Windows WinRE update (for Bitlocker Bypassing vulnerability CVE-2024-20666) fails with installation error 0x80070643 (Jan. 2024, KB5034441)

Microsoft released security updates for Windows 10 and Windows 11 (and for Windows Server 2016, 2019 and 2022) on January 9, 2024. According to KB5034441, this update also includes a fix for the BitLocker Security Feature Bypass vulnerability CVE-2024-20666 in the WinRE partition. It is a disaster foretold: for many users the installation fails with error 0x80070643 (the WinRE partition is too small). Below I summarize what is known so far.

Update KB5034441 for Windows

Update KB5034441 is intended to close the BitLocker Security Feature Bypass vulnerability CVE-2024-20666 in Windows 10 and Windows 11 as well as in the server counterparts (Windows Server 2016, 2019, 2022). Microsoft has published the security advisory CVE-2024-20666 (BitLocker Security Feature Bypass vulnerability).

A successful attacker could bypass BitLocker device encryption on the system storage device and thus access the encrypted information on it. However, the attacker needs physical access to the target device in order to exploit this vulnerability and reach the encrypted data. Microsoft rates exploitation as unlikely.

In a post, Microsoft writes that updating WinRE is now fully automated for the latest versions of Windows. It also states that no additional steps are required for the following versions of Windows, because WinRE is updated as part of the latest cumulative update distributed via Windows Update and WSUS:

  • Windows 11 Version 23H2
  • Windows 11 Version 22H2

Microsoft also mentions that, depending on the Windows version in use, users may need to take additional steps to update the Windows Recovery Environment (WinRE) in order to be protected against this vulnerability. For the following Windows versions, however, Redmond writes that an automatic solution exists, meaning the fixes are applied automatically when the January 2024 security update is installed:

I have left the links from Microsoft in the list above, which refer to the relevant support articles on the relevant security updates from January 9, 2024.

Update installation error 0x80070643

Shortly after the publication of my German articles on the January 2024 patchday, numerous users reported in the comments that the update installation was failing with error 0x80070643. Here is one such German comment (I have translated it):

Have fun with Windows 10/11. At least on Windows 10 [the update needs] manual intervention for installation. I got the aforementioned download error. After extending the RE partition according to the article linked in the KB and rebooting, it worked. Without rebooting after enlarging the partition, the download error kept coming back. After enlarging the partition 5 times I gave up, rebooted and it worked. Then I reduced the size of the partition again.

Admins in large companies will have a lot of fun with this. I have no idea whether this could be automated in a reasonably acceptable way.

In my original German blog post Patchday: Windows 10-Updates (9. Januar 2024), I had even referred to the support article KB5034441, which deals with the WinRE update that closes the BitLocker bypass vulnerability (the passage was later removed during revisions). In support article KB5034441 (which refers to Windows 10), Microsoft states that the update can fail if the system's partitioning scheme has created a WinRE partition that is too small:

Some computers may not have a recovery partition large enough to complete this update. For this reason, the update for WinRE may fail with the error message:

Windows Recovery Environment servicing failed.
(CBS_E_INSUFFICIENT_DISK_SPACE)

Known issue: Due to a problem in the error code handling routine, the following error message may be displayed instead of the expected error message if there is insufficient disk space: 0x80070643 – ERROR_INSTALL_FAILURE

Contradictory statements regarding update availability

The support article KB5034441 now states (for Windows 10) that the update is provided via Windows Update, but neither via the Microsoft Update Catalog nor via WSUS. This explains why some administrators are no longer offered the update via WSUS. However, the support articles on the Windows updates linked above still state that these updates are available via WSUS and the Microsoft Update Catalog.

Enlarging the WinRE partition required

To correct the installation error, a sufficiently large WinRE partition is required. Partition managers (e.g. Paragon Partition Manager, GParted) are usually able to adjust partition sizes without data loss. Microsoft has published the support article KB5028997 (resizing partition), which deals with resizing partitions (the colleagues from deskmodder.de have pointed this out here). In this German comment, a reader has outlined his approach:

I have done the new MS update on 6 PCs, all W10.
4 of them no problems.
2 with (error 0x80070643)
Troubleshooting was:

"Checking the Windows RE version in a Windows online operating system"
Windows command prompt
CMD
reagentc /info
If it is set to Disabled, the security update check will fail.
Then the error is not found or (error 0x80070643)
Remedy for me!
Open Windows command prompt window:
Start CMD as admin and enter

Reagentc /enable /auditmode

First message not found. (REAGENTC.EXE: The Windows RE image was not found).
Enter again
Reagentc /enable /auditmode
(REAGENTC.EXE: Operation successful).
Then for verification
reagentc /info
It is set to Enabled
Restart update from MS.
No more errors during the update.

For users who have enlarged the partition to 2 GB and then still receive an installation error, this is probably due to the "Disabled" attribute for the WinRE partition. Bolko and other users describe some scenarios in this German comment thread. Jackie has also described some cases in this German comment that can cause additional problems. On Facebook, a user posted his approach in a private message:

If of interest and to check; my solution for update error KB5034441:

If a recovery partition exists, formatting is usually sufficient (check in disk management).

Run command prompt as administrator, run reagentc /info and copy the boot configuration data (BCD) identifier, e.g.:
12345687-abcd-1234-abcd-123456789abc

If WinRE status = Enabled:
reagentc /disable
DISKPART list disk
select disk
list disk

to check, an asterisk should appear in front of the selected data partition

list partition
select partition
list partition
format quick fs=ntfs label="winRE" set id=12345687-abcd-1234-abcd-123456789abc
exit

Even if HELP is displayed, everything should be OK.

reagentc /enable

If winre.wim is not found

dir /a /s c:\winre.wim

(usually c:\$WinREAgent\Backup)

reagentc /setreimage /path

If there is no recovery partition on the system hard disk, reduce the partition on which Windows is installed by 512 MB in Disk Management.

Not every user will be able to handle the procedures outlined above in this way. Nevertheless, it may help.
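For administrators who want to find affected machines before the update is approved, here is an added example (my own script, not from the article, KB5034441 or Microsoft) that checks the two conditions described above: WinRE reported as Disabled by reagentc /info, and a recovery partition that is missing or short on free space. The 250 MB free-space threshold is an assumption of this script; adjust it to the guidance you follow.

```powershell
# Added example, not code from the article or from Microsoft. Run in an elevated
# PowerShell session. Reports WinRE status and recovery partition size so that
# machines likely to hit 0x80070643 can be triaged before KB5034441 is offered.

function Get-WinReState {
    # reagentc /info prints lines such as "Windows RE status:   Enabled"
    $info = (& reagentc.exe /info 2>&1) -join "`n"
    $status   = if ($info -match 'Windows RE status:\s*(\w+)')   { $Matches[1] } else { 'Unknown' }
    $location = if ($info -match 'Windows RE location:\s*(\S+)') { $Matches[1] } else { '' }
    [pscustomobject]@{ Status = $status; Location = $location }
}

function Get-RecoveryPartitionReport {
    param([int]$MinFreeMB = 250)   # assumed threshold, not taken from the article
    $winre = Get-WinReState
    $parts = @(Get-Partition | Where-Object Type -eq 'Recovery')
    foreach ($p in $parts) {
        # Recovery partitions have no drive letter; Get-Volume still resolves them
        $vol    = $p | Get-Volume -ErrorAction SilentlyContinue
        $freeMB = if ($vol) { [math]::Round($vol.SizeRemaining / 1MB) } else { $null }
        [pscustomobject]@{
            Disk          = $p.DiskNumber
            Partition     = $p.PartitionNumber
            SizeMB        = [math]::Round($p.Size / 1MB)
            FreeMB        = $freeMB
            WinReStatus   = $winre.Status
            WinReLocation = $winre.Location
            # Either condition from the article makes the WinRE update likely to fail
            LikelyToFail  = ($winre.Status -ne 'Enabled') -or
                            (($null -ne $freeMB) -and ($freeMB -lt $MinFreeMB))
        }
    }
    if ($parts.Count -eq 0) {
        # No recovery partition at all: the last scenario described in the article
        [pscustomobject]@{
            Disk = $null; Partition = $null; SizeMB = 0; FreeMB = 0
            WinReStatus = $winre.Status; WinReLocation = $winre.Location
            LikelyToFail = $true
        }
    }
}

Get-RecoveryPartitionReport | Format-List
```

The script only reads state; enlarging or re-enabling WinRE still has to be done with the steps from KB5028997 and reagentc as described above.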

How to prevent failing update from re-installing

A German user asked in the comments how to stop the update, because it keeps trying to reinstall itself as long as it is not withdrawn. In unmanaged environments, the update must be blocked for the Windows 10 / 11 version in question using the Show or Hide Updates tool.

Similar articles:
Office update KB5002500 from January 2, 2023 fixes OneNote 2016 sync problem
Microsoft Security Update Summary (January 9, 2024)
Patchday: Windows 10 Updates (January 9, 2024)
Patchday: Windows 11/Server 2022 Updates (January 9, 2024)
Windows 7/Server 2008 R2; Server 2012 R2: Updates (January 9, 2024)


6 Responses to Windows WinRE update (for Bitlocker Bypassing vulnerability CVE-2024-20666) fails with installation error 0x80070643 (Jan. 2024, KB5034441)

  1. RGI says:

    Do i need to install this update at all if WinRE is disabled?

    • EP says:

      no. don't even think of installing these updates, even with WinRE disabled.
      not worth the risk right now. wait for a few weeks until things settle down

  2. Chris Pugson says:

    It's a total disgrace that Microsoft should push this flawed software onto unsuspecting non-technical users.

  3. Chris Pugson says:

    This situation is appalling. If it does not supply an automatic fix to cure or prevent this problem, Microsoft will have effectively disabled Windows for its many home non-tech Windows 10 users. Almost all of us do not use BitLocker but Microsoft still stubbornly tries to force KB5034441 on us.

    People, especially old people, will have their lives ruined by the effects of KB5034441 on us now that it is almost impossible to not do many things online. That includes me. This is perhaps an inevitable result of making updates compulsory.

    The solution is simple. KB5034441 should be withdrawn and then modified so that it cannot mess up Windows 10 systems which do not need it. Why was KB5034441 not able to check if BitLocker is in use on their Windows 10 devices? I am amongst those users.

  4. Chris Pugson says:

    The Microsoft 'hide update' tool wushowhide.diagcab is very effective.

  5. Phil IT says:

    As an IT Admin I recommend waiting for a hotfix.
    There is no point running this update unless you have Bitlocker Enabled.
