Fix Windows Security Update 0x80070643 Error (KB5034441)

KB5034441: Windows Recovery Environment update for Windows 10, version 21H2 and 22H2: January 9, 2024

Microsoft has changed how it updates PCs that run the Windows Recovery Environment (WinRE). WinRE will be updated using the monthly cumulative update. This change only applies to PCs that get updates from Windows Update (WU) and Windows Server Update Services (WSUS). This change starts on June 27, 2023, for the Windows 11, version 22H2 cumulative update.

Some PCs might not have a recovery partition that is large enough to complete this update. Because of this, the update for WinRE might fail. You will receive the error message, “Windows Recovery Environment servicing failed.” To help you recover from this failure, this article provides instructions to manually resize your recovery partition if you get a system ErrorPhase of 2. This requires your device to have the recovery partition after the OS partition. Use the steps below to verify this.

This update automatically applies Safe OS Dynamic Update (KB5034232) to the Windows Recovery Environment (WinRE) on a running PC to address a security vulnerability that could allow attackers to bypass BitLocker encryption by using WinRE. For more information, see CVE-2024-20666.

This update requires 250 MB of free space in the recovery partition to install successfully. If the recovery partition does not have sufficient free space, this update will fail. In this case, you will receive the following error message:

0x80070643 – ERROR_INSTALL_FAILURE: To avoid this error or recover from this failure, please follow the Instructions to manually resize your partition to install the WinRE update and then try installing this update.

When trying to deploy the security update, users report seeing 0x80070643 errors, saying, “There were some problems installing updates, but we’ll try again later. If you keep seeing this and want to search the web or contact support for information, this may help: (0x80070643).”

0x80070643 Error Solution 2024 (Security Update KB5034441)

Manually resize your partition by 250 MB

  1. Open a Command Prompt window (cmd) as admin.
  2. To check the WinRE status, run reagentc /info. If the WinRE is installed, there should be a “Windows RE location” with a path to the WinRE directory. An example is, “Windows RE location: \\?\GLOBALROOT\device\harddisk0\partition4\Recovery\WindowsRE.” Here, the number after “harddisk” and “partition” is the index of the disk and partition WinRE is on.
  3. To disable the WinRE, run reagentc /disable
  4. Shrink the OS partition and prepare the disk for a new recovery partition.
    1. To shrink the OS, run diskpart
    2. Run list disk
    3. To select the OS disk, run sel disk <OS disk index>. This should be the same disk index as WinRE (the disk that holds the recovery partition).
    4. To check the partition under the OS disk and find the OS partition, run list part
    5. To select the OS partition, run sel part <OS partition index> (the one of type Primary)
    6. Run shrink desired=250 minimum=250
    7. To select the WinRE partition, run sel part <WinRE partition index>
    8. To delete the WinRE partition, run delete partition override
  5. Create a new recovery partition.
    1. First, check if the disk partition style is a GUID Partition Table (GPT) or a Master Boot Record (MBR). To do that, run list disk. Check if there is an asterisk character (*) in the “Gpt” column. If there is an asterisk character (*), then the drive is GPT. Otherwise, the drive is MBR.
      1. If your disk is GPT, run create partition primary id=de94bba4-06d1-4d40-a16a-bfd50179d6ac followed by the command gpt attributes=0x8000000000000001
      2. If your disk is MBR, run create partition primary id=27
    2. To format the partition, run format quick fs=ntfs label="Windows RE tools"
  6. To confirm that the WinRE partition is created, run list vol
  7. To exit from diskpart, run exit
  8. To re-enable WinRE, run reagentc /enable
  9. To confirm where WinRE is installed, run reagentc /info
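
Before starting the resize, the preconditions described above (a separate recovery partition located after the OS partition, less than 250 MB free in it, GPT or MBR layout) can be checked without changing anything. The following PowerShell check is an added example, not part of the Microsoft article or the scripts referenced on this page; it assumes an elevated session on Windows 10/11 with the built-in Storage cmdlets, and the variable and property names are illustrative.

```powershell
# Added example: read-only pre-check for the manual WinRE partition resize.
# Run in an elevated PowerShell session. Nothing on the disk is modified.
$RequiredFreeBytes = 250MB   # free space the update needs in the recovery partition

# reagentc /info reports "\\?\GLOBALROOT\device\harddiskN\partitionM\Recovery\WindowsRE"
$info = reagentc /info | Out-String
if ($info -notmatch 'harddisk(\d+)\\partition(\d+)') {
    Write-Warning 'No Windows RE location reported: WinRE is disabled or not installed.'
    return
}
$diskNumber = [int]$Matches[1]
$partNumber = [int]$Matches[2]

$disk   = Get-Disk -Number $diskNumber
$winre  = Get-Partition -DiskNumber $diskNumber -PartitionNumber $partNumber
$os     = Get-Partition -DriveLetter ($env:SystemDrive.TrimEnd(':'))
$volume = $winre | Get-Volume   # works even though the partition has no drive letter

# The manual procedure only applies when WinRE has its own partition after the OS partition.
$sameDisk = $os.DiskNumber -eq $winre.DiskNumber
$separate = -not ($sameDisk -and $os.PartitionNumber -eq $winre.PartitionNumber)
$afterOs  = $sameDisk -and ($winre.Offset -gt $os.Offset)

[pscustomobject]@{
    WinREDisk            = $diskNumber
    WinREPartition       = $partNumber
    PartitionStyle       = $disk.PartitionStyle   # GPT or MBR decides the create command
    SeparateRecoveryPart = $separate
    RecoveryAfterOS      = $afterOs
    RecoverySizeMB       = [math]::Round($winre.Size / 1MB)
    RecoveryFreeMB       = [math]::Round($volume.SizeRemaining / 1MB)
    Has250MBFree         = $volume.SizeRemaining -ge $RequiredFreeBytes
}
```

If Has250MBFree is True, the update should not fail for lack of space; if RecoveryAfterOS is False, the steps above do not apply to that disk layout as written.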

https://support.microsoft.com/en-us/topic/kb5034441-windows-recovery-environment-update-for-windows-10-version-21h2-and-22h2-january-9-2024-62c04204-aaa5-4fee-a02a-2fdea17075a8

https://support.microsoft.com/en-us/topic/kb5028997-instructions-to-manually-resize-your-partition-to-install-the-winre-update-400faa27-9343-461c-ada9-24c8229763bf

Solution 2 (Automatic PowerShell Script)

Microsoft has developed a sample PowerShell script that can help you automate updating the Windows Recovery Environment (WinRE) on deployed devices to address the security vulnerabilities in CVE-2024-20666.

Sample PowerShell script
The sample PowerShell script was developed by the Microsoft product team to help automate the updating of WinRE images on supported Windows 10 and Windows 11 devices. Run the script with Administrator credentials in PowerShell on the affected devices. There are two scripts available—which script you should use depends on the version of Windows you are running. Please use the appropriate version for your environment.

PatchWinREScript_2004plus.ps1 / PatchWinREScript_General.ps1

https://support.microsoft.com/en-us/topic/kb5034957-updating-the-winre-partition-on-deployed-devices-to-address-security-vulnerabilities-in-cve-2024-20666-0190331b-1ca3-42d8-8a55-7fc406910c10

https://github.com/Action1Corp/ReportDataSources/blob/main/DetectWinREKB5034441.ps1

https://www.bleepingcomputer.com/news/microsoft/microsoft-working-on-a-fix-for-windows-10-0x80070643-errors/

https://www.bleepingcomputer.com/news/microsoft/microsoft-shares-script-to-update-windows-10-winre-with-bitlocker-fixes/

https://www.action1.com/fixing-winre-update-issues-for-cve-2024-20666-and-kb5034441/
