How to Bypass Bitlocker for Crowdstrike BSoD (fix) - eviltoast

Took me a few hours to figure this out, figured I’d pass it along. Forgive formatting, I’m on mobile.

How to Bypass Bitlocker for Crowdstrike BSoD

Only use this if the Bitlocker key is lost.

1. From the Bitlocker screen, select Skip This Drive. A command prompt will appear.
2. Type bcdedit /set {default} safeboot network and press Enter.
3. Type Exit to exit the command prompt, then select Shut Down.
4. Hardwire the device to the network.
5. Log in as an admin account.
6. Navigate to C:\Windows\System32\Drivers\Crowdstrike and delete C:\windows\system32\drivers\crowdstrike\c-00000291-*.sys
7. Win+R to open the Run menu, then type msconfig and press Enter.
8. Go to Boot.
9. Uncheck the box for SafeBoot.
10. You will receive a warning about Bitlocker. Proceed.
11. Click OK and you will be prompted to restart. Do so.
12. Have the user log in.
13. Test their access to files.
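The same steps as a script, added here as an example and not the original poster's own: it is meant to be run from the elevated admin session after the machine has come up in Safe Mode with Networking, removes only files matching the c-00000291-*.sys pattern the post names, and clears the safeboot flag with bcdedit instead of the msconfig clicks. The directory path and file pattern are taken from the post; everything else (the previews, the exit-code check) is an assumption about how you would want to verify each step.

```powershell
# Added example, not the original poster's code. Run elevated from the
# Safe Mode with Networking session described in the post.
#Requires -RunAsAdministrator

$driverDir = Join-Path $env:SystemRoot 'System32\drivers\CrowdStrike'
$pattern   = 'C-00000291-*.sys'   # file name pattern given in the post

# 1. Confirm we really are in the state the post expects: the safeboot
#    flag should currently be present on the default boot entry.
$safeboot = bcdedit /enum '{default}' | Select-String -Pattern '^safeboot'
if (-not $safeboot) {
    Write-Warning 'No safeboot value on {default}; this session may not be the safe-mode boot from step 2.'
}

# 2. List the matching channel file(s) before touching them, then remove
#    exactly those files and nothing else in the directory.
$files = @(Get-ChildItem -Path $driverDir -Filter $pattern -File -ErrorAction Stop)
if ($files.Count -eq 0) {
    Write-Warning "No files matching $pattern found in $driverDir (nothing to remove)."
} else {
    $files | ForEach-Object {
        "Removing $($_.FullName) ($($_.Length) bytes, written $($_.LastWriteTime))"
        Remove-Item -LiteralPath $_.FullName -Force
    }
}

# 3. Undo step 2 of the post (the msconfig > Boot > SafeBoot checkbox does the same).
bcdedit /deletevalue '{default}' safeboot
if ($LASTEXITCODE -ne 0) {
    throw 'bcdedit could not remove the safeboot value; do not reboot until it is cleared.'
}

# 4. Verify the flag is gone; this should print nothing.
bcdedit /enum '{default}' | Select-String -Pattern '^safeboot'

'Safe boot cleared and channel file(s) removed. Restart, then have the user log in and test file access.'
```

Run it before the restart in step 11; the final Select-String printing nothing is the check that the machine will boot normally instead of back into safe mode.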

  • Luci@lemmy.ca · 15 up / 12 down · edited · 4 months ago

    So if this works it means bitlocker is useless.

    Cute.

    Edit: use a pin to unlock the bootloader kids.

    • SGG@lemmy.world · 19 up · 4 months ago

      No, this means the recovery key or other external unlocks have been lost, but the TPM chip is still working correctly to provide the bitlocker key during boot.

      This is not bypassing bitlocker, simply bypassing loading the BSoD-causing CrowdStrike driver by booting into safe mode. You still need a valid administrator account so authentication is also not compromised.

      You would still need some kind of exploit to bypass the windows login screen.

    • viking@infosec.pub · 9 up · 4 months ago

      No, that’s not what it means.

      If the device is wired to the LAN, the admin logon authenticates the user with the domain server, and thus decrypts the files using the credentials that are stored server-side.

      If the drive were fully encrypted, you’d have to enter a password each time you boot the machine. That can be done, but is really not all that practical, especially not when working with a domain server / remote admin.

      For a private computer, you can have a look at Veracrypt (FOSS) if you want to have a fully encrypted drive.

      • Luci@lemmy.ca · 3 up / 7 down · 4 months ago

        It means the drive isn’t fully encrypted or the encryption is easy to bypass. That defeats the purpose of encrypting your drive.

        If you can get to a login screen, you’ve compromised the device.

        • OutsizedWalrus@lemmy.world · 14 up · 4 months ago

          That’s not what it means.

          BitLocker is encryption at-rest. Logging in with an admin account means the system is no longer “at rest”. The admin is fully authorized to be operating that system.

          • computergeek125@lemmy.world · 1 up · edited · 4 months ago

            Any system without network unlock usually requires a TPM PIN/PW every reboot. Your instructions (when read a certain way) imply that the command also bypasses the encryption without fetching a recovery key from the TPM or DC.

            My home network (ISC DHCPD) behaves this way - either I type the TPM key or I type the 25-char key.
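The disagreement in the thread comes down to which key protectors the OS volume has: a TPM-only protector releases the key at boot with no user input (so the machine reaches the logon screen on its own), while TPM+PIN needs the PIN every boot, as the last two comments describe. The audit below is an added example, not code from anyone in the thread; it assumes the BitLocker PowerShell module that ships with Windows and an elevated session, and only reads state.

```powershell
# Added example (not from the thread): summarise each BitLocker volume's
# protectors so an admin can see which drives auto-unlock via the TPM alone.
#Requires -RunAsAdministrator

function Get-BitLockerProtectorSummary {
    foreach ($vol in Get-BitLockerVolume) {
        # KeyProtectorType values include Tpm, TpmPin, TpmStartupKey,
        # TpmPinStartupKey, RecoveryPassword, ExternalKey, Password, Certificate.
        $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType })
        [pscustomobject]@{
            MountPoint     = $vol.MountPoint
            Protection     = $vol.ProtectionStatus      # On / Off
            VolumeStatus   = $vol.VolumeStatus          # FullyEncrypted, EncryptionInProgress, ...
            Protectors     = ($types -join ', ')
            # Tpm (without PIN) means the TPM unseals the key with no user input at boot.
            TpmOnly        = ($types -contains 'Tpm')
            RequiresPin    = ($types -contains 'TpmPin' -or $types -contains 'TpmPinStartupKey')
            # Without a recovery password protector there is no 48-digit key to fall back on.
            HasRecoveryKey = ($types -contains 'RecoveryPassword')
        }
    }
}

$summary = Get-BitLockerProtectorSummary
$summary | Format-Table -AutoSize

# Call out OS volumes that boot straight to the logon screen, which is the
# configuration the post's procedure relies on.
$summary | Where-Object { $_.MountPoint -eq $env:SystemDrive -and $_.TpmOnly } | ForEach-Object {
    Write-Warning "$($_.MountPoint) is TPM-only: it will unlock at boot without a PIN."
}
```

To move a drive from TPM-only to TPM+PIN, the corresponding write operation is Add-BitLockerKeyProtector -MountPoint $env:SystemDrive -TpmAndPinProtector -Pin (Read-Host -AsSecureString 'PIN'); on domain-joined machines this usually needs the "Require additional authentication at startup" policy to permit a startup PIN, and the recovery password protector should be confirmed (HasRecoveryKey above) and escrowed before making the change.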