Forum Discussion
BLOG: Guidance for Windows Recovery partition (WinRE) patching and why you would need it
This is an extended blog, which continues in comments.
Why is the WinRE partition discussed so controversially on the web?
When you want to enlarge C (the OS partition) in a VM and the WinRE partition is in the way, the most common advice is to delete the WinRE partition to resolve this limitation. This is bad advice imho.
Why keep the WinRE partition?
The WinRE partition gives you access to several different options, including:
- Uninstalling updates *pre-boot* that prevent the system from starting. This doesn't happen very often, but it can happen.
This feature has been added to WinRE starting with Windows Server 2022 and Windows 10 22H2 / Windows 11 22H2 or newer. It is quite unknown, though.
- Leveraging Quick Machine Recovery, perfectly described by Rudy Ooms in this blog.
- Direct UEFI setup (BIOS) access, even with fast boot enabled. Use Shift + Restart from within Windows.
- Device restore or other troubleshooting steps, such as access to Safe Boot.
GPT / UEFI is required for this and recommended anyway for both Windows Server and client.
What is the correct location of the WinRE partition?
Ideally you only have one WinRE Partition on your OS disk.
If you find that your WinRE partition is located to the left of the OS boot drive (C), it was installed by a bugged release (old ISO). I am sure it was Windows Server 2019 when we noticed that, aka Windows 10 1809. See below for why I am certain.
When installing Windows, and especially Windows Server, always use the latest ISO for fixes like this or for in-place upgrades.
Very unfortunately, there is no such updated ISO for Windows Server 2016.
They started patching the ISOs on a monthly basis with Windows Server 2019. You can access your latest ISOs either via my.visualstudio.com (Dev / Test use only) or via admin.microsoft.com for VLSC or CSP production use. More information can be found in the comment below.
Why do I have more than one WinRE partition?
- This often happened when the existing partition could not be enlarged during an in-place upgrade. Maybe also a bug. I haven't seen this for a long time; it was common before Windows 10 1809.
- When installing more than one Windows on one or several physical disks, Windows Setup unfortunately will not reuse existing WinRE partitions but creates another one for each Windows instance. This is known as side-by-side installation or, more commonly, "Windows OS multi-boot". Each OS instance creates and maintains its own WinRE partition (by design).
Windows OS multi-boot is a common scenario for users who use designated Windows installations for specific use cases, like Windows Insiders testing different Insider branches on one physical machine and disk. Speaking for myself, I use multi-boot for Windows 11 to separate gaming from productive work and to evaluate Windows Server Insider. Please mind that each instance requires a separate license.
Why is patching Windows RE important?
There is a 2024 CVE that needs to be addressed. Please find more information in the comments below on the how-to: patching the WinRE CVE and remediating the failing 01-2024 LCU.
More information on how to actually fix this can be found in this comment below.
How to relocate the WinRE partition?
A WinRE partition to the left of C (the OS partition) makes no sense, as Windows still cannot move partitions to the right or left (although it is technically possible). Windows can only shrink partitions, not move them.
Mind that if you change / delete WinRE partitions, you need to inform Windows about it via reagentc.exe.
These tools can be used:
- Windows Diskpart
- Settings app > Storage settings > Advanced storage settings > Disks and volumes (Windows 10 22H2 / Windows 11 22H2 / Windows Server 2022 or newer)
- diskmgmt.msc on all legacy OS (Windows key + X > Disk Management)
- Trusted 3rd party tool for home use (Windows 10 / 11), or paid for Windows Server use: MiniTool Partition Wizard (Free), available through winget.
I formerly recommended MiniTool Partition Wizard without reservation, but they now have a paywall. If you are OK with that, I would still recommend it. Legacy tools like Acronis Partition Wizard are no longer optimized for SSD / NVMe.
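To see at a glance whether a machine has the layout this section recommends, here is an added PowerShell audit (my own example, not code from the original post): it lists every Recovery-type partition on the OS disk, flags partitions to the left of C and duplicates, and uses the path printed by reagentc /info to identify the one Windows RE is actually registered to. It assumes an elevated PowerShell on a GPT / UEFI system; the 250 MB free-space threshold is an assumption to compare against the KB linked in the replies.

```powershell
# Added example, not from the original post. Run elevated on a GPT / UEFI system.
function Get-WinReAudit {
    param([int]$MinFreeMB = 250)   # assumed threshold; compare with the KB linked in the replies

    $osPart = Get-Partition -DriveLetter $env:SystemDrive.TrimEnd(':')
    $disk   = $osPart.DiskNumber

    # reagentc prints a path like \\?\GLOBALROOT\device\harddisk0\partition4\Recovery\WindowsRE.
    # The labels are localized, the path is not, so only the path is parsed for the partition.
    $info = (& reagentc.exe /info 2>&1) -join "`n"
    $registered = $null
    if ($info -match 'harddisk(\d+)\\partition(\d+)' -and [int]$Matches[1] -eq $disk) {
        $registered = [int]$Matches[2]
    }

    $recovery = @(Get-Partition -DiskNumber $disk | Where-Object Type -eq 'Recovery' | Sort-Object Offset)
    $rows = foreach ($p in $recovery) {
        $vol = $p | Get-Volume -ErrorAction SilentlyContinue   # recovery volumes carry no drive letter
        [pscustomobject]@{
            Partition  = $p.PartitionNumber
            SizeMB     = [math]::Round($p.Size / 1MB)
            FreeMB     = if ($vol) { [math]::Round($vol.SizeRemaining / 1MB) } else { $null }
            LeftOfC    = ($p.Offset -lt $osPart.Offset)         # the bugged-ISO layout
            Registered = ($p.PartitionNumber -eq $registered)    # the one reagentc knows about
        }
    }

    # Findings a practitioner cares about, derived from the rows above.
    if ($recovery.Count -eq 0) { Write-Warning "No Recovery partition on disk $disk; WinRE may be disabled or on another disk." }
    if ($recovery.Count -gt 1) { Write-Warning "$($recovery.Count) Recovery partitions on disk $disk; only the registered one is in use." }
    foreach ($r in $rows) {
        if ($r.LeftOfC) { Write-Warning "Partition $($r.Partition) sits left of C and cannot be grown by shrinking C." }
        if ($r.Registered -and $null -ne $r.FreeMB -and $r.FreeMB -lt $MinFreeMB) {
            Write-Warning "Registered WinRE partition $($r.Partition) has $($r.FreeMB) MB free (< $MinFreeMB MB)."
        }
    }
    if ($registered -and -not ($rows | Where-Object Registered)) {
        Write-Warning "reagentc points at partition $registered, which is not a Recovery-type partition on disk $disk."
    }
    $rows
}

Get-WinReAudit | Format-Table
```

A healthy single-boot machine shows exactly one row with LeftOfC false and Registered true; anything else is the situation the sections above describe.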
Bonus: Use partitioning tools for Windows Server / expanding WinRE / resizing or moving the OS drive
- Create a PAWS VM (client or server) on Azure Local, Azure, Hyper-V, VMware etc.
- Buy the tool (acquire a license, required for Windows Server use).
- Install the license on the PAWS.
- Shut down the affected VM.
- Attach the affected virtual disk to the PAWS VM and do the resize job.
- Attach the modified disk back to the original VM.
Pro: easy and cost-efficient in terms of licensing.
Cons: downtime and a manual task.
Hope this is helpful to you. Appreciate your likes, spreading the word.
3 Replies
As the information dripped in over time, I recently received feedback that, on the matter of the 01-2024 LCU patching issues with WinRE, the article was not structured enough to provide a clear solution.
Information and guidance from Microsoft on the matter: "Automatic resolution of this issue won't be available in a future Windows update. Manual steps are necessary to complete the installation of this update on devices which are experiencing this error."
Affected platforms:
Client: Windows 11, version 21H2; Windows 10, version 22H2; Windows 10, version 21H2
Server: Windows Server 2022
What is the WinRE security update about and why is it failing?
https://learn.microsoft.com/en-us/windows/release-health/status-windows-10-22H2#the-january-2024-windows-re-update-might-fail-to-install
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-20666
External References:
https://www.csoonline.com/article/1306871/how-to-protect-against-bitlocker-bypassing-vulnerabilities-in-windows-recovery-partitions.html
Thank you SusanBradleyGeek.
HOW-TO FIX, Microsoft solution
https://support.microsoft.com/en-us/topic/kb5028997-instructions-to-manually-resize-your-partition-to-install-the-winre-update-400faa27-9343-461c-ada9-24c8229763bf
HOW-TO FIX, Community solutions:
APPROACH 1: There is also an unofficial guide for this (not tested by myself, nor endorsed or supported by Microsoft)
https://manima.de/2024/01/winre-patching-round-2/
APPROACH 2:
"I've integrated it with Intune and PSADT; it's going very well and we're able to increase the recovery partition sizes for several thousand computers with graceful restarts and detection coming from Intune's application model."
https://github.com/MHimken/WinRE-Customization/blob/main/Patch-WinRE.ps1
Caveat: please check the code and test it before bulk execution. It reads promising. I do not see a reason why this could not work with Windows Server, too.
Conclusion:
I am still optimistic Microsoft will withdraw the 01-2024 update and release something improved. For Windows Server 2025 and Windows 11 24H2 I hope that the WinRE partition will be patched, recreated and enlarged to 1 GB to avoid future issues.
Happy patching!
Patching Secure Boot
Besides the situation that revolves around WinRE patching since January 2024, there is a new vector that requires low-level patching and actions.
Please consider this article about Secure Boot patching, in addition to the original post. This article itself offers more links to dive deeper into the topic.
Please read these carefully, to avoid making your device non-bootable.
Read on why:
https://techcommunity.microsoft.com/t5/windows-it-pro-blog/updating-microsoft-secure-boot-keys/ba-p/4055324
Read on how to patch Secure Boot:
https://techcommunity.microsoft.com/t5/windows-it-pro-blog/revoking-vulnerable-windows-boot-managers/ba-p/4121735
How to update the Secure Boot certificate with a PowerShell script (official Microsoft solution)
Learn about the Microsoft timeline and technical dependencies:
https://support.microsoft.com/en-us/topic/kb5025885-how-to-manage-the-windows-boot-manager-revocations-for-secure-boot-changes-associated-with-cve-2023-24932-41a975df-beb2-40c1-99a3-b3ff139f832d
Great reference on Secure Boot:
https://nbviewer.org/github/microsoft/MSRC-Security-Research/blob/master/presentations/2024_05_OffensiveCon/OffensiveCon24_Booting_With_Caution_BDemirkapi.pdf
Thank you SusanBradleyGeek !
Explaining why "WinRE should be located on the right-hand side of the C partition."
Let's have a look at the default layout for GPT / Secure Boot based PCs starting from Windows 8.1 and later / Hyper-V Gen 2 / modern VMware VMs etc.
With Windows 8.1 and Windows Server 2012 R2, or at the latest with Windows Server 2016 or newer, GPT / Secure Boot should be (should have been) the norm in environments.
Yet at the time many OEMs and integrators chose MBR for compatibility with Windows 7 / 2008 R2 and hardware built before ~2014.
For an easier transition to later OS versions, such as Windows Server 2019, 2022 and the upcoming Windows Server 2025, GPT / UEFI is highly recommended. Keep in mind that VBS on Windows Server 2022 and later requires UEFI / GPT.
Here's the same for MBR-based legacy computers / VMs (Hyper-V Gen 1) and older (unconverted) VMware VMs.
https://learn.microsoft.com/en-us/windows-hardware/manufacture/desktop/configure-biosmbr-based-hard-drive-partitions?view=windows-11#partition-layout
In this example the WinRE partition is located "right" of the OS partition (C drive) for legacy OS / VMs.
Convert MBR2GPT / UEFI with the MS tool
The mbr2gpt conversion tool has been included since Windows 10 1809 / Windows Server 2019.
The tool works great, but only for the OS drive.
Caveats of MBR2GPT
- Your hardware / BIOS must support UEFI / Secure Boot.
- Your dedicated GPU BIOS must support UEFI GOP.
- MBR2GPT will fail if there are too many primary partitions (for example OS and 2 or more user-formatted data partitions, or OEM partitions + user data partitions). This is a technical limitation of MBR: the number of primary partitions allowed with MBR is lower than with GPT.
If you cannot afford to clean up, use the named paid 3rd party tools. A backup is recommended, but I have never seen this conversion fail with data loss occurring (just saying).
The drawbacks of MBR (imho)
- Max partition size is limited to 2 TB.
- Fewer primary partitions allowed.
- No Secure Boot support, and theoretically there are still viruses that infect MBR boot sectors, whereas I never heard about these adopting GPT and Secure Boot.
- Slower boot-up time compared to GPT / UEFI, as the BIOS needs to emulate "BIOS / IDE mode" etc. This is also measurable in VMs.
- Secure Boot lays the foundation for modern security with fTPM / vTPM and the set of Secured-core features including VBS. MBR-based hardware or VMs cannot be secured at that low level.
- UEFI supports more features such as mouse emulation and gets rid of legacy stuff like IDE mode etc. The bootloader for Windows + Linux is digitally signed, whereas MBR allows any bootloader or even rootkits.
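As an added example of my own (not from the reply above), a small PowerShell pre-check to run before the conversion: it reports the partition style and primary-partition count the caveats above refer to, the firmware mode Windows currently booted in, and the exit code of MBR2GPT's own read-only validation pass. It assumes an elevated PowerShell and that mbr2gpt.exe is available (Windows 10 1809 / Windows Server 2019 or newer, as stated above).

```powershell
# Added example, not from the original reply. Read-only: /validate inspects, it does not convert.
function Test-Mbr2GptReadiness {
    param([int]$DiskNumber = 0)

    $disk  = Get-Disk -Number $DiskNumber
    $parts = @(Get-Partition -DiskNumber $DiskNumber)
    # MBR allows four primary partitions and MBR2GPT needs a free slot for the new EFI system
    # partition, so extended / logical entries are excluded from the count that matters.
    $primaries = @($parts | Where-Object { $_.Type -notin @('Extended', 'Logical') })

    $result = [ordered]@{
        Disk           = $DiskNumber
        PartitionStyle = $disk.PartitionStyle     # 'MBR' or 'GPT'
        PrimaryCount   = $primaries.Count
        FirmwareMode   = $env:firmware_type       # 'Legacy' until the firmware is switched to UEFI
        ValidateExit   = $null                    # 0 means the tool accepts the disk for conversion
    }

    if ($disk.PartitionStyle -eq 'MBR') {
        # /allowFullOS lets the tool run from the running OS instead of WinPE.
        & mbr2gpt.exe /validate /disk:$DiskNumber /allowFullOS | Out-Null
        $result.ValidateExit = $LASTEXITCODE
        if ($result.PrimaryCount -gt 3) {
            Write-Warning "Disk $DiskNumber has $($result.PrimaryCount) primary partitions; free one before converting."
        }
    }
    else {
        Write-Warning "Disk $DiskNumber is already $($disk.PartitionStyle); nothing to convert."
    }
    [pscustomobject]$result
}

Test-Mbr2GptReadiness -DiskNumber 0
```

The firmware and GPU capabilities from the first two caveats cannot be read from inside the OS, so confirm those in the BIOS / UEFI setup before switching the boot mode after a successful conversion.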