[German]Addendum from the January 2024 patchday, where numerous users run into install error 0x80070643 with update KB5034441. This update is intended to fix a vulnerability relating to Bitlocker encryption in the WinRE environment. There are workarounds, but they are too complicated for most users and also administrators supporting thousands of Windows 10/11 clients. However, Microsoft confirmed on January 18, 2024, that they are working on a fix for these issues and intends to deliver it at some point. At the same time, it was announced that Microsoft wants to harden Secure Boot and block insecure boot environments from April 2024. I summarize the status below.
Advertising
WinRE Update KB5034441
There is a BitLocker Security Feature Bypass vulnerability CVE-2024-20666 in Windows that allows an attacker with physical access to the system to gain access to BitLocker-encrypted data via the BitLocker Device Encryption feature. Windows 10, Windows 11 and Windows Server 2 2022 are potentially affected.
To eliminate the vulnerability, Microsoft has provided an update on January 9, 2024, for which some information can be found under the support article KB5034441. The update is intended to ensure that the Windows Recovery Environment (WinRE) is updated. This update automatically applies the dynamic Safe Os update (e.g. KB5034232, KB5034236 etc.) to the Windows Recovery Environment (WinRE) on a running PC.
Update installation error 0x80070643
The update was rolled out automatically via Windows Update, regardless of whether Bitlocker was activated on a machine or not. As a result of the January 2024 patchday, numerous users reported that KB5034441 failed with an installation error 0x80070643. I took up the topic here in the blog post Windows WinRE update (for Bitlocker Bypassing vulnerability CVE-2024-20666) fails with installation error 0x80070643 (Jan. 2024, KB5034441).
Microsoft has already indicated in advance that the installation of the update requires 250 MB of free disk space in the recovery partition in order to be installed successfully. If the recovery partition does not have enough free space, the update will fail during installation with the error 0x80070643 – ERROR_INSTALL_FAILURE.
Unsuitable help from Microsoft
There are instructions from Microsoft in the support article KB5028997: Instructions to manually resize your partition to install the WinRE update on how to manually resize your partition to install the WinRE update. These instructions on the one hand was insufficient or simply unsuitable in various cases (if the WinRE environment is not active or does not exist). On the other hand, these instructions are simply not feasible in many cases.
Advertising
- An administrator in a corporate environment cannot manually change the partition size for thousands of clients.
- A good 99% of the affected Windows users are also likely to be overwhelmed by the task of rectifying the error (adjusting the partition sizes, activating the WinRE partition).
The latter point in particular is a tricky one, as adjusting the partition size requires not only specialist knowledge but often also third-party tools (the Windows on-board tools have many limitations, making it sometimes impossible to increase the size). For administrators, Microsoft has published a PowerShell script for repair (see Microsoft's PowerShell script against installation error 0x80070643 for KB5034441 (Jan. 2024)), but this also requires specialist knowledge and sometimes "a bit of luck" to install the update.
There is also a third-party PowerShell script WinRE-Customization on Github, which is supposed to support partition customization and more.
Microsoft makes improvements
The user comments often read "I'll wait until Microsoft releases a fix". Personally, I was skeptical about this – and those affected had the problem that the update was repeatedly offered for installation and then failed.
Users for whom the update wants to install again and again can try to block it in unmanaged environments under Windows 10 / 11 version using the Microsoft Show or Hide Updates tool. In managed corporate environments, administrators can suspend the distribution of the update. Whether Microsoft has withdrawn the update is currently unclear or unknown to me.
In the meantime, however, Microsoft has probably realized that it has messed up once again. It was basically a disaster with an announcement, as there was a similar disaster in January 2023 (see e.g. Windows 10: Be aware of WinRE WinRE patch to fix Bitlocker bypass vulnerability CVE-2022-41099 and the following article links at the end of the blog post). It's not very smart to roll out such an update in December or January, when many people are on vacation or celebrating the holidays.
In the meantime, however, some media such as Windows Latest or Bleeping Computer are reporting that they heard, that Microsoft is aware of the problems and is working on fixing them. Redmond intends to provide further information "shortly". For the majority of those affected, I think it's a case of waiting and seeing what Redmond comes up with.
I don't consider the Bitlocker bypassing vulnerability to be particularly critical because the attacker needs physical access to the system. In corporate environments, scenarios are conceivable where notebooks with sensitive information are stolen or lost and need to be protected from prying eyes by Bitlocker. If an attacker specifically needs information from a device, there will certainly be other ways to accomplish this.
Announcement in Release Health
Microsoft has published the entry The January 2024 Windows RE update might fail to install in the Known Issue in the Release Health section of Windows 10 22H2 on January 18, 2024. The same applies to Windows Server 2022 (see) and Windows 11 21H2 (see). There will be no entry for Windows 11 22H2 and 23H2 because their WinRE environment has already been patched. The entry contains the above instructions for correcting the installation error.
There is also a list of the affected Windows versions (Windows 10 21H2-22H2, Windows 11 21H2, Windows Server 2022) including the note that the update KB5034441 is not needed for systems without WinRE environment. The installation error could then be ignored – great solution – simply not installing the update in the absence of WinRE was not implemented. The support article in the Known Issues also contains the note "Next steps: We are working on a resolution and will provide an update in an upcoming release."
Secure boot hardening from April 2024!
This will also be bitterly necessary, because I read at Reminder: Changes to Windows Boot Manager revocations for Secure Boot effective April 9, 2024 in the Windows Message Center:
Windows updates released July 11, 2023 and later include security measures which protect against a Secure Boot bypass vulnerability disclosed in CVE-2023-24932. Secure Boot is a Windows security feature designed to protect devices from bootkit malware.
Administrators should observe mitigations and security enforcement requirements coming into effect with Windows updates released on and after April 9, 2024. These updates will provide new mitigations to block additional vulnerable boot managers. Windows updates released on and after October 8, 2024 will enforce the Code Integrity Boot policy and Secure Boot disallow list revocations related to this hardening. There will be no option to disable this enforcement after this update.
To enable protections manually, it's necessary to ensure all devices and bootable media are updated and ready for this security hardening change. Users should determine whether it's important to enable protections now, or wait for a future update from Microsoft. To better assess this, in addition to understanding the options available for configuring these security requirements, see KB5025885: How to manage the Windows Boot Manager revocations for Secure Boot changes associated with CVE-2023-24932.
In a nutshell: Administrators need to be aware of the changed security requirements that will come into effect with Windows updates released on and after April 9, 2024. These updates will enable new protections to block additional vulnerable boot managers. Windows updates released on and after October 8, 2024 will enforce the Code Integrity Boot policy and Secure Boot blacklist revocations related to this hardening. After this update, there will no longer be a way to disable this enforcement. This smells like more trouble.
Similar articles:
Microsoft Security Update Summary (January 9, 2024)
Patchday: Windows 10 Updates (January 9, 2024)
Patchday: Windows 11/Server 2022 Updates (January 9, 2024)
Windows 7/Server 2008 R2; Server 2012 R2: Updates (January 9, 2024)
Windows WinRE update (for Bitlocker Bypassing vulnerability CVE-2024-20666) fails with installation error 0x80070643 (Jan. 2024, KB5034441)
Microsoft's PowerShell script against installation error 0x80070643 for KB5034441 (Jan. 2024)
Windows 10: Be aware of WinRE WinRE patch to fix Bitlocker bypass vulnerability CVE-2022-41099
Windows 10: Update on WinRE patch (fix for Bitlocker bypass vulnerability CVE-2022-41099)
Windows 10/11: Microsoft releases script for WinRE BitLocker bypass fix
I hope that Microsoft does NOT disable Windows 10 systems which have NO secure boot feature. To impose that would be a disaster for the many non-technical users of old Windows 10 systems. I would not surprised if Microsoft was capable of making such a terrible mistake.
Funny but my install error on kb503444 is a direct result of MS Windows 10 deciding how large to make the partition size during the installing the operating system. So it is on them to come up with the fix and quick!
This update breaks our Dells laptops, cant even start dell up into windows
Getting Recovery Bitlocker loop after the update is installed
I have 3 win10 computers and 2 of them have this issue hope for a fix soon, damn ms
It's March already and this issue is in ALL my computers at home and at job…
For when the fix, guys? We will NOT pay for a person to come to fix it when it's literally MS's fault.
Today is 23 March and both computers have same error.
Looks like Microsoft don`t have a sh"it of that!