Windows 10 users are experiencing a cryptic error preventing the installation of a recent security update. While waiting for the publication of an official patch, Microsoft offers a solution to force the installation of the patch.
The first update of the year for Windows 10 and 11 arrived this Tuesday, with Patch Tuesday for January 2024. Without making major changes to the operating system, this delivery focuses on correcting bugs and security vulnerabilities. Unfortunately, one of the components of the patch, security update KB5034441, encountered a problem and many Windows 10 version 22H2 users found themselves unable to install it.
To make matters worse, Windows Update only returns a cryptic error code when the installation fails, which is of little use in understanding the origin of the problem. Fortunately, following numerous reports from users, Microsoft was able to identify the malfunction and even published a series of instructions, complete and in French, to work around the problem and allow the installation of the security update.
However, the procedure to follow turns out to be complex and requires a series of command lines not necessarily accessible to everyone. Furthermore, according to initial feedback from certain users, the workaround method proposed by Microsoft does not seem to work systematically, with the update continuing to refuse to install even after application.
What does error code 0x80070643 mean when updating KB5034441?
Patch Tuesday for Windows, released this Tuesday, January 9, 2024, brings a whole series of fixes for bugs and security vulnerabilities. In the bundle, security update KB5034441 addresses a vulnerability identified as CVE-2024-20666, which allowed an attacker to bypass Windows’ BitLocker encryption function and gain unencrypted access to encrypted data on the computer’s storage device.
Unfortunately, on PCs equipped with Windows 10, installing update KB5034441 returns an error message that is obscure to say the least and unlikely to help users experiencing the problem.
In a help note dedicated to this problem, Microsoft says that Windows Update Manager should normally return a more explicit error message, stating “Windows Recovery Environment servicing failed. (CBS_E_INSUFFICIENT_DISK_SPACE).” However, another problem affecting the Windows Update error code handling routine results in incorrect recognition of the incident and the display of the famous code “0x80070643 – ERROR_INSTALL_FAILURE”.
Once this first enigma has been resolved, what do the normally expected error message and Microsoft’s note tell us? To fix the vulnerability affecting BitLocker, update KB5034441 must create a new version of Windows Recovery Environment (WinRE), on the Windows recovery partition. This partition is a storage space reserved on the computer’s hard drive or SSD during installation of the operating system, and which is used during repair or restoration operations in the event of a problem.
However, the recovery partition automatically created by Windows 10 during its installation is of insufficient size to accept the new version of Windows Recovery Environment (WinRE), hence the error message “Windows Recovery Environment servicing failed. (CBS_E_INSUFFICIENT_DISK_SPACE)” which should normally be displayed instead of the code 0x80070643, and which clearly indicates a storage space problem.
As an example, on a computer with Windows 10 22H2 installed, we find a recovery partition with a volume of 549 MB, which therefore seems insufficient to accommodate the new version of WinRE.
To remedy the problem, it would therefore be enough to increase the size of the recovery partition, but this operation is not that simple. Unlike other storage partitions, which can be resized via the Windows Disk Management tool, the recovery partition is created during the installation of the operating system, and one must turn to command line tools to manipulate it.
To allow Windows 10 users to install update KB5034441, Microsoft therefore suggests manually resizing the recovery partition. You will find detailed instructions in French on this page.
However, before embarking on this somewhat complex and risky operation, it is necessary to assess its relevance and appropriateness. Indeed, the vulnerability affecting BitLocker, as worrying as it may be, is ultimately limited in scope. To exploit it, an attacker must have physical access to the targeted computer, a fairly specific scenario which concerns corporate computers containing sensitive data more than individual PCs. Furthermore, a patch allowing easy and automatic installation of update KB5034441 will surely be deployed by Microsoft fairly quickly. The majority of users, given the relative dangerousness of the security flaw, will certainly be better off waiting for its publication than engaging in command line-based acrobatics.
However, if you’re feeling adventurous and have a compelling need to fix the BitLocker vulnerability right away, here is the procedure to follow.
► Open a command prompt as administrator. To do this, open the Start menu, type the letters “cmd”, then right-click on the Command Prompt result and finally click on Run as administrator.
► To check if WinRE is installed, write the command reagentc /info and validate by pressing Enter. You can copy and paste the command below directly into the terminal:
reagentc /info
► If WinRE is installed correctly, you should get a result similar to the screenshot below, with “WinRE location: \\?\GLOBALROOT\device\harddisk0\partition5\Recovery\WindowsRE”. In this path, the numbers after “harddisk” and “partition” correspond to the WinRE disk and partition indexes. Write them down, you will need them for the following commands.
► Next, you must deactivate WinRE. Write the command reagentc /disable and validate by pressing Enter. You can copy and paste the command below directly into the terminal:
reagentc /disable
► Next, you need to shrink the operating system partition to free up additional space for the recovery partition. Write the command diskpart and validate by pressing Enter. You can copy and paste the command below directly into the terminal:
diskpart
► Then write the command list disk and validate by pressing Enter. You can copy and paste the command below directly into the terminal:
list disk
► To select the disk, write the command sel disk
sel disk
► Then write the command list part and validate by pressing Enter. You can copy and paste the command below directly into the terminal:
list part
► In the list, locate the number of the main partition. In this case it is number 3. Then write the command sel part
sel part
► Once the partition is selected, write the command shrink desired=250 minimum=250 and validate by pressing Enter. You can copy and paste the command below directly into the terminal:
shrink desired=250 minimum=250
► You must then select and delete the WinRE partition. Write the command sel part
sel part
► Finally, to delete the recovery partition, write the command delete partition override and validate by pressing Enter. You can copy and paste the command below directly into the terminal:
delete partition override
You must then create a new recovery partition. Before that, you need to determine whether the partition type of your storage is GUID Partition Table (GPT) or Master Boot Record (MBR).
► Run the command list disk like before. In the list of results, see if the row for the disk concerned, 0 in our case, contains an asterisk * in the GPT column. Be careful, the value of the line may be offset from the column header, as in the screenshot below, so look carefully if the line ends with an asterisk *.
list disk
If the disk in question contains an asterisk * in the GPT column, it is of type GPT. Otherwise, it is of type MBR. The next command to run depends on the disk type, so be careful when writing it.
► If your disk is GPT type, first write the command create partition primary id=de94bba4-06d1-4d40-a16a-bfd50179d6ac and validate by pressing Enter, then write the command gpt attributes =0x8000000000000001 and validate by pressing Enter.
create partition primary id=de94bba4-06d1-4d40-a16a-bfd50179d6ac
gpt attributes =0x8000000000000001
► If your disk is MBR type, write the command create partition primary id=27 and validate by pressing Enter.
create partition primary id=27
► In both cases, format the partition by writing the command format quick fs=ntfs label="Windows RE tools" and validate by pressing Enter.
► To verify that the new WinRE partition has been created, write the command list vol and validate by pressing Enter. A list with a volume named Windows RE should appear.
list vol
► To exit the DiskPart tool, write the command exit and confirm by pressing Enter.
exit
► Finally, to re-enable WinRE, write the command reagentc /enable and validate by pressing Enter.
reagentc /enable
► Finally, you can check that WinRE is correctly reinstalled. Write the command reagentc /info and validate by pressing Enter.
reagentc /info
Once these long manipulations are completed, you can try to reinstall the KB5034441 update and restart your computer. Keep in mind, however, that as previously noted, this method has not worked for many users, and you may still need to wait until Microsoft releases the official patch.
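Before touching any partition, the values the procedure above relies on (WinRE disk and partition indexes, recovery partition size, GPT or MBR, and whether 250 MB can be shrunk) can be collected with a read-only check. This is an added example, not part of Microsoft's instructions; the helper name Get-WinRELocation is hypothetical, and it assumes the partition to shrink is the one holding the running Windows installation.

```powershell
# Added example: read-only pre-flight check. It changes nothing on disk.
# Run from an elevated PowerShell session (reagentc requires administrator rights).

function Get-WinRELocation {   # hypothetical helper name
    param([string[]]$ReagentcOutput)
    # Match on the device path itself: the label in front of it is localized.
    foreach ($line in $ReagentcOutput) {
        if ($line -match 'harddisk(\d+)\\partition(\d+)') {
            return [pscustomobject]@{
                DiskNumber      = [int]$Matches[1]
                PartitionNumber = [int]$Matches[2]
            }
        }
    }
    return $null   # no path printed: WinRE is disabled or not installed
}

$loc = Get-WinRELocation -ReagentcOutput (reagentc /info)
if (-not $loc) {
    Write-Warning 'reagentc /info shows no WinRE location; stop here.'
    return
}

$disk = Get-Disk -Number $loc.DiskNumber
$re   = Get-Partition -DiskNumber $loc.DiskNumber -PartitionNumber $loc.PartitionNumber

# Assumption: the partition to shrink is the one holding the running Windows install.
$letter = $env:SystemDrive.Substring(0, 1)
$os     = Get-Partition -DriveLetter $letter
$min    = (Get-PartitionSupportedSize -DiskNumber $os.DiskNumber `
               -PartitionNumber $os.PartitionNumber).SizeMin
$shrinkable = $os.Size - $min

[pscustomobject]@{
    WinREDisk        = $loc.DiskNumber
    WinREPartition   = $loc.PartitionNumber
    WinRESizeMB      = [math]::Round($re.Size / 1MB)
    PartitionStyle   = $disk.PartitionStyle     # GPT or MBR: decides the create command
    OsPartition      = $os.PartitionNumber
    OsOnSameDisk     = ($os.DiskNumber -eq $loc.DiskNumber)
    OsShrinkableMB   = [math]::Floor($shrinkable / 1MB)
    CanShrinkBy250MB = ($shrinkable -ge 250MB)
}
```

If CanShrinkBy250MB is False or OsOnSameDisk is False, the diskpart steps will not apply as written to this machine.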