BitLocker workaround may offer aid for CrowdStrike customers
CrowdStrike customers grappling with blue screens of death from the recent IT outage may be able to sidestep BitLocker encryption schemes and recover their Windows systems.
Some CrowdStrike customers faced an unexpected obstacle on their road to recovery this week in the form of BitLocker encryption, but a workaround may help system administrators overcome it.
In the wake of Friday's mass IT outage, which was triggered by a defective CrowdStrike update for Falcon endpoint sensors, organizations scrambled to recover their Windows systems with a manual process that required restarting each machine in safe mode and removing the defective file. However, some organizations found the process complicated by BitLocker, Microsoft's full-volume encryption feature for Windows drives.
Booting a BitLocker-protected system into the Windows Recovery Environment prompts for the volume's 48-digit recovery key before the encrypted drive can be accessed. And unfortunately for some organizations, those keys weren't readily available because of the mass IT outage.
However, a potential workaround for the BitLocker key prompt began to circulate on social media platforms Friday. On July 20, CrowdStrike published guidance describing a recovery process similar to the one posted on social media. "This is an experimental runbook to consider when you need to access the disk in Windows Recovery mode to delete the offending channel file when Bitlocker Recovery keys are not available," CrowdStrike said in the guidance.
The guidance recommends letting the affected system cycle through restarts and blue screen of death errors until Windows drops into the recovery screen, then choosing Troubleshoot and "Advanced Options". From there, several outlined steps at the command prompt let an administrator skip the BitLocker recovery key prompt and restart the system in safe mode, where the defective channel file can be removed.
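The detour the guidance describes, as an added illustration that is neither CrowdStrike's runbook nor part of the original article: the two recovery environment commands appear as a comment because that prompt is cmd, not PowerShell, while the clean-up runs in an elevated PowerShell session once safe mode is up. The channel file location and name pattern, and the use of the {default} boot entry, are assumptions.

```powershell
# Added illustration of the safe-mode detour; not CrowdStrike's runbook.
# Assumed: the defective channel file matches the pattern below and the
# affected OS boot entry is {default}. Run the PowerShell part as Administrator.
#
# Stage 1 - in the Windows Recovery Environment (Troubleshoot > Advanced
# options > Command Prompt). When WinRE asks for the BitLocker recovery key,
# choose "Skip this drive". The BCD store lives on the unencrypted EFI system
# partition, so the boot entry can be edited without unlocking the OS volume:
#
#     bcdedit /set {default} safeboot minimal
#     wpeutil reboot
#
# The machine then boots Windows normally into Safe Mode, the TPM releases the
# volume key as on any other boot (a TPM+PIN protector still asks for the PIN),
# and the volume is never decrypted or exposed inside WinRE.
#
# Stage 2 - inside Safe Mode, in an elevated PowerShell session.

$ChannelFileGlob = 'C:\Windows\System32\drivers\CrowdStrike\C-00000291*.sys'  # assumed

function Remove-DefectiveChannelFile {
    # Deletes every file matching the assumed pattern and returns how many
    # were removed, so the caller can tell a miss from a success.
    param([string]$Pattern = $ChannelFileGlob)
    $files = @(Get-ChildItem -Path $Pattern -File -ErrorAction SilentlyContinue)
    foreach ($f in $files) {
        Remove-Item -LiteralPath $f.FullName -Force
    }
    return $files.Count
}

function Clear-SafeBootFlag {
    # Reverts the Stage 1 change so the next boot is a normal one. PowerShell
    # treats bare braces as a script block, so {default} must be quoted here;
    # in cmd the same command is typed without the quotes.
    & bcdedit /deletevalue '{default}' safeboot | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "bcdedit failed with exit code $LASTEXITCODE" }
    # Confirm the flag is really gone before rebooting.
    $entry = & bcdedit /enum '{default}'
    if ($entry -match '^\s*safeboot\s') { throw 'safeboot flag still present' }
}

function Invoke-SafeModeRecovery {
    $removed = Remove-DefectiveChannelFile
    if ($removed -eq 0) {
        Write-Warning "No channel file matched $ChannelFileGlob; check the path before rebooting."
    } else {
        Write-Host "Removed $removed channel file(s)."
    }
    Clear-SafeBootFlag
    Write-Host 'Safe-boot flag cleared; reboot now for a normal start.'
}

Invoke-SafeModeRecovery
```

If `Remove-DefectiveChannelFile` reports zero matches, stop and verify the path rather than rebooting: clearing the safe-boot flag on a machine that still carries the bad file just returns it to the crash loop.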
The recovery method appears to work, according to infosec professionals who shared their experiences on social media. Pascal Gujer, an independent researcher and trainer at cybersecurity firm Popp Schweiz AG, told TechTarget Editorial he tested the workaround on a VM and found it worked without issue.
CrowdStrike's guidance said the workaround requires users to first switch the system's storage controller mode from RAID to AHCI in the firmware (BIOS/UEFI) settings; Gujer said Windows safe mode lacks the drivers needed to access RAID volumes. The guidance also said the workaround may require affected systems to have a physical or virtual Trusted Platform Module (TPM).
Gujer added that the workaround isn't a vulnerability in BitLocker or a bypass for the encryption. CrowdStrike's guidance merely allows the user to skip over the BitLocker key prompts and enter safe mode. "Since we only need to enable safe mode, decrypting the drive is unnecessary," he said. "After these steps, BitLocker remains intact and protected by the TPM. Safe mode still requires user credentials for login, ensuring the system's security is maintained."
For systems that use TPM with a PIN for additional authentication, Gujer said users will need to enter the PIN in order to boot Windows in safe mode.
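An added pre-check, not from the article, Gujer or CrowdStrike: before sending a technician through the detour, query the OS volume's key protectors to learn whether the machine is TPM-only or TPM+PIN (and so whether a PIN will be demanded when safe mode boots), and escrow the recovery password so a future key prompt can actually be answered. Assumptions: the BitLocker PowerShell module is present (Windows 8/Server 2012 and later), the OS volume is C:, and escrow targets on-premises Active Directory through Backup-BitLockerKeyProtector (Entra ID-joined devices would use BackupToAAD-BitLockerKeyProtector instead).

```powershell
# Added example, not from the article or CrowdStrike. Assumes the BitLocker
# module (Windows 8 / Server 2012 and later), an elevated session, and that
# the OS volume is C:.

function Get-BitLockerProtectorSummary {
    # Reports what the safe-mode detour will run into on this machine: which
    # protectors guard the OS volume and whether a PIN is required at boot.
    param([string]$MountPoint = 'C:')
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType })
    [pscustomobject]@{
        MountPoint          = $vol.MountPoint
        ProtectionStatus    = $vol.ProtectionStatus
        Protectors          = $types -join ', '
        # TPM-only and TPM+startup-key unlock without user input; any protector
        # with a PIN prompts during the safe-mode boot, as Gujer notes.
        PinRequiredAtBoot   = [bool]($types | Where-Object { $_ -in 'TpmPin', 'TpmPinStartupKey' })
        HasRecoveryPassword = [bool]($types | Where-Object { $_ -eq 'RecoveryPassword' })
    }
}

function Backup-RecoveryPasswordToAD {
    # Escrows every numerical recovery password protector to the computer's
    # AD DS object. Requires the group policy that permits storing BitLocker
    # recovery information in AD. Returns the protector IDs that were escrowed.
    param([string]$MountPoint = 'C:')
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    $rp = @($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })
    if ($rp.Count -eq 0) {
        # Without a recovery password there is nothing to escrow, so add one.
        $vol = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
        $rp = @($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })
    }
    foreach ($p in $rp) {
        Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $p.KeyProtectorId | Out-Null
    }
    return @($rp | ForEach-Object { $_.KeyProtectorId })
}

$summary = Get-BitLockerProtectorSummary
$summary | Format-List
if ($summary.PinRequiredAtBoot) {
    Write-Warning 'TPM+PIN configuration: the technician will need the PIN when Safe Mode boots.'
}
Backup-RecoveryPasswordToAD | ForEach-Object { "Escrowed recovery password protector $_" }
```

Run this fleet-wide while machines are healthy: the detour only spares you the recovery key for this particular failure, and any later firmware change, boot configuration edit or disk move will still land on the recovery screen.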
At Black Hat USA 2024 in Las Vegas next month, Gujer and Popp Schweiz AG colleague Joel Frie are presenting two-day training sessions, titled "Defeating Microsoft's Default Bitlocker Implementation," on Aug. 3 and Aug. 5. The training sessions will demonstrate techniques for bypassing BitLocker and TPM-only configurations, including a hardware attack that sniffs the communication between the CPU and a discrete TPM on the bus that connects them.
Gujer said the training sessions are aimed primarily at penetration testers and red teams who want to show that BitLocker and TPM-only setups are not secure enough, as well as forensic examiners who need to access encrypted data. While the training isn't specifically tailored for CrowdStrike customers, the sessions will provide techniques for system administrators who need to circumvent BitLocker and TPM-only configurations. "We'll also dive into the complexities of BitLocker key handling and discuss ways to get access to key material in different locations but also mitigate potential vulnerabilities," he said.
Rob Wright is a longtime reporter and senior news director for TechTarget Editorial's security team. He drives breaking infosec news and trends coverage. Have a tip? Email him.