Automate Recovery Partition | KB5034441 Fix

INTRO

Recently I was preparing a Windows Server 2022 build for a client and ran into some Windows Update errors. As it turns out there is a security vulnerability that could allow attackers to bypass BitLocker encryption by using WinRE which KB5034441 aims to patch. Server 2022 is based off of Windows 10 21H2 core and also Windows 10 21H2 and 22H2 are affected as well.

The update fails to install if the winre.wim image can’t be expanded enough to install the update. At least in the case of MDT, by default Windows uses the last 1% of the drive after the System and Windows partitions are created for the Recovery partition. So if you installed Windows to a relatively small drive you will probably run into KB5034441 not installing. So let’s fix that.

LOCATE WINRE.WIM

Run the command reagentc /info to verify where your Windows Recovery Environment image is, more info here.

C:\Windows\system32>reagentc /info
Windows Recovery Environment (Windows RE) and system reset configuration
Information:

    Windows RE status:         Enabled
    Windows RE location:       \\?\GLOBALROOT\device\harddisk0\partition4\Recovery\WindowsRE
    Boot Configuration Data (BCD) identifier: fb41ccc1-d451-11ee-91bf-c792959b2d94
    Recovery image location:
    Recovery image index:      0
    Custom image location:
    Custom image index:        0

REAGENTC.EXE: Operation Successful.

As you can see above in my output, the Windows Recovery Environment image is located on my Recovery partition, which is partition 4. If it’s different for you, account for that in the following script or you might have a bad day.

SCRIPT

powershell.exe -noninteractive -command "reagentc /disable; echo 'sel volume c' 'shrink minimum=250' 'sel part 4' 'delete partition override' 'create partition primary' 'format quick fs=ntfs label=Recovery' 'set id=de94bba4-06d1-4d40-a16a-bfd50179d6ac' 'gpt attributes=0x8000000000000001'  | diskpart.exe"; reagentc /enable

The script above will start off with reagentc /disable which will move the winre.wim image from the protected Recovery partition to C:\Windows\System32\Recovery\Winre.wim. This is a hidden and protected operating system file.

Then the script sends a series of commands to diskpart.exe to remove the Recovery partition, shrink the Windows partition, then remake the Recovery partition and then use the reagentc /enable command to move C:\Windows\System32\Recovery\Winre.wim to the newly created Recovery partition that should be larger now to apply the update.

I have tested on my own and it works, and I did this because I know there will be many computers out in the wild with the same issue and now I can deploy a fix through ConnectWise Automate or other RMM solution so I don’t have to manually do this. Future improvements would be logic to target the Recovery partition based on type or label rather than searching for the partition number beforehand.

CONCLUSION

That’s a fix! Run Windows Update and watch KB5034441 go away. I had fun doing this and learned something new which I will need to implement into my GitHub repositories for my AutoUnattend.xml files for Windows 10.

WinReflection

Hey folks, my name is Dex and you’ve landed on my website. Ponder this; was it by coincidence or did God bring you here? Either way, I hope you find something of value. We may not agree on everything, but that’s just part of the fun here!

It’s my hope here that you also become inspired to join the good fight against evil. There are no ads here, just truth bombs. So change your tune because the best is yet to come, and nothing can stop what’s coming!

John 3:16: For God so loved the world that he gave his one and only Son, that whoever believes in him shall not perish but have eternal life.