[German]The security update rolled out on January 9, 2024 via automatic update (e.g. KB5034441) against a BitLocker Security Feature Bypass vulnerability CVE-2024-20666 in the WinRE partition fails on many systems with the installation error 0x80070643. Somehow this is a disaster with an announcement – and many users are not able to fix this installation error. Last week, Microsoft published PowerShell scripts that are supposed to fix the cause of the installation error 0x800706431. I have summarized some information about this in an addendum.
What is CVE-2024-20666 about?
There is a BitLocker Security Feature Bypass vulnerability CVE-2024-20666 in Windows that allows an attacker with physical access to the system to gain access to BitLocker-encrypted data via the BitLocker Device Encryption feature. Windows 10, Windows 11 and Windows Server 2016, 2019, 2022 are potentially affected.
To eliminate the vulnerability, an update should ensure that the Windows Recovery Environment (WinRE) is updated. Microsoft has published some information on this under KB5034441 and is rolling out a corresponding patch to all devices via Windows Update. In the article on CVE-2024-20666, Microsoft states that the WinRE environment for Windows 11 22H2 and 23H2 should be updated automatically.
Updates for the Windows Recovery Environment are available for Windows 10 21H2 – 22H2, Windows 11 21H2 and Windows Server 2022 (including the 23H2 edition), which should automatically apply the latest dynamic Safe OS update from the running Windows operating system to WinRE. Details can be found in the article on CVE-2024-20666.
Update throws installation error 0x80070643
Since January 9, 2024, the automatic installation of the relevant security updates under Windows has failed for many users with the installation error 0x80070643. Corresponding comments can be found here in the blog (see e.g. here), distributed across the blog posts linked at the end of the article. The following causes have crystallized:
- The system does not have a recovery partition large enough to complete this update.
- There is no WinRE partition available on the system or this partition is not activated with the correct flags.
I had given some hints in the blog post Windows WinRE update (for Bitlocker Bypassing vulnerability CVE-2024-20666) fails with installation error 0x80070643 (Jan. 2024, KB5034441) on how experienced users can find (and fix) the cause of the error message:
0x80070643 – ERROR_INSTALL_FAILURE
Windows Recovery Environment servicing failed.
(CBS_E_INSUFFICIENT_DISK_SPACE)
(adjust the size of the WinRE partition and activate it if necessary). The colleagues from German site deskmodder.de also work on this topic in this article and have improved the instructions from Microsoft in this article. In the meantime, Microsoft has also revised the description in the article on CVE-2024-20666 and KB5034441.
Some users also report that they are no longer being offered the faulty update. It is still unclear to me whether the update has been withdrawn. Users for whom the update keeps trying to install itself can try to block it in unmanaged environments under Windows 10 / 11 using the Show or Hide Updates tool.
Microsoft's PowerShell scripts should fix it
Last week, Microsoft then published PowerShell scripts to eliminate the causes of the installation error 0x80070643. A blog reader had pointed this out in this German comment. I had seen the topic on January 11, 2023 at Bleeping Computer in this post too.
Microsoft now offers two PowerShell scripts in the support article KB5034957: Updating the WinRE partition on deployed devices to address security vulnerabilities in CVE-2024-20666 to automate the update of the Windows Recovery Environment (WinRE) with regard to CVE-2024-20666. There are two PowerShell scripts::
- PatchWinREScript_2004plus.ps1 or Windows 10 version 2004 and later versions, including Windows 11. This variant is recommended.
- PatchWinREScript_General.ps1 for Windows 10, version 1909 and earlier versions, but can be run on all versions of Windows 10 and Windows 11.
According to Microsoft's description, the PowerShell script then performs the following operations:
- Mounts the existing WinRE image (WINRE.WIM)
- Updates the WinRE image with the specified package for the dynamic operating system update (compatibility update) available in the Windows Update Catalog.
- Deactivates the WinRE image
- If BitLocker TPM is active, WinRE is reconfigured for the BitLocker service
In the barely documented script code, it can be seen that the WinRE partition is created with the following command:
Dism /image:$mountDir /cleanup-image /StartComponentCleanup /ResetBase
is also cleaned up. The support article KB5034957 also lists parameters that an administrator should specify to execute the PowerShell script in the PS console. A call could look like this:
.\PatchWinREScript_2004plus.ps1 -packagePath "\\server\share\windows10.0-kb5021043-x64_efa19d2d431c5e782a59daaf2d.cab
German blog reader Rafael points out in this comment that the Safe OS package can be downloaded from the Windows Update Catalog for the relevant Windows version.
The colleagues from Bleeping Computer also refer in their article to a second approach Fixing WinRE Update Issues for CVE-2024-20666 and KB5034441 on the site action1.com, where PowerShell scripts are also offered to fix the problem.
My(eine) 2 Cents
This approach will not work for normal users as it is simply too complicated. Especially users in the consumer environment, whose systems are not encrypted with Bitlocker anyway, will not be able to do anything with the above approaches. It is absolutely incomprehensible to me that Microsoft is rolling out such an update on the first patch day after Christmas and the turn of the year via Windows Update and causing installation errors for a large number of users.
In my opinion, Microsoft will have to make significant improvements. The approach of forcing users into an administrative prompt windows in order to operate with partitions or PowerShell scripts is simply a bankruptcy declaration from Redmond. Although they are puffing out their cheeks with the possibilities of Copilot, but they don't even manage to provide an update program that reliably eliminates the vulnerability.
What is the status for you, were you able to install the update without errors and if so, how? Incidentally, the update is still not offered on my Windows 10 2019 IoT LTSC.
Similar articles:
Office update KB5002500 from January 2, 2023 fixes OneNote 2016 sync problem
Microsoft Security Update Summary (January 9, 2024)Patchday: Windows 10 Updates (January 9, 2024)
Patchday: Windows 11/Server 2022 Updates (January 9, 2024)
Windows 7/Server 2008 R2; Server 2012 R2: Updates (January 9, 2024)
Windows WinRE update (for Bitlocker Bypassing vulnerability CVE-2024-20666) fails with installation error 0x80070643 (Jan. 2024, KB5034441)
"Especially users in the consumer environment, whose systems are not encrypted with Bitlocker anyway"
wrong.
at some point, systems started getting bitlocker encrypted automatically, with VMK sealed by TPM only and a recovery key escrowed with Microsoft: https://learn.microsoft.com/en-us/windows-hardware/design/device-experiences/oem-bitlocker#bitlocker-automatic-device-encryption
dbx updates in the past have caused actual data loss because of this. i was told this was because of a servicing stack bug which has since been fixed…
I'm aware of this case – see Windows 10/11 Home Edition and the OEM Bitlocker pitfall. Nevertheless: Systems without TPM und with non encrypted system volumes are not affected.
But this is the wrong battle! The thing is: Microsoft has to fix things to allow ordinary users to update their machines without troubleshooting or ordering a specialist to fix things.
Meine 2 Cents
In English, we call it "My two pence worth". I didn't realise that it is multi-lingual.
Microsoft provides a tool to deal with bad updates: –
wushowhide.diagcab
Chris Pugson
:-)
although KB5034441 only applies to Windows 10 21H2 & 22H2, guenni.
KB5034440 is the Windows 11 RTM/21H2 equivalent to KB5034441
This powershell script that microsoft provided did not apply the patch without customization.
I needed to comment out:
if ($hasUpdated)
{
LogMessage("The update has already been added to WinRE")
SetRegistrykeyForSuccess
return $False
}
After this the patch was applied, but the script was not able to renable the RE partition since our machines have bitlocker enabled.