Forum Discussion
BLOG: Guidance for Windows Recovery partition (WinRE) patching and why you would need it
As the information dripped in over time, I recently received feedback that, on the matter of the 01-2024 LCU patching issues with WinRE, the article was not structured enough to provide a clear solution.
Information and guidance from Microsoft on the matter:
Automatic resolution of this issue won't be available in a future Windows update. Manual steps are necessary to complete the installation of this update on devices which are experiencing this error.
Affected platforms:
Client: Windows 11, version 21H2; Windows 10, version 22H2; Windows 10, version 21H2
Server: Windows Server 2022
What is it about the WinRE security update and why it is failing?
https://learn.microsoft.com/en-us/windows/release-health/status-windows-10-22H2#the-january-2024-windows-re-update-might-fail-to-install
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-20666
External References:
https://www.csoonline.com/article/1306871/how-to-protect-against-bitlocker-bypassing-vulnerabilities-in-windows-recovery-partitions.html
Thank you SusanBradleyGeek.
HOW-TO FIX, Microsoft solution
https://support.microsoft.com/en-us/topic/kb5028997-instructions-to-manually-resize-your-partition-to-install-the-winre-update-400faa27-9343-461c-ada9-24c8229763bf
HOW-TO FIX, Community solutions:
APPROACH 1:
There is also an unofficial guide for this (not tested myself, endorsed, supported by Microsoft)
https://manima.de/2024/01/winre-patching-round-2/
APPROACH 2:
"I've integrated it with Intune and PSADT; it's going very well and we're able to increase the recovery partition sizes for several thousand computers with graceful restarts and detection coming from Intune's application model."
https://github.com/MHimken/WinRE-Customization/blob/main/Patch-WinRE.ps1
Caveat: Please check the code and test before bulk execution. It looks promising. I do not see a reason why this could not work with Windows Server, too.
Conclusion:
I am still optimistic Microsoft will withdraw the 01-2024 update and release something improved. For Windows Server 2025 and Windows 11 24H2 I hope that the WinRE partition will be patched, recreated and enlarged to 1 GB to avoid future issues.
Happy patching!
- Karl-WE, May 02, 2024, MVP
Patching Secure Boot
In addition to the situation that revolves around WinRE patching since January 2024, there is a new vector that requires low-level patching and actions.
Please consider this article about Secure Boot patching, in addition to the original post. This article itself offers more links to deep dive into the topic.
Please read these carefully, to avoid making your device non-bootable.
Read on why:
https://techcommunity.microsoft.com/t5/windows-it-pro-blog/updating-microsoft-secure-boot-keys/ba-p/4055324
Read on how to patch Secure Boot:
https://techcommunity.microsoft.com/t5/windows-it-pro-blog/revoking-vulnerable-windows-boot-managers/ba-p/4121735
Learn about the Microsoft timeline and technical dependencies
https://support.microsoft.com/en-us/topic/kb5025885-how-to-manage-the-windows-boot-manager-revocations-for-secure-boot-changes-associated-with-cve-2023-24932-41a975df-beb2-40c1-99a3-b3ff139f832d
Great reference on Secure Boot:
https://nbviewer.org/github/microsoft/MSRC-Security-Research/blob/master/presentations/2024_05_OffensiveCon/OffensiveCon24_Booting_With_Caution_BDemirkapi.pdf
Thank you SusanBradleyGeek!