Feb 19 2024 02:00 AM - edited May 06 2024 03:25 AM
Windows Client and Server should have this WinRE Partition.
You want to enlarge the C (OS Partition) in a VM and the WinRE partition is in the way. The most common advice is to delete the WinRE partition. And this is bad advice imho.
The WinRE partition enables you to access different options, including uninstalling updates *pre-boot* that prevent a system startup. This doesn't happen very often but it can happen.
This feature has been added to WinRE starting with Windows Server 2022, and Windows 10 22H2 / Windows 11 22H2, or newer. It is quite unknown, though.
You can do more, like direct UEFI access and troubleshooting.
GPT / UEFI is required, and recommended anyway, for both Windows Server and Client.
Proper location and number of WinRE partitions on a physical disk
1. WinRE should be located on the right-hand side of the C partition
If you find that your WinRE is located left of the OS boot drive (C), it has been installed by a bugged release (old ISO). I am sure it was Windows Server 2019 when we noticed that. Aka Windows 10 1809. See below why the certainty.
When installing Windows or especially Windows Server, always use the latest ISO for fixes like this or for in-place upgrades.
There is no such updated ISO for Windows Server 2016, very unfortunately.
They started patching them on a monthly basis with Windows Server 2019. You can access your latest ISOs either via my.visualstudio.com (Dev / Test use only), or admin.microsoft.com for VLSC or CSP production use.
2. There could be more than two WinRE partitions to the right hand side of the C partition
This often happened when the existing one could not be enlarged during an in-place upgrade.
Maybe also a bug. Haven't seen this for a long time. It was common before Windows 10 1809.
It is common though if you are using more than one Windows Installation on one physical disk. This is known as side-by-side installation or more commonly "Windows OS multi-boot".
Each OS will create and maintain its own WinRE Partition (by design).
Multi-boot is common for people that use designated Windows Installation for specific use cases, like Windows Insiders to test different Insider branches on one physical machine and disk.
More information can be found in the comment below.
Patching Windows RE is important
There is a 2024 CVE that needs to be addressed.
Please find more information in the comments below on the "How-to": patching the WinRE CVE and remediating the 01-2024 LCU failing.
More information on how to actually fix this can be found in this comment below.
Relocate WinRE partition
A WinRE Partition left of C (OS Partition) makes no sense as Windows still may not move partitions to the right or left (while technically possible). Windows can only shrink partitions.
As such I don't get how one can at all shrink C (to the right only).
Mind that if you change / delete WinRE partitions you need to inform Windows about it via reagentc.exe.
These are tools you have at hand:
Formerly recommended Minitools Partition Wizard but they now have a paywall. If you are ok I would still recommend it. These can do everything!
Acronis Partition Wizard isn't nice: too old code and slow. Not optimized for SSD / NVMe.
Both recommendable tools are available through winget.
Bonus: Use Partitioning tools for Windows Server / Expanding WinRE / Resize OS Drive
Pro: easy and licensing costs savvy
Cons: Downtime and manual task
Hope this is helpful to you. Appreciate your likes, spreading the word.
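The layout points from the post above (WinRE to the right of C, the number of recovery partitions, and what reagentc.exe has registered) can be checked with a read-only audit before any resize. This is an added example, not part of the original post and not a Microsoft tool; it assumes an elevated PowerShell session with the built-in Storage module, and the function name Get-WinRELayout is hypothetical.

```powershell
# Added example: read-only audit of WinRE partitions on the OS disk. Run elevated.
$RecoveryGpt = '{de94bba4-06d1-4d40-a16a-bfd50179d6ac}'  # GPT type GUID of a Windows recovery partition
$RecoveryMbr = 0x27                                       # MBR type ID used for WinRE partitions

function Get-WinRELayout {   # hypothetical helper name
    $os    = Get-Partition -DriveLetter ($env:SystemDrive.TrimEnd(':'))
    $style = (Get-Disk -Number $os.DiskNumber).PartitionStyle

    # reagentc prints the registered image path, e.g. ...\harddisk0\partition4\Recovery\WindowsRE
    $info = (reagentc.exe /info) -join "`n"
    $reg  = if ($info -match 'harddisk(\d+)\\partition(\d+)') {
        @{ Disk = [int]$Matches[1]; Partition = [int]$Matches[2] }
    }

    # Every recovery-typed partition on the same disk as the OS partition, in on-disk order
    $recovery = @(Get-Partition -DiskNumber $os.DiskNumber | Where-Object {
        $_.GptType -eq $RecoveryGpt -or $_.MbrType -eq $RecoveryMbr
    } | Sort-Object Offset)

    foreach ($p in $recovery) {
        [pscustomobject]@{
            Disk           = $p.DiskNumber
            Partition      = $p.PartitionNumber
            PartitionStyle = $style
            SizeMB         = [math]::Round($p.Size / 1MB)
            Position       = if ($p.Offset -gt $os.Offset) { 'right of OS partition' } else { 'left of OS partition' }
            Registered     = [bool]($reg -and $reg.Disk -eq $p.DiskNumber -and $reg.Partition -eq $p.PartitionNumber)
        }
    }
}

$layout = @(Get-WinRELayout)
$layout | Format-Table -AutoSize

if ($layout.Count -eq 0) { Write-Warning 'No recovery partition found on the OS disk.' }
if ($layout.Count -gt 1) { Write-Warning 'More than one recovery partition: check for in-place upgrade leftovers or multi-boot.' }
if ($layout | Where-Object { $_.Position -like 'left*' }) {
    Write-Warning 'A recovery partition sits left of the OS partition.'
}
if (-not ($layout | Where-Object Registered)) {
    Write-Warning 'reagentc does not point at a recovery partition on this disk (disabled, or image stored elsewhere).'
}
```

The script changes nothing on disk; it only reports which partition Windows currently considers its WinRE and where it sits relative to C.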
Feb 27 2024 10:24 AM - edited May 06 2024 03:09 AM
Explaining why "WinRE should be located on the right-hand side of the C partition."
Let's have a look at the default layout for GPT / Secure Boot Based PC starting from Windows 8.1 and later / Hyper-V Gen 2 / Modern VMware VMs etc.
With Windows 8.1 and Windows Server 2012 R2 or latest Windows Server 2016 or newer GPT / Secure Boot should be (should have been) the norm in environments.
Yet at the time many OEMs and integrators chose MBR for compatibility with Windows 7 / 2008 R2 and hardware built before ~2014.
For an easier transition to later OS, such as Windows Server 2019, 2022 and upcoming Windows Server 2025 versions, GPT / UEFI is highly recommended. Keep in mind Windows Server 2022 and later VBS requires UEFI / GPT.
Here's the same but for MBR based legacy computers / VMs (Hyper-V Gen 1) and older (unconverted) VMware VMs.
https://learn.microsoft.com/en-us/windows-hardware/manufacture/desktop/configure-biosmbr-based-hard-...
In this example the WinRE partition is located “right” to the OS Partition (C drive) for legacy OS / VMs
Convert MBR2GPT / UEFI with MS Tool
The mbr2gpt Conversion Tool is included since Windows 10 1809 / Windows Server 2019.
The tool works great but just for OS drive.
Caveats of MBR2GPT
your hardware / BIOS must be capable of supporting UEFI / Secure Boot
your dedicated GPU BIOS must support UEFI GOP
MBR2GPT will fail if there are too many primary partitions (example OS and 2 or more user formatted data partitions, or OEM partitions + user data partitions). This is a technical limitation of MBR. The count of allowed primary partitions with MBR is lower than with GPT.
If you cannot afford to clean up, use named paid 3rd party tools. Backup is recommended, but never seen this conversion failing with data loss occurred (just saying).
The drawbacks of MBR (imho)
Apr 03 2024 03:53 PM - edited May 06 2024 04:40 AM
As the information dripped in over the time, recently received the feedback that on the matter of 01-2024 LCU patching issues with WinRE the article was not structured enough to provide a clear solution.
Information and guidance from Microsoft on the matter:
Automatic resolution of this issue won't be available in a future Windows update. Manual steps are necessary to complete the installation of this update on devices which are experiencing this error.
Affected platforms:
Client: Windows 11, version 21H2; Windows 10, version 22H2; Windows 10, version 21H2
Server: Windows Server 2022
What is it about the WinRE security update and why it is failing?
https://learn.microsoft.com/en-us/windows/release-health/status-windows-10-22H2#the-january-2024-win...
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-20666
External References:
https://www.csoonline.com/article/1306871/how-to-protect-against-bitlocker-bypassing-vulnerabilities...
Thank you @SusanBradleyGeek.
HOW-TO FIX, Microsoft solution
https://support.microsoft.com/en-us/topic/kb5028997-instructions-to-manually-resize-your-partition-t...
HOW-TO FIX, Community solutions:
APPROACH 1:
There is also an unofficial guide for this (not tested myself, not endorsed or supported by Microsoft)
https://manima.de/2024/01/winre-patching-round-2/
APPROACH 2:
"I've integrated it with Intune and PSADT; it's going very well and we're able to increase the recovery partition sizes for several thousand computers with graceful restarts and detection coming from Intune's application model."
https://github.com/MHimken/WinRE-Customization/blob/main/Patch-WinRE.ps1
Caveat: Please check the code and test before bulk execution. It reads promising. I do not see a reason why this could not work, too, with Windows Server.
Conclusion:
I am still optimistic Microsoft will withdraw the 01-2024 update and release something improved. For Windows Server 2025 and Windows 11 24H2 I hope that the WinRE partition will be patched, recreated and enlarged to 1 GB to avoid future issues.
Happy patching!
May 02 2024 05:04 AM - edited May 16 2024 03:49 PM
Patching Secure Boot
Next to the situation that revolves around WinRE patching since January 2024, there is a new vector that requires low-level patching and actions.
Please consider this article about Secure Boot patching, in addition to the original post. This article itself offers more links to deep dive into the topic.
Please read these carefully, to avoid making your device non-bootable.
Read on why
https://techcommunity.microsoft.com/t5/windows-it-pro-blog/updating-microsoft-secure-boot-keys/ba-p/...
Read on How-To patching Secure Boot
https://techcommunity.microsoft.com/t5/windows-it-pro-blog/revoking-vulnerable-windows-boot-managers...
Learn about the Microsoft timeline and technical dependencies
https://support.microsoft.com/en-us/topic/kb5025885-how-to-manage-the-windows-boot-manager-revocati...
Great reference on Secure Boot:
https://nbviewer.org/github/microsoft/MSRC-Security-Research/blob/master/presentations/2024_05_Offen...
Thank you @SusanBradleyGeek !
May 06 2024 03:29 AM - edited May 06 2024 03:29 AM
Hi everyone,
after user feedback I looked to improve this article in the following areas
- improved structure
- removed and merged comments
- separated Secure Boot aspects from the OP
- stronger emphasis on "HOW-TO" solve WinRE and Secure Boot challenges and link to the respective comments
If there is anything unclear still, please let me know.
The initial idea of this posting was rather informational, and later added troubleshooting / remediation instructions did not fit with original layout and intent.
Hope that this update is helpful finding the right information.
May 16 2024 03:49 PM