Hey checkyourlogs fans,
Earlier this month, it was reported that Windows Server 2022 Security Update KB5034439 was failing. This update was part of patch Tuesday and a fix for a BitLocker encryption bypass that allows users to access encrypted data CVE-2024-20666. If there are issues with the Windows RE partition and deployment, the update won’t be installed. Here is the write-up on this from bleeping computer – Windows 10 KB5034441 security update fails with 0x80070643 errors (bleepingcomputer.com).
I found that on many of our servers, the WinRE partition was never configured at all.
You can check this by running reagentc /info
If your system is configured with the Windows RE status = Disabled this update will fail.
It is likely your Windows update pass will look something like this:
Microsoft has released a PowerShell script to fix this but I found it was just easier to fix the Win RE issues before rolling updates.
Here are the steps I followed to fix this based on Cary Sun’s blog How to Fix Veeam Collecting recovery media files Details: Windows recovery image file not found | CheckYourLogs.Net
Step .5 – Mount the Server 2022 ISO
Step 1 – Run from an Admin PowerShell Prompt – reagentc /info – If it shows disabled, then proceed with the fix. If not, you have other issues.
Step 2 – In my case I copied the Install.wim from f:\sources\ to a working directory then ran the following:
DISM /Mount-image /imagefile:c:\post-install\091-kb5034439\install.wim /Index:1 /MountDir:C:\temp /readonly /optimize
Step 3 – Copy the Recovery folder from the mounted WIM to c:\windows\system32\recovery
robocopy /MIR C:\temp\Windows\System32\Recovery\ C:\Windows\System32\Recovery
Step 4 – Unmount the WIM
Dism /Unmount-image /MountDir:C:\temp /discard
Step 5 – Enable the WinRe Partition
Step 6 – Verify the new WinRE Partition
Roll your windows updates and viola KB5034439 is successfully installed.
Hope you enjoy the post,