{"id":32846,"date":"2024-01-15T00:04:56","date_gmt":"2024-01-14T23:04:56","guid":{"rendered":"http:\/\/159.69.82.204\/win\/?p=32846"},"modified":"2024-10-01T15:26:01","modified_gmt":"2024-10-01T13:26:01","slug":"microsofts-powershell-script-against-installation-error-0x80070643-for-kb5034441-jan-2024","status":"publish","type":"post","link":"https:\/\/borncity.com\/win\/2024\/01\/15\/microsofts-powershell-script-against-installation-error-0x80070643-for-kb5034441-jan-2024\/","title":{"rendered":"Microsoft's PowerShell script against installation error 0x80070643 for KB5034441 (Jan. 2024)"},"content":{"rendered":"<p><img decoding=\"async\" style=\"float: left; margin: 0px 10px 0px 0px; display: inline;\" title=\"Windows\" src=\"https:\/\/www.borncity.com\/blog\/wp-content\/uploads\/2021\/04\/Windows-klein.jpg\" alt=\"Windows\" width=\"200\" align=\"left\" \/>[<a href=\"https:\/\/www.borncity.com\/blog\/2024\/01\/14\/microsoft-powershell-script-gegen-installationsfehler-0x80070643-bei-kb5034441-jan-2024\/\" target=\"_blank\" rel=\"noopener\">German<\/a>]The security update that Microsoft rolled out via Windows Update on January 9, 2024 (e.g. KB5034441) against the BitLocker Security Feature Bypass vulnerability CVE-2024-20666 in the WinRE partition fails on many systems with installation error 0x80070643. It is a disaster that was foreseeable, and many users are unable to resolve the error themselves. Last week, Microsoft published PowerShell scripts that are supposed to address the cause of installation error 0x80070643. 
I have summarized some information about this in an addendum.<\/p>\n<p><!--more--><\/p>\n<h2>What is CVE-2024-20666 about?<\/h2>\n<p>The BitLocker Security Feature Bypass vulnerability <a href=\"https:\/\/msrc.microsoft.com\/update-guide\/vulnerability\/CVE-2024-20666\" target=\"_blank\" rel=\"noopener\">CVE-2024-20666<\/a> in Windows allows an attacker with physical access to a system to gain access to BitLocker-encrypted data via the Windows Recovery Environment. Windows 10, Windows 11 and Windows Server 2016, 2019 and 2022 are potentially affected.<\/p>\n<p>The fix consists of updating the Windows Recovery Environment (WinRE) image stored on the recovery partition. Microsoft has published information on this in KB5034441 and is rolling out a corresponding update to all devices via Windows Update. In the article on <a href=\"https:\/\/msrc.microsoft.com\/update-guide\/vulnerability\/CVE-2024-20666\" target=\"_blank\" rel=\"noopener\">CVE-2024-20666<\/a>, Microsoft states that WinRE on Windows 11 22H2 and 23H2 is updated automatically.<\/p>\n<p>Separate WinRE updates are available for Windows 10 21H2 and 22H2, Windows 11 21H2 and Windows Server 2022 (including the 23H2 edition); they are supposed to apply the latest Safe OS Dynamic Update from the running Windows installation to WinRE automatically. Details can be found in the article on <a href=\"https:\/\/msrc.microsoft.com\/update-guide\/vulnerability\/CVE-2024-20666\" target=\"_blank\" rel=\"noopener\">CVE-2024-20666<\/a>.<\/p>\n<h2>Update throws installation error 0x80070643<\/h2>\n<p>Since January 9, 2024, the automatic installation of these security updates has failed for many Windows users with installation error 0x80070643. 
Readers have reported this in comments (see e.g. here) spread across the blog posts linked at the end of this article. Two causes have emerged:<\/p>\n<ul>\n<li>The recovery partition is too small: the update needs free space on it (250 MB according to KB5034441) and fails with CBS_E_INSUFFICIENT_DISK_SPACE if that space is not available.<\/li>\n<li>There is no WinRE partition on the system, or the existing partition is not enabled as WinRE with the correct partition type and attributes.<\/li>\n<\/ul>\n<p>In the blog post <a href=\"https:\/\/borncity.com\/win\/2024\/01\/11\/windows-winre-update-for-bitlocker-bypassing-vulnerability-cve-2024-20666-fails-with-installation-error-0x80070643-jan-2024-kb5034441\/\">Windows WinRE update (for Bitlocker Bypassing vulnerability CVE-2024-20666) fails with installation error 0x80070643 (Jan. 2024, KB5034441)<\/a> I gave some hints on how experienced users can find (and fix) the cause behind the error message:<\/p>\n<blockquote><p><em>0x80070643 \u2013 ERROR_INSTALL_FAILURE<\/em><\/p>\n<p>Windows Recovery Environment servicing failed.<br \/>\n(CBS_E_INSUFFICIENT_DISK_SPACE)<\/p><\/blockquote>\n<p>The fix is to enlarge the WinRE partition and, if necessary, enable WinRE. The colleagues at the German site deskmodder.de also cover the topic in<a href=\"https:\/\/www.deskmodder.de\/blog\/2024\/01\/09\/windows-10-kb5034441-winre-update-als-sicherheitsupdate-kann-fehler-0x80070643-ausloesen\/\" target=\"_blank\" rel=\"noopener\"> this article<\/a> and have refined Microsoft's instructions in<a href=\"https:\/\/www.deskmodder.de\/blog\/2023\/09\/10\/windows-11-winre-update-mit-fehlermeldung-wegen-zu-kleiner-partition-anleitung-von-microsoft\/\" target=\"_blank\" rel=\"noopener\"> this article<\/a>. 
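<\/p>\n<p>As an added example (not code from Microsoft or from this blog), the following PowerShell snippet checks the two preconditions named above before the update is retried: whether WinRE is enabled and where it lives (via reagentc \/info), and whether the recovery partition carries the recovery partition type and the 250 MB of free space that KB5034441 requires. It assumes an elevated prompt and English reagentc output (localized Windows prints other labels); the GPT type GUID and the MBR id 0x27 are the values Microsoft's own repartitioning instructions use.<\/p>\n
```powershell
# Added diagnostic, not code from Microsoft or from the blog post. It checks the two
# preconditions that KB5034441 depends on and that the causes listed above describe:
#   1. WinRE is enabled and its location is known (reagentc \/info)
#   2. the recovery partition carries the recovery partition type and has at least
#      250 MB free (the free-space requirement stated in KB5034441)
# Assumptions: elevated prompt; English reagentc output (the regexes match the English
# labels, localized Windows prints different ones).
#Requires -RunAsAdministrator

$RequiredFreeMB  = 250
$GptRecoveryType = '{de94bba4-06d1-4d40-a16a-bfd50179d6ac}'   # PARTITION_MSFT_RECOVERY_GUID
$MbrRecoveryType = 0x27                                        # MBR partition id for recovery

function Test-WinRePrerequisites {
    $info    = (reagentc \/info 2>&1) | Out-String
    $enabled = $info -match 'Windows RE status:\\s+Enabled'

    # The location line looks like \\\\?\\GLOBALROOT\\device\\harddisk0\\partition4\\Recovery\\WindowsRE
    if ($info -notmatch 'harddisk(\\d+)\\\\partition(\\d+)') {
        Write-Warning 'reagentc \/info reports no WinRE location: WinRE is disabled or the partition is missing.'
        return $null
    }
    $diskNo = [int]$Matches[1]
    $partNo = [int]$Matches[2]

    $disk = Get-Disk -Number $diskNo
    $part = Get-Partition -DiskNumber $diskNo -PartitionNumber $partNo
    $vol  = $part | Get-Volume            # also works for partitions without a drive letter

    $isRecoveryType = if ($disk.PartitionStyle -eq 'GPT') { $part.GptType -eq $GptRecoveryType } else { $part.MbrType -eq $MbrRecoveryType }

    $result = [pscustomobject]@{
        WinReEnabled   = $enabled
        Disk           = $diskNo
        Partition      = $partNo
        PartitionStyle = $disk.PartitionStyle
        RecoveryType   = $isRecoveryType
        SizeMB         = [math]::Round($part.Size \/ 1MB)
        FreeMB         = [math]::Round($vol.SizeRemaining \/ 1MB)
    }

    if (-not $enabled)        { Write-Warning 'WinRE is disabled; run \"reagentc \/enable\" once the partition is fixed.' }
    if (-not $isRecoveryType) { Write-Warning \"Partition $partNo on disk $diskNo is not typed as a recovery partition (GPT type $GptRecoveryType or MBR id 0x27).\" }
    if ($result.FreeMB -lt $RequiredFreeMB) {
        Write-Warning \"Only $($result.FreeMB) MB free on the recovery partition, KB5034441 needs $RequiredFreeMB MB. Enlarge the partition before retrying the update.\"
    }
    return $result
}

Test-WinRePrerequisites | Format-List
```
<p>Run it from an elevated PowerShell prompt. A FreeMB value below 250 or RecoveryType False explains a CBS_E_INSUFFICIENT_DISK_SPACE failure and means the partition has to be enlarged or re-typed before KB5034441 can install; a missing location line means WinRE itself has to be enabled first.<\/p>\n<p>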
In the meantime, Microsoft has also revised the descriptions in the article on <a href=\"https:\/\/msrc.microsoft.com\/update-guide\/vulnerability\/CVE-2024-20666\" target=\"_blank\" rel=\"noopener\">CVE-2024-20666<\/a> and in <a href=\"https:\/\/support.microsoft.com\/en-us\/topic\/kb5034441-windows-recovery-environment-update-for-windows-10-version-21h2-and-22h2-january-9-2024-62c04204-aaa5-4fee-a02a-2fdea17075a8\" target=\"_blank\" rel=\"noopener\">KB5034441<\/a>.<\/p>\n<p>Some users also report that they are no longer being offered the failing update. It is still unclear to me whether the update has been withdrawn. Users on whose systems the update keeps trying to install can, in unmanaged Windows 10 \/ 11 environments, block it with the <a href=\"http:\/\/download.microsoft.com\/download\/F\/2\/2\/F22D5FDB-59CD-4275-8C95-1BE17BF70B21\/wushowhide.diagcab\">Show or Hide Updates<\/a> tool.<\/p>\n<h2>Microsoft's PowerShell scripts should fix it<\/h2>\n<p>Last week, Microsoft published PowerShell scripts as an alternative way of applying the WinRE update that fails with installation error 0x80070643. A blog reader pointed this out in <a href=\"https:\/\/www.borncity.com\/blog\/2024\/01\/10\/patchday-windows-10-updates-9-januar-2024\/#comment-169166\" target=\"_blank\" rel=\"noopener\">this German comment<\/a>. 
I had also seen the topic on January 11, 2024 at Bleeping Computer in <a href=\"https:\/\/www.bleepingcomputer.com\/news\/microsoft\/microsoft-shares-script-to-update-windows-10-winre-with-bitlocker-fixes\/\" target=\"_blank\" rel=\"noopener\">this post<\/a>.<\/p>\n<p>In the support article <a href=\"https:\/\/support.microsoft.com\/en-us\/topic\/kb5034957-updating-the-winre-partition-on-deployed-devices-to-address-security-vulnerabilities-in-cve-2024-20666-0190331b-1ca3-42d8-8a55-7fc406910c10\" target=\"_blank\" rel=\"noopener\">KB5034957: Updating the WinRE partition on deployed devices to address security vulnerabilities in CVE-2024-20666<\/a>, Microsoft now offers two PowerShell scripts that automate the update of the Windows Recovery Environment (WinRE) for CVE-2024-20666:<\/p>\n<ul>\n<li><em>PatchWinREScript_2004plus.ps1<\/em> for Windows 10 version 2004 and later, including Windows 11. Microsoft recommends this variant.<\/li>\n<li><em>PatchWinREScript_General.ps1<\/em> for Windows 10 version 1909 and earlier; it can, however, be run on all versions of Windows 10 and Windows 11.<\/li>\n<\/ul>\n<p>According to Microsoft's description, the script performs the following operations:<\/p>\n<ul>\n<li>Mounts the existing WinRE image (WINRE.WIM)<\/li>\n<li>Updates the mounted image with the specified Safe OS Dynamic Update (compatibility update) package from the Microsoft Update Catalog<\/li>\n<li>Unmounts the WinRE image, committing the changes<\/li>\n<li>If a BitLocker TPM protector is present, reconfigures WinRE for BitLocker servicing<\/li>\n<\/ul>\n<p>The sparsely commented script code also shows that the mounted image is cleaned up before it is committed, using the following command:<\/p>\n<pre>Dism \/image:$mountDir \/cleanup-image \/StartComponentCleanup \/ResetBase<\/pre>\n<p>
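<\/p>\n<p>Because the package handed to the script is written straight into the recovery image, a practitioner will want to verify what was downloaded before running it. The following wrapper is an added example, not Microsoft's or this blog's code: it checks the Authenticode signature and signer of the Safe OS .cab, then calls PatchWinREScript_2004plus.ps1 with the -packagePath and -workDir parameters documented in KB5034957, and finally confirms that WinRE is still enabled. The file paths are hypothetical, and the signer subject match is a simple filter (stricter environments pin the expected certificate thumbprint instead).<\/p>\n
```powershell
# Added example, not Microsoft's or the blog's code. The Safe OS Dynamic Update package
# given to PatchWinREScript_2004plus.ps1 ends up inside the recovery image, so a tampered
# or wrong .cab pulled from a file share would be injected straight into WinRE. This
# wrapper checks the Authenticode signature of the .cab before invoking Microsoft's
# script and confirms WinRE is still enabled afterwards.
# Assumptions: the script from KB5034957 and the .cab from the Microsoft Update Catalog
# are already saved under the (hypothetical) paths below; -packagePath and -workDir are
# the parameter names documented in KB5034957; the signer check is a subject match on
# Microsoft's code-signing certificate (pin the thumbprint in stricter environments).
#Requires -RunAsAdministrator

$ScriptPath  = 'C:\\WinRE\\PatchWinREScript_2004plus.ps1'     # hypothetical path
$PackagePath = 'C:\\WinRE\\SafeOS-DynamicUpdate-x64.cab'      # hypothetical path
$WorkDir     = 'C:\\WinRE\\work'                              # hypothetical scratch folder

function Test-SafeOsPackage {
    param([Parameter(Mandatory)][string]$Path)

    $sig = Get-AuthenticodeSignature -FilePath $Path
    # Status 'Valid' means the hash matches and the chain ends in a trusted root.
    if ($sig.Status -ne 'Valid') {
        Write-Warning \"$Path has signature status '$($sig.Status)' (must be Valid).\"
        return $false
    }
    # A valid signature from someone else is still the wrong package.
    if ($sig.SignerCertificate.Subject -notmatch '^CN=Microsoft (Windows|Corporation)') {
        Write-Warning \"$Path is signed by '$($sig.SignerCertificate.Subject)', not by Microsoft.\"
        return $false
    }
    return $true
}

function Invoke-WinRePatch {
    if (-not (Test-SafeOsPackage -Path $PackagePath)) {
        throw 'Refusing to patch WinRE with an unverified Safe OS package.'
    }
    New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null

    # Microsoft's script mounts WINRE.WIM, applies the package, unmounts the image and,
    # if a BitLocker TPM protector exists, reconfigures WinRE for BitLocker (KB5034957).
    & $ScriptPath -packagePath $PackagePath -workDir $WorkDir

    # WinRE must still be enabled afterwards; otherwise BitLocker recovery is affected.
    $info = (reagentc \/info 2>&1) | Out-String
    if ($info -notmatch 'Windows RE status:\\s+Enabled') {
        Write-Warning 'WinRE is not enabled after patching; check reagentc \/info and re-enable it with reagentc \/enable.'
    }
    return $info
}

Invoke-WinRePatch
```
<p>Get-AuthenticodeSignature handles .cab files directly, so the check works on the package exactly as downloaded from the catalog; a package that has been re-packed or modified on the share comes back as HashMismatch or NotSigned and the wrapper stops before touching the recovery image.<\/p>\n<p>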
The support article KB5034957 also documents the parameters for running the script from an elevated PowerShell prompt: <em>-packagePath<\/em> (required) takes the path to the OS-version- and architecture-specific Safe OS Dynamic Update .cab, and <em>-workDir<\/em> (optional) sets the scratch folder used while the image is patched. A call could look like this:<\/p>\n<pre>.\\PatchWinREScript_2004plus.ps1 -packagePath \"\\\\server\\share\\windows10.0-kb5021043-x64_efa19d2d431c5e782a59daaf2d.cab\"<\/pre>\n<p>German blog reader Rafael points out in <a href=\"https:\/\/www.borncity.com\/blog\/2024\/01\/11\/windows-winre-update-gegen-cve-2024-20666-scheitert-mit-installationsfehler-0x80070643-jan-2024-kb5034441\/#comment-169206\" target=\"_blank\" rel=\"noopener\">this comment<\/a> that the Safe OS package for the relevant Windows version can be downloaded from the <a href=\"https:\/\/www.catalog.update.microsoft.com\/Search.aspx?q=Safe%20OS\" target=\"_blank\" rel=\"noopener\">Microsoft Update Catalog<\/a>.<\/p>\n<p>In their article, the colleagues at Bleeping Computer also refer to a second approach, <a href=\"https:\/\/www.action1.com\/fixing-winre-update-issues-for-cve-2024-20666-and-kb5034441\/\" target=\"_blank\" rel=\"noopener\">Fixing WinRE Update Issues for CVE-2024-20666 and KB5034441<\/a> on <em>action1.com<\/em>, which offers PowerShell scripts for the problem as well.<\/p>\n<h2>My 2 Cents<\/h2>\n<p>This approach will not work for normal users, it is simply too complicated. Users in the consumer space in particular, whose systems are not encrypted with BitLocker anyway, will be able to do nothing with the approaches above. It is completely incomprehensible to me that Microsoft pushes such an update out via Windows Update on the first patch day after Christmas and New Year and causes installation errors for a large number of users.<\/p>\n<p>In my opinion, Microsoft will have to make significant improvements. Forcing users into an administrative prompt to fiddle with partitions or run PowerShell scripts is simply an admission of failure on Redmond's part. 
They are puffing out their cheeks about the possibilities of Copilot, yet they cannot manage to provide an update that reliably closes the vulnerability.<\/p>\n<p>What is the status for you: were you able to install the update without errors, and if so, how? Incidentally, the update is still not offered on my Windows 10 2019 IoT LTSC.<\/p>\n<p><strong>Similar articles:<\/strong><br \/>\n<a href=\"https:\/\/borncity.com\/win\/2024\/01\/03\/office-update-kb5002500-from-january-2-2023-fixes-onenote-2015-sync-problem\/\">Office update KB5002500 from January 2, 2023 fixes OneNote 2016 sync problem<\/a><br \/>\n<a href=\"https:\/\/borncity.com\/win\/2024\/01\/09\/microsoft-security-update-summary-january-9-2024\/\">Microsoft Security Update Summary (January 9, 2024)<\/a><br \/>\n<a href=\"https:\/\/borncity.com\/win\/2024\/01\/10\/microsoft-security-update-summary-january-9-2024-2\/\">Patchday: Windows 10 Updates (January 9, 2024)<\/a><br \/>\n<a href=\"https:\/\/borncity.com\/win\/2024\/01\/10\/patchday-windows-11-server-2022-updates-january-9-2024\/\" target=\"_blank\" rel=\"noopener\">Patchday: Windows 11\/Server 2022 Updates (January 9, 2024)<\/a><br \/>\n<a href=\"https:\/\/borncity.com\/win\/2024\/01\/11\/windows-7-server-2008-r2-server-2012-r2-updates-january-9-2024\/\">Windows 7\/Server 2008 R2; Server 2012 R2: Updates (January 9, 2024)<\/a><br \/>\n<a href=\"https:\/\/borncity.com\/win\/2024\/01\/11\/windows-winre-update-for-bitlocker-bypassing-vulnerability-cve-2024-20666-fails-with-installation-error-0x80070643-jan-2024-kb5034441\/\">Windows WinRE update (for Bitlocker Bypassing vulnerability CVE-2024-20666) fails with installation error 0x80070643 (Jan. 2024, KB5034441)<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>[German]The security update rolled out on January 9, 2024 via automatic update (e.g. 
KB5034441) against a BitLocker Security Feature Bypass vulnerability CVE-2024-20666 in the WinRE partition fails on many systems with the installation error 0x80070643. Somehow this is a disaster &hellip; <a href=\"https:\/\/borncity.com\/win\/2024\/01\/15\/microsofts-powershell-script-against-installation-error-0x80070643-for-kb5034441-jan-2024\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[463,580,22,2],"tags":[47,69,195,194],"class_list":["post-32846","post","type-post","status-publish","format-standard","hentry","category-issue","category-security","category-update","category-windows","tag-issue","tag-security","tag-update","tag-windows"],"_links":{"self":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/32846","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/comments?post=32846"}],"version-history":[{"count":7,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/32846\/revisions"}],"predecessor-version":[{"id":35190,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/32846\/revisions\/35190"}],"wp:attachment":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/media?parent=32846"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/categories?post=32846"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/tags?post=32846"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}