Microsoft is not fixing its mess

Topic

New Reply

ISSUE 21.18.1 • 2024-05-03 By Susan Bradley Microsoft has now made it official. It does not plan to fix the mess it made with KB5034441. As you may re
[See the full post at: Microsoft is not fixing its mess]

Susan Bradley Patch Lady/Prudent patcher

Total of 22 users thanked author for this post. Here are last 20 listed.

jburk07, Paul, MHCLV941, kewlputergeek, steeviebops, Charlie, Cybertooth, TechTango, Nibbled To Death By Ducks, rshepps1, LH, Montana Bob, bbobccat, WCHS, windbg, Mike Cataldo, DLivesInTexas, gwt10, lmacri, Kathy Stevens

Reply | Quote

Replies

Microsoft with its Telemetry, data harvesting… can’t check the presence of Bitlocker, free storage size of WinRE.. before pushing KB5034441 ?
So what good is Telemetry ?

4 users thanked author for this post.

Perturbance, Cybertooth, Nibbled To Death By Ducks, windbg

Reply | Quote

My thoughts exactly.

Susan Bradley Patch Lady/Prudent patcher

1 user thanked author for this post.

Nibbled To Death By Ducks

Reply | Quote

Alex5723 wrote:

Microsoft with its Telemetry, data harvesting… can’t check the presence of Bitlocker, free storage size of WinRE.. before pushing KB5034441 ? So what good is Telemetry ?

“All the better to see you with, my dear.”

I know…the thought of Gates, et al, as a wolf in grandma’s clothing is bizarre, but somehow, it fits.

Oh, my…

Win7 Pro SP1 64-bit, Dell Latitude E6330, Intel CORE i5 "Ivy Bridge", 12GB RAM, Group "0Patch", Multiple Air-Gapped backup drives in different locations. Linux Mint Greenhorn
--
"The more kinks you put in the plumbing, the easier it is to stop up the pipes." -Scotty

1 user thanked author for this post.

Cybertooth

Reply | Quote

I have Win 10 22H2 with Bitlocker disabled. This update installed with no problem. Should I still be concerned?

Reply | Quote

Not if the update installed.

With BL disabled you don’t need the update, with it enabled you only need the update if you expect an attacker may try to collect your data. A casual attacker will just format and start from fresh.

cheers, Paul

1 user thanked author for this post.

TechTango

Reply | Quote

Also be aware that the issue causing Edge to install a Copilot app has been resolved with Edge updates released after April 26, 2024. If you still see a Copilot app installed, you can uninstall it from your machine.

Hi Susan:

MS Edge v124.0.2478.67 (rel. 26-Apr-2024) only fixed the problem for Windows Server 2022, which was the only server OS affected by this problem.  The fix for affected Win 10 and Win 11 users hasn’t been pushed out yet.

The Windows Release Health dashboard issue for my Win 10 v22H2 OS (as well as Win 11 v21H2 / v22H2 / v23H2 dashboards) titled Edge updates might cause Microsoft Copilot app to show up in Installed apps still states:

Resolution: This issue is now resolved with Edge browser updates released on April 26, 2024. Edge version 124.0.2478.67 removes the package ‘Microsoft chat provider for Copilot in Windows’ from all servers affected by this issue. The ‘Microsoft Copilot’ entry will not show in the Installed apps list in the Settings menu once the Edge browser is updated.

An upcoming version of Microsoft Edge is expected to remove or adjust the installation of this component on specific client devices...

Next steps: We are working on a resolution for all affected clients and servers.

The release notes <here> for MS Edge v124.0.2478.67 (rel. 26-Apr-2024) also state “Removes ‘Microsoft chat provider for Copilot in Windows’ from Windows Server devices. The component was incorrectly installed on some devices in a previous Microsoft Edge update“.

My MS Edge browser updated to v124.0.2478.80 (rel. 02-May-2024) today and that Microsoft Copilot v1.0.3.0 app is still listed at Settings | Apps | Apps and Features on my Win 10 machine (see attached image).
———
Dell Inspiron 15 5584 * 64-bit Win 10 Pro v22H2 build 19045.4291 * Firefox v125.0.3 * Microsoft Edge v124.0.2478.80 * Microsoft Defender v4.18.24030.9-1.1.24030.4 * Malwarebytes Premium v5.1.3.110-1.0.1219 * Macrium Reflect Free v8.0.7783

2 users thanked author for this post.

kewlputergeek, WCHS

Reply | Quote

Read that blurb too fast last night.  Thanks!

Susan Bradley Patch Lady/Prudent patcher

Reply | Quote

Edge updates might cause Microsoft Copilot app to show up in Installed apps

Resolved: 2024-06-13, 12:14 PT

..Resolution: This issue is now resolved with Edge browser updates released on April 26, 2024, and June 13, 2024. Edge version 124.0.2478.67 was released on April 26 and removed the package ‘Microsoft chat provider for Copilot in Windows’ from all servers affected by this issue. Edge version 126.0.2592.56 was released on June 13, 2024, and removed the same package from all Windows client versions affected by this issue. The ‘Microsoft Copilot’ entry will not show in the Installed apps list in the Settings menu once the Edge browser is updated.

Affected platforms:

Client: Windows 11, version 23H2, Windows 11, version 22H2, Windows 11, version 21H2, Windows 10, version 22H2

Server: Windows Server 2022

1 user thanked author for this post.

lmacri

Reply | Quote

Alex5723 wrote:

Edge updates might cause Microsoft Copilot app to show up in Installed apps Resolved: 2024-06-13, 12:14 PT

Hi Alex5723:

Thanks for the heads up. I checked at Settings | Apps | Apps and Features on my Win 10 Pro v22H2 machine before and after my MS Edge browser updated to the latest v126.0.2592.56 (rel. 13-Jun-2024) and can confirm that the Microsoft Copilot app was removed by this update.

See the 14-Jun-2024 Neowin article Microsoft removes ‘harmless’ Copilot app that was quietly installed on your Windows PCs  for further details.
———-
Dell Inspiron 15 5584 * 64-bit Win 10 Pro v22H2 build 19045.4529 * Firefox v127.0.0 * Microsoft Edge v126.0.2592.56 * Microsoft Defender v4.18.24050.7-1.1.24050.5 * Malwarebytes Premium v5.1.5.116-1.0.1252 * Macrium Reflect Free v8.0.7783

2 users thanked author for this post.

Alex5723, WCHS

Reply | Quote

I don’t know why Microsoft releases Windows Updates without testing them.
What is the point of the insider preview program if they don’t listen to feedback or test these updates?
They shouldn’t tell users to modify the registry especially for people are not very tech savvy

Reply | Quote

I tried installing KB5034441 in Windows 10. I got the error message and decided to install Windows 11. It installed but I had no Start Menu or Taskbar. SFC showed no errors so I started Windows 11 in safe mode and everything worked. Finally used the built-in recovery utility on my HP desktop and was able to uninstall the offending Windows 10 update and then restarted and everything worked in Windows 11.

Reply | Quote

This vulnerability does not apply if you use Bitlocker and are setup with a Pre-Boot PIN. In other words, it will prevent this exploit.  That means the Windows Update KB5034441 becomes irrelevant.
You should have your laptop Bitlocker setup so that you must type in a PIN before it will boot. This is the best and safest way to use Bitlocker.  If you’re experienced and use Bitlocker, here is how to add a Pre-boot PIN:
https://www.howtogeek.com/262720/how-to-enable-a-pre-boot-bitlocker-pin-on-windows/

CRITICAL: You must keep a copy of your Recovery Key. This is mandatory!! if you don’t, you risk losing everything on your drive permanently. How to Backup and Save Your Recovery Key:
https://support.microsoft.com/en-us/windows/back-up-your-bitlocker-recovery-key-e63607b4-77fb-4ad3-8022-d6dc428fbd0d

If you still want to fix the Recovery Partition, this is the safest and easiest method for those experienced with resizing partitions.
Just use the Macrorit Partition Expert Free Portable to resize the partition. MUCH easier and safer than any other method. Note: In order to resize the partition with Macrorit free, you’ll need to turn off Bitlocker and decrypt and when you’re done re-encrypt. I suggest a partition size of 2048 MB.  The update itself needs at least 250 MB of free space on the recovery partition. But I recommend 1024 MB.

Note: Always have backup image of your drive just in case. If you use Macrorit, you need to resize the partition to the left first to make room and then the recovery partition.  You can also use any reputable partition manager – some with less steps than others.  When you’re done, the Windows update will install properly.
Important: When you re-encrypt, you’ll have new Recovery Key to Backup.
See: https://www.diskpart.com/articles/how-to-resize-recovery-partition-windows-10-0725.html

3 users thanked author for this post.

MHCLV941, lmacri, windbg

Reply | Quote

Intrepid wrote:

You must keep a copy of your Recovery Key

You can use our BitLocker Status script to do this.

Intrepid wrote:

If you still want to fix the Recovery Partition, this is the safest and easiest method for those experienced with resizing partitions

I think for those people the best method is the MS script.

cheers, Paul

2 users thanked author for this post.

Intrepid, lmacri

Reply | Quote

When do we get to the point where we start calling Windows what it truly is–Malware/Adware? The title of this column has always been, “Ask Woody.” So, I’m asking when does the Ask Woody, start suggesting viable alternatives to Windows so that the average home user who needs reliability without having to mod/block/tamper with their own operating system to make it do what they, not Microsoft wants it to do. I’m old enough to remember Bill Gates Open Letter to Hobbyists, where he accused us of “Stealing” his software. I personally believe that Microsoft “Stealing” my data and personal information for resale is worse. How about a viable transition strategy to leave Microsoft for average users who do not want to be IT professionals for the rest of their lives.

4 users thanked author for this post.

Cybertooth, Nibbled To Death By Ducks, Alex5723, David F

Reply | Quote

We are now the beta testers. Here’s why: Microsoft changed testing processes significantly in the past few years. Back in 2014/2015, Microsoft employed an entire team that was dedicated to testing the operating system, builds, updates, drivers, and other code. The team consisted of multiple groups that would run tests and discuss bugs and issues in daily meetings. The teams ran the tests on “real” hardware in a lab through automated testing.

Microsoft has since laid off almost the entire Windows Test team. The company moved most of the testing to virtual machines and this meant that tests were no longer conducted on real and diverse hardware configurations. The main sources of testing data comes from Windows Telemetry and Windows Insiders. We are all beta testers now and the bugs in Windows Updates have reached unacceptable levels (printing problems, boot loops, and other issues as reported in the media). An update that causes business disruption and loss of revenue is nearly as bad as malware.

Also, Win11 represents a trend of a “dumbing down” of society, as options and settings are eliminated or concealed behind a facade one-click operations, with big buttons, short menus and a “one size fits all” mentality, both in Windows and in a vast array of other applications by many other companies. Some say this is due to Gen Z, many of whom they claim are easily confused and distracted with short attention spans.

7 users thanked author for this post.

JPMedia, MHCLV941, Charlie, Cybertooth, Steve S., Mike Cataldo, windbg

Reply | Quote

Because Apple is too expensive and Linux is still a bit too advanced and many home users still have that beloved piece of software that runs on Windows.

Until the day that I can send John Q Public to BestBuy and buy a prebuild Mint machine, I’m still not ready to recommend it for the masses.  Hobbyist, sure, but not the masses.

Susan Bradley Patch Lady/Prudent patcher

3 users thanked author for this post.

MHCLV941, Nibbled To Death By Ducks, bbobccat

Reply | Quote

No offense Susan.  But this was the argument used against Windows in the mid-80s, when it was simply a skin over DOS.  There were other multi-tasking Operating systems prior to Windows.  At some point, we have to look at options.  This is true of any change.  Paradigm shifts occur.  We thought that metal airplanes were too complicated at one point.  Then we thought it was silly to fly planes without propellers.  The “sound barrier” was impossible to penetrate.  Swing winged aircraft would be the wave of the future – until stealth made them too risky for combat.

One of my favorite quotes is from Arthur C Clarke.  I’m sure you can guess which one of Clarke’s laws I’m referring to…

Reply | Quote

For most people a Chromebook does everything they need, my kids in school and university exclusively use google apps.  If you want gaming, a Steamdeck (Linux OS) is a good choice working out of the box for a huge number of games.   I think most business and home users are on Windows because thats the default common denominator, rather than any rational need for windows (with the exception of some finance and engineering programmes that don’t run on other OS).

Reply | Quote

Thanks for the shout-out to remotewebaccess.com users. Fortunately it’s not completely broken–DDNS and an existing certificate are still working fine at one of my sites. The Office Maven is reporting issues getting it configured from scratch. There’s some additional discussion in the comments on my blog post here, but the main discussion and any hope for resolution is in the Microsoft thread Susan linked in the main article.

Yes, time to go back to a custom domain. A PositiveSSL can be had for just a few dollars; the real cost is the time to track it and manually renew it every year.

Reply | Quote

I am just hiding it forever then. That has solved the issue so far.

Reply | Quote

We’ve had one incident of the VPN-breaking update causing OpenVPN to fail on install. Install appeared to perform normally, but no program files were present after the install completed. Looking for replication.

Reply | Quote

My newer Win10/Pro laptop took KB5034441. My older laptop did not. There was not that much difference in the partition size or the unused space in the two devices. However, the newer laptop can support Windows 11 and the older one can not. I suspect that this sledge-hammer approach was intentionally designed that way – to make users of devices unable to install it more likely to go out and buy a new Windows 11 machine.

Reply | Quote

lmacri wrote:

Microsoft Copilot v1.0.3.0 app is still listed at Settings | Apps | Apps and Features on my Win 10 machine

Uninstall.

Reply | Quote

Alex5723 wrote:

Uninstall.

Hi Alex5723:

Why? What harm is it doing?

My understanding is that this Copilot app is a “placeholder” that currently has no function. I’d rather leave it on my system and wait for Microsoft to announce that a bug fix has been released for Win 10 / Win 11 so that I can confirm for myself that the bug fix automatically removes the app.

If others want to uninstall this Copilot app before the bug fix is released that’s certainly their prerogative.
———
Dell Inspiron 15 5584 * 64-bit Win 10 Pro v22H2 build 19045.4291 * Firefox v125.0.2 * Microsoft Edge v124.0.2478.80 * Microsoft Defender v4.18.24030.9-1.1.24030.4 * Malwarebytes Premium v5.1.3.110-1.0.1219 * Macrium Reflect Free v8.0.7783

1 user thanked author for this post.

Alex5723

Reply | Quote

I use a dual boot with Mint to run my law office.  Everything I do is on my local drive or web based.  My only use of Windows is for accounting software.  Everything else is Linux, open source.  I am no longer a hobbyist and, someday. I will find that Linux accounting software, I’ll take a week ‘vacation’ and learn it. Windows and Microsoft will be but a fleeting unpleasant memory.

2 users thanked author for this post.

Tom in Az, Mike Cataldo

Reply | Quote

The CVE has a base score of 6.6 (Medium)…

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-20666

Reply | Quote

I was remiss in not downloading Win 10H22 and now regretting it because I want to scrub my drive and install fresh. This laptop will not run Win 11. Anyone know where I can get Win 10H22?

Reply | Quote

If you have Win10 Pro, just set group policy to Windows 10 22H2 and then check for updates. You will be updated to 22H2. Once updated, you can do a full reset to start over fresh.

The path in group policy is:

Computer Configuration > Administrative Templates > Windows Components > Windows Update > Windows Update for Business > Select the target Feature Update version

Reply | Quote

Assuming you are trying to download from a Windows PC, you’ll need to spoof your browser agent to force the ISO download from Microsoft.  This link will help:

https://www.howtogeek.com/427223/how-to-download-a-windows-10-iso-without-the-media-creation-tool/

If you have access to a Mac or Linux box you can just go to:

https://www.microsoft.com/en-us/software-download/windows10

… and it will give you the option to download the ISO directly.

Reply | Quote

Download the standalone USB installation creation program Rufus.

Insert a USB drive, start Rufus, click the arrow to the right of the Select button and change the option to Download.

Click the Download button and then select Windows 10 22H2 with the appropriate options in the popup window.

Press the Download button at the bottom of the popup windows and it’ll prompt you for where to save the ISO.

 

Reply | Quote

This morning, after reading your post , I thought I should attempt to change the recovery partition size.  I searched for the Microsoft method (KB5028997) and then tried to run reagentc /info, but it did not run so I wasn’t sure if there was a typo or something else.  I thought I’d check Drive Management before giving up.  The big surprise was the recovery partition was now 604 MB instead of 450 MB!  I checked Windows Update to see if KB5034441 (on Windows Home) was still a problem, but that update was not to be found in WU or WU History.

So, the bottom line is all (4) Windows 11 Pro desktops are 604 or more MB recover partitions.

The (1) Windows 10 Home desktop now has two recovery partitions, the original 450 MB and a new recovery partition of 520 MB.  I suspect that KB5034441 will disappear with a future update.

Windows 11 Pro desktop specs: Version 23H2, OS Build, 22631.3527, Experience 1000.22700.1003.0, 2024-04 Cumulative Update Preview.

So, for me Microsoft has fixed the problem, but maybe not yet for every Windows version and I may one of the lucky public beta tester.  I’m sure your efforts have been a part of this success!

 

Reply | Quote

Susan as always thank you for you post and keeping us informed. God Bless and keep up the excellent work!

Moderator Note: In the future, the link labeled “THANKS” works just as well and is faster than submitting a post thanking someone.

Reply | Quote

rshepps1 wrote:

Moderator Note: In the future, the link labeled “THANKS” works just as well and is faster than submitting a post thanking someone.

What is wrong with a personal touch to say ThankYou Susan or anybody who gave efford to help?
The world is unpsersonal and cold anough as it is; if you please

* _ ... _ *

6 users thanked author for this post.

Microfix, kewlputergeek, LH, Cybertooth, PL1, NaNoNyMouse

Reply | Quote

Susan Bradley wrote:

Until the day that I can send John Q Public to BestBuy and buy a prebuild Mint machine, I’m still not ready to recommend it for the masses. Hobbyist, sure, but not the masses.

I know further comment would only seemingly mar the perfection of this statement , but I must add, “…and retired Seniors who spent the last 20 years of their careers fighting with software and hardware.”

Win7 Pro SP1 64-bit, Dell Latitude E6330, Intel CORE i5 "Ivy Bridge", 12GB RAM, Group "0Patch", Multiple Air-Gapped backup drives in different locations. Linux Mint Greenhorn
--
"The more kinks you put in the plumbing, the easier it is to stop up the pipes." -Scotty

Reply | Quote

I use Linux Mint Cinnamon as my main OS now and I’ve gotten to the point where I enjoy using it.  Yes you could consider me a hobbyist and I didn’t mind getting into many of the new things to learn.  But, and this is a really big but, my wife is now using it too!

She mainly just goes on the WEB, does email, and saves a picture file, but I’ve taught her how to use Clam AV to check files and other things she needs to know. I don’t hear many complaints either.  I was surprised how quickly she picked up LMC.  As I did with MS Windows, I do all the updates and more complicated things, and we both use LMC and are happy!

Now when I look at how complicated MS Windows has gotten, and all of rigamarole one must endure just to do updates along with many other maddening things, I’m so glad I’m using Linux.  Personally, there would be an awful lot I’d have to learn and do to use Win 10 or 11!

Edit:  I’ve got other computers that have Windows 3.1, 95B, 98 SE, XP, and 7 on them. Anytime I need to run Windows, I’ve got them.

Being 20 something in the 70's was far more fun than being 70 something in the insane 20's

3 users thanked author for this post.

Lars220, Microfix, bassmanzam

Reply | Quote

Also using linux distro’s as daily driver with legacy Windows for offline programs. My transition to linux is as good as it gets, for now..office, email, surfing, graphic design and music stuff.
Having an iPad, iPhones works ok too.
Can’t wait to ditch the online redmondmess logic completely

If debian is good enough for NASA...

1 user thanked author for this post.

Cybertooth

Reply | Quote

Without disagreeing directly with anything written above, I note two things:

1. If you want to keep your hard drive encrypted and are in the cohort at-risk of not having working Bitlocker protection, not worrying about this is not an option.
2. The manual steps are very well documented and easy to follow.  It’s a very low-risk manual process.  It’s not like installing Windows Updates is somehow guaranteed to be lower risk.  If that were true, I wouldn’t wait for Susan’s DEFCON 4-5 declarations.  And I almost always do.

Yes, Microsoft should have done better.  Yes, there is an easy workaround if your Bitlocker is broken.  Don’t the let the first item keep you from fixing the second item.

Reply | Quote

Alex5723 wrote:

Microsoft with its Telemetry, data harvesting… can’t check the presence of Bitlocker, free storage size of WinRE.. before pushing KB5034441 ?
So what good is Telemetry ?

Where did you get the idea that all that data collected was going to benefit customers?  😁

3 users thanked author for this post.

Alex5723, Cybertooth, Fred

Reply | Quote

Might be time for us to consider moving to VeraCrypt…

 

1 user thanked author for this post.

Cybertooth

Reply | Quote

Already have, due to running Windows Home…

cheers, Paul

Reply | Quote

Paul T wrote:

Already have, due to running Windows Home…

Right.

We’re on Windows 10 Pro 22H2, eventually moving to Windows 11 Pro.

We’ll likely start trialing VeraCrypt as a replacement for BitLocker before the end of the year.

 

 

 

 

 

1 user thanked author for this post.

TechTango

Reply | Quote

I have a pre-boot PIN for Veracrypt – the PIN is the password. There doesn’t seem to be an arrangement to use a long password and fire it up with a PIN. Fine for my meagre requirements.

cheers, Paul

Reply | Quote

Mike Cataldo wrote:

No offense Susan.  But this was the argument used against Windows in the mid-80s, when it was simply a skin over DOS.  There were other multi-tasking Operating systems prior to Windows.  At some point, we have to look at options.  This is true of any change.  Paradigm shifts occur.  We thought that metal airplanes were too complicated at one point.  Then we thought it was silly to fly planes without propellers.  The “sound barrier” was impossible to penetrate.  Swing winged aircraft would be the wave of the future – until stealth made them too risky for combat.

One of my favorite quotes is from Arthur C Clarke.  I’m sure you can guess which one of Clarke’s laws I’m referring to…

There is another quote that applies here, from Robert Heinlein: “When railroading time comes you can railroad—but not before.”

Back in the DOS days, PCs, particularly early ones, were not widely available, and just about everyone who had them were enthusiast/fans/early adopters.  Those folks formed a sufficiently large nucleus of expertise, along with some really revolutionary software, to drive the adoption of PCs.    That same cure of expertise does not exist today as far as Linux goes.  To be sure, there are a lot of folks who do have Linux skills but far too few to support a mass move to Linux.  Even so, those folks are not used to supporting end users and looking at end-user problems.

Finally, after many years with Windows (WfWG 3.11 in production use and MS-DOS from about version 3), I needed to set up some Linux machines.  It was not terrible but not remotely ready for the person whose next computer comes from Best Buy or Costco because, well, that’s where they sell computers.  Nothing I encountered could not be looked up with Google, but every single fix was command line.  That alone convinces me that Linux is not yet ready for prime time, i.e., outside of business or other setting where technical support is close at hand.

Reply | Quote

kewlputergeek wrote:

It’s not like installing Windows Updates is somehow guaranteed to be lower risk.

Microsoft stopped focusing on ensuring update quality some time ago.  Consequently, installing Windows Updates became a risk.

Viewing the user base as a bunch of unpaid beta testers is a pathetic approach to product support.

3 users thanked author for this post.

Charlie, Cybertooth, windbg

Reply | Quote

Which is why I switched to a Mac four years ago and have not looked back.  Reading this Forum and the issues with Microsoft and PCs reads like one horror story after another.

iPhone 13, 2019 iMac(SSD)

2 users thanked author for this post.

windbg, Fred

Reply | Quote

I liked Microsoft better under Balmer than Nadella.  I just think Windows has not been a priority in the right way for Nadella who seems more about cloud solutions and his obsession with making money from AI. Windows now is just a advertising platform for Microsoft who see’s Windows users as a captured group to push other Microsoft ecosystem of products.

Reply | Quote

As posted back in January 2024:

Microfix wrote:

I’m of the thought that it’s unlikely MSFT will re-issue a patch to replace/ supercede kb5034441 for W10.

NO surprises there then..
So, it’s up to the end-user to expand the WinRE partition and mitigate the bitlocker vulnerability only IF using bitlocker, otherwise hide kb5034441 using WUMgr or wushowhide and get on with life..

If debian is good enough for NASA...

Reply | Quote

Microfix wrote:

So, it’s up to the end-user to expand the WinRE partition and mitigate the bitlocker vulnerability only IF using bitlocker, <snip>

And it’s very easy to do.  I am greatly puzzled by the angst on this topic.  The Microsoft software update process has been awful since the 80’s.  This is not breaking news.

The people who subscribe to this forum can do this in their sleep.

Reply | Quote

kewlputergeek wrote:

Microfix wrote:

So, it’s up to the end-user to expand the WinRE partition and mitigate the bitlocker vulnerability only IF using bitlocker, <snip>

And it’s very easy to do.  I am greatly puzzled by the angst on this topic.  The Microsoft software update process has been awful since the 80’s.  This is not breaking news.

The people who subscribe to this forum can do this in their sleep.

Perhaps you have not seen a sufficiently large sample of PC HDD/SSDs to realize how screwed-up partition tables can get.  At a minimum, one needs third-party partition management software and/or scripts because Windows Disk Management will not touch the recovery partition.  If it was all that easy, Microsoft would have updated the patch to handle it automatically.

Also, many of the people who read this newsletter are responsible for dozens or hundreds of computers. which makes any sort of manual resizing impractical or even impossible due to time constraints, it nothing else.

1 user thanked author for this post.

satrow

Reply | Quote

MHCLV941 wrote:

Perhaps you have not seen a sufficiently large sample of PC HDD/SSDs to realize how screwed-up partition tables can get.  <snip> If it was all that easy, Microsoft would have updated the patch to handle it automatically. Also, many of the people who read this newsletter are responsible for dozens or hundreds of computers. <snip>

In 2024, it’s pretty rare to have partition table problems on a working drive.  Anyone who does have those problems should be dealing with them and not worrying about problems with this update.

To your scripting point, it is hard to automate to handle every situation.  The scripts and instructions that Microsoft did provide (posted several times on several threads in this forum) are very straightforward.  Have you looked at them?

If you look at the several threads on this forum about this topic, you will see that most of the people posting are clearly not supporting dozens or hundreds of computers.  Anyone who does have dozens or hundreds of computers to support with this issue has a legit gripe with Microsoft — no argument from me.

So, my point remains: anyone who needs Bitlocker to work on a machine that has a broken Bitlocker should manually install this update using the very clear, very easy to follow instructions and scripts provided.  That’s my opinion — fair enough if you have a different one.

Reply | Quote

kewlputergeek wrote:

anyone who needs Bitlocker to work on a machine that has a broken Bitlocker should manually install this update using the very clear, very easy to follow instructions and scripts provided. That’s my opinion — fair enough if you have a different one.

Easier said than implemented…

The script doesn’t account for the Recovery partitions that are first in the partition order, rather than the last.

Ideally, to fix that, a user would first image their drive, clean install Windows to get the partitions in the right order, then restore the partitions from the image…one at a time…following the new partition order.

Then, the “new” recovery partition could be expanded.

Might be a fun weekend project to do for a couple of computers….owned by a power user.

For sysadmins responsible for multiple computers, it would be a nightmare.

Not everyone has migrated to Windows 11, and not everyone who runs BitLocker is a power user.

Microsoft is accountable for creating an untenable situation for a large portion of their user-base.

They should have done better…

 

5 users thanked author for this post.

windbg, Cybertooth, MHCLV941, Alex5723, Fred

Reply | Quote

Updated : KB5028997: Instructions to manually resize your partition to install the WinRE update

1 user thanked author for this post.

windbg

Reply | Quote

OldGuyForum wrote:

The script doesn’t account for the Recovery partitions that are first in the partition order, rather than the last.

That is the situation with my Windows 10 Pro 22H2.

Reply | Quote

[Fred]

@OldNavyGuy Right! This is quite so.
I had to deal with this on a few private laptops. That was a timeconsuming job, and nasty too; till some ‘good spirit’ here told to expand the RE-partition, and get it at the right place ….
That was a lot of (microsoft)fröbel-therapy on a rainy day 🤔 (all W10, home+pro).
Than my main machine broke down beyond repairs, and getting a new one was rather expensive when staying within the parameters of hardware that fits together; anyway that was/is the intention…. Now W11pro neatly and cleanly installed at C: partition uses about 110GB (!!) at a partition of 150GB, And
do Not let Windows choose the main drivers…
Programs and documents installed at D: , and some hobby-stuff at E:

Finaly this it not funny anymore: all is high on specs prices and space. Whatfor? Just to write a letter or so?

When all people getting and being more depending on computers, with Windows11 coming without choice, perhaps Microsoft will awaken and changes their attitue in servicing the public? Please?

* _ ... _ *

• This reply was modified 10 months, 1 week ago by Fred.
• This reply was modified 10 months, 1 week ago by Fred.

Reply | Quote

Alex5723 wrote:

That is the situation with my Windows 10 Pro 22H2.

Shawn Brink on TenForums mentions that the Recovery partition was created as the last partition in the order, starting with Windows 10 2004 (which for you non-geezers is actually 2020, and the 4th month).

Windows 10 1909 and earlier created it as the first partition.

I remember doing a drive image, clean install, and image restore partition-by-partition to get them in the “new” order back in the day for our systems.

Of course if you did an in-place upgrade for each feature update, nothing moved.

Imagine doing that dance for 100…1,000, 10,000 systems or more that had been feature updated with in-place upgrades since version 1909.

Who knows if or when the Recovery partition will need to be resized again in the future…we don’t have the bandwidth for that kind of nonsense.

I think we’ll be turning off BitLocker and replacing it with VeraCrypt, killing the Recovery partition, and using a bootable Windows ISO as our “recovery” tool.

Good enough for our use cases.

YMMV

 

 

4 users thanked author for this post.

Cybertooth, Alex5723, MHCLV941, Fred

Reply | Quote

kewlputergeek wrote:

In 2024, it’s pretty rare to have partition table problems on a working drive.  Anyone who does have those problems should be dealing with them and not worrying about problems with this update.

A poorly laid-out partition table might be uncommon on a new computer, but many OLD computers have them.  Those computers have been working for years because those tables make no difference in day-to-day operations.

Reply | Quote

OldGuyForum wrote:

Microsoft is accountable for creating an untenable situation for a large portion of their user-base. They should have done better…

Whatever else can be said about this mess, this is inescapably true.

Reply | Quote

MHCLV941 wrote:

A poorly laid-out partition table might be uncommon on a new computer, but many OLD computers have them.

True.  Anyone who has an old computer has the same problem as someone who has an old car or old knees: at some point, the ROI for repairs goes down.

I don’t disagree with any of the points you made, and I said in my first post on this thread that Microsoft did a bad job IMO.

The fact remains: anyone who has a broken Bitlocker and wants it not to be broken is currently short on options.  A very good option is the scripts, and the last fallback for a DIYer is the easy to follow list of manual steps.  I don’t doubt that some users will have a situation where both methods fail — as usual for Microsoft updates from the beginning of Windows (2.1 for me).

I can solder new capacitors onto my TV’s power board and replace the run capacitor in my HVAC condenser unit.  But, sometimes I have to call a pro to repair or replace.  It’s the same thing here.

This problem has a pretty decent DIY solution, and I continue to be confused by how much consternation it has caused.  Microsoft has never cared about fixing unusual update problems that have a workaround — and they still don’t.  Once we get past the fact that things shouldn’t be this way, we’re left with doing what we need to do.

If anyone out there has tried the scripts and/or manual workarounds and failed to install — and actually needs Bitlocker working, of course — post your problems here.  Maybe the rest of us here can help.  I’ll burn some time trying.

Reply | Quote

Bitlocker is not broken without the recovery partition patch, it’s just slightly less secure for a stolen computer if a pre-boot authentication PIN has not been enabled. But Bitlocker has always been less secure due to other potential attack vectors if a pre-boot PIN is not enabled.

Intrepid wrote:

This vulnerability does not apply if you use Bitlocker and are setup with a Pre-Boot PIN. In other words, it will prevent this exploit. That means the Windows Update KB5034441 becomes irrelevant.
You should have your laptop Bitlocker setup so that you must type in a PIN before it will boot. This is the best and safest way to use Bitlocker. If you’re experienced and use Bitlocker, here is how to add a Pre-boot PIN:
https://www.howtogeek.com/262720/how-to-enable-a-pre-boot-bitlocker-pin-on-windows/

2 users thanked author for this post.

kewlputergeek, windbg

Reply | Quote

Microfix wrote:

NO surprises there then..
So, it’s up to the end-user to expand the WinRE partition and mitigate the bitlocker vulnerability only IF using bitlocker, otherwise hide kb5034441 using WUMgr or wushowhide and get on with life..

in which hiding/blocking the KB5034441 Win10 update with wushowhide.diagcab, wumgr, windows update minitool or WAU Manager is a far better and easier option for me than to resize the recovery partition, since some of my old PCs do NOT have a recovery partition.

and if that update shows up or is being offered to my Win10 PCs in the future, I will hide/block it again and again and again until one day Microsoft decides to permanently stop offering it.

1 user thanked author for this post.

Cybertooth

Reply | Quote

OldGuyForum wrote:

Windows 10 1909 and earlier created it as the first partition.

My 6 years old Lenovo laptop came with Windows 1809 and has been upgraded up to 22H2.

Reply | Quote

Microsoft may default-encrypt your data with BitLocker on Windows 11 24H2 Home PCs too

..German news outlet Deskmodder reports that the next major Windows 11 version, 24H2, also called the 2024 update, may enable BitLocker by default during installation, and this may seemingly be happening across multiple editions of Windows 11, including Home.

The site noticed the change when running a Windows 11 24H2 installation using the new redesigned Setup..

* Users with no Microsoft account won’t be able to save Bilocker key.

Reply | Quote

As introduced more than 10 years ago with Windows 8.1?

Reply | Quote

b wrote:

As introduced more than 10 years ago with Windows 8.1?

?

I never had Bitloker on by default on any Windows 10 version.

Reply | Quote

Windows 8.1 Will Start Encrypting Hard Drives By Default: Everything You Need to Know — OCT 12, 2013

On supported devices running Windows 10 or newer BitLocker will automatically be turned on the first time you sign into a personal Microsoft account (such as @outlook.com or @hotmail.com) or your work or school account.

Device encryption in Windows

Reply | Quote

b wrote:

the first time you sign into a personal Microsoft account (such as @outlook.com or @hotmail.com)

There is no Microsoft account on any of my installations, and I have BitLocker disabled in Services.  I have no  use for encryption, and I’ve never been bothered with BitLocker.

Always create a fresh drive image before making system changes/Windows updates; you may need to start over!

We all have our own reasons for doing the things that we do with our systems; we don't need anyone's approval, and we don't all have to do the same things.

We were all once "Average Users".

Computer Specs

1 user thanked author for this post.

Alex5723

Reply | Quote

b wrote:

Bitlocker is not broken without the recovery partition patch, it’s just slightly less secure for a stolen computer if a pre-boot authentication PIN has not been enabled.

Well… I’d call having my encrypted data exposed to a low complexity attack using a simple WinRE bypass “broken?”

Agree with your point that not having a PIN is kinda crazy, but this potential exploit is not like the other known potential PIN-less exploits (e.g. a bootable eDrive).  The plain English version of this exploit is “If I have your PC and you have the bad WinRE installed, you don’t really have encryption.”  That’s broken in my book.

Reply | Quote

kewlputergeek wrote:

Well… I’d call having my encrypted data exposed to a low complexity attack using a simple WinRE bypass “broken?”

Is the WinRE bypass really simple? It sounds quite complex to me and I wonder if anyone outside of Microsoft knows how it could be exploited?

Exploit Details

The CVE-2024-20666 exploit takes advantage of a flaw in the way BitLocker parses and validates input data. By crafting a specific input string, an attacker can trigger a series of events that ultimately lead to the bypass of BitLocker’s security features. The exploit bypasses the standard security checks, allowing an attacker to access data without the correct decryption key.

CVE-2024-20666: BitLocker Security Feature Bypass Vulnerability – A Deep Dive into the Exploit and How to Mitigate It

P.S. I just realized that Microsoft’s acknowledgment for the vulnerability disclosure is intriguing:

Acknowledgements — Zammis Clark

https://en.wikipedia.org/wiki/Zammis_Clark

1 user thanked author for this post.

kewlputergeek

Reply | Quote

b wrote:

Is the WinRE bypass really simple? It sounds quite complex to me and I wonder if anyone outside of Microsoft knows how it could be exploited?

Seems pretty simple in concept to me?  Anyone who has examined the underlying code should be able to figure out how to get the right bad input into it — since it’s not sanitized.

The opinion re: the attack complexity is not mine — it’s Microsoft’s: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-20666

Great find in the acknowledgements — thanks for sharing that!  He sure keeps busy!

1 user thanked author for this post.

b

Reply | Quote

Thanks Susan for the update. MSFT patches have become more frustrating vs being helpful I feel. I think they just don’t care for about the consumer any longer nor the MSPs/IT Tech companies that have to fix their “SHTUFF”.
When you posted this earlier this year I created a blog (https://jvhconsulting.com/2024/01/13/windows-10-kb5034441-security-update-fails-with-0x80070643-errors/) to show how to resize the partition to install but also found quick powershell means to just block the patch which I run on all my supported endpoints:
Set-ExecutionPolicy Unrestricted -Force 
Install-Module -name PSWindowsUpdate -Force
Hide-WindowsUpdate -KBArticleID KB5034441 -AcceptAll

Works like a charm. Can also run: Get-WindowsUpdate -IsHidden to show which patches are hidden on the computer.

On another note, has anyone noticed a trend lately of more computer systems blue-screening – I have in the past few weeks has about a dozen computers run into this problem Varios BSOD stop errors but all have similar resolutions: Run Verifier.exe /reset (or verifier /bootmode resetonbootfail) to get the systems to stop having BSODs.
In the words of Elmer Fudd, dere’s something skewy going on here!

2 users thanked author for this post.

windbg, kewlputergeek

Reply | Quote

Joost van Haaren wrote:

On another note, has anyone noticed a trend lately of more computer systems blue-screening

Now that you mention it, I haven’t seen a BSOD in many years.  I wouldn’t have bet anyone $5 that I could go a year without seeing one.

Thanks for the Verifier tip in the event my streak of good fortune ends soon!

1 user thanked author for this post.

Fred

Reply | Quote

My SyncroMSP RMM monitors for BSODs – especially since I’ve seen a few tickets from clients – so now when it happens, the alert automatically runs a bluescreen application to analyze the stop/dump and tell me what driver/thing caused the bsod.  Most all of them lately have been due to bad driver or unsigned one – and the Verifier tool helps resolve it for the most part.

Thanks!

3 users thanked author for this post.

kewlputergeek, MHCLV941, Fred

Reply | Quote

Thanks for the blog, good work.
The Verifier.exe, can you publish more about this ‘lifesaver’ pls?
(or give some directions)
Thanks in advance

* _ ... _ *

3 users thanked author for this post.

kewlputergeek, MHCLV941, Cybertooth

Reply | Quote

https://learn.microsoft.com/en-us/windows-hardware/drivers/devtest/driver-verifier

Driver developers use this tool when writing and debugging drivers for Windows.  MS says Caution:

• Running Driver Verifier could cause the computer to crash.
• You should only run Driver Verifier on computers that you are using for testing and debugging.

Windows 10 22H2 desktops & laptops on Dell, HP, ASUS; No servers, no domain.

2 users thanked author for this post.

satrow, Fred

Reply | Quote

There have been cases of verifier leaving a PC in an unusable state, almost all BSOD helpers still give info on how to set it with a safeguard and howto to enable recovery.

Bailout info here (PDF mentioned in the topic appears to be inaccessible now, have flagged it up for the author).

Reply | Quote

Now that you mention it, I haven’t seen a BSOD in many years.

Ditto

Desktop Asus TUF X299 Mark 1, CPU: Intel Core i7-7820X Skylake-X 8-Core 3.6 GHz, RAM: 32GB, GPU: Nvidia GTX 1050 Ti 4GB. Display: Four 27" 1080p screens 2 over 2 quad.

Reply | Quote

TechTango wrote:

Now that you mention it, I haven’t seen a BSOD in many years.

Ditto

You just had to go and say that out loud, didn’t you!!??  😉

Reply | Quote

MHCLV941 wrote:

TechTango wrote:

Now that you mention it, I haven’t seen a BSOD in many years.

Ditto

You just had to go and say that out loud, didn’t you!!??  😉

Whaha

* _ ... _ *

Reply | Quote

Question for all!

I have a few clients running on Windows 10 22H2 that have seen a significant slowed performance after the June 2024 Patches.  When we uninstalled the 5039211 patch it resolved the issue but then MSFT pushed the 5037768 patch that you can’t uninstall and the performance issue is still apparent.  I’ve tried running sfc and dism scans to fix but hasn’t helped.  I’m about to suggest a rebuild but that will be a PITA and cause hardship to the client.

Any ideas/thoughts on how to address/fix this problem?  (again it’s happened to at least 2 clients at same office).

Thanks

Joost

1 user thanked author for this post.

Fred

Reply | Quote

[Fred]

One I chased such a incomprehensible unrepairable fault.
Got it solved by running and repairing with chkdsk ALL partions on the hard disk, including the RE and UEFI parts.
Somewhere there was a file error + a error in the Bitmap. How come? History didn’t tell.
Than repaired the RE with various Dism commands to rebuild RE; the Bitmap of the UEFI part was repaired by chkdsk.
After that a repair install made it right. (Many hours later).

* _ ... _ *

• This reply was modified 8 months, 3 weeks ago by Fred.

Reply | Quote

Joost van Haaren wrote:

Any ideas/thoughts on how to address/fix this problem?

In many cases repair/install will fix many of Windows OS problems

Reply | Quote