this post was submitted on 19 Jul 2024
72 points (100.0% liked)


Took me a few hours to figure this out, figured I'd pass it along. Forgive formatting, I'm on mobile.

How to Bypass Bitlocker for Crowdstrike BSoD

Only use this if the Bitlocker key is lost.

From the Bitlocker screen, select Skip This Drive. A command prompt will appear.

Type bcdedit /set {default} safeboot network and press Enter.

Type Exit to exit the command prompt, then select Shut Down

Hardwire the device to the network

Log in as an admin account

Navigate to C:\Windows\System32\Drivers\Crowdstrike and delete C:\windows\system32\drivers\crowdstrike\c-00000291-*.sys

Win+R to open the Run menu, then type msconfig and press Enter

Go to Boot

Uncheck the box for SafeBoot

You will receive a warning about Bitlocker. Proceed.

Click OK and you will be prompted to restart. Do so.

Have the user log in

Test their access to files
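
The file deletion and the msconfig steps above can also be done from an elevated PowerShell prompt once the machine is in Safe Mode with Networking. This is an added example, not part of the original post; it assumes the default boot entry is the one that was changed and uses the file pattern given in the post.

```powershell
#Requires -RunAsAdministrator
# Added example: run in Safe Mode with Networking, logged in as an administrator.
# Deletes the channel file named in the post, then clears the safeboot flag
# that was set earlier with "bcdedit /set {default} safeboot network".

$dir     = Join-Path $env:SystemRoot 'System32\drivers\CrowdStrike'
$pattern = 'c-00000291-*.sys'   # pattern taken from the post

$files = @(Get-ChildItem -Path $dir -Filter $pattern -File -ErrorAction SilentlyContinue)
if ($files.Count -eq 0) {
    Write-Warning "No files matching $pattern found in $dir"
}
foreach ($f in $files) {
    Write-Host "Deleting $($f.FullName)"
    Remove-Item -LiteralPath $f.FullName -Force -ErrorAction Stop
}

# Do not leave Safe Mode while a matching file is still on disk,
# otherwise the next normal boot hits the same crash.
if (Get-ChildItem -Path $dir -Filter $pattern -File -ErrorAction SilentlyContinue) {
    throw "A matching file is still present in $dir; safeboot left unchanged."
}

# Command-line equivalent of unchecking SafeBoot in msconfig.
# In PowerShell the braces must be quoted, or {default} is parsed as a script block.
& bcdedit.exe /deletevalue '{default}' safeboot
if ($LASTEXITCODE -ne 0) {
    throw "bcdedit /deletevalue failed with exit code $LASTEXITCODE"
}

# Confirm the flag is gone before rebooting.
if ((& bcdedit.exe /enum '{default}') -match '^safeboot') {
    throw "safeboot is still set on the default boot entry."
}

Restart-Computer -Confirm
```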

[–] Luci@lemmy.ca 3 points 3 months ago* (last edited 3 months ago) (7 children)

So if this works it means bitlocker is useless.

Cute.

Edit: use a pin to unlock the bootloader kids.

[–] SGG@lemmy.world 19 points 3 months ago

No, this means the recovery key or other external unlocks have been lost, but the TPM chip is still working correctly to provide the bitlocker key during boot.

This is not bypassing bitlocker, simply bypassing loading the BSOD-causing crowdstrike driver by booting into safe mode. You still need a valid administrator account, so authentication is also not compromised.

You would still need some kind of exploit to bypass the windows login screen.
