fix your crowdstrike bsod Azure VM

PSA, repairing the Crowdstrike BSoD on Azure-hosted VMs

Hey! If you’re like us and have a bunch of servers in Azure running Crowdstrike, the past 8 hours have probably SUCKED for you! The only guidance is to boot in safe mode, but how the heck do you do that on an Azure VM??

I wanted to quickly share what worked for us:

1) Make a clone of your OS disk. Snapshot –> create a new disk from it, create a new disk directly with the old disk as source, whatever your preferred workflow is

2) Attach the cloned OS disk to a functional server as a data disk

3) Open disk management (create and format hard disk partitions), find the new disk, right click, “online”

4) Check the letters of the disk partitions: both system reserved and windows

5) Navigate to the staged disk’s Windows drive, deal with the Crowdstrike files. Either rename the Crowdstrike folder at Windows\System32\drivers\Crowdstrike as Crowdstrike.bak or similar, delete the the file matching “C-00000291*.sys”, per Crowdstrike’s instructions, whatever

From here, we found that if we replaced the disk on the server, we would get a winload.exe boot manager error instead! Don’t dismount your disk, we aren’t done yet!

6) Pull up this MS Learn doc: https://learn.microsoft.com/en-us/troubleshoot/azure/virtual-machines/windows/error-code-0xc000000e

7) Follow the instructions in the document to run bcdedit repairs on your boot directory. So in our case, that meant the following — replace F: and H: with the appropriate drive letters. Note that the document says you need to delete your original VM — we found that just swapping out the disk was OK and we did not need to actually delete and recreate anything, but YMMV.

bcdedit /store F:\boot\bcd /set {bootmgr} device partition=F:

bcdedit /store F:\boot\bcd /set {bootmgr} integrityservices enable

bcdedit /store F:\boot\bcd /set {af3872a5-} device partition=H:

bcdedit /store F:\boot\bcd /set {af3872a5-} integrityservices enable

bcdedit /store F:\boot\bcd /set {af3872a5-} recoveryenabled Off

bcdedit /store F:\boot\bcd /set {af3872a5-} osdevice partition=H:

bcdedit /store F:\boot\bcd /set {af3872a5-} bootstatuspolicy IgnoreAllFailures

8) NOW dismount the disk, and swap it in on your original VM. Try to start the VM.

I’m not a fan of Co-Pilot. Jerk.

Disable CoPilot/AI features on Windows 11, you can follow these steps:

  1. Remove CoPilot from the Taskbar:
    • Go to Settings > Personalization.
    • Scroll down and select Taskbar.
    • Toggle off CoPilot.
  2. Disable CoPilot Completely:
    • Click Start and search for “gpedit” to open the Group Policy Editor.
    • Navigate to User Configuration > Administrative Templates > Windows Components > Windows CoPilot.
    • Double-click Turn off Windows CoPilot.
    • Click Enabled, then Apply, and OK.

To allow it back into your life follow the Disable steps and change Enabled back to Not Configured.

Updating MikroTik from terminal

I’m always forgetting the commands so here’s the short easy version

From the Terminal menu

system/check-installation
#hopefully it says “status: installation is ok”

#if you’re upgrading from 6 to 7 it needs to know that.. If not skip the below line.
system package update set channel=upgrade

#check for updates
system package update check-for-updates

#get the update
system package update download

#reboot
system reboot

#that’s it.

pfSense on Hyper-V running slow?

Obviously I switched back to Hyper-V but my environment is built for 2gig internet. Speedtests were south of 1meg… So on each Hyper-V host I ran this powershell command for each external vmswitch to clear it up..

Set-VMSwitch -Name "The switch name" -EnableSoftwareRsc $false

Like

Set-VMSwitch -Name External -EnableSoftwareRsc $false
Set-VMSwitch -Name Bridge -EnableSoftwareRsc $false

Exchange Online easy forward rule

A really basic single line way to create new mail flow email redirection with Exchange Online, probably onprem too. The to address can be internal or external and there will be an alert that the rule has been created.

From your favorite Exchange CLI. I personally like from the Azure portal open the CLI and run Connect-EXOPSSession then I can run all my Exchange commands from whatever computer I currently have access to.

###


New-TransportRule -Name AmericasNextTopForwardRule -Priority 69 -Enabled $true -SentTo theoldaddress@awwfuckitsbroken.it -RedirectMessageTo thenewaddress@awwfuckitsbroken.it


Exchange Online mailbox too big?

Patience is important, messages might not start vanishing for a few hours but quota is freed up.

Hoping you have Exchange Online Plan 2 license so you really have the over 50 GB available.

Set-Mailbox thebigbox@windrammer.net -ProhibitSendQuota 98GB -ProhibitSendReceiveQuota 99GB -IssueWarningQuota 97GB

Clean up things? Again, it may take a few hours to see the numbers start shrinking.

Change that hold to just 0 days then?

Set-Mailbox thebigbox@windrammer.net -RetainDeletedItemsFor 0

Make sure there’s no litigation hold on anything?

Set-Mailbox thebigbox@windrammer.net -RemoveDelayReleaseHoldApplied

The run a clean up?

Start-ManagedFolderAssistant -Identity thebigbox@windrammer.net

Extra Cleanups

Search-mailbox -Identity thebigbox@windrammer.net -SearchDumpsterOnly -DeleteContent -Force
Start-ManagedFolderAssistant -Identity “thebigbox@windrammer.net ” -HoldCleanup