Watch out for the recent KB5034441 Windows 10 Update


andy_c

This one is to fix a security vulnerability associated with the recovery partition.  Many people are experiencing a failure of this update, because it puts more data into the recovery partition, which can cause the needed space to exceed its fixed partition size.  See this thread for more info.

I had this failure and didn't even notice it, as I use WuMgr, and it doesn't put up a prominent error message.

One user had to enlarge his recovery partition to 1 GB to get it to work, so I followed the MS directions to do so.

This enlarged the recovery partition okay, but I may have skipped step 3, which caused me to lose the recovery files.  The recovery partition was big enough, but it was non-working because of the missing recovery files.

If this happens, one has to go through a big rigamarole to fix it.  This involves getting a file called winre.wim from a Windows install ISO, putting it into the C:\Windows\System32\Recovery folder, and deleting all other files except winre.wim from that folder.  Then from an Admin mode command prompt in that folder, you run:

reagentc /disable
Then
reagentc /enable

The procedure for getting the winre.wim file from the Windows ISO can be found here.  I had to do it with the install.esd file (as they mention at the beginning of the article), as there was no install.wim in my ISO file.

I finally got it working, but the whole thing was pretty much of a clusterfark, so I thought I'd warn everyone.
« Last Edit: 11 Jan 2024, 05:34 am by andy_c »

FullRangeMan

Re: Watch out for the recent KB5034441 Windows 10 Update
« Reply #1 on: 11 Jan 2024, 02:50 am »
I uninstall all this garbage that MS puts on my PC.

WGH

Re: Watch out for the recent KB5034441 Windows 10 Update
« Reply #2 on: 11 Jan 2024, 03:26 am »
Glad you got it all working again.

Everyone knows Patch Tuesday is preceded by Image Monday using one of the free disk imaging programs like Paragon Backup and Recovery Community Edition
https://www.paragon-software.com/us/free/br-free/#

No more clusterfarks.


I've programed in Fortran IV, CP/M and MS DOS and learned computers are very literal, no skipping steps allowed. I've tried and it never ends well. But some days it is harder to stay focused than others.


Why do you use WuMgr?

andy_c

Re: Watch out for the recent KB5034441 Windows 10 Update
« Reply #3 on: 11 Jan 2024, 03:52 am »
Quote
Glad you got it all working again.

Everyone knows Patch Tuesday is preceded by Image Monday using one of the free disk imaging programs like Paragon Backup and Recovery Community Edition
https://www.paragon-software.com/us/free/br-free/#

No more clusterfarks.

Yes, I use Macrium Reflect Free, but unfortunately it's no longer supported by them.  It still works fine, but I need to decide what I'm going to replace it with.

Quote
I've programed in Fortran IV, CP/M and MS DOS and learned computers are very literal, no skipping steps allowed. I've tried and it never ends well. But some days it is harder to stay focused than others.

Same here.  There's some audio-related software I wrote, at my site link.

In my case, skipping the step wasn't intentional.  I was going back and forth looking at the command line and the MS web page, and ended up skipping a line of the instructions.

After writing the post above, I found the update failed on my HTPC too.  I carefully followed the MS instructions for making a bigger recovery partition and it all worked fine.

Quote
Why do you use WuMgr?

I just like having the control it offers.  On the "Auto Update" tab, I choose the "Disable Automatic Updates" option.  So it only updates when I ask it to.  It's done by clicking the oddly-named "Search" button, which gives you a checked list of available updates.  You choose the ones you want, then click the install button.  It's like the Windows 7 update used to be, except that it always works.  I'm really happy with it.

WGH

Re: Watch out for the recent KB5034441 Windows 10 Update
« Reply #4 on: 12 Jan 2024, 12:23 am »
We are dinosaurs, soon to be extinct. Growing up with DOS and early versions of Windows we can't help but to fiddle with the settings, surely after all these years we have to know more than Microsoft engineers, most weren't born yet when we started noodling. I no longer go into the registry to fine tune the swap file or anything else. Windows 11 turns a computer into an appliance.

I just updated my 2008 Toshiba Satellite M305D that has the AMD Turion-X2 extra slow processor to the latest Windows 10 update - KB5034122. BitLocker is not enabled so KB5034441 has not shown up (yet). The Recovery Partition has stayed the same exact size.

KB5034122 does include Windows 10 servicing stack update and something to do with BitLocker (again).
This update makes quality improvements to the servicing stack, which is the component that installs Windows updates. Servicing stack updates (SSU) ensure that you have a robust and reliable servicing stack so that your devices can receive and install Microsoft updates.

If the servicing stack is not updated then the reliability of future Microsoft updates could be affected. I suppose if all future Microsoft updates are declined or uninstalled then it is a moot point.
Uninstalling Security Updates in an 8-1/2 year old operating system is another can of worms entirely.

andy_c

Re: Watch out for the recent KB5034441 Windows 10 Update
« Reply #5 on: 12 Jan 2024, 03:31 pm »
Quote
KB5034122 does include Windows 10 servicing stack update and something to do with BitLocker (again).
This update makes quality improvements to the servicing stack, which is the component that installs Windows updates. Servicing stack updates (SSU) ensure that you have a robust and reliable servicing stack so that your devices can receive and install Microsoft updates.

If the servicing stack is not updated then the reliability of future Microsoft updates could be affected. I suppose if all future Microsoft updates are declined or uninstalled then it is a moot point.

Yeah.  I hope people didn't interpret the thread title as meaning that one should ignore the update entirely, forever.  I just wanted to point out that lots of people experienced the failure to install due to the recovery partition not being big enough.  Two out of three of my machines failed the update.

Also, Microsoft's fix for this problem is not appropriate for the average user.  To expect users to mess around with diskpart in an admin mode console, especially when there's partition formatting involved, invites chaos.  If the wrong partition is selected, the user could end up blowing away their C: drive.  Not good.

WGH

Re: Watch out for the recent KB5034441 Windows 10 Update
« Reply #6 on: 12 Jan 2024, 08:38 pm »
Quote
Yeah.  I hope people didn't interpret the thread title as meaning that one should ignore the update entirely, forever.

Actually, for 99.9% of users, ignoring the error forever is a great idea, if I get the error I will. My cousin and friends get errors all the time when their computers start, they shrug, ignore it and keep on playing.



What the failed patch is supposed to fix:
A successful attacker could bypass the BitLocker Device Encryption feature on the system storage device. An attacker with physical access to the target could exploit this vulnerability to gain access to encrypted data.

I don't use BitLocker but if I did then the attacker would have to break into my house with the right tools and the hacking knowledge to access my storage system and steal something of value to them, although I don't have anything of value in my computer, old business proposals, recipes and photos mostly. I would never keep my private Bitcoin key in a text file in a computer, the key would be written on a yellow sticky tab in a desk drawer.


The existential question that should be considered while sipping a whiskey is why the need to immediately fix the BitLocker flaw? You may have a good reason but I'll bet this flaw has been known about for a long time. This isn't a zero day patch, Microsoft says if it doesn't work we'll try again later, move on, nothing to see here. A failed patch usually means something: DON'T DO IT.




Extra credit reading: Microsoft has released a PowerShell script to automate updating the Windows Recovery Environment (WinRE) partition in order to fix CVE-2024-20666, a vulnerability that allowed for BitLocker encryption bypass.
https://www.bleepingcomputer.com/news/microsoft/microsoft-shares-script-to-update-windows-10-winre-with-bitlocker-fixes/

Extra credit podcast: Exit Scam: The Death and Afterlife of Gerald Cotten
In 2018, Gerald Cotten, the founder of Canada's biggest Bitcoin exchange, died under mysterious circumstances during a honeymoon trip to India. His customers were told that the $215 million they'd deposited on the exchange was lost forever — because Gerry had forgotten to leave behind his passwords. But here's the thing: Not everyone believes he's dead. Exit Scam is a miniseries about what really happened to Gerald Cotten and the fortune that disappeared with him.
https://www.audacy.com/podcasts/exit-scam-the-death-and-afterlife-of-gerald-cotten-57657

andy_c

Re: Watch out for the recent KB5034441 Windows 10 Update
« Reply #7 on: 13 Jan 2024, 12:02 am »
Quote
Extra credit reading: Microsoft has released a PowerShell script to automate updating the Windows Recovery Environment (WinRE) partition in order to fix CVE-2024-20666, a vulnerability that allowed for BitLocker encryption bypass.
https://www.bleepingcomputer.com/news/microsoft/microsoft-shares-script-to-update-windows-10-winre-with-bitlocker-fixes/

That's an interesting read.  Good to know there's an easier fix.

As mentioned, I enlarged my recovery partition to 1000 MB.  I can't remember the exact previous size, but I do remember it was just shy of 600 MB.  Just for grins, I looked at my partition data in Macrium Reflect.  The recovery partition is 1000 MB in size, and has 476.7 MB of data on it.  So there's less data on it than its previous size!

WGH

Re: Watch out for the recent KB5034441 Windows 10 Update
« Reply #8 on: 22 Jan 2024, 08:12 pm »
The free edition of the Ask Woody tech newsletter has an easy to understand in depth breakdown of KB5034441 Windows 10 update.
Susan Bradley, tech guru and patch expert says "Don't patch"

KB5034441 has led us astray, in a horrible way
https://www.askwoody.com/newsletter/free-edition-kb5034441-has-led-us-astray-in-a-horrible-way/


"To further reinforce my advice not to resize yet, I used a free partition tool on one of my impacted computers. After it ran, the recovery partition was no longer recognized. I fixed that by extracting WinRE.wim from a Windows 10 ISO, then forcing the system to repair itself with a fairly complex process. I’m not going to describe it because I don’t recommend you try it, but it illustrates the danger associated with the problem."

"If you do plan to roll out this update, remember that for Windows 10, the WinRE fix is separate, whereas in Windows 11 it is included in the cumulative update. While I’ve not seen issues with Windows 11, I have seen issues with Windows 10. For IT pros, I can recommend a PowerShell script named WinRE-Customization by Martin Himken to assist you in rolling it out."

"I am not comfortable advising you to resize your partitions. If you click on the wrong thing, you could accidentally delete your entire working hard drive. So I’m still going to strongly recommend that if you are not comfortable with resizing your partitions or using a partition tool to help, skip this update on your Windows 10 PCs. Fortunately, it’s a separate patch — you can use the BlockAPatch tools to hide the update."


The newsletter article has a lot more info about the patch. A good read.

andy_c

Re: Watch out for the recent KB5034441 Windows 10 Update
« Reply #9 on: 23 Jan 2024, 04:55 am »
Quote
The newsletter article has a lot more info about the patch. A good read.

It was a good read!

I did some more experiments just for the heck of it.  I tried to shrink the recovery partition back down, to maximize space on the C: drive.  The amount of data taken up on the recovery partition after the update was about 473 MB, way less than the 1000 MB I allocated.  I tried the MiniTool Partition Wizard free version for that.  This was recommended over in tenforums.  After the successful resize of the partition, I ran this from an admin command line:

reagentc /info

only to find that the "Windows RE status" was in the "disabled" state, indicating a non-working recovery environment.  Usually, what fixes that is to do a

reagentc /enable

If that doesn't work, you're usually screwed and have to restore the winre.wim.  The reagentc /enable command didn't restore the recovery environment.  Then I remembered that a user on tenforums said they had the same problem.  They rebooted, and afterwards the Windows RE status came back as enabled after checking it again with reagentc /info.  So I tried this as a "hail Mary" play.  Sure enough, after rebooting I ran reagentc /info, and it showed the Windows RE status was in the "enabled" state as it should be.  MiniTool Partition Wizard didn't notify me of the need to reboot before or after the recovery partition resize.

I noticed that the article author was also using MiniTool Partition Wizard.  The quote below is interesting.

Quote
"To further reinforce my advice not to resize yet, I used a free partition tool on one of my impacted computers. After it ran, the recovery partition was no longer recognized. I fixed that by extracting WinRE.wim from a Windows 10 ISO, then forcing the system to repair itself with a fairly complex process. I’m not going to describe it because I don’t recommend you try it, but it illustrates the danger associated with the problem."

She did not say which of the free partition tools she used, but if it was the MiniTool Partition Wizard she mentioned earlier in the article, it's possible that a reboot as described above might have fixed it.

All this is completely nuts of course.  I just get curious at times, and try to learn some things that might save me in a tricky situation in the future.  When I did an upgrade of my 500 GB SATA SSD to a 1 TB M.2 SSD, it took me a couple of days to get everything straightened out.  The SATA SSD had a weird partition structure that didn't conform to the MS recommendations.  Among other problems, I lost the recovery environment in the process of getting the partitions to match what MS recommends.  That was when I first found out about the winre.wim madness.

I also found out that the MS disk management tool shows one less than the actual number of partitions on a drive.  It fails to show the partition of type "MSR" referenced in the linked MS article.  It also fails to show the actual amount of data taken up on the recovery partition.  You get no results when checking its properties.
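
A read-only check for the state discussed in this thread, as an added example that is not part of any poster's text or of Microsoft's script: it parses `reagentc /info`, lists every partition on the recovery disk (including the MSR one), and reports used and free space on the recovery partition. It assumes English `reagentc` output and an elevated prompt; the function name `Get-WinREState` and the `$RequiredFreeMB` threshold are hypothetical and chosen for illustration.

```powershell
# Added example: read-only pre-check for a WinRE update. It changes nothing on disk.
# Save as a .ps1 file and run it from an elevated PowerShell prompt.
# Assumptions: English reagentc output; $RequiredFreeMB is an assumed threshold.
param([int]$RequiredFreeMB = 250)

function Get-WinREState {
    param([string[]]$ReagentcOutput)
    $state = [ordered]@{ Status = $null; Disk = $null; Partition = $null }
    foreach ($line in $ReagentcOutput) {
        if ($line -match 'Windows RE status:\s*(\w+)') {
            $state.Status = $Matches[1]
        }
        # Location looks like \\?\GLOBALROOT\device\harddisk0\partition4\Recovery\WindowsRE
        if ($line -match 'Windows RE location:.*harddisk(\d+)\\partition(\d+)') {
            $state.Disk = [int]$Matches[1]
            $state.Partition = [int]$Matches[2]
        }
    }
    [pscustomobject]$state
}

$re = Get-WinREState -ReagentcOutput (reagentc /info)
if ($re.Status -ne 'Enabled' -or $null -eq $re.Disk) {
    # A resize can leave WinRE disabled until "reagentc /enable" and/or a reboot.
    Write-Warning "Windows RE status is '$($re.Status)'; no active recovery partition to measure."
    return
}

# Get-Partition lists every partition on the disk, including the MSR ("Reserved") one.
Get-Partition -DiskNumber $re.Disk |
    Select-Object PartitionNumber, Type, @{ n = 'SizeMB'; e = { [math]::Round($_.Size / 1MB) } } |
    Format-Table -AutoSize | Out-String | Write-Host

# Size and free space of the partition that reagentc says holds WinRE.
$vol = Get-Partition -DiskNumber $re.Disk -PartitionNumber $re.Partition | Get-Volume
$freeMB = [math]::Round($vol.SizeRemaining / 1MB, 1)
[pscustomobject]@{
    Disk         = $re.Disk
    Partition    = $re.Partition
    SizeMB       = [math]::Round($vol.Size / 1MB, 1)
    UsedMB       = [math]::Round(($vol.Size - $vol.SizeRemaining) / 1MB, 1)
    FreeMB       = $freeMB
    EnoughForFix = ($freeMB -ge $RequiredFreeMB)
}
```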