Full Report
Microsoft says some users might see 0x80070643 installation failures when trying to deploy the April 2025 Windows Recovery Environment (WinRE) updates. [...]
Analysis Summary
# Vulnerability: Windows Recovery Environment (WinRE) Update Installation Errors (0x80070643)
## CVE Details
- CVE ID: Not applicable (This is a known issue/bug in update deployment, not a security vulnerability report matching a specific CVE.)
- CVSS Score: N/A
- CWE: N/A
## Affected Systems
- Products: Windows 10, Windows 11, Windows Server 2022 (related to WinRE update installation)
- Versions: Systems attempting to install the Windows Recovery Environment (WinRE) update that fails with error code `0x80070643`.
- Configurations: Observed when the device has another update in a pending reboot state.
## Vulnerability Description
This issue is a known bug related to Microsoft's deployment of Windows Recovery Environment (WinRE) updates (including those related to the January 2024 Patch Tuesday updates that were later retired). The update installation fails with error code `0x80070643` if the system has other pending updates requiring a reboot. Critically, Microsoft states the WinRE update is **typically applied successfully after the required device restart**, despite the installation failure message persisting temporarily.
*Note: An older, related issue involved updates that specifically triggered this error, leading Microsoft to retire those security updates in August 2024, after initially recommending manual WinRE partition resizing.*
## Exploitation
- Status: Not applicable regarding the error itself. However, **malicious actors have been observed pushing fraudulent PowerShell "fixes"** to users searching for resolutions to this non-security related error, distributing information-stealing malware.
- Complexity: Low (for falling for fake IT support/PowerShell fixes)
- Attack Vector: Adjacent/External (When users search for solutions and execute untrusted scripts provided by fake support sites).
## Impact
- Confidentiality: Low (Unless a user executes a malicious script found online searching for a fix)
- Integrity: Low (Unless a user executes a malicious script found online searching for a fix)
- Availability: Low (Temporary display of update failure in Windows Update history)
## Remediation
### Patches
- **Ignore the Error:** Microsoft advises users to disregard the `0x80070643` error initially. The WinRE update is usually applied successfully after the next daily scan and device reboot, at which point the failure message clears automatically.
- **Future Fix:** Microsoft is working on a formal fix to address the persistent failure message display, which will roll out in a future update.
### Workarounds
- **Wait for automatic resolution:** Allow the system to scan again the next day and reboot. The error message is expected to clear automatically, confirming the update completion.
- *(Historical Note: Previously, Microsoft advised manual WinRE partition resizing to fix some failed updates, but this is superseded by the current advice to ignore the error.)*
## Detection
- **Indicators of Compromise:** Persistent or recurring display of the `0x80070643` error specifically related to WinRE updates in Windows Update history.
- **Detection methods and tools:** Monitoring Windows Update logs for `0x80070643` failure codes associated with WinRE components. Security teams should specifically watch for system execution of PowerShell scripts downloaded from external, non-official sources purporting to be fixes for this error.
## References
- [Windows Server 2022 Release Health Dashboard](https://learn.microsoft.com/en-us/windows/release-health/status-windows-server-2022#the-april-2025-windows-re-update-might-show-as-unsuccessful-in-windows-update) (Example reference structure for dashboard)
- [News regarding retired January 2024 updates](https://www.bleepingcomputer.com/news/microsoft/microsoft-retires-windows-updates-causing-0x80070643-errors/)
- [Fake IT support sites pushing malicious PowerShell scripts](https://www.bleepingcomputer.com/news/security/fake-it-support-sites-push-malicious-powershell-scripts-as-windows-fixes/)