-
We are now the beta testers. Here’s why: Microsoft changed testing processes significantly in the past few years. Back in 2014/2015, Microsoft employed an entire team that was dedicated to testing the operating system, builds, updates, drivers, and other code. The team consisted of multiple groups that would run tests and discuss bugs and issues in daily meetings. The teams ran the tests on “real” hardware in a lab through automated testing.
Microsoft has since laid off almost the entire Windows Test team. The company moved most of the testing to virtual machines and this meant that tests were no longer conducted on real and diverse hardware configurations. The main sources of testing data comes from Windows Telemetry and Windows Insiders. We are all beta testers now and the bugs in Windows Updates have reached unacceptable levels (printing problems, boot loops, and other issues as reported in the media). An update that causes business disruption and loss of revenue is nearly as bad as malware.
Also, Win11 represents a trend of a “dumbing down” of society, as options and settings are eliminated or concealed behind a facade one-click operations, with big buttons, short menus and a “one size fits all” mentality, both in Windows and in a vast array of other applications by many other companies. Some say this is due to Gen Z, many of whom they claim are easily confused and distracted with short attention spans.
7 users thanked author for this post.
-
This vulnerability does not apply if you use Bitlocker and are setup with a Pre-Boot PIN. In other words, it will prevent this exploit. That means the Windows Update KB5034441 becomes irrelevant.
You should have your laptop Bitlocker setup so that you must type in a PIN before it will boot. This is the best and safest way to use Bitlocker. If you’re experienced and use Bitlocker, here is how to add a Pre-boot PIN:
https://www.howtogeek.com/262720/how-to-enable-a-pre-boot-bitlocker-pin-on-windows/CRITICAL: You must keep a copy of your Recovery Key. This is mandatory!! if you don’t, you risk losing everything on your drive permanently. How to Backup and Save Your Recovery Key:
https://support.microsoft.com/en-us/windows/back-up-your-bitlocker-recovery-key-e63607b4-77fb-4ad3-8022-d6dc428fbd0dIf you still want to fix the Recovery Partition, this is the safest and easiest method for those experienced with resizing partitions.
Just use the Macrorit Partition Expert Free Portable to resize the partition. MUCH easier and safer than any other method. Note: In order to resize the partition with Macrorit free, you’ll need to turn off Bitlocker and decrypt and when you’re done re-encrypt. I suggest a partition size of 2048 MB. The update itself needs at least 250 MB of free space on the recovery partition. But I recommend 1024 MB.Note: Always have backup image of your drive just in case. If you use Macrorit, you need to resize the partition to the left first to make room and then the recovery partition. You can also use any reputable partition manager – some with less steps than others. When you’re done, the Windows update will install properly.
Important: When you re-encrypt, you’ll have new Recovery Key to Backup.
See: https://www.diskpart.com/articles/how-to-resize-recovery-partition-windows-10-0725.html -
-
Microsoft confirmes Windows 11 KB5034765 fails to install with error code 0x800F0922
1 user thanked author for this post.
-
My latest observations with client workstations with update KB5034441:
- Sometimes succeeds even though the recovery partition has less than 250MB free.
- Sometimes fails even though the recovery partition has more than 250MB free.
- It is NOT being offered to all Windows 10 machines, especially domain joined.
If you’re confused on what to do, see my post here (most people should do nothing):
https://www.askwoody.com/forums/topic/kb5034441-has-led-us-astray-in-a-horrible-way/#post-2629980 -
-
There should be no confusion. Do NOTHING. If the update fails it’s no big deal. Microsoft will fix it next month. Let it be already. Millions of users will have the same update fail. It will be resolved with a future automatic update.
If you have a laptop with Bitlocker and you’re concerned about the vulnerability and can’t wait 30 days, see my comment here:
https://www.askwoody.com/forums/topic/kb5034441-has-led-us-astray-in-a-horrible-way/#post-26299801 user thanked author for this post.
-
My Recommend Options:
Option 1. Wait. Microsoft said they will fix the issue – probably next month.
Option 2. Apply the Microsoft Patch that fixes the vulnerability (this is NOT resizing the partition): https://support.microsoft.com/en-us/topic/kb5034957-updating-the-winre-partition-on-deployed-devices-to-address-security-vulnerabilities-in-cve-2024-20666-0190331b-1ca3-42d8-8a55-7fc406910c10
Option 3. If you have Bitlocker on your laptop or other mobile device, you should have your Bitlocker setup so that you must type in a PIN before it will boot. This is the best and safest way to use Bitlocker. This vulnerability does not apply if you are setup with a Pre-Boot PIN. In other words, it will prevent this exploit.
If TPM+PIN BitLocker protectors are being used, can the vulnerability be exploited if the attacker does not know the TPM PIN?
No. To exploit the vulnerability the attacker needs to know the TPM PIN if the user is protected by the BitLocker TPM+PIN. https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-20666Here is how to add a Pre-boot PIN: https://www.howtogeek.com/262720/how-to-enable-a-pre-boot-bitlocker-pin-on-windows/
Critical: You must keep a copy of your Recovery Key. This is mandatory!! if you don’t, you risk losing everything on your drive permanently. https://support.microsoft.com/en-us/windows/back-up-your-bitlocker-recovery-key-e63607b4-77fb-4ad3-8022-d6dc428fbd0d
2 users thanked author for this post.
-
-
Just like I said:
Microsoft working on a fix for Windows 10 Bitlocker Issue
1 user thanked author for this post.
-
-
-
No. The new PatchWinREScript_2004plus.ps1 script appears to patch the WinRE image to mitigate the vulnerability in the existing partition without resizing it just fine… I’m sure MS will find a way to fix the issue automatically by next month.
I do NOT recommend using this because you shouldn’t even be installing Windows Quality Updates Yet as AskWoody is at MS-DEFCON 1 – Do not Install. This will be worked out by Microsoft by next month without user intervention. Let it be. Anyway, here is info for those interested:
Microsoft shares script to update Windows 10 WinRE with BitLocker fixes
https://www.bleepingcomputer.com/news/microsoft/microsoft-shares-script-to-update-windows-10-winre-with-bitlocker-fixes/I think you are naive if you think Microsoft can just fix this. If the problem is that a partition is too big for a new winre.wim file (which seems to be the problem,) they very likely can’t just make the file smaller again. Their only other choice is to start re-sizing partitions (not just the recovery one) while installing a replacement update. I, for one, do not trust Microsoft not to screw this up while doing it silently behind the scenes during another update!
1 user thanked author for this post.
-
I do NOT recommend using this because you shouldn’t even be installing Windows Quality Updates Yet as AskWoody is at MS-DEFCON 1 – Do not Install. This will be worked out by Microsoft by next month without user intervention. Let it be. Anyway, here is info for those interested:
Microsoft shares script to update Windows 10 WinRE with BitLocker fixes
https://www.bleepingcomputer.com/news/microsoft/microsoft-shares-script-to-update-windows-10-winre-with-bitlocker-fixes/1 user thanked author for this post.
-
You should have your laptop Bitlocker setup so that you must type in a PIN before it will boot. This is the best and safest way to use Bitlocker. This vulnerability does not apply if you are setup with a Pre-Boot PIN. In other words, it will prevent this exploit.
If TPM+PIN BitLocker protectors are being used, can the vulnerability be exploited if the attacker does not know the TPM PIN?
No. To exploit the vulnerability the attacker needs to know the TPM PIN if the user is protected by the BitLocker TPM+PIN.
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-20666Here is how to add a Pre-boot PIN:
https://www.howtogeek.com/262720/how-to-enable-a-pre-boot-bitlocker-pin-on-windows/Critical: You must keep a copy of your Recovery Key. This is mandatory!! if you don’t, you risk losing everything on your drive permanently.
https://support.microsoft.com/en-us/windows/back-up-your-bitlocker-recovery-key-e63607b4-77fb-4ad3-8022-d6dc428fbd0d
Author
