CrowdStrike created software that prevents hackers from hacking computers. CrowdStrike’s software is used by many large companies. CrowdStrike updates installed software on the computers but bypasses large companies’ usual ‘test before deploy’ procedure. Update crashes Windows. Only way to fix currently is to have administrator password and keyboard access to the computer. I hope that’s 5min…
(source: many posts on r/sysadmin)
CrowdStrike are an antivirus software provider.
They released an update which caused an error in a core Windows file that prevented a machine running CrowdStrike and Windows from booting up.
Every affected machine needed to be fixed individually (by deleting the problematic file).
Given the thousands and thousands of affected machines, turmoil ensued.
Was it some combination of CrowdStrike with some other software, or a specific driver, or specific Windows version, or did the affected machines take many hours before they showed the symptoms?
Because I can’t imagine that 100% of machines are immediately affected? That would indicate that CrowdStrike shipped an update to a kernel mode piece of code to millions of machines without testing it on one machine first?
The post mortem will be interesting but there *has* to be something more to this. Perhaps this was just a staged rollout to 5% of machines and it’s still large enough to cause this? Or maybe it was tested but still slipped through because they tested on some env that isn’t affected? It *can not* be a big bang 100% rollout to 100% susceptible devices. That would be the largest denial of service attack ever conducted…
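The posts above turn on one control: a staged (ring-based) rollout with a health gate, the ‘test before deploy’ step the first post says was bypassed. The following is an added example, not CrowdStrike’s code or anything from the thread; the ring sizes, the crash-rate threshold and the per-host boot outcomes are constructed assumptions. It shows how many hosts a fault that affects every machine reaches under a ringed rollout versus a single big-bang push.

```python
"""Toy staged-rollout gate (added example, not vendor code).

Hosts are pushed ring by ring (cumulative fleet fractions). After each ring
the controller measures the boot-failure rate and halts the rollout if it
exceeds a threshold, so a universally bad update is stopped at the first ring.
All numbers below are constructed assumptions.
"""
from dataclasses import dataclass, field


@dataclass
class Rollout:
    total_hosts: int
    rings: list                 # cumulative fleet fractions, e.g. [0.01, 0.05, 0.25, 1.0]
    max_crash_rate: float       # halt if a ring's boot-failure rate exceeds this
    deployed: int = 0           # hosts that have received the update so far
    halted: bool = False
    log: list = field(default_factory=list)   # (ring_fraction, batch_size, failures, rate)


def run_rollout(rollout: Rollout, boots_ok) -> int:
    """Push the update ring by ring.

    boots_ok(host_id) -> True if the host still boots after the update
    (in practice this would come from heartbeat/telemetry, here it is a stub).
    Returns the number of hosts that received the update before the gate
    halted the rollout, or the whole fleet if no ring tripped the gate.
    """
    for frac in rollout.rings:
        target = int(rollout.total_hosts * frac)
        batch = range(rollout.deployed, target)
        failures = sum(1 for host in batch if not boots_ok(host))
        rollout.deployed = target
        rate = failures / max(len(batch), 1)
        rollout.log.append((frac, len(batch), failures, rate))
        if rate > rollout.max_crash_rate:
            rollout.halted = True          # stop before the next, larger ring
            return rollout.deployed
    return rollout.deployed


# Constructed outcome models for the scenarios the thread speculates about.
def every_host_crashes(host_id: int) -> bool:
    return False                           # update breaks boot on 100% of hosts


def only_even_hosts_crash(host_id: int) -> bool:
    return host_id % 2 == 1                # e.g. only one driver/OS combination is hit


def healthy(host_id: int) -> bool:
    return True


if __name__ == "__main__":
    rings = [0.01, 0.05, 0.25, 1.0]
    staged = Rollout(total_hosts=1000, rings=rings, max_crash_rate=0.02)
    big_bang = Rollout(total_hosts=1000, rings=[1.0], max_crash_rate=0.02)
    print("staged, all crash :", run_rollout(staged, every_host_crashes), "hosts hit")
    print("big bang, all crash:", run_rollout(big_bang, every_host_crashes), "hosts hit")
    for entry in staged.log:
        print("  ring %.2f: batch=%d failures=%d rate=%.2f" % entry)
```

With the constructed fleet of 1000 hosts, a fault that breaks every machine reaches 10 hosts under the ringed rollout and all 1000 under the single-ring push; a fault that hits only a subset (the even-id hosts here) is still caught at the first ring because its failure rate far exceeds the gate.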