Failed Win 10 Security Update
#1
A couple of my PCs have failed KB5034441 updates, which the blurb says is to prevent Bitlocker encryption being bypassed.
Given that I don't use Bitlocker, am I OK to just hide that update from further checks?
It seems a bit over the top to have to fiddle around with disk partitions for something I don't use.
#2
Same here and I am using Win 10 HOME which I believe does not use Bitlocker.
#3
It's a patch for WinRE (Windows Recovery Environment); it reinstalls the recovery with a new version that has a patch for the encryption.
There are thousands of reports of failures, and Microsoft knows about it.

Their suggestion is to increase the recovery partition size, but even that doesn't work sometimes.

I can see a whole lot of problems (people wiping drives or making the system unbootable) if they tried, especially since they give instructions on using Diskpart. With Diskpart there's no "are you sure" warnings.

Since MS know about it being such a big failure, they should put out a solution for an auto repair/install of the patch.
Blocking this patch shouldn't cause any problems even if you did use encryption, the original will still be there. "Shouldn't" being the key word.
Upgrades = Old bugs replaced with new Bugs.
#4
Yep, pretty dumb of MS to give out those instructions to all and sundry. I'll be leaving mine unpatched.
Even if I had a mind to change partition sizes, I'd be doing it using Macrium Reflect to restore partitions with resize - seems a safer bet than trying to follow MS instructions.
Presumably I'll need to redo Macrium Rescue Media for the ones that successfully installed the update. If it wasn't for the failed updates I wouldn't have known that just from the title Security Update.
#5
Good to know about this, I have not encountered it yet.
#6
(12-01-2024, 06:40 PM)CorylusMaxima Wrote: Presumably I'll need to redo Macrium Rescue Media for the ones that successfully installed the update. If it wasn't for the failed updates I wouldn't have known that just from the title Security Update.

You won't have to make new rescue media; Macrium will simply pull back any image that's made along with whatever has changed.

I use the same media (USB drive) to pull various images, all different sizes, back from my servers over the LAN when required. What would change is if you imaged a drive, then it updated at a later time, then when you reboot Updates would then have to redownload the patch, BUT that goes for ANY image. It's only up to date at the point of imaging.
#7
Yeah, I get what you are saying Wainuitech. Where I was coming from is that I'm pretty sure I read that when you first create rescue media it pulls the WinRE it uses from your disk and normally that wouldn't change. However, with this patch, WinRE has changed, so my thinking was that a new rescue media would keep everything in step and could be used on drives irrespective of whether they had the patch or not.
#8
Just a bit of an update on this:  Had two computers this morning with the exact same error, same KB number. One was one of my own W10's in the workshop.

Fixed it as MS suggested, by making the recovery partition larger, from 521MB to 750MB, re-ran the updates, this time went straight in no problems. Used a bootable USB with partition software, NOT Diskpart.

To test the Macrium question, imaged the altered drive to an external (Macrium installed on drive), replaced the drive with another blank, then using the same USB drive I created errrrr maybe 6-7 months ago, put the image back, no problem at all. Re-ran the Windows updates, only found "Security Intelligence Update for Microsoft Defender Antivirus".

No need to create new rescue media.
#9
Thanks Wainuitech. Can I ask which partition software you use?
One of my computers has an old recovery partition following the active one, so I could delete it and use that space without touching the OS partition. Do you know if Disk Management allows the recovery partition to simply be extended like other partitions, or is it all round protection?
On the Macrium question. I can't see why the older rescue media wouldn't restore the new image, but presumably it can be prey to the same vulnerability as the old WinRE on the computer, but creating a new rescue media would plug any possible gap.
#10
A bit anal I know, as I don't use Bitlocker, but for those who do and have added Bitlocker Support to their rescue media, it might be more secure.
After MS updates caused then fixed an issue with creating rescue media in Oct/Nov I came across this.....
"After the OS patching and rebooting has completed, in Reflect you will need to perform a force rebuild of the WIM in the Create Rescue Media.
You performed a force rebuild by holding down the Ctrl key and click on the down arrow on the Build button to select Force Rebuild in the Reflect Rescue Media builder of the WIM using WinRE 10 on Windows 10 platforms."
#11
Sorry for the late reply CorylusMaxima -- Been out on jobs since early morning.

Never got that message, Macrium has been working fine. Patched the system, then using the installed version of Macrium, created a new backup, and put it onto another HDD which booted fine. The backup was also done to one of my servers, then a blank drive attached, booted from the old media (USB drive), pulled the image back over the LAN - no problems.

BTW -- I always image drives, not clone; have had it where you have to muck about fixing non-booting after cloning, but imaging very rarely gives trouble. AND you can store MANY images on drives (servers for example), whereas with clones you can't. Example: on one server I have 174 folders with several images in each, totaling 1.6TB.

Regarding partition software -- there's two I use, mainly Minitool Partition, as well as AOMEI Partition

To make bootable drives (USB or CD) you need the paid versions. AOMEI Partition Pro has giveaways all the time on various giveaway sites. The installed versions (free) will work fine on the computers they are installed on, I just prefer to use bootable media.
#12
Thanks - I assume you still need to disable WinRE before using the software?
Using the software, does the recovery partition still need to be deleted then recreated or can it be extended if there is unallocated space available in the right position?

As far as Macrium goes, I wouldn't expect there to be a problem with imaging and restoring. Any possible threat could come from an outside attacker with the previous WinRE - unlikely I know, while you are actually using Macrium.
I just don't get why you would want to update WinRE on the computer but not on the rescue media. The changes must be fairly substantial for MS to say it needs 250MB free space. I guess knowing that it would fail on so many systems is why they didn't include it in the monthly Cum update.
#13
Didn't disable anything. For some strange reason the recovery Partition was in different places on different installs.

One I had to shrink the Main C Partition down to make room, then expand out the recovery ( it was after the C partition)

On another I had to move the C partition sideways a few MB to make room, then move two other partitions sideways as well (recovery was before the C partition at the start of the drive), made the recovery partitions 750MB and re-ran the update.
Reply
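A read-only pre-check for the situation discussed in posts #8, #12 and #13, added here as an example and not posted by anyone in the thread: it reports whether WinRE is enabled, how large the recovery partition is, how much of it is free, and whether it sits before or after the OS partition. The 250 MB threshold is the figure quoted in post #12; English-language `reagentc` output and all variable names are assumptions.

```powershell
#Requires -RunAsAdministrator
# Read-only report of WinRE status and recovery-partition layout.
# Nothing here changes the disk or the WinRE configuration.

$NeededFreeMB = 250   # free-space figure quoted in post #12 (assumption, not verified here)

# reagentc prints the WinRE device path, e.g. ...\harddisk0\partition4\Recovery\WindowsRE
$info = (reagentc.exe /info) -join "`n"

# The status label is matched in English only (assumption).
$enabled = $info -match 'Windows RE status:\s+Enabled'

if ($info -match 'harddisk(\d+)\\partition(\d+)') {
    $diskNo = [int]$Matches[1]
    $partNo = [int]$Matches[2]
} else {
    Write-Warning 'reagentc reports no WinRE location, so there is no recovery partition to measure.'
    return
}

$osLetter = $env:SystemDrive.Substring(0, 1)
$re  = Get-Partition -DiskNumber $diskNo -PartitionNumber $partNo
$os  = Get-Partition -DriveLetter $osLetter
$vol = $re | Get-Volume            # works for partitions without a drive letter

# Free space is unknown if the volume cannot be resolved.
$freeMB = if ($vol) { [math]::Round($vol.SizeRemaining / 1MB) } else { $null }

# Where WinRE lives relative to the OS partition decides which neighbours
# would have to be shrunk or moved to enlarge it.
$position = if ($re.DiskNumber -ne $os.DiskNumber) { 'different disk from the OS' }
    elseif ($re.PartitionNumber -eq $os.PartitionNumber) { 'on the OS partition itself' }
    elseif ($re.Offset -gt $os.Offset) { 'after the OS partition' }
    else { 'before the OS partition' }

[pscustomobject]@{
    WinREEnabled      = $enabled
    Disk              = $diskNo
    Partition         = $partNo
    SizeMB            = [math]::Round($re.Size / 1MB)
    FreeMB            = $freeMB
    MeetsFreeSpace    = ($null -ne $freeMB) -and ($freeMB -ge $NeededFreeMB)
    Position          = $position
    DiskUnallocatedMB = [math]::Round((Get-Disk -Number $diskNo).LargestFreeExtent / 1MB)
}
```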
#14
OMG that was unbelievably easy! Updates done and backup run. Thank you so much.
You guys who help people out on here are just the best.