IRONSMITHINTEL
HIGH | CVSS 6.8
CVE-2024-20666 | Auth: physical access required | Reboot: required | Est. 45–90 minutes including reboot and WinRE update | Manual only

KB5034441: Windows Server 2022 Cumulative Update (January 2024)

The January 2024 cumulative update for Windows Server 2022 patches CVE-2024-20666, a BitLocker security feature bypass that allows an attacker with physical access to read encrypted drive contents. Critical for servers with sensitive data using BitLocker encryption.

Published Jan 9, 2024 · Updated May 10, 2026
Why patch: risk explained in plain English

Worst-case scenario if unpatched

An attacker with physical access to a server room — or a malicious insider — can use this vulnerability to extract BitLocker-protected data without knowing the encryption key. For servers storing sensitive data (databases, file servers, backup servers), this represents a significant data breach risk if physical security is imperfect.

How the attack works

CVE-2024-20666 allows an attacker with physical access to a BitLocker-encrypted server to bypass the encryption protection and read the protected data. The flaw exists in the Windows Recovery Environment (WinRE) boot process. January 2024's update patches both the main OS and WinRE to close this attack path.

Am I affected? Quick check

Probably yes if any of these apply:

All Windows Server 2022 systems using BitLocker
Servers in shared or co-location datacenters
Running Windows Server 2022 prior to KB5034441

Affected OS versions

Windows Server 2022
Fixed in: KB5034441

Real-world incidents: what we've seen

A datacenter physical security incident at a co-location facility allows an unknown party access to a server cabinet. The servers use BitLocker for data protection, but CVE-2024-20666 allows the attacker to mount the encrypted volume using the WinRE bypass. Without January 2024's patch, BitLocker does not provide the intended protection against this access scenario.

How to patch

Manual download

For air-gapped servers or out-of-band deployment. Microsoft Update Catalog returns every OS-version variant of this update.

↗ Microsoft Update Catalog: KB5034441 (https://catalog.update.microsoft.com/search.aspx?q=KB5034441)

Manual remediation steps

45–90 minutes including reboot and WinRE update

Check if KB5034441 is Installed

Get-HotFix -Id KB5034441

Check BitLocker Status

# Confirm BitLocker is active on all drives
Get-BitLockerVolume | Select-Object MountPoint, VolumeStatus, ProtectionStatus, EncryptionMethod

Apply the Patch

# Note: This update also patches WinRE — additional steps required
# Step 1: Apply KB5034441 via Windows Update or catalog
# Download from https://catalog.update.microsoft.com/search.aspx?q=KB5034441

# Step 2: Update WinRE partition (run after reboot)
ReAgentc /info
# If WinRE is enabled, follow Microsoft's KB5028997 guidance, which includes a WinRE update script

Verify

Get-HotFix -Id KB5034441
ReAgentc /info  # Confirm WinRE version is updated
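
The steps above are spread over several one-liners; the script below (an added example written for this entry, not code from the original page or from Microsoft) folds the pre-flight and post-patch checks into one run: is KB5034441 present, which BitLocker volumes are encrypted but not protected, is WinRE enabled and where does it live, and how much room the recovery partition has for the WinRE update. It assumes an elevated PowerShell session on Windows Server 2022 with the BitLocker and Storage modules available; the partition-type GUID it matches is the standard GPT "Windows Recovery" type, and the KB5028997 reference in the comments is the same Microsoft resize guidance the steps above already point to.

```powershell
# Added example (not from the original page): pre-flight and post-patch checks
# for KB5034441 on Windows Server 2022. Assumes an elevated session with the
# BitLocker and Storage modules. Exit code 0 = hotfix installed and WinRE enabled.

$KbId = 'KB5034441'
# Standard GPT partition-type GUID for a Windows Recovery partition
$RecoveryPartitionGuid = 'de94bba4-06d1-4d40-a16d-b1f4bd4e4e6c'

function Test-HotfixInstalled {
    param([string]$Id)
    return [bool](Get-HotFix -Id $Id -ErrorAction SilentlyContinue)
}

function Get-BitLockerSummary {
    # One object per volume; NeedsAttention flags an encrypted volume whose
    # protectors are suspended (ProtectionStatus Off), which the patch does not fix.
    Get-BitLockerVolume | ForEach-Object {
        [pscustomobject]@{
            MountPoint       = $_.MountPoint
            VolumeStatus     = $_.VolumeStatus
            ProtectionStatus = $_.ProtectionStatus
            EncryptionMethod = $_.EncryptionMethod
            NeedsAttention   = ($_.VolumeStatus -ne 'FullyDecrypted' -and $_.ProtectionStatus -ne 'On')
        }
    }
}

function Get-WinReState {
    # reagentc /info prints lines such as "Windows RE status: Enabled" and
    # "Windows RE location: \\?\GLOBALROOT\device\harddiskN\partitionM\Recovery\WindowsRE"
    $output   = & reagentc.exe /info 2>&1
    $status   = ($output | Select-String -Pattern 'Windows RE status:\s*(\w+)').Matches |
                ForEach-Object { $_.Groups[1].Value } | Select-Object -First 1
    $location = ($output | Select-String -Pattern 'Windows RE location:\s*(.+)$').Matches |
                ForEach-Object { $_.Groups[1].Value.Trim() } | Select-Object -First 1
    [pscustomobject]@{ Status = $status; Location = $location }
}

function Get-RecoveryPartitionInfo {
    # Size and free space of each recovery partition. The WinRE update needs free
    # space here; if the partition is too small, Microsoft's KB5028997 describes
    # how to resize it manually.
    Get-Partition | Where-Object { $_.GptType -eq "{$RecoveryPartitionGuid}" } |
        ForEach-Object {
            $vol = $_ | Get-Volume -ErrorAction SilentlyContinue
            [pscustomobject]@{
                DiskNumber      = $_.DiskNumber
                PartitionNumber = $_.PartitionNumber
                SizeMB          = [math]::Round($_.Size / 1MB)
                FreeMB          = if ($vol) { [math]::Round($vol.SizeRemaining / 1MB) } else { $null }
            }
        }
}

# --- report ---
$installed = Test-HotfixInstalled -Id $KbId
Write-Host ("{0} installed: {1}" -f $KbId, $installed)

Write-Host "`nBitLocker volumes:"
Get-BitLockerSummary | Format-Table -AutoSize

$winre = Get-WinReState
Write-Host ("WinRE status: {0}  location: {1}" -f $winre.Status, $winre.Location)

Write-Host "`nRecovery partition(s):"
Get-RecoveryPartitionInfo | Format-Table -AutoSize

if (-not $installed) {
    Write-Warning "$KbId is missing: apply the update, reboot, then re-run this check."
    exit 1
}
if ($winre.Status -ne 'Enabled') {
    Write-Warning "WinRE is not enabled; the WinRE half of the fix cannot be applied until it is."
    exit 2
}
exit 0
```

Run it once before patching to capture a baseline (hotfix absent, recovery partition size) and once after the reboot and WinRE update; a non-zero exit code makes it easy to wire into a fleet-wide inventory job.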
PowerShell automation: coming soon

No tested PowerShell script for this entry yet. We’re prioritising automation based on user demand.

CVEs in this update: 1 fix · Patch-to-CVE mapping

Patch ID  | CVE ID         | Vulnerability Name / Type                          | CVSS | Reference
KB5034441 | CVE-2024-20666 | Windows BitLocker Encryption — Windows Server 2022 | 6.8  | NVD ↗