Summary
This update automatically applies Safe OS Dynamic Update (KB5034235) to the Windows Recovery Environment (WinRE) on a running PC to address a security vulnerability that could allow attackers to bypass BitLocker encryption by using WinRE. For more information, see CVE-2024-20666.
NOTE If your running PC does not have a WinRE recovery partition, you do not need this update. To verify if you have WinRE enabled, you can run the following command in an elevated command prompt: reagent /info.
IMPORTANT This update requires 250 MB of free space in the recovery partition to install successfully. If the recovery partition does not have sufficient free space, this update will fail. In this case, you will receive the following error message: 0x80070643 - ERROR_INSTALL_FAILURE To avoid this error or recover from this failure, please follow the Instructions to manually resize your partition and then try installing this update. Or, to use a sample script to increase the size of the WinRE recovery partition, see Extend the Windows RE Partition. |
How to get this update
This update is available through the following release channels.
Release Channel |
Available |
Windows Update |
Yes |
Microsoft Update Catalog |
No |
Windows Server Update Services (WSUS) and Microsoft Endpoint Configuration Manager |
No |
Prerequisites
The device must have 250 MB of free space in the recovery partition to be offered and apply this update.
Restart information
You do not need to restart your PC after applying this update.
Verify the installation of this update
To verify the installation of this update, use DISM /Get-Packages to ensure Safe OS Dynamic Update package is present on WinRE. For more information, see Check the WinRE image version.
Removal information
This update cannot be removed once it is applied to a Windows image.
Update replacement information
This update does not replace any previously released update.
References
Description of the standard terminology that is used to describe Microsoft software updates