Microsoft has been the subject of many jokes about the security of its Windows operating system for decades. Some criticism is warranted; however, the Redmond, Washington-based organization has maintained a steady cadence of stating they will improve Windows and deliver something that approximates the management objective.
All that increased security in Windows made resolving the problem that the failed definition files CrowdStrike released much more difficult. Let me explain.
CrowdStrike offers a security product called Falcon. Its job is to protect an enterprise computer from being taken over by malicious software. One set of files deployed globally on July 18, 2024, were corrupt. When Windows performed normal operations, several elements failed, and the operating system gave up, resulting in what is known in the IT industry as a BSOD – or Blue Screen of Death.
The instructions CrowdStrike eventually provided to systems administrators after they recognized the problem was to boot the failed computer into Safe Mode, delete the bad files, and reboot the computer. That way, when the computer resumed regular operation, it would obtain a clean set of files from CrowdStrike and behave normally.
So, what’s the big deal? These steps — at least at first glance — seem elementary. Well, there are some problems with this approach.
Safe Mode
Microsoft introduced Safe Mode as a mechanism to let people resolve problems in a stripped-down form of the operating system. When you start Windows in Safe Mode, the operating system does not load start-up programs or third-party applications and drivers. Only the most essential device drivers and files necessary to run the operating system are activated.
You could access Safe Mode shortly after starting your computer by repeatedly pressing the F8 key. This process worked for generations of operating systems, from Windows 95 through Windows 7.
The mechanism to access Safe Mode changed, starting with Windows 8 and continuing with Windows 10 and 11, which Microsoft touts as more secure operating systems. Most people need to access Safe Mode because the operating system won’t start properly, so the fact that Microsoft provides two very different ways to access it from within Windows indicates that someone wasn’t thinking about actual problems faced by the masses.
To access Safe Mode from a “cold start” means turning on the computer and immediately holding down the power button so the start-up is interrupted and the computer shuts down. Do these steps two more times, and you should see a pop-up with the words Startup Repair. You then must select Advanced Options, Troubleshoot, Advanced Options, Start Up Settings, Restart, and then choose from the available Safe Mode options.
It seems as if Microsoft developers designed this process to prevent anyone from accessing Safe Mode. And yes, that means that technicians had to jump through these hoops just to get started to fix the CrowdStrike problem.
But that wasn’t all that stood in the way of quickly resolving the issue.
BitLocker
BitLocker is a Windows security feature that will encrypt the contents of the hard drive on which the operating system is installed. This advanced functionality mitigates unauthorized access to a computer’s operating system drive. By password-encrypting a computer’s operating system drive, you can keep your files (and personal information) secure and protected from unwanted access.
When you activate BitLocker, Windows creates a recovery key for your hard drive so that each time you start your computer, you must provide a PIN to gain access. In an enterprise environment, that recovery key is stored in the site’s Windows Server Active Directory. And therein lies the problem.
To gain access to any device with a BSOD, a technician requires the 16-digit BitLocker key. The problem is that most of those keys are securely stored in Windows Servers, which were likely unavailable because they also experienced a BSOD. Even after technicians restored those servers, a corporate environment has hundreds or thousands of computers, and no script can automate the entry of a device’s BitLocker key – the work must be done manually.
And that is why the CrowdStrike problem was so challenging and time-consuming to resolve. The requirement to increase Windows’ security prevented a simple fix. Teams of IT specialists worked throughout the weekend to attempt to recover their company’s computers by repeatedly — and manually — going to Safe Boot, entering the BitLocker key, deleting files, and rebooting.
Several pundits have commented that CrowdStrike Falcon’s use of definition files is no better than Norton Antivirus and its signature files. As many of you know, I have stressed the need for a more thorough and heuristic approach to computer security, and using definition files is not the way to handle this.
I am incredibly proud that my choice of security vendor, SentinelOne, does not use any form of definition file. For years, it has been fantastic at keeping all my clients’ computers and servers safe. Having dodged a significant bullet, I don’t want to jinx things by saying nothing bad will ever happen. Ultimately, we all want a secure Windows operating experience and do not have to go through an unexpected nightmare.
Thanks, and safe computing!