MEDIUMCVSS6.6

|CVE-2024-20666|Auth: see msrc advisory|Reboot: required|Manual only

KB5034127: Windows Server 2019 Security Update (January 2024)

An attacker with physical access to a device can bypass BitLocker encryption and read protected data by abusing flaws in the Windows boot manager and Recovery Environment.

Published Jan 9, 2024 · Updated May 23, 2026

Why patchRisk explained in plain English

Worst-case scenarioIf unpatched

An attacker with physical access to a powered-off or sleeping device — a lost or stolen laptop, a server pulled from a rack, a seized machine — can manipulate the boot/recovery path to bypass BitLocker and read the encrypted volume. No login credentials are needed; the attack defeats disk encryption directly. This matters most for portable devices and any server where physical security cannot be guaranteed.

How the attack works

BitLocker is the Windows full-disk encryption feature that protects data at rest using a Volume Master Key (VMK). A series of distinct bugs in the Windows boot manager and Windows Recovery Environment (WinRE) let an attacker with physical access either skip BitLocker validation entirely or coerce the system into a state where the VMK is exposed — defeating the at-rest protection BitLocker is supposed to provide.

Am I affected?Quick check

Probably yes if any of these apply:

●Portable Windows devices protected by BitLocker (laptops, tablets)

●Servers in locations where physical access cannot be guaranteed (branch offices, co-location, edge sites)

Affected OS versions

Windows Server 2019

Real-world incidentsWhat we've seen

A laptop holding sensitive corporate data is stolen from a car. The thief — or a buyer of the stolen hardware — uses the boot-manager bypass to defeat BitLocker and read the drive, despite the disk being "encrypted." For organisations that rely on BitLocker for compliance (the "encrypted at rest, so a lost device is not a breach" argument), this bypass undermines that assurance until patched.

How to patch

Manual download

For air-gapped servers or out-of-band deployment. Microsoft Update Catalog returns every OS-version variant of this update.

↗ Microsoft Update CatalogKB5034127

Manual remediation steps

Note on this vulnerability

This is a physical-access BitLocker bypass, not a network or local-code-execution flaw. The patch updates the Windows Recovery Environment (WinRE); on some systems WinRE must be updated separately from the main cumulative update — see the Microsoft guidance for KB-specific WinRE servicing steps if the standard update does not remediate.

Prerequisites

Local administrator on the target server

Maintenance window with reboot capacity

Current backup or snapshot you can roll back to

Network path to Windows Update / WSUS / Microsoft Update Catalog

Estimated time

20–40 minutes per server (download + install + reboot)

Reboot required

Yes — install the cumulative update and reboot the server before the fix is active.

Steps

1. Confirm the server is missing the patch

Get-HotFix -Id KB5034127 -ErrorAction SilentlyContinue

2. Install the update — pick one channel

Windows Update / WSUS (preferred):

UsoClient ScanInstallWait

Manual download (offline / air-gapped):

Open Microsoft Update Catalog: https://catalog.update.microsoft.com/Search.aspx?q=KB5034127

Download the MSU for Windows Server 2019 that matches your architecture (x64).

Copy the .msu file to the server and run as Administrator.

3. Reboot

Restart-Computer -Force

Verification

Get-HotFix -Id KB5034127
[System.Environment]::OSVersion.Version

Rollback

wusa.exe /uninstall /kb:5034127 /quiet /norestart

Notes

This entry covers Windows Server 2019 specifically (KB5034127). Other Windows Server versions have their own KB for CVE-2024-20666.

Reference advisories: MSRC https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-20666 and NVD https://nvd.nist.gov/vuln/detail/CVE-2024-20666.

PowerShell automationComing soon

No tested PowerShell script for this entry yet. We’re prioritising automation based on user demand.

References

↗ CVE-2024-20666 ↗ MSRC Advisory ↗ NVD ↗ KBKB5034127