Joint customers using Rubrik for immutable backup are advised to use Rubrik in-place recoveries for impacted Windows VMware Virtual Machines (VMs), standard VM restores for Azure VMs and AWS EC2 instances, and live mounts for Hyper-V and AHV VMs. For VMware VMs, this significantly reduces recovery time by recovering only the changed blocks required to revert the VM to a snapshot taken before the 04:09 UTC CrowdStrike host update.
This enables large groups of VMs to be reverted to a working snapshot in minutes, quickly bringing your environment back online. Note that this recovery process returns the VM to a previous point in time, so any changes to the system since the recovery point will be lost. For this reason, the recovery steps below let you choose the recovery point on a per-VM basis and then decide on the appropriate course of action.
For Azure VMs and AWS EC2 instances, Rubrik recommends recovering the VMs using the restore VM Rubrik recovery workflow, which recovers the VM to the snapshot selected, as there is no ability to boot these VMs into safe mode. For AHV and Hyper-V, the Rubrik live mount capability will give you the fastest recovery time objective.
For physical hosts, Rubrik recommends the CrowdStrike manual workaround on the host as the fastest recovery method.
Recovery Steps for VMware VMs:
Log in to your Rubrik Security Cloud interface
Select the Data Protection app
Go to inventory then select vSphere VMs
Select the impacted VMs in batches by name, SLA, cluster, host or tag
Click the ellipsis in the top right corner then click recover
Select closest snapshot, then before, then a date and time before the update, which occurred at 04:09 UTC, converted to your current time zone (the UI uses your current time zone)
The closest available snapshot for recovery of each VM will then be displayed
Select the VMs you wish to recover and click next. If the recovery point is older than the data loss you are willing to accept for the time between the backup and the update, Rubrik recommends the manual workaround for the Windows host.
Select the 3rd option down, “In-place recovery”, to ensure the existing VMs are recovered in place with no new VM created and no full data transfer required, as only the required blocks are transferred
Click next, then recover. The selected VMs will now be powered off automatically, a snapshot created to roll them back, the required blocks transferred, the VM snapshot removed and the VM powered on.
The VM will now be back in its working state from before the update
Recovery Steps for Azure VMs:
Log in to your Rubrik Security Cloud interface
Select the Data Protection app
Go to inventory then select Azure VMs
For each VM impacted, click the VM
Select the most recent snapshot from before the CrowdStrike update from the calendar view
Click recover, then select restore, click next
Leave the default selections of maintain tags and powered off unchecked, click next
Click recover to restore the VM to a working state from the last working snapshot
Recovery Steps for AWS EC2 Instances:
Log in to your Rubrik Security Cloud interface
Select the Data Protection app
Go to inventory then select AWS - EC2 & Applications
For each EC2 instance impacted, click the instance
Select the most recent snapshot from before the CrowdStrike update from the calendar view
Click recover, then select restore, click next
Leave the default selections of restore tags
Click recover to restore the EC2 instance to a working state from the last working snapshot
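An added example, not Rubrik's code or API: the snapshot choice the VMware, Azure and EC2 steps above describe (the closest snapshot before 04:09 UTC, entered in your own time zone, with the manual workaround when the recovery point is too old), run over a constructed inventory. The date 19 July 2024, the VM names, the fixed UTC-4 offset and the 24-hour tolerance are assumptions that do not come from this page.

```python
from datetime import datetime, timedelta, timezone

# Assumption: the page gives only the time (04:09 UTC); the date used here,
# 19 July 2024, is the day of the CrowdStrike update and is not on the page.
UPDATE_UTC = datetime(2024, 7, 19, 4, 9, tzinfo=timezone.utc)

def cutoff_for_ui(local_tz):
    """Express the 04:09 UTC cutoff in the operator's zone, as the UI expects."""
    return UPDATE_UTC.astimezone(local_tz)

def plan_recovery(snapshots, max_loss):
    """Map each VM to (action, recovery_point, loss).

    snapshots: {vm_name: [timezone-aware datetimes]} (hypothetical inventory
    export; this is not a Rubrik API). max_loss: acceptable timedelta between
    the backup and the update.
    """
    plan = {}
    for vm, times in snapshots.items():
        # Aware datetimes compare by instant, so mixed zones are safe here.
        good = [t for t in times if t < UPDATE_UTC]
        if not good:  # every snapshot already contains the update
            plan[vm] = ("manual-workaround", None, None)
            continue
        point = max(good)            # closest snapshot before the update
        loss = UPDATE_UTC - point    # changes made in this window are lost
        action = "restore" if loss <= max_loss else "manual-workaround"
        plan[vm] = (action, point, loss)
    return plan

# Constructed sample data: VM names, offsets and snapshot times are invented.
EDT = timezone(timedelta(hours=-4), "EDT")
SAMPLE = {
    # 00:30 EDT reads as "before 04:09" on a wall clock but is 04:30 UTC.
    "app01": [datetime(2024, 7, 18, 22, 0, tzinfo=EDT),
              datetime(2024, 7, 19, 0, 30, tzinfo=EDT)],
    "db01": [datetime(2024, 7, 18, 0, 0, tzinfo=timezone.utc),
             datetime(2024, 7, 19, 5, 0, tzinfo=timezone.utc)],
    "new01": [datetime(2024, 7, 19, 6, 0, tzinfo=timezone.utc)],
}

if __name__ == "__main__":
    print("Enter in the UI:", cutoff_for_ui(EDT).isoformat())
    for vm, (action, point, loss) in plan_recovery(SAMPLE, timedelta(hours=24)).items():
        print(vm, action, point, loss)
```

A VM whose only snapshots postdate the update, or whose last good snapshot exceeds the tolerance, falls through to the manual workaround rather than a restore.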
Reach out to your Rubrik account team with any questions or for help in guiding you through this recovery process. In addition, check out the links below for more details or watch our walkthrough demo.
Rubrik specific recovery demonstrations:
Bulk In-place VMware VM Recovery Video Walkthrough
https://vimeo.com/987220337/ea8948ce6a?share=copy
Bulk In-place VMware VM Recovery
https://rubrik.storylane.io/share/1iactbnuqdwv
Single In-place VMware VM Recovery
https://rubrik.storylane.io/share/hidkxd2lpghd
Azure VM Recovery
https://www.rubrik.com/lp/demo/rubrik-data-protection-for-azure-vms
AWS EC2 Recovery
https://www.rubrik.com/lp/demo/rubrik-cnp-aws
AHV VM Recovery
https://www.rubrik.com/lp/demo/rubrik-protection-for-nutanix-ahv
Rubrik specific documentation:
Rubrik Customer Support Portal: Advisory for CrowdStrike Falcon content update for Windows hosts
In-Place Recovery of VMware Virtual Machines
https://docs.rubrik.com/en-us/saas/common/vs_in_place_recovery.html?hl=in-place%2Crecovery%2Cvirtual%2Cmachines
Performing in-place recovery for bulk recovery of VMware Virtual Machines
https://docs.rubrik.com/en-us/saas/saas/vs_recovering_vm_bulk_using_inplace_recovery.html?hl=in-place%2Crecovery%2Cvirtual%2Cmachines
Performing an in-place orchestrated recovery plan for VMware Virtual Machines
https://docs.rubrik.com/en-us/saas/saas/performing_an_in-place_recovery.html
Performing the restore of an Azure VM using a snapshot
https://docs.rubrik.com/en-us/saas/saas/azr_restore_snapshot.html?hl=azure%2Cvm%2Crestore
Performing the restore of an AWS EC2 instance using a snapshot
https://docs.rubrik.com/en-us/saas/saas/restoring_an_ec2_instance_snapshot.html
Performing the live mount of an AHV VM
https://docs.rubrik.com/en-us/saas/cdm/ahv_vm_recovery_using_live_mount.html
Performing the live mount of a Hyper-V VM
https://docs.rubrik.com/en-us/saas/saas/hyper_v/hyperv_mount_batch_recovery.html?hl=mount%2Chyper-v
CrowdStrike Article