Hey checkyourlogs fans,

Earlier this month, it was reported that Windows Server 2022 Security Update KB5034439 was failing. This update was part of Patch Tuesday and is a fix for CVE-2024-20666, a BitLocker encryption bypass that allows users to access encrypted data. If there are issues with the Windows RE partition and deployment, the update won’t be installed. Here is the write-up on this from BleepingComputer – Windows 10 KB5034441 security update fails with 0x80070643 errors (bleepingcomputer.com).

I found that on many of our servers, the WinRE partition was never configured at all.

You can check this by running reagentc /info

If your system is configured with the Windows RE status = Disabled, this update will fail.

It is likely your Windows update pass will look something like this:

Microsoft has released a PowerShell script to fix this, but I found it was just easier to fix the WinRE issues before rolling updates.

Here are the steps I followed to fix this, based on Cary Sun’s blog: How to Fix Veeam Collecting recovery media files Details: Windows recovery image file not found | CheckYourLogs.Net

Step .5 – Mount the Server 2022 ISO

Step 1 – Run from an Admin PowerShell Prompt – reagentc /info – If it shows disabled, then proceed with the fix. If not, you have other issues.

Step 2 – In my case I copied the Install.wim from f:\sources\ to a working directory then ran the following:

DISM /Mount-image /imagefile:c:\post-install\091-kb5034439\install.wim /Index:1 /MountDir:C:\temp /readonly /optimize

Step 3 – Copy the Recovery folder from the mounted WIM to c:\windows\system32\recovery

robocopy /MIR C:\temp\Windows\System32\Recovery\ C:\Windows\System32\Recovery

Step 4 – Unmount the WIM

Dism /Unmount-image /MountDir:C:\temp /discard

Step 5 – Enable the WinRE Partition

Reagentc /enable

Step 6 – Verify the new WinRE Partition

Reagentc /info
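
Steps 1 through 6 above combined into one PowerShell script, as an added example that is not part of the original post and is not Microsoft's script. The default paths are the ones used in the post; the Get-WinREStatus helper and the parameter names are hypothetical, and the script assumes English reagentc output and an empty mount directory.

```powershell
#Requires -RunAsAdministrator
# Added example: steps 1-6 of the post as one script. Default paths are the post's.
param(
    [string]$WimPath  = 'C:\post-install\091-kb5034439\install.wim',
    [string]$MountDir = 'C:\temp',
    [int]$Index       = 1
)
$RecoveryDir = 'C:\Windows\System32\Recovery'

function Get-WinREStatus {
    # Hypothetical helper: reads the "Windows RE status:" line (English output assumed).
    $info = & reagentc.exe /info 2>&1 | Out-String
    if ($info -match 'Windows RE status:\s+(\w+)') { return $Matches[1] }
    throw "Could not read Windows RE status from reagentc /info:`n$info"
}

# Step 1: only proceed when WinRE is reported as Disabled.
if ((Get-WinREStatus) -ne 'Disabled') {
    Write-Host 'Windows RE status is not Disabled; this fix does not apply.'
    return
}
if (-not (Test-Path -LiteralPath $WimPath)) { throw "install.wim not found: $WimPath" }

# DISM needs an existing, empty mount directory.
New-Item -ItemType Directory -Path $MountDir -Force | Out-Null
if (Get-ChildItem -LiteralPath $MountDir -Force) { throw "$MountDir is not empty" }

# Step 2: mount the image read-only.
& dism.exe /Mount-Image "/ImageFile:$WimPath" "/Index:$Index" "/MountDir:$MountDir" /ReadOnly /Optimize
if ($LASTEXITCODE -ne 0) { throw "DISM mount failed, exit code $LASTEXITCODE" }
try {
    # Step 3: mirror the Recovery folder. Robocopy exit codes below 8 are success.
    & robocopy.exe (Join-Path $MountDir 'Windows\System32\Recovery') $RecoveryDir /MIR
    if ($LASTEXITCODE -ge 8) { throw "robocopy failed, exit code $LASTEXITCODE" }
}
finally {
    # Step 4: always unmount, even if the copy failed.
    & dism.exe /Unmount-Image "/MountDir:$MountDir" /Discard
}

# Steps 5 and 6: enable WinRE, then confirm by re-reading the status.
& reagentc.exe /enable
$status = Get-WinREStatus
if ($status -ne 'Enabled') { throw "Windows RE status is still '$status'" }
Write-Host 'Windows RE status: Enabled'
```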

Roll your Windows updates and voilà, KB5034439 is successfully installed.

Hope you enjoy the post,

Thanks,

Dave