Rollout policies are the answer, and CrowdStrike should be made an example of if they were truly overriding policies set by the customer.
It seems more likely to me that nobody was expecting “fingerprint update” to have the potential to completely brick a device, and so none of the affected IT departments were setting staged rollout policies in the first place. Or if they were, they weren’t adequately testing.
Then - after the fact - it’s easy to claim that rollout policies were ignored when there’s no way to prove it.
If there’s some evidence that CS was indeed bypassing policies to force their updates I’ll eat the egg on my face.