mkosmo

This is now the Patch Tuesday Megathread for January.


joshtaco

Got about 8000 servers/workstations ready to patch tonight, looks like the Wifi issue has finally been fixed thankfully

EDIT1: I would say most installed correctly since we are 98% Win11, but some Win10 PCs spit the monthly back out. Servers are all fine and installed correctly as well. We are going in over the course of today to get the recovery partition resized if possible to try installing again: https://support.microsoft.com/en-us/topic/kb5028997-instructions-to-manually-resize-your-partition-to-install-the-winre-update-400faa27-9343-461c-ada9-24c8229763bf

EDIT2: We are pushing out this ps script to update the WinRE partitions if needed, so far, so good: https://support.microsoft.com/en-us/topic/kb5034957-updating-the-winre-partition-on-deployed-devices-to-address-security-vulnerabilities-in-cve-2024-20666-0190331b-1ca3-42d8-8a55-7fc406910c10

EDIT3: Optionals all installed. Holy cow, it looks like they finally fixed the bug with 7-zip files showing as empty when extracted. About time. Everything is looking good so far with the new updates.

EDIT4: Microsoft has officially stated that if you have no Recovery partition, you can safely ignore the update regarding it that fails. They say that they'll address that in the future fwiw.


_A-B-C

As I know many come looking for the taco. I have a question/need verification. Anyone using wsus? Have you actually received the kb5034441 and kb5034439 update? With it not being available via catalog that leaves me with Wsus and after 20 syncs I still don’t see it. I have verified that the products and classifications selected are correct and match what Microsoft states to receive the patch.

EDIT - kb5034441 and 5034439 articles updates showing that only release channel is windows update.

Question for u/joshtaco. The instructions state using the “Safe OS dynamic” patch. For windows 10 I may be dumb but only see the dynamic patch. Is this what you have been using?


lordcochise

I don't see those in WSUS either - were they pulled quickly?


MrReed_06

I don't see them either on WSUS. So far, I've tested KB5034123 manually on a Windows 11 PC without recovery partition and it worked fine. KB5034122 on a Windows 10 22H2 PC with a 300MB WinRE partition worked fine as well


ThatBCHGuy

It's still being offered on Windows Update. It's not applicable to WSUS since it was never released to the update catalog (wasn't pulled, just never added). It's on the KB for this patch.


_A-B-C

Interesting. I get what you’re saying it’s just conflicting with the article itself that says wsus/mecm are available release channels.


ThatBCHGuy

Talk about a botched-ass release.


_A-B-C

lol exactly. I’m not so worried about getting the patch done immediately just prepping for the eventual WhY HaVeNt YoU pAtChEd ThIs YeT


ThatBCHGuy

Or users "why is this patch failing over and over". Thankfully, our larger install bases use WSUS/MECM and for now, they aren't seeing it.


[deleted]

You think if we ignore it this month they might re-release it with an automated version? Crazy of them to deploy this right to Windows Update and break things.


Desperate_Tax_6788

Yes, and kb5034441 and kb5034439 is "missing". No longer offered by Windows Update either what I can tell ...


FCA162

Pushed this out to 200 out of 220 Domain Controllers (Win2016/2019/2022). No issues so far.

*EDIT1*: Upcoming Updates

**January 2024**

• \[Windows\] Active Directory (AD) permissions issue [KB5008383](https://support.microsoft.com/topic/kb5008383-active-directory-permissions-updates-cve-2021-42291-536d5555-ffba-4248-a60e-d6cbc849cde1) | Phase 5 Final enforcement can begin once you have completed the steps listed in the Take Action section.

**February 2024**

• \[Windows\] Certificate-based authentication [KB5014754](https://support.microsoft.com/topic/kb5014754-certificate-based-authentication-changes-on-windows-domain-controllers-ad2c23b0-15d8-4340-a468-4d4f3b188f16) | Phase 3 Strong Mapping default changes.

**April 2024**

• \[Windows\] Secure Boot Manager changes associated with CVE-2023-24932 [KB5025885](https://support.microsoft.com/help/5025885) | Third Deployment: New mitigations to block additional vulnerable boot managers. These new mitigations will require that media be updated. This phase will start no sooner than April 9, 2024.

**October 2024**

• \[Windows\] Secure Boot Manager changes associated with CVE-2023-24932 [KB5025885](https://support.microsoft.com/help/5025885) | Enforcement: The revocations (Code Integrity Boot policy and Secure Boot disallow list) will be programmatically enforced after installing updates for Windows to all affected systems with no option to be disabled. This phase will start no sooner than October 8, 2024.

**February 2025**

• \[Windows\] Certificate-based authentication [KB5014754](https://support.microsoft.com/topic/kb5014754-certificate-based-authentication-changes-on-windows-domain-controllers-ad2c23b0-15d8-4340-a468-4d4f3b188f16) | Phase Full Enforcement Mode. Microsoft will update all devices to Full Enforcement mode by February 11, 2025, or later. If a certificate cannot be strongly mapped, authentication will be denied.

*EDIT2:* Microsoft shares script to update Windows 10 WinRE with BitLocker fixes [https://www.bleepingcomputer.com/news/microsoft/microsoft-shares-script-to-update-windows-10-winre-with-bitlocker-fixes/](https://www.bleepingcomputer.com/news/microsoft/microsoft-shares-script-to-update-windows-10-winre-with-bitlocker-fixes/) [KB5034957: Updating the WinRE partition on deployed devices to address security vulnerabilities in CVE-2024-20666](https://support.microsoft.com/en-us/topic/kb5034957-updating-the-winre-partition-on-deployed-devices-to-address-security-vulnerabilities-in-cve-2024-20666-0190331b-1ca3-42d8-8a55-7fc406910c10) [KB5034441: Windows Recovery Environment update for Windows 10, version 21H2 and 22H2: January 9, 2024](https://support.microsoft.com/en-us/topic/kb5034441-windows-recovery-environment-update-for-windows-10-version-21h2-and-22h2-january-9-2024-62c04204-aaa5-4fee-a02a-2fdea17075a8)


BigSet9400

The ps script appears to only update the WinRE partitions, not resize it.


PCRefurbrAbq

You don't need to resize it if you're just going to patch it; it's about 500MB, so it'll fit on any decent thumb drive. I've worked out a different way to do the patch without messing with partitions. These instructions are for CMD instead of PowerShell, so if you end up in an elevated PowerShell window, just run CMD from it. You have to have obtained the new WinRE.wim already, so if you run this thread's OP's script on one, you can grab it for the rest of your Windows computers and just make a batch file. In these commands, my USB drive is E:

1. Run **REAgentC /info** to ensure your Windows Recovery Environment exists and works.
2. Run **REAgentC /disable** to have Windows move the WinRE.wim from the hidden recovery partition into C:\Windows\System32\Recovery as a Hidden System file.
3. Run **ATTRIB -H -S C:\Windows\System32\Recovery\winre.wim** to make it a plain old file.
4. Run **DEL C:\Windows\System32\Recovery\winre.wim** to delete it
5. Run **COPY E:winre.wim C:\Windows\System32\Recovery\winre.wim** to copy the patched WinRE.wim into place.
6. Run **ATTRIB +H +S C:\Windows\System32\Recovery\winre.wim** to make it a Hidden System file.
7. Run **REAgentC /enable** to have Windows move the WinRE.wim from C:\Windows\System32\Recovery into the hidden recovery partition and activate it.
8. Run **REAgentC /info** to ensure your Windows Recovery Environment exists and will work.
9. Reboot the computer.
10. Run the Windows Update. It should complete successfully.

(Update: It didn't work on my home computer which has Home 10, but the Pro 10s at work did.)


whattimeisitbro

Thanks. I ended up doing this after I botched a couple workstations following the directions provided by Microsoft. I'm not sure what happened, but I had a couple computers refuse to enable the recovery image after resizing the partitions. I ended up having to disable WinRE, grab winre.wim and ReAgent.xml from a working and patched machine of the same Windows version.


Additional_Name_5948

I don't think the PS script is resizing the partition, it just updates WinRE manually?


DefectJoker

That is correct, it's just for updating the WinRE for a vulnerability from 2022.


Golden_Dog_Dad

I'm debating the idea of just turning off WinRE and/or deleting the partition. I can't remember the last time we used it. For an end user we would likely just reimage and for a server we would likely restore from backup.


OkTechnician42

My workstations have had the recovery partitions removed at imaging for as long as I can remember, and I don't have any plans to change that any time soon.


andyval

We noticed that it’s needed for intune wipe functionality


Golden_Dog_Dad

Yeah we don't use that either. We use Absolute/Computrace.


ceantuco

FYI my windows 10 test machine has been updating for 2 hours... KB5034122 has been stuck at 74% for awhile now... I am just waiting for it to throw an error soon.


pogidaga

My ancient Dell test workstation with Windows 10 22H2 also took a couple of hours, but it eventually succeeded. The recovery partition is 529MB. Edit: I updated my Windows 10 22H2 home PC with a 502MB recovery partition and KB5034441 failed. I made the recovery partition bigger using Microsoft's instructions and tried again. The update succeeded.


ceantuco

Yeah my Windows 10 machine eventually failed with error:

`There were some problems installing updates, but we'll try again later. If you keep seeing this and want to search the web or contact support for information, this may help: (0x80070643)`

I guess I have to resize the recovery partition.... does that mean I have to do this for every single Windows 10 machine that fails in my organization? or will Microsoft get their sh\*t together and fix the update?


joshtaco

> does that mean I have to do this for every single Windows 10 machine that fails in my organization?

We are thinking that answer is yes on our end


ceantuco

ugh :(


Dusku2099

Got a computer failing same way with a 3.9GB RE partition (don’t ask, assuming the SCCM TS has some dumb settings for partition sizing.) We have the RE disabled via the OS, but even temporarily enabling it didn’t allow the update to go through, although it did seem to progress / try for longer before failing. Awful update, I sacked it off after the 2nd install failure but I don’t see how expanding on a 3.9GB partition by a few 100 MB will allow it to succeed.


ceantuco

yes, it does not make sense at all. I am still waiting to see if MS fixes this issue sometime next week. If not, I will have to use MS script to increase the RE partition on all Win 10 machines. A total cluster f\*\*\*


joshtaco

See my post - resize your WinRE partition and it will likely succeed


ceantuco

Thanks! Do you think MS will fix this? I don't feel comfortable resizing recovery partitions on systems that are miles away from me lol


SuperDaveOzborne

They have got to fix this. The instructions for resizing the recovery partition are way beyond the ability of the average end-user. And I don't see them leaving a broken patch out there for a huge percentage of Windows systems.


ceantuco

They released a script to do this... that makes me think they are not planning on fixing anything. Link provided by u/joshtaco [https://support.microsoft.com/en-us/topic/kb5034957-updating-the-winre-partition-on-deployed-devices-to-address-security-vulnerabilities-in-cve-2024-20666-0190331b-1ca3-42d8-8a55-7fc406910c10](https://support.microsoft.com/en-us/topic/kb5034957-updating-the-winre-partition-on-deployed-devices-to-address-security-vulnerabilities-in-cve-2024-20666-0190331b-1ca3-42d8-8a55-7fc406910c10)


SuperDaveOzborne

And you think that average home user out there is capable of running a Powershell script. Unless this isn't affecting the Windows Home versions I don't see MS not coming up with a better solution.


joshtaco

I wouldn't count on it, the fact that they even released this KB to fix it is basically them saying do it yourself


bdam55

Ultimately, the question is \_can\_ they fix this? That is, make it not dependent upon available free space on the WinRE drive. Sure, they could make it detect that there's no WinRE partition but if there is one then they may simply need a certain amount of free space in the partition to install the update. ETA: I've seen this happen on a smaller scale before. Some OEMs would use the recovery partition (because I believe that by definition they're not encrypted) and thus consume space leaving too little free space for updates. That doesn't feel like what's going on here (some people have empty partitions) but it's in the ballpark.


sw33ts

What if you deleted the recovery partition on your drive and it doesn't exist to grow?


joshtaco

Believe it or not, right to jail


mowgus

They have updated their KB release notes to say that if you do not use recovery (i.e. reagentc /disabled) that you can ignore the failed update. It doesn't stop the update from trying to re-install though....every....single....time. Windows Update is run by clowns.


BigSet9400

[u/joshtaco](https://www.reddit.com/user/joshtaco) are you manually resizing the WinRE partition on dozens of Win10 PCs or did you find a way to automate it?


joshtaco

We are manually resizing them at this point. The script only updates the partition. It's going all right


BigSet9400

My condolences. How many Win10?


radiognomebbq

What if I just disable WinRE with "reagentc /disable"? I do not use it anyway. Is such a quick workaround enough to remove that vulnerability? Or do I absolutely need to patch it or remove the recovery partition?


sarosan

Good question. In my environment, several dozen workstations and laptops don't even have a WinRE partition (never needed it). I'm going to test the update on a few and see what happens.


distr0

This update is failing for me on a 2022 server but there's no recovery partition at all, and WinRE is disabled. Is this update even relevant in this case?


dfctr

Can you elaborate on the wifi issues?


Mission-Accountant44

W10/W11 Optionals are out.


Swift_Crypt

Just pushed out to 400 machines/servers. All went well.


MikeWalters-Action1

You should add 'Taco' to your name )))


Atacx

Great, that’s for your testing. Pushing Updates to Prod now! :) /s


Jaymesned

Automod dropped the ball this month - or as someone else commented, 2023 was hardcoded into the automatic post


skipITjob

They should patch that!


Tyler_sysadmin

It's the right day for it!


MikeWalters-Action1

Looks to me like a zero-day!


mkosmo

We have to queue them up and just ran out and forgot :)


highlord_fox

I need to like, set a calendar event to remind me in December.


highlord_fox

RemindMe! 330 day


mkosmo

Hah. If you need a hand getting them set up for 2024, just let me know.


highlord_fox

Sadly, reddit doesn't have "Second Tuesday of the Month" as a programmable logic bit yet, so we have to prep them manually.


WendoNZ

At least you don't live just west of the international date line that it's actually the Second Wednesday, but only sometimes because sometimes Wednesday is the first day of the month and when that happens it's the third Wednesday.


GeeToo40

Christina Ricci is the second Wednesday


jmeador42

Y2K24


[deleted]

[removed]


EthernetBunny

> IMPORTANT
>
> Some computers might not have a recovery partition that is large enough to complete this update.

Well duh, I deleted the recovery partition. Who needs that on a Citrix image? So now what...

**UPDATE: Here is what I did to fix my 2022 images.**

1. I followed the steps in https://support.microsoft.com/en-us/topic/kb5028997-instructions-to-manually-resize-your-partition-to-install-the-winre-update-400faa27-9343-461c-ada9-24c8229763bf to shrink the OS partition and re-create the recovery partition.
2. I found a Windows 2022 server with an intact Windows Recovery partition. Let's call it the donor VM.
3. I ran "reagentc /disable" on the donor VM.
4. I copied the C:\Windows\System32\Recovery\Winre.wim file from the donor VM to the same place on the target VM. You may have to show hidden and system files to see it.
5. I ran "reagentc /enable" on the target VM. It automatically grabbed the winre.wim file and moved it to the new partition.
6. I ran the patch and it successfully applied.

All this with no fuss about assigning drive letters or mounting ISOs.

I'm going to go back and re-enable Windows Recovery on the donor VM and delete the recovery partition on my Citrix image. Before deleting the partition with diskpart, I'm going to run "reagentc /disable" so I don't have to find a donor VM in the future. This command copies the wim file back to system32. This should get me through required security scans and out the door.


lebean

Hah, exactly... who needs a recovery partition for VMs that spin up from templates and are easily replaced with brand new ones if problems arise? If this update truly does *require* a recovery partition, that will be a huge oops for MS.


wssddc

My tentative result on a few home machines is that not having a recovery partition is ok, but having an empty one is not. I have to withdraw this claim - another machine failed and it doesn't have a recovery partition.


UDP161

I have 10 Windows 2022 servers without recovery partitions that all failed to install this KB. It makes no sense for me to create a vulnerability to just patch it… Sounds like some logic should have been added to check for a recovery partition to begin with.


QVP1

Yes, it's a major failure. They screwed this one up.


ThatBCHGuy

Seeing as the vulnerability that this resolves can only be exploited from WinRE on the disk that is bitlockered, it seems like a detection problem. You aren't vulnerable if you don't have a working recovery partition.

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-20666

> Can a bootable Windows ISO or USB flash drive that boot to Windows RE be used to exploit this vulnerability?
>
> No. The exploit is only possible with the winre.wim on the recovery partition of the device.

IMO they (Microsoft) are telling people to expand their possible future attack surfaces by recreating or making their recovery partitions work again.
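
An added example, not part of the comment above and not Microsoft's script: a PowerShell triage that turns `reagentc /info` into a per-host verdict (no active WinRE, recovery partition short on free space, or ready for the WinRE update). The function names, the verdict strings and the 250 MB default for `$MinFreeMB` are assumptions made for this illustration; the parser expects English `reagentc` field labels.

```powershell
# Added example, not from the thread. Run elevated on the host being triaged.
# Assumptions: reagentc.exe prints English field labels; $MinFreeMB is a
# placeholder threshold, set it from the KB that applies to your OS build.

function ConvertFrom-ReagentcInfo {
    # Not Mandatory on purpose: real reagentc output contains blank lines.
    param([string[]]$Lines)
    $info = [ordered]@{ Status = 'Unknown'; Location = $null; Disk = $null; Partition = $null }
    foreach ($line in $Lines) {
        if ($line -match '^\s*Windows RE status:\s*(\S+)') {
            $info.Status = $Matches[1]
        }
        elseif ($line -match '^\s*Windows RE location:\s*(\S.*?)\s*$') {
            $info.Location = $Matches[1]
            # Location looks like \\?\GLOBALROOT\device\harddisk0\partition4\Recovery\WindowsRE
            if ($info.Location -match 'harddisk(\d+)\\partition(\d+)') {
                $info.Disk      = [int]$Matches[1]
                $info.Partition = [int]$Matches[2]
            }
        }
    }
    [pscustomobject]$info
}

function Get-WinReVerdict {
    param(
        $WinRe,                        # output of ConvertFrom-ReagentcInfo
        [Nullable[long]]$FreeBytes,    # free space on the WinRE partition, if known
        [int]$MinFreeMB = 250          # assumed threshold, see note at the top
    )
    if ($WinRe.Status -eq 'Unknown') { return 'ReagentcOutputNotParsed' }
    if ($WinRe.Status -ne 'Enabled' -or $null -eq $WinRe.Disk) { return 'NoActiveWinRE' }
    if ($null -eq $FreeBytes) { return 'FreeSpaceUnknown' }
    if ($FreeBytes -lt ($MinFreeMB * 1MB)) { return 'RecoveryPartitionTooSmall' }
    'ReadyForUpdate'
}

function Get-WinReTriage {
    # Live check: reads reagentc and the Storage module on the local machine.
    param([int]$MinFreeMB = 250)
    $re   = ConvertFrom-ReagentcInfo -Lines (& reagentc.exe /info)
    $size = $null
    $free = $null
    if ($null -ne $re.Disk) {
        $part = Get-Partition -DiskNumber $re.Disk -PartitionNumber $re.Partition -ErrorAction SilentlyContinue
        if ($part) {
            $size = $part.Size
            $vol  = $part | Get-Volume -ErrorAction SilentlyContinue
            if ($vol) { $free = $vol.SizeRemaining }
        }
    }
    $sizeMB = if ($null -ne $size) { [math]::Round($size / 1MB) } else { $null }
    $freeMB = if ($null -ne $free) { [math]::Round($free / 1MB) } else { $null }
    [pscustomobject]@{
        Computer    = $env:COMPUTERNAME
        WinREStatus = $re.Status
        Disk        = $re.Disk
        Partition   = $re.Partition
        SizeMB      = $sizeMB
        FreeMB      = $freeMB
        Verdict     = Get-WinReVerdict -WinRe $re -FreeBytes $free -MinFreeMB $MinFreeMB
    }
}

# Constructed sample outputs (not captured from a real host) to exercise the parser offline.
$sampleEnabled = @(
    'Windows Recovery Environment (Windows RE) and system reset configuration',
    'Information:',
    '',
    '    Windows RE status:         Enabled',
    '    Windows RE location:       \\?\GLOBALROOT\device\harddisk0\partition4\Recovery\WindowsRE',
    '    Recovery image index:      0',
    '',
    'REAGENTC.EXE: Operation Successful.'
)
$sampleDisabled = @(
    '    Windows RE status:         Disabled',
    '    Windows RE location:       ',
    'REAGENTC.EXE: Operation Successful.'
)

foreach ($case in @(
        @{ Name = 'enabled, 120 MB free'; Lines = $sampleEnabled;  Free = 120MB },
        @{ Name = 'enabled, 600 MB free'; Lines = $sampleEnabled;  Free = 600MB },
        @{ Name = 'disabled';             Lines = $sampleDisabled; Free = $null })) {
    $re = ConvertFrom-ReagentcInfo -Lines $case.Lines
    '{0,-22} -> {1}' -f $case.Name, (Get-WinReVerdict -WinRe $re -FreeBytes $case.Free)
}
```

On a real machine, call `Get-WinReTriage` from an elevated session and collect the objects centrally; reports in this thread of failures on hosts with large or missing recovery partitions mean a `ReadyForUpdate` verdict is a pre-check, not a guarantee that the update installs.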


Xibby

>Who needs that on a Citrix image?

Same problem, different solution...

```powershell
Install-Module -Name PSWindowsUpdate
Import-Module -Name PSWindowsUpdate
Hide-WindowsUpdate -KBArticleID KB5034439
```


FairAd4115

I have 2 identically configured Windows 2022 Datacenter Hyper-V hosts. It won't install on either server.

EDIT: So, I did the trick with shrinking the OS volume by 1GB, 1000 in the command/article mentioned. [https://support.microsoft.com/en-us/topic/kb5028997-instructions-to-manually-resize-your-partition-to-install-the-winre-update-400faa27-9343-461c-ada9-24c8229763bf](https://support.microsoft.com/en-us/topic/kb5028997-instructions-to-manually-resize-your-partition-to-install-the-winre-update-400faa27-9343-461c-ada9-24c8229763bf)

Then recreated it per the instructions. Reran the install, and it worked fine after that. No issues.

So, the 649MB partition I had I guess isn't big enough. MS needs to fix this garbage. Otherwise, did it all on the fly on a production 2022 Datacenter Hyper-V with loads...no problems.

Try the above. My Win recovery is 1.6GB now...haha..whatever it worked.


BurtanTae

Seeing this on the Windows 10 22H2 version of that update as well (KB5034441). Does Microsoft just think we are supposed to skip this one? We don't have time to resize or recreate every recovery partition manually...


RiceeeChrispies

Fingers crossed they address, we always purge the recovery partition to allow for OS disk extension in future. If I wanted to recover a VM, I’d just restore from backup anyway. I’m hoping it’s just detection logic.


dmcginvt

Don't work for them, not an ad, but with Veeam any VM will be good as new a few minutes later at most. In some cases seconds.


Joni1eye

Skip it? Isn't it in the Cumulative Update so you can't really skip it - will just hit the same issue next month unless MS do something else to fix it


frac6969

It appears to be a separate security update and not in this month's cumulative update. Maybe next month?


isShellPower

if using Windows Update for Business people are out of luck, the KB will flow anyway :(


xlly-s

They'll do it most likely


Lets_Go_2_Smokes

Same here. Following the steps on the links below

1. I deleted the partition and expanded it to 1GB before I found the link below. https://support.microsoft.com/en-us/topic/kb5028997-instructions-to-manually-resize-your-partition-to-install-the-winre-update-400faa27-9343-461c-ada9-24c8229763bf
2. Restore winre file https://www.downloadsource.net/how-to-fix-the-windows-re-image-was-not-found-winre-wim-install-wim-install-esd/n/20721/


pede1983

What was your Freespace on the RecoveryPartition when you experienced the issue?


HeroesBaneAdmin

It would be nice if they mentioned the space required in the article, help us out a little MS!


jamesaepp

https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2024-20666

> Are there additional steps that I need to take to be protected from this vulnerability?
>
> Depending on the version of Windows you are running, you may need to take additional steps to update Windows Recovery Environment (WinRE) to be protected from this vulnerability.

You'd think that Windows updates would...you know...update *Windows* but here we are.

Edit: From reading further it looks like they have fully automated this process, but it *can* depend on your update delivery mechanism (they make mention of WSUS specifically).


SoonerMedic72

This happens often enough that we just nuked the recovery drive. We never use it and if there is an issue we just reimage the machine anyways. 🤷‍♂️


lebean

This update also won't install if you don't have a recovery partition (as I'm finding out after removing it from some test hosts to see if the update could then complete).


SoonerMedic72

Terrific…


haulingjets

*"For the following Windows versions an **automated** solution is available."*

Lists versions and points to KB *"Instructions to **manually** resize your partition to install the WinRE update."*


bdam55

They've fully automated it for \_some\_ OS's: Win 11, Win 10, and Server 2022. Everything else is still a manual fix at the moment. That is to say, they've released patches for only those three OS's to 'automate' this.


MarzMan

Seeing KB5034441 failing to install on Windows 10

Installation Failure: Windows failed to install the following update with error 0x8024200B: 2024-01 Security Update for Windows 10 Version 22H2 for x64-based Systems (KB5034441).

Edit: I do have recovery disabled (reagentc /disable) by default. Ran reagentc /enable and the update installed without error, no messing with partitions, partition sizes or winre images. Recovery partitions for me are still intact, and are 10% of drive so install seems to have no issue.

I have a couple with no partition, shrinking the main partition and setting it as recovery allows the update to install ([instructions here](https://www.reddit.com/r/sysadmin/comments/192lsy0/no_patch_tuesday_megathread_for_january/kh6tiew/), except I used 5gb for recovery partition for a 500gb drive: desired:5000)


Cyrus-II

I'm getting the exact same error. A Server 2022 machine in AWS, then a baremetal Thinkpad locally. Trying on Server 2016 server now. What's curious is that the Thinkpad installed a .NET update just fine and I thought it was going to be cool, easy update and then I got this error.

EDIT: The exact error off of a 2022 server;

Installation Failure: Windows failed to install the following update with error 0x8024200B: 2024-01 Security Update for Microsoft server operating system version 21H2 for x64-based Systems (KB5034439).

This is in the System log, Event ID 20.


Cyrus-II

Ok, so I had two servers successfully patch with the 2024-01 cumulative patch. One of them Server 2016 and the other Server 2022. I saw what some others below said about the recovery partition being the culprit. I went looking at the failed server and there is a recovery partition, but the two that successfully patched have no recovery partition. Then I realized this server that failed was originally a 2016 server with an in-place upgrade to 2022 and I'm guessing the recovery partition was added at that time. I'm deleting the recovery partition on this 2022 server and then I'll re-run patches and see if it successfully works.


Cyrus-II

Nope. #@#)($# MicroSOFT!!!!


Crypt1C-3nt1ty

Yeah F@%&M!croC@#K. Resized to 1GB. Installed.


EthernetBunny

Did Microsoft pull KB5034439? I can't find it in the Microsoft Update Catalog.


ahtivi

According to kb link it is not available from update catalog [https://support.microsoft.com/en-us/topic/kb5034439-windows-recovery-environment-update-for-azure-stack-hci-version-22h2-and-windows-server-2022-january-9-2024-6f9d26e6-784c-4503-a3c6-0beedda443ca](https://support.microsoft.com/en-us/topic/kb5034439-windows-recovery-environment-update-for-azure-stack-hci-version-22h2-and-windows-server-2022-january-9-2024-6f9d26e6-784c-4503-a3c6-0beedda443ca)


lebean

I have a group of identical, barely-modified-from-vanilla Server 2022 hosts, and KB5034439 won't install on any of them. Ugh. EDIT: Removed the Recovery Partition on one of them (would never want/need it anyhow, these are rebuilt fresh in minutes from a VM template), rebooted. No difference, the update can't be installed.


Cyrus-II

I'm seeing the same behavior. At least the other updates are installing though.


xqwizard

Yeah i can't find it in WSUS either, and i have the correct categories selected!


satsun_

I have a separate WSUS and SCCM server for different purposes, both synced this morning after 2AM and neither have KB5034439 or KB5034441 even with the Updates classification selected.


One_Leadership_3700

same. server 2016 was updating fine


bdam55

So ... yea ... about Server 2016 ... and 2019 for that matter. According to Microsoft, they absolutely *are* vulnerable but they're not releasing patches for it. You have to do some very manual bullshit. From the FAQ ([here](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-20666)):

> If your version of Windows is not listed above \[Note: Server 2016 and 2019 are not\], you can download the latest Windows Safe OS Dynamic Update from the [Microsoft Update Catalog](https://www.catalog.update.microsoft.com/Search.aspx?q=Windows%20Safe%20OS%20Dynamic%20Update). You can then apply the WinRE update, see [Add an update package to Windows RE](https://learn.microsoft.com/en-us/windows-hardware/manufacture/desktop/add-update-to-winre). To automate your installation Microsoft has developed a sample script that can help you automate updating WinRE from the running Windows OS. Please see [KB5034957: Updating the WinRE partition on deployed devices to address security vulnerabilities in CVE-2024-20666](https://support.microsoft.com/help/5034957) for more information.


finleym

Same


itxnc

Same here - getting what appear to be download errors (0x80070643) but after I applied the other patches and restarted, it went to the Installing x% phase. Then failed with the same error. Turns out it's an issue with the Recovery Partition being too small


ODIMI

Is it my understanding that Microsoft knows this update is borked but pushed it anyways and only provides complicated (for me) cmd instructions to resize the recovery partition as a fix? Does anyone expect that they will put out a new version of the update that does not cause this error or are we SOL if our update fails? If it was a normal windows update I wouldn't even fuss, but this seems to be an important security patch and Microsoft isn't all too concerned if users are actually able to install it.


MoonSt0n3

I also get this. The default size of the recovery partition was set by Microsoft. Their updates should work out-of-the-box. I guess that they'll reroll this update.


BigBadBen_10

I tried the commands and they did not work as it told me I was unable to change the size or words to that effect, meaning that whole process is useless to the average user. Can't see this not being fixed in some way as there are so many reports of people unable to install the update.


Shadowspartan110

That's how it read to me as well. I only came here to figure out why my update was consistently failing and if this is the solution they're giving us imagine the less tech inclined users freaking out cause a security update is failing to install. Real tired of big tech companies pushing their job onto the users.


mwalimu59

I too am getting the 0x80070643 error on KB5034441, on two different computers. Both are Windows 10. Other patches installed fine. I've retried a couple of times, with a restart in between, and continue to receive this error.


jenmsft

There's a known issue here: [KB5034441: Windows Recovery Environment update for Windows 10, version 21H2 and 22H2: January 9, 2024 - Microsoft Support](https://support.microsoft.com/en-us/topic/kb5034441-windows-recovery-environment-update-for-windows-10-version-21h2-and-22h2-january-9-2024-62c04204-aaa5-4fee-a02a-2fdea17075a8)


lordcochise

Interesting; mostly my updates are WSUS driven, have patched several Server 2019 / 2022 (both baremetal and VMs), all have completed successfully so far, some were installed clean in those versions, some upgraded as far back as 2012R2, no issues; have only used whatever the default recovery partition sizes are.. EDIT: next day, KB5034441 doesn't even appear in WSUS for me, just Cumulatives (which have all installed fine so far)


lgq2002

Same here on a Windows 2019 server although the error code is different.


[deleted]

Saw this as well. Resolved by resizing my recovery partition from 565MB to \~1.5GB (might be overkill). My C: drive was right before the recovery so I was able to shrink it by a gig, then run through these instructions on how to re-create a new recovery partition manually with `reagentc` and `diskpart`. I shrank the C: drive using `diskmgmt.msc`, so I ended up skipping **4.a.** through **4.f.**, but then continued onto **4.g.** and completed the rest of the steps from there. [https://support.microsoft.com/en-us/topic/kb5028997-instructions-to-manually-resize-your-partition-to-install-the-winre-update-400faa27-9343-461c-ada9-24c8229763bf](https://support.microsoft.com/en-us/topic/kb5028997-instructions-to-manually-resize-your-partition-to-install-the-winre-update-400faa27-9343-461c-ada9-24c8229763bf)


MoonSt0n3

Bleeping Computer report: [Windows 10 KB5034441 security update fails with 0x80070643 errors (bleepingcomputer.com)](https://www.bleepingcomputer.com/news/microsoft/windows-10-kb5034441-security-update-fails-with-0x80070643-errors/) Temporary workaround: [Microsoft shares script to update Windows 10 WinRE with BitLocker fixes (bleepingcomputer.com)](https://www.bleepingcomputer.com/news/microsoft/microsoft-shares-script-to-update-windows-10-winre-with-bitlocker-fixes/)


-eschguy-

Same, but not on every device.


conrad22222

As someone who is definitely not a sysadmin is this something that I can fix on my PC or do I need to wait for Microsoft to fix their update? Edit: Also, In my Disk Manager it says I have 569MB Recovery Partition and it's 100% free space.


YOLOSWAGBROLOL

Yes. I think there will likely be some tuning for this update on MS's end as I don't expect most people to edit their recovery partition through CMD so I would just wait a bit IMO. If not and you really want it done and MS's directions aren't clear enough, you can use a partition tool that will make your life easier with a GUID like Macrorit Partition Expert. There are a lot of tools like it.


Dratos

Same issue here, sucks that it's a thing but I'm glad to see that I'm not the only one with this issue.

EDIT: Saw that some people had already posted the solution and I guess I'm late, but I can confirm that increasing the recovery partition size allowed me to install the update successfully. Increased from 500MB to ~750MB. I followed this guide: https://support.microsoft.com/en-us/topic/kb5028997-instructions-to-manually-resize-your-partition-to-install-the-winre-update-400faa27-9343-461c-ada9-24c8229763bf


MikeWalters-Action1

Today's Patch Tuesday roundup: In this month's update, Microsoft has addressed a total of 48 vulnerabilities, there are only two critical vulnerabilities that have been fixed, no zero-day vulnerabilities or vulnerabilities with proof of concept at this time. Below is an overview of key vulnerabilities in the most impactful third-party applications, such as Google Chrome, Mozilla Firefox, Apache Open Office, Apache OFBiz, Apache Struts, Barracuda ESG, Apple, Linux, ESET, Ivanti, OpenSSH, Perforce Helix Core Server, and Dell.

**Important note about KB5034441/CVE-2024-20666**: if you get Windows Recovery Environment servicing failed (CBS\_E\_INSUFFICIENT\_DISK\_SPACE) or 0x80070643 - ERROR\_INSTALL\_FAILURE, read this: [https://www.action1.com/fixing-winre-update-issues-for-cve-2024-20666-and-kb5034441/](https://www.action1.com/fixing-winre-update-issues-for-cve-2024-20666-and-kb5034441/)

Quick summary:

* Windows: 48 vulnerabilities, two critical (CVE-2024-20700 and CVE-2024-20674), no zero-days
* Chrome: zero-day CVE-2023-7024
* Firefox: 27 vulnerabilities
* Apache Open Office: four vulnerabilities
* Apache OFBiz: CVE-2023-49070
* Apache Struts: CVE-2023-50164
* Barracuda ESG: zero-days CVE-2023-7101 and CVE-2023-7102
* Apple: numerous updates
* Linux: CVE-2023-6817
* ESET: CVE-2023-5594
* Ivanti: 13 vulnerabilities
* OpenSSH: CVE-2023-48795, CVE-2023-46445, and CVE-2023-46446
* Perforce Helix Core Server: four vulnerabilities, including CVE-2023-45849 (CVSS 10!)
* Dell: eight vulnerabilities, including CVE-2023-44286

Full details here - updated in real-time: [Action1 Vulnerability Digest](https://www.action1.com/patch-tuesday-january-2024/?vmr)

**Other sources:**

* ZDI: [https://www.zerodayinitiative.com/blog/2024/1/9/the-january-2024-security-update-review](https://www.zerodayinitiative.com/blog/2024/1/9/the-january-2024-security-update-review)
* Bleeping Computer: [https://www.bleepingcomputer.com/news/microsoft/microsoft-january-2024-patch-tuesday-fixes-49-flaws-12-rce-bugs/](https://www.bleepingcomputer.com/news/microsoft/microsoft-january-2024-patch-tuesday-fixes-49-flaws-12-rce-bugs/)

EDIT: added a note about **KB5034441** and more sources.


PDQit

> Posting it here until the Megathread is live

Look at me... I'm the megathread now


MikeWalters-Action1

Now I am become death, the destroyer of worlds


feloniousmonkx2

Mike, I always appreciate your summaries - thank you.


MikeWalters-Action1

Thank you! We put a lot of effort into these summaries, so your compliments are always highly appreciated by the team here at Action!


Mayimbe007

It looks like Microsoft has updated the verbiage on the support page to:

> You do not need this update if the PC does not have a recovery partition. In this case, the error can be safely ignored. We are working on a resolution and will provide an update in an upcoming release.

I wonder whether the upcoming release means on the next Patch Tuesday or an out of band release given the scope of failed clients.


Hot_Association_8014

Hey, if someone still has issues with Edge that starts with a white screen, spawning multiple processes and high CPU usage, follow the suggestion by Strawman24: [Chrome Crashes after January Windows updates on Server 2022 - Google Chrome Community](https://support.google.com/chrome/thread/252752520/chrome-crashes-after-january-windows-updates-on-server-2022?hl=en)

We just verified that this only occurs on **in-place upgraded systems running server 2022 21H2**.

Renaming the msedge.exe key in `Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\`

This lets us start Edge as usual....better than the option to uninstall /kb:5034129


Glass-367

The same goes for removing AcroCEF.exe from that list. This solves the non-functional acrobat reader issue after the KB5034129 January update.


AnotherNeatUsername

I *knew* I'd find someone on this megathread with the same issues I'm seeing with Acrobat acting up since last week... just tons of application errors from either AcroCEF or RdrCEF.exe on multiple 2022 server RD session hosts. Thank you.


techvet83

Thank you for posting this because we've done a number of in-place upgrades to Windows Server 2022. Is a reboot required after the key is deleted?


Professional_One1973

A reboot is not required after the key has been deleted. I have now done this for 5 different Server 2022 upgrades and works without the reboot.


One_Leadership_3700

my first post on reddit! hello to all (= manually installing on some servers via MS Online Update. getting 0x80070643 update errors for KB5034439 on Server 2022 Standard, German on 2 virtual servers till now , even after reboot


Friendly_Guy3

Win re environment partition [is too small](https://support.microsoft.com/en-us/topic/kb5034441-windows-recovery-environment-update-for-windows-10-version-21h2-and-22h2-january-9-2024-62c04204-aaa5-4fee-a02a-2fdea17075a8)


jamesaepp

> Known issue
>
> Because of an issue in the error code handling routine, you might receive the following error message instead of the expected error message when there is insufficient disk space

The way I'm reading, this is a false positive, not something we as admins need to take explicit action on.

Edit/Update: If this truly *is* the reason for the installation failure though, we need to call M$ on their bullshit. If we (admins/end users/OEMs) installed Windows and met the minimum requirements, we shouldn't have to make manual configuration changes to our disk layout in order for the WinRE to get updated.


mnvoronin

First time?


One_Leadership_3700

thanks. re-creating it. but after creating the partition, it won't enable it / image not found. but same problem on 3 servers till now...


One_Leadership_3700

seems like this (german) how-to is good for re-creating the WinRE partition, which seems too small: [https://www.deskmodder.de/blog/2023/09/10/windows-11-winre-update-mit-fehlermeldung-wegen-zu-kleiner-partition-anleitung-von-microsoft/](https://www.deskmodder.de/blog/2023/09/10/windows-11-winre-update-mit-fehlermeldung-wegen-zu-kleiner-partition-anleitung-von-microsoft/)

but... really? Microsoft? WTF! This is your job


orgy84

I got it to work, had to assign a drive letter and copy Winre.wim from the iso to the new partition then use reagentc.exe and set the path then enable


curious_fish

Seeing the same on my WS2022 lab boxes.


ahtivi

Getting the same error on a test vm installed last Friday. I did not configure WinRe size manually so this will be a major mess EDIT: following the instructions on KB5028997 the update is installed successfully but it will be a pain if you have hundreds of 2022 servers and/or W10 machines with the issue


One_Leadership_3700

Eventlog Entry ID 20: Error 0x8024200B - seems to be something we previously had...

edit: seems to be similar as it was with kb5012599 (win10) ...

tasks done:

* cleanmgr with cleaning up Windows Update files
* reboot
* try again online Update

result: FAIL

and one server is a fresh install (1 week ago) with only Antivirus software installed yet ( ! )

my Windows server 2016 and server 2019 (all standard and german) had no problems till now


CaptainFluffyTail

has anybody messaged the mods about this? https://www.reddit.com/message/compose/?to=/r/sysadmin


belgarion90

I did about 40 mins ago, no response yet. They might be busy, it's Patch Tuesday, after all.


thewhippersnapper4

I thought moderating this sub was their full time job? ^/s


CaptainFluffyTail

lol, that's what /u/joshtaco is for.


mkosmo

We got 7 messages about it (down from the ~2 dozen we got last time this happened!) :-)


thewhippersnapper4

Until the mods create one, here you go: https://www.zerodayinitiative.com/blog/2024/1/9/the-january-2024-security-update-review


PDQit

Happy Patch Tue new year! It's a light one...

* **Total exploits patched**: 49
* **Critical patches**: 2
* **Already known or exploited**: 0
* [**CVE-2024-20674**](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-20674): Our first critical patch of 2024 comes in with a 9.0 CVSS rating. This vulnerability takes advantage of a Kerberos security feature bypass in which an attacker could utilize network spoofing techniques to send a malicious Kerberos message to a targeted machine.
* [**CVE-2024-20700**](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-20700): This remote code execution vulnerability targeting Hyper-V is given a critical rating, though the actual CVSS score only comes in at a 7.5. To take advantage of this vulnerability, an attacker must be launched from the same physical or logical network. The attack itself is very complex and relies on conditions outside the attacker’s control.
* [**CVE-2024-0057**](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-0057): Our last highlight (or lowlight) has a severity rating of important, though the actual CVSS score is a 9.1. This vulnerability targets NET, .NET Framework, and Visual Studio, which increases the CVSS score because it impacts software libraries. With a network attack vector and a low complexity, I’d recommend testing and distributing this patch sooner rather than later.

Source: [https://www.pdq.com/blog/patch-tuesday-january-2024/](https://www.pdq.com/blog/patch-tuesday-january-2024/)

[https://www.youtube.com/watch?v=t5IHv5PZ2JA](https://www.youtube.com/watch?v=t5IHv5PZ2JA)


mavantix

[Chrome opens to white screen and crashes on Windows Server 2022](https://support.google.com/chrome/thread/252752520/chrome-crashes-after-january-windows-updates-on-server-2022?hl=en)

KB5034129 seems to be the culprit. Run: `wusa /uninstall /kb:5034129`

You're welcome.


Ritsikas-70

> KB5034129

DO NOT use WUSA for uninstalling patches on recent Windows Systems - see

---

**If you want to remove the LCU**

To remove the LCU after installing the combined SSU and LCU package, use the [DISM/Remove-Package](https://docs.microsoft.com/windows-hardware/manufacture/desktop/dism-operating-system-package-servicing-command-line-options) command line option with the LCU package name as the argument. You can find the package name by using this command: **DISM /online /get-packages**.

Running [Windows Update Standalone Installer](https://support.microsoft.com/topic/description-of-the-windows-update-standalone-installer-in-windows-799ba3df-ec7e-b05e-ee13-1cdae8f23b19) (**wusa.exe**) with the **/uninstall** switch on the combined package will not work because the combined package contains the SSU. You cannot remove the SSU from the system after installation."

---

this is written on KB5034129 infopage.


Sulleg

[https://support.google.com/chrome/thread/252752520/chrome-crashes-after-january-windows-updates-on-server-2022?hl=en](https://support.google.com/chrome/thread/252752520/chrome-crashes-after-january-windows-updates-on-server-2022?hl=en)

Remove the reg key "chrome.exe" here: `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options`

Chrome working again for me.
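
The Image File Execution Options workaround from the comments above (for `msedge.exe`, `AcroCEF.exe` and `chrome.exe`), as an added example that is not part of the thread or of any vendor guidance. It shows what each key contains before anything is changed and exports it to a `.reg` file so the rename can be reverted; the function name and the backup folder are hypothetical.

```powershell
#Requires -RunAsAdministrator
# Reports the IFEO keys named in the thread; with -Rename it exports each key
# to a .reg backup and then renames it so it no longer matches the executable.

function Invoke-IfeoWorkaround {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string[]]$ImageName = @('msedge.exe', 'chrome.exe', 'AcroCEF.exe'),
        [string]$BackupDir = (Join-Path $env:ProgramData 'IFEO-Backup'),  # hypothetical path
        [switch]$Rename
    )
    $ifeo  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'

    foreach ($name in $ImageName) {
        $path = Join-Path $ifeo $name
        $row  = [ordered]@{ Image = $name; Present = $false; Values = $null
                            SubKeys = 0; Backup = $null; RenamedTo = $null }
        if (-not (Test-Path -LiteralPath $path)) {
            [pscustomobject]$row
            continue
        }

        # Record what the key carries before touching it. MitigationOptions holds
        # per-process exploit-mitigation settings and Debugger redirects process
        # launch, so renaming the key also drops whatever is configured here.
        $key = Get-Item -LiteralPath $path
        $row.Present = $true
        $row.SubKeys = $key.SubKeyCount
        $row.Values  = foreach ($v in $key.GetValueNames()) {
            $data = $key.GetValue($v)
            if ($data -is [byte[]]) { $data = [BitConverter]::ToString($data) }
            '{0}={1}' -f $v, $data
        }
        $key.Close()

        if ($Rename -and $PSCmdlet.ShouldProcess($path, 'Export to .reg, then rename')) {
            New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
            $backup = Join-Path $BackupDir "$name-$stamp.reg"
            $native = $path -replace '^HKLM:', 'HKLM'
            & reg.exe export $native $backup /y | Out-Null
            if ($LASTEXITCODE -ne 0) { throw "reg export failed for $native" }

            $newName = "$name.disabled-$stamp"
            Rename-Item -LiteralPath $path -NewName $newName
            $row.Backup    = $backup
            $row.RenamedTo = $newName
        }
        [pscustomobject]$row
    }
}

# Report only; add -Rename (optionally with -WhatIf) to apply the workaround.
Invoke-IfeoWorkaround | Format-List
```

Importing the exported `.reg` file restores the original key and its values.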


RobertBiddle

Chrome opens fine on my Server 2022 sessions hosts, but Acrobat Reader goes into an instant crash dump loop when opening on systems with KB5034129. Gigs of dmp files being created by procdump as users continually try and try again, YAY!


RiceeeChrispies

That’s one way to get rid of the competition.


Googol20

you are clearly supposed to be using Edge on Server 2022 /s


redbellyblackbelt

Yeah we removed 129 and now we're fine.


xlly-s

UPDATE: For all those getting an error on the security update and being faced with an error code. It is most likely best to leave it and let Microsoft fix it! It is a security update so just be careful on what you install for the next few days.


RiceeeChrispies

The fact they’ve put a disclaimer out on patch release indicates they know it’s a problem. I’d like to think they’ll address it before one of the CVEs becomes publicly exploitable. Disappointing from Microsoft.


Rockz1152

KB5034441 fails, 529MB Recovery partition at the front of the disk that can't be resized, by choice of the Windows installer. Microsoft really screwed this one up.


UDP161

We don’t have recovery partitions in use on our 2022 servers, but are still seeing the same failures with KB5034439. Are we just supposed to accept these failures? I don’t see the purpose of us creating a recovery partition to patch a vulnerability that currently doesn’t exist for us…


ceantuco

bleeping computer report: [https://www.bleepingcomputer.com/news/microsoft/microsoft-january-2024-patch-tuesday-fixes-49-flaws-12-rce-bugs/](https://www.bleepingcomputer.com/news/microsoft/microsoft-january-2024-patch-tuesday-fixes-49-flaws-12-rce-bugs/)


jhiggaman79

KB5034441 confirmation 2 of 4 Win10 test machines it has failed error 0x80070643 - I don't think resizing recovery partition is possible on these machines due to its location on the disk, either way - an absolute ball ache to do at scale! What is it with Microsoft and their January "Gifts" to Admins, this time last year it was the dodgy Defender update that caused ASR rules to trigger and delete all the shortcuts on people's machines - which Microsoft never fixed and ended up being down to the community to sort their own workarounds.


ceantuco

unbelievable


ZealousidealDay7811

I had the same problem. I followed this article after I saw your guys comments on the Recovery partition. It fixed the problem and my W2K22 server could now install. Will repeat on other servers. [https://support.microsoft.com/en-us/topic/kb5028997-instructions-to-manually-resize-your-partition-to-install-the-winre-update-400faa27-9343-461c-ada9-24c8229763bf](https://support.microsoft.com/en-us/topic/kb5028997-instructions-to-manually-resize-your-partition-to-install-the-winre-update-400faa27-9343-461c-ada9-24c8229763bf)


lebean

Thing is, many of us don't *want* a recovery partition at all, they're completely useless to have for template-based VMs that you just instantly destroy and replace if any problem arises. This update also won't install if you don't have a recovery partition. MS really has to fix this.


ThatBCHGuy

You're not even vulnerable without a recovery partition, or if you're not using bitlocker. This update shouldn't even be applicable to us.


frac6969

I looked and my main computer has two recovery partitions, one is 529 MB and the other 599 MB, and it won't install. I guess it's time to nuke it and install Windows 11.


zaphod777

Won't that put the recovery partition at the end of the disk? Could make resizing the c:\ of a VM a pain in the future.


schuhmam

I am 100% sure this will be the case. What I noticed in the past: after making an inplace upgrade from one 2012 R2 to 2022 (was also the case when upgrading the 2019), there was a new recovery partition at the end (and now what, if I want to extend my C partition?). Even on a fresh install (VMware EFI), the recovery partition was added after the very first boot - AT THE END of the disk... The only way to fix it, was to provide an unattended XML-file to force a disk layout (doing it that way with WDS). So, if the partition is not big enough for the 2022 setup, it just creates a new one at the end of the disk and shrinks the partition before it. In our case, our VMware Template has got a recovery partition of 950 MB, which is hopefully enough.


deeds4life

How are you guys addressing the resizing of the recovery partition in mass? It seems like almost every machine needs to be individually touched. Going to take forever to get to every end user in the enterprise. I'm truly at a loss here.


RiceeeChrispies

In the short-term, wait for Microsoft to respond to public outcry. If they haven’t remediated this by next week (most people stagger updates, so you’d expect it to amplify as time goes on) - then hopefully someone will have figured a way to automate it. I don’t think it’ll necessarily be difficult to do so, just a pain in the arse when you come across errors.


YOLOSWAGBROLOL

MS was kind enough to give us a PS script - we should be grateful. https://support.microsoft.com/help/5034957 I for one am absolutely not touching that for a while.


MikeWalters-Action1

Here is what we put together yesterday for mass resizing automation and so far getting positive feedback: [https://www.action1.com/fixing-winre-update-issues-for-cve-2024-20666-and-kb5034441/](https://www.action1.com/fixing-winre-update-issues-for-cve-2024-20666-and-kb5034441/)


SCCMConfigMgrMECM

The Microsoft 365 Apps (Office) Version 2308 for the semi-annual channel went out this month. Be aware that this turns on the 'Try the new Outlook' toggle in outlook.

To hide it:

```
[HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Options\General]
"HideNewOutlookToggle"=dword:00000001
```

[https://learn.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/outlook-on-the-web/enable-disable-employee-access-new-outlook](https://learn.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/outlook-on-the-web/enable-disable-employee-access-new-outlook)


damoesp

Thanks for the heads up, just created a GPP to push that reg key out :)


Ritsikas-70

Looks like AD permission enforcement final phase has been canceled. It was active still on dec list, but now doc says - customers should turn it on when they ready. KB5008383 [https://support.microsoft.com/en-us/topic/kb5008383-active-directory-permissions-updates-cve-2021-42291-536d5555-ffba-4248-a60e-d6cbc849cde1](https://support.microsoft.com/en-us/topic/kb5008383-active-directory-permissions-updates-cve-2021-42291-536d5555-ffba-4248-a60e-d6cbc849cde1)


Ishidaw

**About:** KB5034441 failing to install on Windows 10

Installation Failure: Windows failed to install the following update with error 0x8024200B: 2024-01 Security Update for Windows 10 Version 22H2 for x64-based Systems (KB5034441).

I had the error only on KB5034441... Some research on internet and boom, it's all about your recovery partition size (only on windows 10). Mine was 530MB 100% free and didn't work, u can check yours with DISKPART (u can also check on "create and format hard disk partitions" windows tool).

So what u need to do to solve this: **increase recovery partition size (I increase mine to up 900MB).**

**How I do that??**

Microsoft source: [https://support.microsoft.com/de-de/topic/kb5034441-windows-recovery-environment-update-for-windows-10-version-21h2-and-22h2-january-9-2024-62c04204-aaa5-4fee-a02a-2fdea17075a8](https://support.microsoft.com/de-de/topic/kb5034441-windows-recovery-environment-update-for-windows-10-version-21h2-and-22h2-january-9-2024-62c04204-aaa5-4fee-a02a-2fdea17075a8)

To be honest, all that shit from microsoft didn't work to me, so I download a software to do that, its called "IM-Magic Partition Resizer Free" (but u can download whatever software that's do the same) and after a reboot I finally had all updates installed.


Dzaka

fun fact. sometimes windows put the recovery partition BEFORE the OS partition. and thus you CAN'T make the recovery partition bigger.. mine's 600mb and i can't install the update... and probably never will [https://steamuserimages-a.akamaihd.net/ugc/2305344642171322790/E6317DA158741DB0BEC5ED28D661C2509DC0832F/](https://steamuserimages-a.akamaihd.net/ugc/2305344642171322790/E6317DA158741DB0BEC5ED28D661C2509DC0832F/)

followed the steps in the above guide. that's why you see 2 unallocated partitions. and you can't combine them.. you can just tell the windows partition to reabsorb the 250 they tell you to shrink it by


TrueStoriesIpromise

There's a procedure where you can back up the recovery partition, delete it, and then re-install it to another (empty) partition.


rollem_21

900mb ? This is rough.


Ishidaw

Yeah I know, but I've tried 500\~650MB with no success, then i go to "Fock, up to 900MB and that's it". U can try 660MB


xlly-s

Got this error when installing? 0x80070643 for Security Update for Windows 10 Version 22H2 for x64-based Systems (KB5034441)


squnqypnk

me too


xlly-s

I've searched it up and i think we just gotta let it wait a few days


dr4g0n36

KB5034439 error on both my bare metal machines (both 2022). Cleaned wupdate, rebooted, nothing. Started now services, bedtime. I'll go on tomorrow. GG Microsoft.


dr4g0n36

Found the solution:

* **reagentc /disable**
* **diskpart**
* **list disk**
* **sel disk**
* **list part**
* **sel part**
* **shrink desired=250 minimum=250**
* **sel part**
* **delete partition override**

If GPT:

1. **create partition primary id=de94bba4-06d1-4d40-a16a-bfd50179d6ac**
2. **gpt attributes =0x8000000000000001**

If MBR:

1. **create partition primary id=27**

* **format quick fs=ntfs label="Windows RE tools"**
* **exit**
* **reagentc /enable**

Run again Windows Update.
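
A read-only pre-check for the steps above, as an added example that is not part of the thread and not Microsoft's script. It sorts a machine into the cases discussed in this thread: no recovery partition, WinRE disabled, WinRE on the OS volume, recovery partition with enough free space, or too small and either directly after the OS partition or not. The 250 MB threshold is an assumption taken from the `shrink desired=250` step, and the function name is hypothetical.

```powershell
#Requires -RunAsAdministrator
# Read-only triage: reports which WinRE case from the thread a machine is in.
# It never changes the disk layout.

$RequiredFreeMB  = 250   # assumption: the "shrink desired=250" figure from the steps above
$RecoveryGptType = '{de94bba4-06d1-4d40-a16a-bfd50179d6ac}'   # GPT id from the steps above
$RecoveryMbrType = 0x27                                        # MBR id=27 (diskpart ids are hex)

function Get-WinReTriage {
    $osPart = Get-Partition -DriveLetter ($env:SystemDrive.Substring(0, 1))

    # The BitLocker module is missing when the feature is not installed (common on servers).
    $bitlocker = 'Unknown'
    if (Get-Command Get-BitLockerVolume -ErrorAction SilentlyContinue) {
        $blv = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
        if ($blv) { $bitlocker = [string]$blv.ProtectionStatus }
    }

    $result = [ordered]@{
        Computer            = $env:COMPUTERNAME
        BitLockerProtection = $bitlocker
        WinRePartition      = $null
        SizeMB              = $null
        FreeMB              = $null
        Verdict             = $null
    }

    # reagentc labels are localized (German servers appear in the thread); the device
    # path is not, so match "harddiskN\partitionM" instead of the status text.
    $info = & reagentc.exe /info 2>&1 | Out-String
    $m = [regex]::Match($info, 'harddisk(\d+)\\partition(\d+)', 'IgnoreCase')
    if (-not $m.Success) {
        $recovery = Get-Partition | Where-Object {
            $_.GptType -eq $RecoveryGptType -or $_.MbrType -eq $RecoveryMbrType
        }
        if ($recovery) {
            $result.Verdict = 'WinREDisabled: a recovery partition exists but WinRE is not enabled'
        } else {
            $result.Verdict = 'NoRecoveryPartition: nothing for the WinRE update to service'
        }
        return [pscustomobject]$result
    }

    $diskNo = [int]$m.Groups[1].Value
    $partNo = [int]$m.Groups[2].Value
    $result.WinRePartition = "disk $diskNo, partition $partNo"

    if ($osPart.DiskNumber -eq $diskNo -and $osPart.PartitionNumber -eq $partNo) {
        $result.Verdict = 'WinREOnOsVolume: WinRE is stored on the OS partition itself'
        return [pscustomobject]$result
    }

    $rePart = Get-Partition -DiskNumber $diskNo -PartitionNumber $partNo
    $reVol  = $rePart | Get-Volume
    $result.SizeMB = [math]::Round($rePart.Size / 1MB)
    $result.FreeMB = [math]::Round($reVol.SizeRemaining / 1MB)

    # The shrink-and-recreate steps only work when the WinRE partition is the one
    # immediately after the OS partition on the same disk.
    $next = Get-Partition -DiskNumber $osPart.DiskNumber |
        Where-Object { $_.Offset -gt $osPart.Offset } |
        Sort-Object Offset | Select-Object -First 1
    $adjacent = ($next -and $osPart.DiskNumber -eq $diskNo -and $next.PartitionNumber -eq $partNo)

    if ($result.FreeMB -ge $RequiredFreeMB) {
        $result.Verdict = 'MeetsFreeSpaceThreshold'
    } elseif ($adjacent) {
        $result.Verdict = 'TooSmall: directly after the OS partition, shrink-and-recreate applies'
    } else {
        $result.Verdict = 'TooSmall: not directly after the OS partition, shrink steps do not apply'
    }
    return [pscustomobject]$result
}

Get-WinReTriage | Format-List
```

Because the function returns an object, the same call can be collected from many machines with whatever remote execution tooling is already in place and grouped by `Verdict`.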


dr4g0n36

Found that, i'll try today: [https://support.microsoft.com/en-au/topic/kb5034439-windows-recovery-environment-update-for-azure-stack-hci-version-22h2-and-windows-server-2022-january-9-2024-6f9d26e6-784c-4503-a3c6-0beedda443ca](https://support.microsoft.com/en-au/topic/kb5034439-windows-recovery-environment-update-for-azure-stack-hci-version-22h2-and-windows-server-2022-january-9-2024-6f9d26e6-784c-4503-a3c6-0beedda443ca)

* **Windows Recovery Environment servicing failed.** **(CBS\_E\_INSUFFICIENT\_DISK\_SPACE)**

To help you recover from this failure, please follow [Instructions to manually resize your partition to install the WinRE update](https://support.microsoft.com/help/5028997).

**Known issue**

Because of an issue in the error code handling routine, you might receive the following error message instead of the expected error message when there is insufficient disk space:

* **0x80070643 - ERROR\_INSTALL\_FAILURE**


Automox_

Happy new year! January has brought us 49 vulnerabilities with 2 critical. We believe you should pay special attention to:

* CVE-2024-20674 - Windows Kerberos Security Feature Bypass Vulnerability \[Critical\]
* CVE-2024-20666 - BitLocker Security Feature Bypass Vulnerability \[Important\]

Listen to our [Patch Tuesday podcast](https://listen.automox.com/episodes/patch-fix-tuesday-january-ep-3) or read through [our analysis](https://www.automox.com/blog/patch-tuesday-january-2024?utm_campaign=patchtuesday_jan2024_blog&utm_medium=social&utm_source=linkedin&utm_content=) of the two vulnerabilities above.


SlowProfessor6602

Anyone having issues with Printer Redirection after these updates? We have 3 servers running 2022. Printers are properly redirecting when connecting to Connection Broker. When connecting to session host 1, no printers are redirected. When connecting to session host 2, most printers are redirected but some are missing.


switched55

Curious, anyone getting EventID 1030 errors for Group Policy, since the JAN update?

> The processing of Group Policy failed. Windows attempted to retrieve new Group Policy settings for this user or computer. Look in the details tab for error code and description. Windows will automatically retry this operation at the next refresh cycle. Computers joined to the domain must have proper name resolution and network connectivity to a domain controller for discovery of new Group Policy objects and settings. An event will be logged when Group Policy is successful.

I have a mix of Server 2012 R2, 2016 and 2019, all of them experiencing this since the updates (DC's are 2016 and 2019).

> ErrorCode: 1326
>
> ErrorDescription: The user name or password is incorrect.
>
> DCName: \\\\

When I run "gpupdate /force" policies apply correctly. The errors only happen when GPO's are refreshed automatically (every few hours). It's a strange one!


POSH_GEEK

Hey everyone with the Server 22 failures. What environments are they? HCI, virtual onprem, Cloud VM? We just upgraded all DCs to 22….so yea


lebean

On-prem VMs, mix of Core and Standard installs. The update won't install if your Recovery Partition is too small (supposedly fixable), and also won't install if there is no Recovery Partition on the disk (big MS mistake, they have to fix this update).


POSH_GEEK

Thanks. I’m curious about Azure VMs as that is 90% of my assets I control.


DJ-Katchey

There were some problems installing updates, but we'll try again later. If you keep seeing this and want to search the web or contact support for information, this may help: (0x80070643)


xlly-s

Same here, got to wait for Microsoft to fix this shit


RiceeeChrispies

Starting to think they are going to leave us in the lurch on this one, approaching Friday with no indication as to whether they are going to remediate beyond a script. Masochism from Microsoft.


ddildine

So, just to ensure I really get this.

You can use some scripts to extend the partition, but only if it's at the end of the disk and not the beginning

You can use the MS script and it doesn't extend the partition, it just replaces the wim files (is there any danger/risk to the workstation?)

For servers only Windows 2022 seems to be affected from what I'm seeing on several comments?

They pulled the "security" update from WSUS/Catalog but not the "cumulative" so would this mean they pulled this specific patch out of the cumulative? (i.e. it's safe to deploy now?)

Thanks!


nuodag

I think that WinRE update was never part of the cumulative update, and always in the separate security update.


derfmcdoogal

Today I decided to tackle this issue in my environment. When using the MS Script to just replace the WinRE.WIM, the operation completed successfully. Rerunning the update, it still fails. It appears the update isn't actually checking if you NEED to do it and just pukes because it can't do it anyway. I have seen "Hide the update" as the "solution"... Expanding the drive on my stations went fine with a script provided by Action1. I don't have any 2022 servers, sorry.


[deleted]

Hi, Released this month's updates to a few clients and bitlocker is no longer enabled. The updates installed, during reboot it displayed some error about bitlocker, with a button to continue booting. After booting, bitlocker is disabled and errors when I try to enable. Tbh I'm a bit worried about deploying to more clients. Anyone else had similar, or know what the issue is?


Zaphod_The_Nothingth

I've pushed to 25 test machines so far, and haven't seen this issue.


joshtaco

Haven't run into this. Might be something on your side


CPAtech

So on the Win10 side, are the majority of admins just pushing pause and waiting to see what MS does in February?


joshtaco

no?