January 2024 Windows Update
January 2024 Windows 10 Update Failure
Microsoft released its January Patch Tuesday updates on 1-9-2024. Many Windows 10 users found that the 2024-01 Security Update KB5034441 failed with error 0x80070643. This appears to affect all versions of Windows 10 and 11. Windows 11 seems to be able to automate the fix because its recovery partition is sufficiently sized, but there are still reports of manual patching being needed.

This error occurs when the recovery partition is at the beginning of the drive, contains an invalid image, or doesn’t exist.
This seems to be isolated to Windows 10 and Server 2022 and has been verified by system administrators on various social media outlets.
Before we discuss the fix, let’s understand what actually happened here. The update addresses CVE-2024-20666, a vulnerability that bypasses BitLocker encryption and allows users to access encrypted data. The update attempts to install a new version of the Windows Update Recovery Environment (WinRE). Many Windows 10 recovery partitions (if they had them) were 522 MB, which isn’t large enough to hold the new Windows RE image file (winre.wim), causing the error listed above.

Microsoft has released a script to automate the fix. There are two different scripts, depending on the feature update of Windows 10 or Windows 11, and each needs to be run in PowerShell as Administrator. There is also a manual process for resizing the recovery partition. This is the only solution that Microsoft has provided. Before running the script, you will also need to download the specified Safe OS Dynamic Update (Compatibility Update) package for your feature version from the Windows Update Catalog. When run, the script mounts the WinRE image, applies the architecture-specific Safe OS Dynamic Update you downloaded, unmounts the image, and then reconfigures WinRE for BitLocker service if the BitLocker TPM protector is present.
From what I have seen personally, the recovery partition needs to be a minimum of 772 MB, but the script can patch the recovery image without resizing the partition in most cases.
Please note that before attempting any of the fixes listed above, you should make sure you have current backups of your system in case something goes wrong.
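
A read-only pre-check for the conditions described above, added here as an example and not taken from Microsoft's script: it parses `reagentc /info` output and flags a disabled WinRE, a missing recovery partition, a partition below the 772 MB figure mentioned above, or one placed before the OS partition. The function names, the sample input and the offset comparison used for "beginning of the drive" are assumptions of this example, and English-language `reagentc` output is assumed.

```powershell
# Added example (not Microsoft's script). Read-only: it inspects and changes nothing.
# 772 MB is the article author's observed minimum, not an official Microsoft figure.
$MinSizeMB = 772

function Get-WinREInfo {
    # Parse the lines of `reagentc /info` (English-language output assumed).
    param([string[]]$ReagentcOutput)
    $info = [ordered]@{ Enabled = $false; Disk = $null; Partition = $null }
    foreach ($line in $ReagentcOutput) {
        if ($line -match 'Windows RE status:\s+(\w+)') {
            $info.Enabled = ($Matches[1] -eq 'Enabled')
        }
        if ($line -match 'Windows RE location:.*harddisk(\d+)\\partition(\d+)') {
            $info.Disk = [int]$Matches[1]; $info.Partition = [int]$Matches[2]
        }
    }
    [pscustomobject]$info
}

function Test-WinREPartition {
    # Return the failure conditions the article lists for KB5034441.
    param($Info, [uint64]$SizeBytes, [uint64]$Offset, [uint64]$OsOffset)
    $findings = @()
    if (-not $Info.Enabled) { $findings += 'WinRE is disabled or has no valid image' }
    if ($null -eq $Info.Disk) { return $findings + 'No recovery partition is registered' }
    $sizeMB = [math]::Floor($SizeBytes / 1MB)
    if ($sizeMB -lt $MinSizeMB) { $findings += "Recovery partition is $sizeMB MB (< $MinSizeMB MB)" }
    if ($Offset -lt $OsOffset) { $findings += 'Recovery partition sits before the OS partition' }
    $findings
}

# Constructed sample: a 522 MB recovery partition placed after the OS partition.
$sample = @(
    '    Windows RE status:         Enabled',
    '    Windows RE location:       \\?\GLOBALROOT\device\harddisk0\partition4\Recovery\WindowsRE'
)
$info = Get-WinREInfo $sample
@(Test-WinREPartition -Info $info -SizeBytes (522MB) -Offset (200GB) -OsOffset (1GB))

# On a live system (elevated prompt), replace the sample values with:
#   $info = Get-WinREInfo (reagentc /info)
#   $re   = Get-Partition -DiskNumber $info.Disk -PartitionNumber $info.Partition
#   $os   = Get-Partition -DriveLetter ($env:SystemDrive[0])
#   @(Test-WinREPartition -Info $info -SizeBytes $re.Size -Offset $re.Offset -OsOffset $os.Offset)
```

An empty result means none of the listed conditions were found; with the constructed sample the only finding is the 522 MB partition size.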

For assistance deploying or applying this update in your environment, please contact us to get your computers fully patched and protected from the latest vulnerabilities.