We are excited to announce the Public Preview of Azure Policies to audit and enable Windows Recovery Environment (WinRE) for Azure Arc-enabled servers. This helps to deliver on a more resilient Windows Server experience across hybrid environments.
Windows Recovery Environment is a secure, isolated partition that enables diagnostics and repair when a system encounters critical failures – such as a stop error (commonly known as the blue screen of death). WinRE provides a reliable fallback mechanism for mission-critical workloads, allowing IT administrators to recover systems quickly and securely.
With this Public Preview, Azure Arc introduces a set of Azure Policies that allow organizations to audit and enable WinRE across their fleet of Arc-enabled Windows Servers. These policies are powered by the Machine Configuration component of the Azure Connected Machine agent, which ensures secure and compliant configuration enforcement.
Through these Azure Policies, the Azure Connected Machine agent detects whether WinRE is configured and reports its health status. If WinRE is not configured but the WinRE partition has been provisioned, customers can enable WinRE through the Azure Policy.
These Azure Policies are available at no additional cost for servers covered under:
- Windows Server 2012 Extended Security Updates (ESUs)
- Microsoft Defender for Servers Plan 2
- Windows Server Software Assurance attestation
- Windows Server Pay-as-you-Go licensing
For other servers, these policies will incur charges associated with Azure Machine Configuration.
To get started, deploy and assign these Azure Policies to Azure Arc-enabled servers in your existing subscription:
- [Preview]: Audit Windows machines that do not have Windows Recovery Environment (WinRE) enabled
- [Preview]: Configure Windows Recovery Environment (WinRE) on Windows machines
Auditing and enabling WinRE through Azure Arc underscores Azure Arc's growing ability to provide resiliency across hybrid, multicloud, and edge workloads.