash as they're invalidly formatted. It's unclear how/why Crowdstrike delivered the files and I'd pause all Crowdstrikes updates temporarily until they can explain.

This is going to turn out to be the biggest 'cyber' incident ever in terms of impact, just a spoiler, as recovery is so difficult.

I'm seeing people posting scripts for automated recovery.. Scripts don't work if the machine won't boot (it causes instant BSOD) -- you still need to manually boot the system in safe mode, get through BitLocker recovery (needs per system key), then execute anything.

Crowdstrike are huge, at a global scale that's going to take.. some time.

Crowdstrike statement: https://www.bbc.co.uk/news/live/cnk4jdwp49et?post=asset%3A0c379e1f-48df-493c-a11a-f6b1e3d1eb63#post

Basically 'it's not a security incident... we just bricked a million systems'