Determining Devices Impacted by Crowdstrike Update



For those using Workspace ONE DEX, there are a couple of ways to determine whether you were impacted by the Crowdstrike update and your devices are having OS crashes/blue screens of death.

  1. You would have received an email alerting you of a new Workspace ONE Insight that shows an abnormal increase of OS crashes.
    1. [Screenshot: Workspace ONE Insight alert]
    2. If you received this alert, then you have the ability to "Create Investigation" from this alert/insight and run the guided root cause analysis engine by selecting the time frame of when the issue occurred and letting the system determine the root cause. Viewing the results will show that the root cause was the Crowdstrike application update. It will look like the example below. NOTE: this is just an example of the RCA results of a previous issue, not the results of this actual issue. We will post example RCA results of the actual Crowdstrike issue when we get an example from a customer.
    3. [Screenshot: example RCA results]
  2. You can import the attached dashboard template (JSON file) into your Workspace ONE Intelligence console. It shows if you have an increase of OS crashes, who has Crowdstrike installed, who has Crowdstrike running, and what versions of Crowdstrike were released/installed recently. Optionally, it shows if the Crowdstrike spike also caused an increase of boot degradation events, which is another indicator that the device had the issue. The time range is "last 48 hours", but you can change the global filter to whatever time range you want.
    1. Attached file: Crowdstrike Falcon Update and BSOD Investigation.json. Note: This will be on the Workspace ONE Marketplace on Monday, July 22nd around 3:00 PM EST.
    2. [Screenshot: dashboard]


You can now drill into each widget and see the list of devices affected, and then navigate to the per-device timeline for that device to see:

  1. when the OS crash happened
  2. if that device also experienced multiple boot degradation events due to Crowdstrike Falcon Sensor
  3. a single Boot Event that included Crowdstrike Falcon Sensor as a reason for long boot and boot degradation
  4. and finally, the UEM device profile that shows what version of Crowdstrike Falcon Sensor is installed

Here are two remediation information links:

  1. https://www.crowdstrike.com/blog/statement-on-falcon-content-update-for-windows-hosts/
  2. https://kb.omnissa.com/s/article/6000067

 

 


Edited by Scott Kelley