• BitLocker-related update triggers install problems


    #2627506

    PATCH WATCH By Susan Bradley January starts off the year with a bang, in the form of an install problem that may affect some of your Windows 10 PCs. F
    [See the full post at: BitLocker-related update triggers install problems]

    Susan Bradley Patch Lady/Prudent patcher

    8 users thanked author for this post.
    • #2627561

      In a consumer setting, where BitLocker is not in use and physical access to, and control of, the PC is in the user’s hands, this vulnerability is of extremely low risk.

      In fact, I’m willing to call it zero risk.

      Until a laptop gets stolen? —

      Over 2 million laptops are stolen every year in the United States.

      A laptop is stolen every 53 seconds in the United States.

      In the UK, 10,000 laptops are reported stolen every year.

      Laptop theft accounts for 57% of all identity theft.

      Must-Know Laptop Theft Statistics [Recent Analysis]


      In the case of my home Windows 10 PC, TPM is not supported; BitLocker could not be enabled, even if I tried.

      I have two home pcs that have NO TPM chip and thus no way to ever have bitlocker.

      It’s possible to use Bitlocker without a TPM:

      How to Turn on BitLocker Without TPM on Windows 10

      1 user thanked author for this post.
      • #2627604

        Sorry b, the risk of theft is not going to convince me that there is a need for Bitlocker in a home setting - and with this audience request to not have a Microsoft account - even more of a reason to not use Bitlocker. The best way to do bitlocker is with a TPM chip - the very reason for Microsoft’s hardware mandate. Anything else is a klutzy substitute. Sorry b this release was poorly thought out and released.

        Susan Bradley Patch Lady/Prudent patcher

        3 users thanked author for this post.
        • #2627640

          - and with this audience request to not have a Microsoft account - even more of a reason to not use Bitlocker.

          43% of your readers use Microsoft 365 and plenty more use OneDrive, Skype, Xbox etc., so most probably already have a Microsoft account.

          But Bitlocker does not require a Microsoft account anyway.

          The best way to do bitlocker is with a TPM chip - the very reason for Microsoft’s hardware mandate.

          Bitlocker is not the only use for a TPM (e.g. Passkeys), or even the primary reason for the requirement (i.e. Platform Integrity):

          The primary scope of TPM is to ensure the integrity of a platform. In this context, “integrity” means “behaves as intended”, and a “platform” is any computer device regardless of its operating system. This is to ensure that the boot process starts from a trusted combination of hardware and software, and continues until the operating system has fully booted and applications are running.

          TPM — Uses — Platform Integrity — Wikipedia

    • #2627603

      Susan Bradley wrote: In a consumer setting, where BitLocker is not in use and physical access to, and control of, the PC is in the user’s hands, this vulnerability is of extremely low risk. In fact, I’m willing to call it zero risk.

      Until a laptop gets stolen? —

      Susan said “where BitLocker is not in use” so, since this is a BitLocker fix, she’s correct. If a non-Bitlocker’d laptop is stolen, a BitLocker fix is not going to make the slightest difference.

      • #2627619

        Correct. But is it zero risk if someone skips the fix now and then decides to enable Bitlocker in six months’ time before travel with a laptop to guard against identity theft?

        • #2627714

          Nothing is zero risk. But it’s MY decision what risk(s) is(are) acceptable for ME. If MS takes it upon themselves to offer bitlocker or some other encryption, then they need to support it in a manner that’s accessible to their users. Of course that would apply to any “feature” they offer.

          1 user thanked author for this post.
    • #2627617

      I’ve read that this update requires 250MB free space in the RE partition.  I’ve just checked two different systems installed off the official Microsoft Windows 10 ISOs.  One was installed with 20H2 and the second was the latest 22H2 image.  Both have a recovery partition of approx 500MB with about 80-85MB free.

      What exactly is Microsoft thinking when their own ISOs didn’t create a large enough partition from the start?
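
A read-only way to check the figures discussed in the post above, as an added example that is not part of the original post or of Microsoft's script. It assumes an elevated PowerShell prompt; the 250 MB threshold is the number quoted in the post, and the function name Get-WinRELocation is hypothetical.

```powershell
# Read-only check: locates the WinRE partition and reports its free space.
# Threshold is the 250 MB figure quoted in the thread, not a value verified here.
$RequiredFreeMB = 250

function Get-WinRELocation {
    # Hypothetical helper: extracts disk and partition numbers from reagentc output.
    param([string[]]$ReagentcOutput)
    # reagentc reports the WinRE path as ...\harddisk<N>\partition<M>\Recovery\WindowsRE
    foreach ($line in $ReagentcOutput) {
        if ($line -match 'harddisk(?<disk>\d+)\\partition(?<part>\d+)') {
            return [pscustomobject]@{
                DiskNumber      = [int]$Matches.disk
                PartitionNumber = [int]$Matches.part
            }
        }
    }
    return $null   # WinRE disabled, or no location reported
}

$loc = Get-WinRELocation -ReagentcOutput (reagentc /info)
if (-not $loc) {
    Write-Warning 'reagentc /info reported no WinRE partition (WinRE may be disabled).'
    return
}

# The recovery partition normally has no drive letter, so resolve the volume
# through the partition object instead of a path.
$partition = Get-Partition -DiskNumber $loc.DiskNumber -PartitionNumber $loc.PartitionNumber
$volume    = $partition | Get-Volume

[pscustomobject]@{
    Disk        = $loc.DiskNumber
    Partition   = $loc.PartitionNumber
    SizeMB      = [math]::Round($partition.Size / 1MB)
    FreeMB      = [math]::Round($volume.SizeRemaining / 1MB)
    RequiredMB  = $RequiredFreeMB
    EnoughSpace = ($volume.SizeRemaining / 1MB) -ge $RequiredFreeMB
}
```

Nothing here modifies the disk; an EnoughSpace value of False corresponds to the situation the poster describes on both test systems.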

    • #2627644

      There is no need to worry about resizing your Recovery Partition anymore.
      1. You should just do nothing and wait. Microsoft will eventually fix the issue – probably next month.
      Or
      2. Microsoft has already released an alternative to resizing the partition – a simple patch:
      KB5034957: Updating the WinRE partition on deployed devices to address security vulnerabilities in CVE-2024-20666
      https://support.microsoft.com/en-us/topic/kb5034957-updating-the-winre-partition-on-deployed-devices-to-address-security-vulnerabilities-in-cve-2024-20666-0190331b-1ca3-42d8-8a55-7fc406910c10

      More Info:
      https://www.bleepingcomputer.com/news/microsoft/microsoft-shares-script-to-update-windows-10-winre-with-bitlocker-fixes/


      • #2627656

        Simple for the many “Geeks” in this forum.  For others it isn’t.   Microsoft should only offer this update to systems that have BitLocker enabled.  Plus the update should be seamless – that is no powershell scripts…

        3 users thanked author for this post.
        • #2627686

          IMO Resizing partitions always has risk, which just means backup first.  If you wait a month, Microsoft may, by compressing files or deleting deprecated files, find a way to get it to work with too small partitions.

      • #2627830

        Yep…I can see “Aunt Mildred” running that PowerShell script…what could go wrong.


    • #2627699

      Microsoft may, by compressing files or deleting deprecated files, find a way to get it to work with too small partitions.

      They already did with releasing a PowerShell script that doesn’t require enlarging Restore partition.

    • #2627746

      Just like I said:

      Microsoft working on a fix for Windows 10 Bitlocker Issue

      https://www.bleepingcomputer.com/news/microsoft/microsoft-working-on-a-fix-for-windows-10-0x80070643-errors/

      1 user thanked author for this post.
    • #2627792

      I intend to wait to do updates until Microsoft fixes the issue.  As a Windows 10 Home user, will the tools suggested at http://www.blockapatch.com work for me? I always assumed these tools were only for Windows 10 (or 11) Pro users.

      • #2627950

        Blockapatch has solutions for every version of Windows. I have Home and use WUMgr.

        cheers, Paul

        1 user thanked author for this post.
    • #2627846

      Hello,

      For anyone resizing the recovery partition and following Microsoft instructions, well, it seems one more step in the process is needed. By adding this step when the new RE recovery partition is added and you take a look at it in Disk management it is all correctly done. No drive letter added etc.

      I think this would also work with GUID Partition Table (GPT)

      “Support Article to Resize Windows Recovery Partition is Incorrect for MBR Disks”

      https://answers.microsoft.com/en-us/windows/forum/all/support-article-to-resize-windows-recovery/c35285d7-e93d-4f66-8f06-b76bcd303e49

      Note, it fixed the correct partition but (KB5034441) still won’t install and best to just hide it through using https://blockapatch.com/

      What a real mess Microsoft have created.

      It’s their Happy New Year patch gift to us all!


    • #2627931

      In Disk Management, my recovery partition has 522 MB free out of 522 MB, probably cause I’ve disabled restore points?

    • #2628105

      At least this “security patch” isn’t part of the January cumulative update.

    • #2628157

      Situation: Win 10 Pro 64, Windows Updates are configured for manual d/l using Group Policy, and BitLocker is off. Noticed some sluggishness on Patch Tues but ignored it. Next day I found out KB5034441 had d/l and installed successfully with no errors. No other updates d/l. PC seems to be working normally.

      Question: Since I don’t trust MS, does a successful install of KB5034441 introduce problems I should be aware of? If so, what might they be, and are there mitigation recommendations?

      Thanks for reading.

    • #2628158

      does a successful install of KB5034441 introduce problems

      None.
      It will be there if/when you decide to enable BitLocker.

      1 user thanked author for this post.