Microsoft is working to fix a known issue causing 0x80070643 errors when installing the KB5034441 security update that patches the CVE-2024-20666 BitLocker vulnerability.
While the security issue was resolved during this month’s Patch Tuesday, deploying KB5034441 on systems with a Windows Recovery Environment (WinRE) partition that’s too small will fail and mistakenly show generic ‘0x80070643 – ERROR_INSTALL_FAILURE’ error messages instead of the correct CBS_E_INSUFFICIENT_DISK_SPACE error.
As a workaround, until a fix is available, the company provides customers with affected systems detailed—and quite complex—instructions on how to resize their WinRE partitions on its support website.
If creating a new WinRE partition large enough to complete this update fails, you can run reagentc /enable to re-enable the partition.
“Devices attempting to install the January 2024 Windows Recovery Environment update (KB5034441) might display an error related to the size of the Recovery Environment’s partition. We are working on a resolution and will provide an update in an upcoming release,” Microsoft says in an update to the Windows release health dashboard.
“It might be necessary to increase the size of the WinRE partition in order to avoid this issue and complete the installation. Note that 250 megabytes of free space is required in the recovery partition.”
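A read-only way to check the 250 MB requirement before attempting the update, as an added example (not Microsoft's script and not part of the original article). It assumes an elevated PowerShell session with the Storage module cmdlets Get-Partition and Get-Volume available; the function name Get-WinRELocation and the sample output are constructed for illustration.

```powershell
# Added example: read-only pre-check, changes nothing on the system.
# Run from an elevated prompt (reagentc and the Storage cmdlets need it).
$RequiredFreeBytes = 250MB   # free-space figure Microsoft quotes for the recovery partition

function Get-WinRELocation {
    param([string[]]$ReagentcInfo)
    # Match the device path rather than the "Enabled"/"Disabled" label,
    # because the label text is localized and the path is not.
    foreach ($line in $ReagentcInfo) {
        if ($line -match 'harddisk(\d+)\\partition(\d+)') {
            return [pscustomobject]@{
                DiskNumber      = [int]$Matches[1]
                PartitionNumber = [int]$Matches[2]
            }
        }
    }
    return $null   # no location line: WinRE is disabled or not configured
}

# Constructed sample of "reagentc /info" output, to exercise the parser offline.
$sample = @(
    'Windows RE status:         Enabled',
    'Windows RE location:       \\?\GLOBALROOT\device\harddisk0\partition4\Recovery\WindowsRE'
)
$parsed = Get-WinRELocation -ReagentcInfo $sample
"Sample parse: disk $($parsed.DiskNumber), partition $($parsed.PartitionNumber)"

# Live check against this machine.
$loc = Get-WinRELocation -ReagentcInfo (reagentc /info)
if (-not $loc) {
    Write-Warning 'No WinRE location reported; WinRE appears to be disabled.'
    return
}
$vol = Get-Partition -DiskNumber $loc.DiskNumber -PartitionNumber $loc.PartitionNumber |
    Get-Volume

[pscustomobject]@{
    DiskNumber      = $loc.DiskNumber
    PartitionNumber = $loc.PartitionNumber
    PartitionSizeMB = [math]::Round($vol.Size / 1MB)
    FreeMB          = [math]::Round($vol.SizeRemaining / 1MB)
    MeetsRequirement = ($vol.SizeRemaining -ge $RequiredFreeBytes)
}
```

If MeetsRequirement is False, the KB5034441 install can be expected to fail with 0x80070643 until the partition is resized or the WinRE image is patched by other means.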
Script to update WinRE with BitLocker fixes
Microsoft has also released a PowerShell script that helps automate updating the WinRE partition to fix the CVE-2024-20666 flaw that allows for BitLocker encryption bypass.
The script addresses the known issue causing KB5034441 install failures on Windows 10 systems, which leave the devices vulnerable to attacks exploiting the BitLocker flaw that gives threat actors access to encrypted data.
When executed, it mounts the WinRE image, applies an architecture-specific Safe OS Dynamic Update you have to first download from the Windows Update Catalog, unmounts the image, and then reconfigures WinRE for BitLocker service if the BitLocker TPM protector is present.
After running the script, you should also use Microsoft’s Show or Hide Tool to hide the KB5034441 update to prevent Windows Update from repeatedly trying to install the faulty update and displaying 0x80070643 errors.
If you decide to resize the WinRE partition manually, it’s highly recommended that you back up your data, given that there’s always a chance that your system’s partitions may be damaged during the process.