Microsoft Patches BitLocker Bypass Vulnerability With KB5034441 For Windows 10; Fails To Install With Error Code 0x80070643

Key Points

  • KB5034441 addresses BitLocker Encryption bypass vulnerability but fails to install with error code 0x80070643 because of limited space in the Windows Recovery Environment.
  • You can create a new WinRE with a greater size through the Command Prompt, after which KB5034441 can be installed successfully.

Alongside the Patch Tuesday updates for January 2024, Microsoft has rolled out a security update specifically for Windows 10 version 22H2 and select editions of 21H2. This update, KB5034441, can only be installed through Windows Update and Windows Server Update Services (WSUS); no standalone installers are available.

This security update addresses CVE-2024-20666, a vulnerability that could allow attackers to bypass BitLocker encryption from the Windows Recovery Environment (WinRE). The vulnerability has not been publicly exploited, nor was it publicly disclosed, and exploitation is considered less likely. Nonetheless, prompt action is recommended to patch the bug.

To patch this vulnerability, install KB5034441 on your Windows 10 PC from Windows Update by going to Settings > Update & Security, and then clicking “Check for updates.” KB5034441 should be available; click “Download and install” below it.

After installing the update, restart the computer, and your device should be safe from WinRE exploitation.

Fix KB5034441 fails to install with error code 0x80070643

There have been numerous reports that attempting to install KB5034441 has failed with the error code 0x80070643. After attempting to install it myself, I encountered the same error that said the following:

There were some problems installing updates, but we'll try again later. If you keep seeing this and want to search the web or contact support for information, this may help: (0x80070643)

After researching the error code, I concluded that this was a very common Windows Update error with very generic solutions. However, none of the solutions fixed the issue, except one.

Since the update applies to the Windows Recovery Environment, the insufficient partition space of the Recovery Environment causes the error. Increasing the space fixes the issue. Use the following steps to resize the partitions:

Note: Proceed with caution and create a system restore point first, in case of any permanent damage to the OS or the files.

  1. Press the Windows key + R to launch the Run Command box.

  2. Type in “cmd” and press CTRL + Shift + Enter to run an elevated Command Prompt.

  3. Run the following command to check the WinRE status:

    reagentc /info
  4. Note down the numbers after “harddisk” and “partition” in the “Windows RE location” field.

    These signify the index numbers of the disk and the partition WinRE is on, respectively.

  5. Now run the following command to disable WinRE:

    reagentc /disable
  6. Now, to shrink the disk volume and make room for an extended WinRE partition, enter the DiskPart mode with the following command:

    DiskPart
  7. List the disk details with this command:

    list disk
  8. Select the operating system disk using its index number:

    Select disk [DiskIndex]
  9. Run this command to list all partition details on the selected disk:

    List Part
  10. Select the OS partition using its index number:

    Select Part [OSPartitionIndex]
  11. Now run the following command which frees up 250 MB of space from the primary partition:

    shrink desired=250 minimum=250
  12. Now, use the following command and select the Windows Recovery partition:

    Select Part [RecoveryPartitionIndex]
  13. Delete the recovery partition with this command:

    delete partition override
  14. Now, to create a new, bigger recovery partition, start by checking whether the partition style is MBR or GPT with this command:

    list disk

    Check if there is an asterisk (*) in the “Gpt” column. If there is an asterisk, then the drive is GPT. Otherwise, the drive is MBR.

  15. Now run the respective commands depending on your partition style:

    • If GPT:

      create partition primary id=de94bba4-06d1-4d40-a16a-bfd50179d6ac
      gpt attributes=0x8000000000000001
    • If MBR:

      create partition primary id=27
  16. Now run the following command while replacing [Label] with a volume label of your choice to format the Recovery partition:

    Note: I recommend that you use the name “Recovery Partition” so it is easily identifiable in the future.

    format quick fs=ntfs label="[Label]"
  17. Confirm that the WinRE partition is created with this command:

    list vol
  18. Run this command to exit the DiskPart mode:

    exit
  19. Now execute this command to re-enable WinRE:

    reagentc /enable

Once these steps are performed, return to the Windows Update settings page and attempt to reinstall the update KB5034441 by clicking Retry. It should now install successfully.
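
Steps 4 through 13 depend on selecting the correct disk and partition indexes, so a read-only check is worth running before anything is shrunk or deleted. The PowerShell below is an added example, not part of the original article or Microsoft's guidance; the function names Get-WinRELocation and Test-WinREPartition are hypothetical, and it assumes English reagentc output and an elevated session.

```powershell
# Added example: read-only pre-flight check. Nothing here modifies the disk.
# Get-WinRELocation and Test-WinREPartition are hypothetical helper names.
function Get-WinRELocation {
    param([string[]]$ReagentcOutput = (reagentc.exe /info))
    $text = $ReagentcOutput -join "`n"
    if ($text -notmatch 'Windows RE status:\s*(\w+)') {
        throw 'Unrecognised reagentc /info output (English output is assumed).'
    }
    $status = $Matches[1]
    # The location line embeds both indexes: ...\harddisk<N>\partition<M>\...
    if ($text -notmatch 'harddisk(\d+)\\partition(\d+)') {
        throw "Windows RE status is '$status' and no location is recorded."
    }
    [pscustomobject]@{
        Status    = $status
        Disk      = [int]$Matches[1]
        Partition = [int]$Matches[2]
    }
}

function Test-WinREPartition {
    param($Location = (Get-WinRELocation))
    $disk = Get-Disk -Number $Location.Disk
    $part = Get-Partition -DiskNumber $Location.Disk -PartitionNumber $Location.Partition
    $vol  = $part | Get-Volume
    $os   = Get-Partition -DriveLetter ($env:SystemDrive[0])
    # Recovery type IDs are the ones used in the "create partition" step above.
    $isRecoveryType = if ($disk.PartitionStyle -eq 'GPT') {
        $part.GptType -eq '{de94bba4-06d1-4d40-a16a-bfd50179d6ac}'
    } else {
        $part.MbrType -eq 0x27
    }
    $sameDisk = $os.DiskNumber -eq $Location.Disk
    [pscustomobject]@{
        PartitionStyle  = $disk.PartitionStyle
        WinREDisk       = $Location.Disk
        WinREPartition  = $Location.Partition
        OSPartition     = $os.PartitionNumber
        IsRecoveryType  = $isRecoveryType
        WinREOnOSVolume = $sameDisk -and ($os.PartitionNumber -eq $Location.Partition)
        SizeMB          = [math]::Round($part.Size / 1MB)
        FreeMB          = [math]::Round($vol.SizeRemaining / 1MB)
    }
}

# Constructed sample in the format reagentc prints, to try the parser offline.
$sample = "Windows RE status:         Enabled`nWindows RE location:       \\?\GLOBALROOT\device\harddisk0\partition4\Recovery\WindowsRE"
Get-WinRELocation -ReagentcOutput $sample
Test-WinREPartition | Format-List   # live check on this machine
```

If IsRecoveryType is False or WinREOnOSVolume is True, the indexes reported by reagentc do not describe a dedicated recovery partition, so stop before the delete step and re-check the partition list.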

Ending words

After many people encountered the error of not being able to install such an important update, Microsoft included the solution in the release notes for KB5034441. However, it is an awful lot of steps that are (sort of) mandatory to perform to install the security update.

KB5034441 resolves a critical security vulnerability that should be patched by every Windows 10 user. However, not everyone will take the time to perform these troubleshooting steps to successfully install the update. Microsoft still has a lot of fixing to do so that users can safely use their computers without having to know that their computers are vulnerable to external threats.

Subhan Zafar is an established IT professional with interests in Windows and Server infrastructure testing and research, and is currently working with Itechtics as a research consultant. He has studied Electrical Engineering and is also certified by Huawei (HCNA & HCNP Routing and Switching).

18 comments

  • Anonymous

    Hi
    I have followed all the instructions and everything was perfect until I tried to install the update and it still gave me an error. I tried again, and this time I increased the size of the recovery partition to 1.26 GB and it still gave me an error when trying to install the update. I tried it for the third time and this time I increased the partition to 2.24 GB and it still gives me an error when installing the update. Any ideas? Thx

  • Ever

    I have followed the instructions, but now I have a D: drive with WinRE tools and the RE is pointing to another drive. Before:

    C:\Windows\system32>reagentc /info
    Windows Recovery Environment (Windows RE) and system reset configuration
    Information:

    Windows RE status: Enabled
    Windows RE location: \\?\GLOBALROOT\device\harddisk0\partition4\Recovery\WindowsRE

    After:
    C:\Windows\system32>reagentc /info
    Windows Recovery Environment (Windows RE) and system reset configuration
    Information:

    Windows RE status: Enabled
    Windows RE location: \\?\GLOBALROOT\device\harddisk0\partition3\Recovery\WindowsRE

    Now, the Restore is allowed on C: (Partition3) instead of Partition4 …

    Please let me know.. what I’ve done wrong…

    • Subhan Zafar

      Hi,
      If I understand correctly, you have created a new Windows Recovery Environment on the wrong partition. In steps 7 through 10 above, we selected the disk and the volume that corresponded with the information we got from the “reagentc /info” command.
      It seems like you selected the wrong partition and performed the remaining steps on it.
      If this is true, then your system will currently have 2 Recovery Environments on it. Additionally, you may have accidentally overridden your data.
      I suggest that you restore your PC to an earlier state and undo the changes. If your PC does not have a system restore point, then you can delete the Recovery Environment you just created and try recovering the lost data using third-party tools. After that, you may perform the steps above again, and this time, correctly select the same partition as the Recovery Environment.

  • George

    Does anyone know of any reports of KB5034441 preventing their computer from booting? After this failed update, my ASUS computer no longer boots!

    • Subhan Zafar

      Hello,
      After researching the internet, it appears that this issue has occurred with several users. It seems that the issue only occurs on relatively older laptops, especially Lenovos. One of the possible solutions for this issue is trying to update your firmware. Please check whether a BIOS update is available for your PC, and install it if it is. Since you can’t boot into the PC, I recommend downloading it from another computer and using the manufacturer-provided instructions to install it.
      If that doesn’t work, you can uninstall the troublesome update directly from the Windows Recovery Environment. The following article gives a step-by-step guide on how to uninstall a Windows Update:
      https://www.itechtics.com/uninstall-windows-11-update/

  • Anonymous

    Resizing the partition to 1GB does not fix the issue, even after a reinstall, the issue is still present.
    Buggy update that needs to be fixed, once more, Microsoft hits the bas strike

  • Anonymous

    It looks like KB5034441 has been pulled from the WSUS channel. The KB lists the update as available only from WU and MU – and no longer from WSUS. Yesterday when I was looking in WSUS, the KB was not present in WSUS – and today the KB article has been updated to say “No” for WSUS channel.

    • Subhan Zafar

      Hi,
      You are absolutely right – the update has in fact been pulled from WSUS. However, I would like to add that the KB article has also been removed from the Microsoft Update Catalog. Now, KB5034441 is only available through Windows Update.
      Seems like Microsoft is regretting rolling out a critical security update.

  • Walter

    When I tried to shrink the partition, it told me that I can’t shrink that partition. I have two other recovery partitions on that drive but they were not the one indicated. Any ideas would be appreciated.

  • Anonymous

    I had the same error when I tried to enable my volume. I looked at the MS article and it has a step omitted here to format the new partition. Check out the KB5028997 article. After I formatted it worked fine.

    • Subhan Zafar

      Hello,
      Thank you for your feedback. Although the solution worked fine for some, some were still experiencing issues. The missing step has been added above, thanks to your input. Cheers!

  • Anonymous

    I get REAGENTC.EXE: The Windows RE image was not found.

    • Subhan Zafar

      Hi,
      This error is usually encountered when the Windows Recovery Environment partition has not been enabled properly. It is likely that you missed a step in the process above, or another chance is that the respective file required to enable the feature is missing from your PC.
      The file you are looking for is the “Winre.WIM” file located in C:\Windows\System32\Recovery.
      If this file is missing, you can copy it from a Windows Installation Media or ISO file. This video will provide a complete guide on how to restore it and re-enable WinRE:
      https://www.youtube.com/watch?v=DJt7TNcN7iQ

  • Alan F

    Thanks for the info about the recovery volume.
    Growing my 575MB recovery volume to 1024MB was either not enough or too much on my PC to allow the offending Windows update to work. Moving up to 2048 MB (2GiB) resulted in the Windows update working correctly on the next attempt. Most examples I had found showed a recovery volume of about 250 to 500 MB, and I had no idea how big it was allowed to be. I still don’t, but at least 2GiB seems to be ok. It’s such a tiny part of modern drives.
    However, it seems that I’ve now lost the ability to rename the recovery volume. Maybe that ability was part of the vulnerability that necessitated this Windows update.

    • Subhan Zafar

      Hello Alan,
      I appreciate your input.
      The Windows Recovery Environment partition size of 500-700 MB ought to be sufficient. Even while performing the steps above, increasing its size only by 250MB worked for me. However, in your case, we cannot be sure how a whopping 2 GB was needed for this task.
      As for the maximum partition size; there is no definite limit. I guess you can increase it to what the formatting style allows.
      With regards to renaming the partition; you can rename the volume during the formatting process with the command: format quick fs=ntfs label="[Label]". Once WinRE is enabled, you can no longer rename this partition.

  • Anonymous

    I get this error “REAGENTC.EXE: Windows RE cannot be enabled on a volume with BitLocker Drive Encryption enabled.” Running this last step. (reagentc /enable)

    • Subhan Zafar

      Hi,
      This error occurs when BitLocker encryption is enabled on your boot (C) drive. To bypass this error, I recommend that you disable BitLocker on the boot drive and then perform all of the steps above. This should surely work.
      However, in case there is no space on the primary disk for a Recovery partition, then you can shrink the boot drive, create a new Recovery partition (which will not be BitLocker-encrypted), and then enable WinRE. For these steps, you can follow this video tutorial:
      https://www.youtube.com/watch?v=9uraEsTYUU4

  • Anonymous

    jfc what a pain this is going to be
