Microsoft Releases PowerShell Script to Update WinRE and Patch BitLocker Vulnerability

January 11, 2024

Microsoft has published a PowerShell script that automates updating the Windows Recovery Environment (WinRE) partition. The script addresses CVE-2024-20666, a vulnerability that allows BitLocker encryption to be bypassed via WinRE; Microsoft's advisory rates it as requiring physical access to the device. The flaw was first addressed by the KB5034441 security update released earlier this week, but that update fails to install on some Windows 10 systems, leaving them exposed to the BitLocker bypass.

Users trying to deploy the update have reported 0x80070643 errors with the message, "There were some problems installing updates, but we'll try again later. If you keep seeing this and want to search the web or contact support for information, this may help: (0x80070643)." According to Microsoft, the real cause is insufficient free space on the recovery partition: the WinRE image file (winre.wim) that KB5034441 writes is too large for the partition, and the failure is misreported as the generic "0x80070643 - ERROR_INSTALL_FAILURE".

Microsoft initially advised users to manually enlarge the WinRE partition so that KB5034441 would fit. Recognizing that repartitioning a system disk is error-prone for most users, the company has now released a dedicated PowerShell script that automates the WinRE update instead. Microsoft states, "The sample PowerShell script was developed by the Microsoft product team to help automate the updating of WinRE images on supported Windows 10 and Windows 11 devices." The script must be run from an elevated (Administrator) PowerShell session on each affected device, and which of the provided scripts to use depends on the Windows version installed.

The script mounts the WinRE image, applies the architecture-specific Safe OS Dynamic Update (which must be downloaded from the Windows Update Catalog before the script is run), unmounts the image, and then, if the OS volume has a BitLocker TPM protector, reconfigures WinRE for BitLocker service. Because Windows Update will otherwise keep retrying KB5034441 and reporting the same error, it may be necessary to suppress the update afterwards with Microsoft's Show or Hide Tool. Users who choose to resize the WinRE partition by hand are advised to back up their data first, since a mistake can damage the system partitions. Readers have also asked why the update fails on Windows Server 2022, whose base image contains no recovery partition at all.
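The following PowerShell is an added illustration of the procedure described above, written for this page; it is not Microsoft's sample script, and its names, defaults and free-space threshold are assumptions rather than anything taken from the article. It adds the check a practitioner would want before touching the recovery partition (is there actually room for the update?), then performs the mount, apply, verify, commit and BitLocker re-staging steps with rollback on failure. It assumes an elevated session, an English-locale system (so `reagentc /info` output can be pattern-matched), and that the Safe OS Dynamic Update .cab has already been downloaded from the Windows Update Catalog.

```powershell
#Requires -RunAsAdministrator
<#
  Added example for this article; NOT Microsoft's KB5034957 sample script.
  Assumptions (not from the article): $SafeOsPackage is the Safe OS Dynamic
  Update .cab already downloaded from the Windows Update Catalog, the OS
  volume is the system drive, the system is English-locale so reagentc output
  can be parsed, and $MinFreeMB is a threshold chosen for this example
  (adjust it to Microsoft's current guidance for the update you apply).
#>
param(
    [Parameter(Mandatory)] [string] $SafeOsPackage,
    [string] $MountDir  = "$env:SystemDrive\WinREMount",
    [int]    $MinFreeMB = 250
)

$ErrorActionPreference = 'Stop'

function Invoke-Reagentc {
    # reagentc.exe signals failure through its exit code, not a PowerShell error.
    param([string[]] $Arguments)
    $out = & reagentc.exe @Arguments 2>&1 | Out-String
    if ($LASTEXITCODE -ne 0) {
        throw "reagentc $($Arguments -join ' ') failed ($LASTEXITCODE):`n$out"
    }
    return $out
}

# 1. Locate the active WinRE partition. reagentc /info prints a line such as
#    "Windows RE location: \\?\GLOBALROOT\device\harddisk0\partition4\Recovery\WindowsRE".
$info = Invoke-Reagentc '/info'
if (-not ($info -match 'harddisk(\d+)\\partition(\d+)')) {
    throw "WinRE is disabled or its location could not be parsed:`n$info"
}
$winrePartition = Get-Partition -DiskNumber ([int]$Matches[1]) -PartitionNumber ([int]$Matches[2])
$winreVolume    = Get-Volume -Partition $winrePartition

# 2. Pre-flight: the 0x80070643 failure described in the article is really
#    "not enough room on the recovery partition". Refuse to start if the
#    updated image cannot fit, rather than failing half-way through.
$freeMB  = [math]::Floor($winreVolume.SizeRemaining / 1MB)
$totalMB = [math]::Floor($winreVolume.Size / 1MB)
Write-Host ("WinRE partition: disk {0} partition {1}, {2} MB free of {3} MB" -f
    $winrePartition.DiskNumber, $winrePartition.PartitionNumber, $freeMB, $totalMB)
if ($freeMB -lt $MinFreeMB) {
    throw "Only $freeMB MB free on the recovery partition; enlarge it (after backing up) before applying the Safe OS update."
}

# 3. Mount the WinRE image, apply the Safe OS Dynamic Update, verify that the
#    package really is installed, then commit. Any failure discards the mount
#    so the original winre.wim is left untouched.
New-Item -ItemType Directory -Path $MountDir -Force | Out-Null
$committed = $false
try {
    Invoke-Reagentc '/mountre', '/path', $MountDir | Out-Null
    Add-WindowsPackage -Path $MountDir -PackagePath $SafeOsPackage | Out-Null
    $state = (Get-WindowsPackage -Path $MountDir -PackagePath $SafeOsPackage).PackageState
    if ($state -ne 'Installed') {
        throw "Safe OS package state after servicing is '$state', not 'Installed'."
    }
    Invoke-Reagentc '/unmountre', '/path', $MountDir, '/commit' | Out-Null
    $committed = $true
}
finally {
    if (-not $committed) {
        # Best-effort rollback; errors are ignored so the original exception surfaces.
        & reagentc.exe /unmountre /path $MountDir /discard 2>&1 | Out-Null
    }
}

# 4. The article's "reconfigure WinRE for BitLocker service" step: when the OS
#    volume has a TPM-based protector, re-stage WinRE by disabling and
#    re-enabling it. Get-BitLockerVolume is absent on hosts without the
#    BitLocker feature, so treat that case as "no TPM protector".
$osVolume = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
$hasTpmProtector = $null -ne ($osVolume.KeyProtector |
    Where-Object { $_.KeyProtectorType -like 'Tpm*' })
if ($hasTpmProtector) {
    Write-Host 'TPM protector present; re-staging WinRE for BitLocker.'
    Invoke-Reagentc '/disable' | Out-Null
    Invoke-Reagentc '/enable'  | Out-Null
}

# 5. Confirm WinRE is still enabled and report where it now lives.
Invoke-Reagentc '/info'
```

Run it from an elevated PowerShell prompt as, for example, `.\Update-WinRE.ps1 -SafeOsPackage C:\Temp\SafeOS-DU.cab` (file names are illustrative). The pre-flight check in step 2 is the part that matters most here: it turns the opaque 0x80070643 into an explicit "partition too small" message before anything is modified, and the try/finally in step 3 ensures a failed servicing pass never leaves a half-updated or unmounted-without-commit recovery image behind.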
