Microsoft Clarifies KB5034440 and KB5034441 Update Requirements
Microsoft has recently published detailed requirements outlining the conditions under which Windows 10 and 11 PCs will not be offered the KB5034441 and KB5034440 updates, respectively.
These updates address a critical security vulnerability (CVE-2024-20666) in the Windows Recovery Environment (WinRE) that could allow attackers to bypass BitLocker encryption.
What Are the Conditions for Update Exclusion?
According to Microsoft, the KB5034441 (Windows 10) and KB5034440 (Windows 11) updates will not be offered if the WinRE partition meets any of the following criteria:
- Insufficient free space in the WinRE recovery partition
- Manual update of the WinRE recovery partition using Microsoft’s documented procedure
- WinRE image version greater than or equal to:
- 10.0.19041.3920 for Windows 10
- 10.0.22000.2710 for Windows 11
- Absence of a WinRE recovery partition on the running PC
To check if WinRE is enabled, users can run reagentc /info in an elevated command prompt. If the output shows “Windows RE status” as “Enabled,” the update might be needed.
How Much Free Space Is Required for the Update?
Microsoft notes that the KB5034441 and KB5034440 updates require 250 MB of free space in the recovery partition for successful installation. If the partition lacks sufficient space, users may encounter the “0x80070643 – ERROR_INSTALL_FAILURE” error message.
To resolve this issue or prepare for the update, Microsoft provides instructions for manually resizing the partition or using a sample script to increase the WinRE recovery partition size.
How Can Users Obtain the Update?
If a PC meets the requirements and has sufficient free space in the recovery partition, users can click “Start > Settings > Windows Update > Check for updates” to have the update offered and installed.
What Should Users Do to Verify the Update Installation?
To confirm the successful installation of the KB5034441 or KB5034440 update, users can employ the DISM /Get-Packages command to ensure the Safe OS Dynamic Update package is present on WinRE. For more information, Microsoft recommends referring to their documentation on checking the WinRE image version.
Can the Update Be Removed After Installation?
No, the KB5034441 and KB5034440 updates cannot be removed once applied to a Windows image.
| Update | Applies to | WinRE Version Required |
|---|---|---|
| KB5034441 | Windows 10, version 21H2, 22H2 | >= 10.0.19041.3920 |
| KB5034440 | Windows 11, version 21H2 | >= 10.0.22000.2710 |
Microsoft’s clarification of the update requirements helps users understand whether their PCs need the critical security patches and how to prepare their systems for a smooth installation process.
By following the provided guidance, Windows 10 and 11 users can ensure their devices are protected against the BitLocker bypass vulnerability in WinRE.
