submitted 4 months ago* (last edited 4 months ago) by Kit to c/sysadmin@lemmy.world

Took me a few hours to figure this out, figured I'd pass it along. Forgive formatting, I'm on mobile.

How to Bypass Bitlocker for Crowdstrike BSoD

Only use this if the Bitlocker key is lost.

1. From the BitLocker screen, select Skip This Drive. A command prompt will appear.

2. Type `bcdedit /set {default} safeboot network` and press Enter.

3. Type Exit to exit the command prompt, then select Shut Down.

4. Hardwire the device to the network.

5. Log in as an admin account.

6. Navigate to C:\Windows\System32\Drivers\Crowdstrike and delete C:\windows\system32\drivers\crowdstrike\c-00000291-*.sys

7. Win+R to open the Run menu, then type msconfig and press Enter.

8. Go to Boot.

9. Uncheck the box for SafeBoot.

10. You will receive a warning about BitLocker. Proceed.

11. Click OK and you will be prompted to restart. Do so.

12. Have the user log in.

13. Test their access to files.
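The same clean-up as a script, added here as an example and not part of the original post: run it in an elevated PowerShell session once the machine has booted into Safe Mode with Networking and an admin has logged in, i.e. the point where the post says to delete the channel file. It removes the file, reverts the safeboot setting with `bcdedit` instead of msconfig, and adds two checks the post leaves implicit: that BitLocker is still protecting the OS volume (the point argued in the comments) and that safeboot is really gone before the reboot. It assumes the OS volume is C: and the BitLocker PowerShell module is present.

```powershell
# Added example, not the post's own commands. Run elevated in Safe Mode with
# Networking after the bcdedit step from the post has already been applied.
# Assumptions: OS volume is C:, BitLocker module available, {default} is the
# boot entry that was modified.
#Requires -RunAsAdministrator

$driverDir = 'C:\Windows\System32\drivers\CrowdStrike'
$pattern   = 'C-00000291-*.sys'        # channel file pattern named in the post

# 1. Check the volume is still encrypted at rest: Safe Mode only let the TPM
#    unlock it for the boot, it did not decrypt anything.
$vol = Get-BitLockerVolume -MountPoint 'C:'
'BitLocker on C: status={0} protection={1} protectors={2}' -f `
    $vol.VolumeStatus, $vol.ProtectionStatus, ($vol.KeyProtector.KeyProtectorType -join ',')

# 2. Remove the offending channel file(s), recording what was removed.
$bad = Get-ChildItem -Path $driverDir -Filter $pattern -ErrorAction SilentlyContinue
if (-not $bad) {
    Write-Warning "No file matching $pattern in $driverDir; nothing to remove."
} else {
    foreach ($f in $bad) {
        'Removing {0} ({1} bytes, written {2:u})' -f $f.FullName, $f.Length, $f.LastWriteTimeUtc
        Remove-Item -LiteralPath $f.FullName -Force
    }
}

# 3. Undo the safeboot entry: the command-line equivalent of unchecking
#    "Safe boot" in msconfig. Braces are quoted so PowerShell passes them through.
bcdedit /deletevalue '{default}' safeboot | Out-Null

# 4. Verify the setting is gone before rebooting, otherwise the machine
#    comes back up in Safe Mode again.
$safeboot = (bcdedit /enum '{default}') -match '^safeboot'
if ($safeboot) { throw "safeboot is still set: $safeboot" }
'SafeBoot cleared; restart to return to a normal boot.'
```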

Kit 5 points 4 months ago

How so? It still requires authentication, same as if the laptop booted normally.

Luci@lemmy.ca 2 points 4 months ago

It means the drive isn't fully encrypted or the encryption is easy to bypass. That defeats the purpose of encrypting your drive.

If you can get to a login screen, you've compromised the device.

OutsizedWalrus@lemmy.world 13 points 4 months ago

That’s not what it means.

BitLocker is encryption at rest. Logging in with an admin account means the system is no longer "at rest". The admin is fully authorized to be operating that system.

Kit 6 points 4 months ago

Are you under the impression that you have to enter a Bitlocker key during each boot?

computergeek125@lemmy.world 1 point 4 months ago* (last edited 4 months ago)

Any system without network unlock usually requires a TPM PIN/PW every reboot. Your instructions (when read a certain way) imply that the command also bypasses the encryption without fetching a recovery key from the TPM or DC.

My home network (ISC DHCPD) behaves this way - either I type the TPM key or I type the 25-char key.

this post was submitted on 19 Jul 2024
68 points (100.0% liked)
