Windows 10 users worldwide report problems installing Microsoft’s January Patch Tuesday updates, getting 0x80070643 errors when attempting to install the KB5034441 security update for BitLocker.
Yesterday, as part of Microsoft’s January 2024 Patch Tuesday, a security update (KB5034441) was released for CVE-2024-20666, a BitLocker encryption bypass that allows users to access encrypted data.
However, when attempting to install this update, Windows 10 users are reporting getting 0x80070643 errors and the installation failing.
On reboot, users will be greeted with a Windows Update screen stating that an error occurred and to try again later.
“There were some problems installing updates, but we’ll try again later. If you keep seeing this and want to search the web or contact support for information, this may help: (0x80070643),” reads the Windows Update error.
In a support bulletin also published yesterday, Microsoft warns that when installing the KB5034441, users are supposed to see the “Windows Recovery Environment servicing failed, (CBS_E_INSUFFICIENT_DISK_SPACE)” error when the Windows Recovery Partition is not large enough to support the update.
However, a coding error causes the Windows Update to mistakenly display the generic “0x80070643 – ERROR_INSTALL_FAILURE” error message instead.
WinRE partition too small
When installing the KB5034441 security update, Microsoft is installing a new version of the Windows Recovery Environment (WinRE) that fixes the BitLocker vulnerability.
Unfortunately, Windows 10 creates a recovery partition, usually around 500 MB, which is not large enough to support the new Windows RE image (winre.wim) file, causing the 0x80070643 error when attempting to install the update.
In a test by BleepingComputer this morning, a brand new install of Windows 10 using the latest ISO from Microsoft created a 522MB WinRE partition. However, even this new install has a partition that is too small, causing the KB5034441 security update not to install and display a 0x80070643 error.
The only solution Microsoft has offered at this point is to create a larger Windows Recovery Partition so there is enough room for the security update to install.
As the Windows Recovery Partition is created on the same disk as the C: partition, you must shrink the C: partition by 250 MBs and use that newly unallocated space to create a bigger Recovery Partition.
Microsoft had previously shared a support bulletin describing how to shrink the C: partition by 250 MB and create a new Recovery Partition using the reagentc.exe and dispart.exe command line utilities to accommodate WinRE security updates.
Reagentc.exe is a command line tool for managing the Windows Recovery Environment, and diskpart.exe is a command line tool to manage the device’s disk partition and volumes.
However, if you are not comfortable using command line programs, we strongly suggest you hold off on performing these steps as the vulnerability requires physical access to your device, minimizing its impact.
Instead, you should wait for a solution from Microsoft, which may offer an automated way to recreate a larger Windows Recovery partition.
Furthermore, there is always the risk of damaging partitions when shrinking and expanding them, so it is strongly advised that you back up your data before proceeding.
Below is the solution provided by Microsoft:
-
Open a Command Prompt window (cmd) as admin. BleepingComputer has an article explaining how to open a command prompt as admin.
-
To check the WinRE status, run reagentc /info. If the WinRE is installed, there should be a “Windows RE location” with a path to the WinRE directory. An example is, “Windows RE location: [file://%3f/GLOBALROOT/device/harddisk0/partition4/Recovery/WindowsRE]\\?\GLOBALROOT\device\harddisk0\partition4\Recovery\WindowsRE.” Here, the number after “harddisk” and “partition” is the index of the disk and partition WinRE is on.
-
To disable the WinRE, run reagentc /disable
-
Shrink the OS partition and prepare the disk for a new recovery partition.
-
To shrink the OS, run diskpart
-
Run list disk
-
To select the OS disk, run sel disk<OS disk index> This should be the same disk index as WinRE.
-
To check the partition under the OS disk and find the OS partition, run list part
-
To select the OS partition, run sel part<OS partition index>
-
Run shrink desired=250 minimum=250
-
To select the WinRE partition, run sel part<WinRE partition index>
-
To delete the WinRE partition, run delete partition override
-
-
Create a new recovery partition.
-
First, check if the disk partition style is a GUID Partition Table (GPT) or a Master Boot Record (MBR). To do that, run list disk. Check if there is an asterisk character (*) in the “Gpt” column. If there is an asterisk character (*), then the drive is GPT. Otherwise, the drive is MBR.
-
If your disk is GPT, run create partition primary id=de94bba4-06d1-4d40-a16a-bfd50179d6ac followed by the command gpt attributes =0x8000000000000001
-
If your disk is MBR, run create partition primary id=27
-
-
To format the partition, run format quick fs=ntfs label=”Windows RE tools”
-
-
To confirm that the WinRE partition is created, run list vol
-
To exit from diskpart, run exit
-
To re-enable WinRE, run reagentc /enable
-
To confirm where WinRE is installed, run reagentc /info
After completing these steps, reboot Windows and check for updates in Windows Update to try and install the KB5034441 security update again.
Unfortunately, BleepingComputer has been told by a Windows 10 user that this update failed on their device even with a Windows RE partition that is 1 GB in size. Therefore, there is no guarantee these steps will resolve the issue.
As previously said, if you are uncomfortable performing these steps, you should wait to see if Microsoft offers an easier, automated solution in the future that allows the update to install.