Windows 11 WinRE USB Input Regression Fixed by KB5070773 Patch

Microsoft pushed an out-of-band emergency patch this week to repair a Windows 11 recovery-mode failure that left many PCs unable to accept USB keyboard and mouse input inside the Windows Recovery Environment (WinRE), restoring the ability to navigate recovery menus and perform system repair operations on affected devices.

Background​

Microsoft shipped the October 14, 2025 security rollup (KB5066835) as part of its normal patch cadence. Within days, users began reporting that USB keyboards and mice stopped responding when the system booted into WinRE, rendering recovery options — including Reset this PC, Advanced Troubleshooting, Startup Repair and other recovery flows — effectively unusable unless the device had a touchscreen or an alternative input device. Microsoft confirmed the regression and flagged the issue in its release-health documentation.
On October 20, 2025 Microsoft released an out-of-band cumulative update (KB5070773) that includes the fixes and improvements from the October 14 rollup while addressing the WinRE USB input regression. The patch is published as two builds — OS Build 26200.6901 and OS Build 26100.6901 — and Microsoft describes the change specifically as a USB fix that restores keyboard and mouse functionality in WinRE.

---

Why this matters: WinRE is the last line of defense​

The Windows Recovery Environment is not an optional part of the operating system — it's the safety net users and administrators rely on when systems fail to boot, get corrupted, or require offline troubleshooting. WinRE hosts tools to:

• Repair startup and boot configuration
• Restore the system from images
• Remove problematic changes via system restore or Reset this PC
• Access advanced troubleshooting (Safe Mode, command prompt)
• Unlock BitLocker-protected drives using recovery keys

If standard input devices stop working inside WinRE, the practical consequence is severe: systems that would otherwise be repairable may become unusable without physical access to alternative input methods or pre-created recovery media. Because the issue only affected WinRE (USB input continued to work within the running Windows desktop), many users didn’t notice the regression until they actually needed the recovery tools.

---

Timeline: what happened, and how Microsoft responded​

• October 14, 2025 — Microsoft released KB5066835 as the October security update. Shortly after distribution, users reported that USB keyboards and mice were non-functional when using WinRE.
• October 17–18, 2025 — Microsoft marked the WinRE USB regression as a confirmed issue in its Windows Release Health dashboard and began investigating. The company also documented other related October update side-effects (smartcard authentication and protected media playback problems) as part of the same update cycle.
• October 20, 2025 — Microsoft published KB5070773 (OS Builds 26200.6901 and 26100.6901), an out-of-band cumulative update that specifically fixes USB input behavior in WinRE and re-releases the earlier security fixes in a stable form.

The speed of the response — an emergency OOB release within six days — indicates Microsoft judged the issue to be high-severity because it directly impacted the recovery surface of Windows devices. Multiple independent outlets covering Windows and enterprise IT corroborated the timeline and the severity.

---

The technical picture (what we can verify)​

• Symptom: After installing KB5066835, USB keyboards and mice do not function inside WinRE; devices continue to work normally in the regular Windows session. Microsoft’s support notes use identical language to describe the regression.
• Scope: Microsoft listed affected platforms as Windows 11, version 24H2; Windows 11, version 25H2; and Windows Server 2025. Multiple independent technology outlets reported the same affected versions.
• Fix: KB5070773 is an out-of-band cumulative update that includes the fixes from KB5066835 and adds a WinRE USB support fix. Microsoft’s KB entry explicitly references the USB fix and lists the two OS build numbers shipped with the update.
• WinRE updates: WinRE uses a separate SafeOS/WinRE image and Microsoft sometimes applies SafeOS dynamic updates to that image. If the WinRE image on a device has insufficient free space or has been manually modified, an automatic update might not refresh the WinRE image. Microsoft documents the procedure to manually mount WinRE, add an update package, and verify the WinRE package list. The WinRE update flow typically requires approximately 250 MB of free space on the recovery partition for dynamic updates to apply successfully.

Where Microsoft has not publicly disclosed root-cause details beyond “USB devices did not function in WinRE after KB5066835,” there is no authoritative public trace showing whether the regression came from a driver change, a SafeOS packaging error, or an interaction with OEM firmware. That lack of a deep public post‑mortem should be treated as an unverified gap in the record.

---

What Microsoft recommends — safe, practical remediation steps​

For most devices that can boot into Windows normally, the recommended path is simple: install KB5070773 via Windows Update, then reboot. The update is available through the normal Windows Update channel and is cumulative, so it includes the prior security content plus the WinRE fix.
For systems that cannot boot into Windows and that therefore cannot receive the automatic patch, Microsoft documented several immediate workarounds when the regression was current:

• Use a touchscreen: If the PC has a touchscreen, the on‑screen keyboard or touch navigation can be used to select WinRE options.
• Use PS/2 input hardware: Systems with PS/2 keyboard/mouse ports or compatible PS/2 dongles may allow input in WinRE.
• Use a previously created USB recovery drive: A recovery drive created before the regression will contain a working WinRE image and can be used to boot the device and perform repairs.
• Manually apply the WinRE update: Administrators can mount the WinRE image on a working machine, add the update package to the WinRE image and then reapply that WinRE image to devices — the Microsoft Learn guidance “Add an update package to Windows RE” covers the step‑by‑step process. Note that manual application and some dynamic updates require free space (≈250 MB) on the WinRE partition.

If a recovery drive was not created prior to the regression and the device lacks touchscreen or PS/2 support, the user is left with three realistic options: obtain a compatible PS/2 adapter (if the hardware supports legacy input), create a USB recovery drive from another matching Windows build and use it to boot the affected device, or contact the device OEM or support to obtain bootable recovery media. Third‑party repair shops and OEM service centers can also apply WinRE fixes offline. This is why proactive recovery‑media creation remains best practice.

---

Step-by-step: how to confirm whether you’re patched and how to update WinRE manually​

1. Check Windows build and update status:
   • Open Settings > Windows Update and confirm you have installed the cumulative update showing OS Build 26200.6901 or 26100.6901. If the build listed matches either number, the OOB patch is applied.
2. Verify WinRE status on a running PC:
   • Open an elevated Command Prompt and run: reagentc /info
   • Confirm Windows RE status is Enabled and take note of the WinRE location. If WinRE is disabled, that could be a separate configuration issue to resolve before applying updates.
3. Mount and update WinRE (advanced / for administrators):
   • Create a mount folder (md C:\Mount).
   • Mount WinRE: ReAgentC.exe /mountre /path C:\Mount
   • Add package: Dism /Add-Package /Image:C:\Mount\ /PackagePath:"C:\DownloadedUpdates\dynamicupdate.cab"
   • Validate the package: Dism /Image:C:\Mount\ /Get-Packages
   • Unmount and commit changes, then re‑enable WinRE if required.
     This procedure is shown in Microsoft’s “Add an update package to Windows RE” documentation and is the supported manual path for applying WinRE updates when automatic dynamic update does not occur. Note the 250 MB free recovery‑partition requirement for many dynamic WinRE updates.
4. If the recovery partition lacks space:
   • Use Microsoft’s guidance or the supplied script in the documentation to extend or recreate a suitably sized WinRE partition. Microsoft’s KB articles that ship WinRE updates consistently document the need for a 250 MB free threshold when dynamic updates are applied.

---

Impact assessment: who was hurt and how badly​

• Home users who never need to access WinRE and who can still boot to their desktop were minimally impacted after installing KB5070773; the patch restores normal behavior and the risk window was short.
• Power users and technicians were significantly affected when they had to perform offline recovery on systems that would not boot into Windows and lacked touchscreen or PS/2 input. For those users, the absence of a recent recovery USB or physical access to alternative input devices created a repair bottleneck.
• Enterprise environments with thousands of managed endpoints face amplified risk. In large rollouts, if a recovery-mode regression prevents administrators from fixing an outage remotely, on-site servicing or coordinated media deployment becomes necessary and costly. Enterprises that block automatic updates or have customized WinRE images must also verify that the WinRE image was updated correctly. Microsoft’s documented tools and guidance cover how to inspect and update WinRE images, but the manual process adds operational overhead.

---

Root‑cause transparency and testing questions​

Microsoft’s official notes identify and fix the symptom (USB input failure in WinRE) but do not publish a detailed forensic post‑mortem describing the precise change that caused the regression. Public coverage and Microsoft’s press materials confirm the regression and the remediation timeline, but an authoritative technical root‑cause analysis is not present in the KB entry. That absence is not unusual for security rollups and emergency patches, but it does leave room for valid questions:

• Did the regression stem from a SafeOS image packaging change, a driver/component mismatch, or a regression in how WinRE enumerates USB devices at pre‑boot?
• Why did the standard testing pipeline not catch the regression, given WinRE is a critical system component?
• Were OEM-specific firmware interactions a factor for certain devices?

Because Microsoft has not published a detailed technical write‑up, any assertion about the low‑level root cause would be speculative. That uncertainty should prompt cautious operational posture for administrators and more robust test plans for recovery‑mode scenarios.

---

Broader context: this was not the only October issue​

The WinRE USB regression was one of several issues tied to the October updates. Microsoft also logged and resolved smartcard authentication problems that were induced by a cryptographic hardening change (moving RSA-based smart card certificates from CSP to KSP), and Microsoft recorded playback problems in some BluRay/DVD/HDCP scenarios and issues with WUSA installs from network shares. Microsoft’s release‑health and update history pages list those known issues and their resolution statuses. Administrators should treat October’s rollout as a reminder that complex, interdependent systems can show regressions across multiple areas simultaneously.

---

Practical recommendations — immediate and long term​

• For end users:
  • If your device is running normally, install KB5070773 via Windows Update to close the risk window. The update contains security fixes plus the WinRE repair.
  • Create a USB recovery drive and keep it in a safe place. A recovery drive created before an update regression can be a lifesaver.
  • Store BitLocker recovery keys in a location separate from the device (Microsoft account, AD/Intune, or secure password manager). Recovery workflows increasingly rely on pre-stored keys.
• For IT administrators:
  • Stage updates on a representative test ring that includes machines with and without legacy input, touchscreen, and recovery‑partition configurations. Explicitly test WinRE entry and navigation after applying patches during validation.
  • Validate the WinRE image on deployed machines: reagentc /info and DISM package checks can show whether the SafeOS dynamic update landed on the recovery image. If not, follow Microsoft’s “Add an update package to Windows RE” guidance.
  • Ensure WinRE recovery partitions have sufficient free space (≈250 MB) so dynamic SafeOS updates can apply automatically; if not, plan a scheduled maintenance window to extend the partition or apply the update manually.
  • Consider blocking or deferring problematic rollups only after testing; balance the risk of security exposure against the risk of recovery regressions. Use pilot rings, feature‑gates, and staged rollouts.
• For OEMs and Microsoft:
  • Strengthen pre‑release validation for WinRE and SafeOS images across OEM firmware variants and device form factors (touchscreen vs non‑touchscreen, presence of PS/2 legacy ports, USB controller vendors).
  • Provide clearer post‑incident technical notes so administrators can evaluate root‑cause and take corrective measures for custom images.
  • Consider making WinRE dynamic updates more transparent in update telemetry for enterprises, so administrators know when the recovery image has been refreshed on each device. These are operational improvements that would reduce downtime risk after future regressions.

---

The takeaway: fast response, lingering questions​

Microsoft’s emergency out‑of‑band update successfully restored WinRE USB input for affected Windows 11 and Server 2025 platforms within a matter of days, and the KB5070773 package is the correct remediation for most users. The event, however, underlines two persistent realities for Windows administrators and power users:

• Recovery environments are fragile and critically important. A regression that only affects pre‑boot or recovery components can have an outsized operational impact compared with desktop bugs.
• Even with aggressive telemetry and test automation, complex updates can produce regressions that escape detection until they are broadly deployed. Robust staging, recovery media, and clear, documented manual update paths for WinRE are essential mitigations.

In short, the immediate problem is fixed for patched systems, but the incident should be treated as a prompt to review recovery preparedness, update validation processes, and WinRE maintenance practices across both consumer and enterprise fleets.

---

Quick checklist — what to do now​

1. Open Settings > Windows Update and confirm your build is 26200.6901 or 26100.6901; install pending updates if not patched.
2. Create a USB recovery drive and store it securely off the device.
3. Run reagentc /info and DISM checks to verify WinRE status and packages if you manage fleets. Apply the WinRE package manually if the dynamic update didn’t land.
4. For unbootable devices without touchscreen or PS/2 support and no recovery drive, obtain a recovery media image from another machine with the same Windows build or contact OEM support.

---

Microsoft resolved the immediate WinRE USB regression by shipping KB5070773 quickly; that rapid turnaround reduced the window of vulnerability. The larger lesson is procedural: assume that recovery-mode behavior should be part of every patch validation plan, because when recovery fails, the normal desktop becomes a poor proxy for device health.

---

Source: Gadgets 360 https://www.gadgets360.com/internet...ate-usb-input-bug-fix-update-rollout-9508499/