Guidance for Windows Recovery partition (WinRE) patching and why you would need it


Windows Client and Server should have this WinRE Partition.


You want to enlarge the C (OS Partition) in a VM and the WinRE partition is in the way. The most common advice is to delete the WinRE partition. And this is bad advice imho.

The WinRE partition enables you to access different options, including uninstalling updates *pre-boot* that prevent a system startup. This doesn't happen very often, but it can happen.
This feature has been added to WinRE starting with Windows Server 2022, and Windows 10 22H2 / Windows 11 22H2, or newer. It is quite unknown, though.

You can do more, like direct UEFI access and troubleshooting.
GPT / UEFI is required and recommended anyway for both Windows Server and Client.



Proper location and number of WinRE partitions on a physical disk
1. WinRE should be located on the right-hand side of the C partition

If you find that your WinRE is located left of the OS boot drive (C), it has been installed by a bugged release (old ISO). I am sure it was Windows Server 2019 when we noticed that, aka Windows 10 1809. See below for why I am certain.

When installing Windows, or especially Windows Server, always use the latest ISO for fixes like this or for in-place upgrades.

There is no such updated ISO for Windows Server 2016, very unfortunately.

They started patching them on a monthly basis with Windows Server 2019. You can access your latest ISOs either via my.visualstudio.com (Dev / Test use only), or admin.microsoft.com for VLSC or CSP production use.

2. There could be more than two WinRE partitions on the right-hand side of the C partition

This often happened when the existing one could not be enlarged during an in-place upgrade.

Maybe also a bug. Haven't seen this in a long time. It was common before Windows 10 1809.

It is common, though, if you are using more than one Windows installation on one physical disk. This is known as side-by-side installation or, more commonly, "Windows OS multi-boot".
Each OS will create and maintain its own WinRE partition (by design).
Multi-boot is common for people that use a designated Windows installation for specific use cases, like Windows Insiders testing different Insider branches on one physical machine and disk.

More information can be found in the comment below.


Patching Windows RE is important

There is a 2024 CVE that needs to be addressed.
Please find more information in the comments below on the "How-to": patching the WinRE CVE and remediating the 01-2024 LCU failing.
More information on how to actually fix this can be found in the comment below.


Relocate WinRE partition

A WinRE partition left of C (OS Partition) makes no sense, as Windows still may not move partitions to the right or left (while technically possible). Windows can only shrink partitions.

As such I don't get how one can shrink C at all (to the right only).

Mind that if you change / delete WinRE partitions you need to inform Windows about it via reagentc.exe.

These are the tools you have at hand:

  • Windows Diskpart
  • Settings App > Storage Settings > Advanced Storage Settings > Disks and Volumes
    Windows 10 22H2 / Windows 11 22H2 / Windows Server 2022 or newer.
  • diskmgmt.msc, all legacy OS
    Windows Key + X > Disk Management
  • Trusted 3rd party tool for Home Use (Windows 10 / 11) or paid for Windows Server use:
    AOMEI Partition Assistant
    MiniTool Partition Wizard (Free)

I formerly recommended MiniTool Partition Wizard, but they now have a paywall. If you are ok with that, I would still recommend it. These can do everything!

Acronis Partition Wizard isn't nice: too old code and slow. Not optimized for SSD / NVMe.

 

Both recommendable tools are available through winget. 



Bonus: Use partitioning tools for Windows Server / Expanding WinRE / Resize OS Drive

  1. Create a PAWS VM Client or Server on Azure Stack HCI, Azure, Hyper-V, VMware etc.
  2. Buy the tool (acquire a license, required for Windows Server)
  3. Install the license on the PAWS
  4. Shut down the affected VM
  5. Attach the affected virtual disk to the PAWS VM, do the resize job
  6. Attach the modified disks back to the original VM

Pro: easy and licensing-cost savvy

Cons: Downtime and manual task

Hope this is helpful to you. Appreciate your likes, spreading the word. 
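A layout check for the points above (WinRE right of C, more than one recovery partition, and reagentc being the source of truth), as an added PowerShell example that is not part of the original post. It assumes Windows 10 / Server 2016 or newer with the Storage module, an elevated session, and that the OS partition is C.

```powershell
# Added example, not from the original post. Reports where the WinRE partition that
# reagentc actually uses sits relative to C and how many recovery partitions the OS
# disk carries. Assumes an elevated session and the Storage module (Win10 / 2016+).

$WinReGptType = '{de94bba4-06d1-4d40-a16d-43cfb53d0b26}'   # GPT "Windows Recovery" type GUID
$WinReMbrType = 0x27                                       # MBR id 27 = hidden recovery partition

function Get-WinRELayout {
    # reagentc /info prints the active WinRE location, e.g.
    #   Windows RE location: \\?\GLOBALROOT\device\harddisk0\partition4\Recovery\WindowsRE
    # If WinRE is disabled (or its partition was deleted without telling reagentc) the path is empty.
    $info = (& reagentc.exe /info 2>&1) -join "`n"
    if ($info -match 'harddisk(\d+)\\partition(\d+)') {
        $diskNo = [int]$Matches[1]
        $partNo = [int]$Matches[2]
    } else {
        throw "reagentc reports no WinRE location; run 'reagentc /enable' once the layout is fixed."
    }

    $disk  = Get-Disk -Number $diskNo
    $winre = Get-Partition -DiskNumber $diskNo -PartitionNumber $partNo
    $os    = Get-Partition -DriveLetter C

    # Every recovery-typed partition on the disk: more than one usually means multi-boot
    # or a leftover from an in-place upgrade that could not enlarge the existing one.
    $recovery = @(Get-Partition -DiskNumber $diskNo |
        Where-Object { $_.GptType -eq $WinReGptType -or $_.MbrType -eq $WinReMbrType })

    [pscustomobject]@{
        Disk               = $diskNo
        PartitionStyle     = $disk.PartitionStyle            # GPT (UEFI) or MBR (legacy BIOS)
        WinREPartition     = $partNo
        WinRESizeMB        = [math]::Round($winre.Size / 1MB)
        WinRERightOfOS     = ($os.DiskNumber -eq $diskNo) -and ($winre.Offset -gt $os.Offset)
        RecoveryPartitions = $recovery.Count
        ActiveWinRETyped   = $partNo -in $recovery.PartitionNumber  # $false: WinRE lives on an untyped partition
    }
}

$layout = Get-WinRELayout
$layout | Format-List
if (-not $layout.WinRERightOfOS) {
    Write-Warning 'WinRE sits left of C, so C cannot be extended into it; relocate WinRE (reagentc /disable first).'
}
if ($layout.RecoveryPartitions -gt 1) {
    Write-Warning "Disk $($layout.Disk) has $($layout.RecoveryPartitions) recovery partitions; only partition $($layout.WinREPartition) is in use."
}
```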

5 Replies

Explaining why "WinRE should be located on the right-hand side of the C partition."

Let's have a look at the default layout for GPT / Secure Boot based PCs starting from Windows 8.1 and later / Hyper-V Gen 2 / modern VMware VMs etc.

With Windows 8.1 and Windows Server 2012 R2, or at the latest Windows Server 2016 or newer, GPT / Secure Boot should be (should have been) the norm in environments.

Yet at the time many OEMs and integrators chose MBR for compatibility with Windows 7 / 2008 R2 and hardware built before ~2014.

For an easier transition to later OS, such as Windows Server 2019, 2022 and the upcoming Windows Server 2025 versions, GPT / UEFI is highly recommended. Keep in mind that VBS on Windows Server 2022 and later requires UEFI / GPT.

[Image: default GPT / UEFI partition layout]



Here's the same but for MBR based legacy computers / VMs (Hyper-V Gen 1) and older (unconverted) VMware VMs.
https://learn.microsoft.com/en-us/windows-hardware/manufacture/desktop/configure-biosmbr-based-hard-...

In this example the WinRE partition is located "right" of the OS partition (C drive) for legacy OS / VMs.


Convert MBR2GPT / UEFI with MS Tool

The mbr2gpt conversion tool is included since Windows 10 1809 / Windows Server 2019.

The tool works great, but just for the OS drive.

Caveats of MBR2GPT
  • your hardware / BIOS must support UEFI / Secure Boot
  • your dedicated GPU BIOS must support UEFI GOP
  • MBR2GPT will fail if there are too many primary partitions (example: OS and 2 or more user-formatted data partitions, or OEM partitions + user data partitions). This is a technical limitation of MBR. The count of allowed primary partitions with MBR is lower than with GPT.

If you cannot afford to clean up, use the named paid 3rd party tools. A backup is recommended, but I have never seen this conversion fail with data loss (just saying).


The drawbacks of MBR (imho)

  • max partition size is limited to 2 TB
  • fewer primary partitions allowed
  • no Secure Boot support, and theoretically there are still viruses that infect MBR boot sectors, whereas I never heard about these adapting to GPT and Secure Boot.
  • slower boot-up time compared to GPT / UEFI, as the BIOS needs to emulate "BIOS / IDE mode" etc. This is also measurable in VMs.
  • Secure Boot lays the foundation for modern security with fTPM / vTPM and the set of Secured-core features including VBS. MBR based hardware or VMs cannot be secured at that low level.
  • UEFI supports more features, such as mouse emulation, and gets rid of legacy stuff like IDE mode etc. The bootloader for Windows + Linux is digitally signed, whereas MBR allows any bootloader or even rootkits.
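A pre-flight check for the MBR2GPT caveats listed in this reply, as an added PowerShell example that is not part of the original reply. It assumes Windows 10 1809 / Server 2019 or newer (so mbr2gpt.exe is present), an elevated session in the full OS, and that C is on the disk to convert; mbr2gpt is only run in validate mode, which changes nothing.

```powershell
# Added example, not from the original reply. Checks the MBR2GPT prerequisites called
# out above (UEFI-capable firmware, Secure Boot, partition count) and lets mbr2gpt
# validate the OS disk without changing it. Assumes Win10 1809 / Server 2019+, elevated.

function Test-Mbr2GptReadiness {
    $osDisk = (Get-Partition -DriveLetter C).DiskNumber
    $disk   = Get-Disk -Number $osDisk
    $parts  = @(Get-Partition -DiskNumber $osDisk)   # all partitions, logical ones included

    # Confirm-SecureBootUEFI only works once booted via UEFI; on legacy BIOS it throws.
    $secureBoot = $null
    try { $secureBoot = Confirm-SecureBootUEFI } catch { }

    $result = [ordered]@{
        Disk           = $osDisk
        PartitionStyle = $disk.PartitionStyle   # 'MBR' = still to convert, 'GPT' = nothing to do
        FirmwareType   = $env:firmware_type     # 'UEFI' or 'Legacy', set by Windows at boot
        SecureBoot     = $secureBoot            # $true / $false, $null when not booted via UEFI
        PartitionCount = $parts.Count           # MBR has 4 primary slots; mbr2gpt needs room for the ESP
        ValidateExit   = $null                  # 0 = mbr2gpt /validate passed
    }

    if ($disk.PartitionStyle -eq 'MBR') {
        # /validate only inspects the layout; /allowFullOS permits running outside WinPE.
        & mbr2gpt.exe /validate /disk:$osDisk /allowFullOS | Out-Null
        $result.ValidateExit = $LASTEXITCODE
    }
    [pscustomobject]$result
}

$check = Test-Mbr2GptReadiness
$check | Format-List
if ($check.PartitionStyle -eq 'MBR' -and $check.PartitionCount -ge 4) {
    Write-Warning 'All four MBR slots are used; mbr2gpt cannot add the EFI System Partition. Consolidate data / OEM partitions first.'
}
if ($check.PartitionStyle -eq 'MBR' -and $check.ValidateExit -ne 0) {
    Write-Warning "mbr2gpt /validate returned $($check.ValidateExit); check $env:windir\setupact.log before converting."
}
if ($check.FirmwareType -eq 'Legacy') {
    Write-Warning 'Booted in legacy BIOS mode: after conversion, switch the firmware to UEFI (and enable Secure Boot) or the system will not boot.'
}
```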

As the information dripped in over time, I recently received the feedback that, on the matter of the 01-2024 LCU patching issues with WinRE, the article was not structured enough to provide a clear solution.

Information and guidance from Microsoft on the matter:

Automatic resolution of this issue won't be available in a future Windows update. Manual steps are necessary to complete the installation of this update on devices which are experiencing this error.

Affected platforms:

Client: Windows 11, version 21H2; Windows 10, version 22H2; Windows 10, version 21H2
Server: Windows Server 2022


What is the WinRE security update about and why is it failing?

https://learn.microsoft.com/en-us/windows/release-health/status-windows-10-22H2#the-january-2024-win...
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-20666


External References:
https://www.csoonline.com/article/1306871/how-to-protect-against-bitlocker-bypassing-vulnerabilities...
Thank you @SusanBradleyGeek.


HOW-TO FIX, Microsoft solution
https://support.microsoft.com/en-us/topic/kb5028997-instructions-to-manually-resize-your-partition-t...


HOW-TO FIX, Community solutions:

APPROACH 1:

There is also an unofficial guide for this (not tested by myself, nor endorsed or supported by Microsoft)
https://manima.de/2024/01/winre-patching-round-2/

APPROACH 2:

"I've integrated it with Intune and PSADT; it's going very well and we're able to increase the recovery partition sizes for several thousand computers with graceful restarts and detection coming from Intune's application model."

https://github.com/MHimken/WinRE-Customization/blob/main/Patch-WinRE.ps1

Caveat: Please check the code and test before bulk execution. It reads promising. I do not see a reason why this could not work with Windows Server, too.

Conclusion:
I am still optimistic Microsoft will withdraw the 01-2024 update and release something improved. For Windows Server 2025 and Windows 11 24H2 I hope that the WinRE partition will be patched, recreated and enlarged to 1 GB to avoid future issues.

Happy patching!

Patching Secure Boot

Next to the situation that revolves around WinRE patching since January 2024, there is a new vector that requires low-level patching and actions.

Please consider this article about Secure Boot patching, in addition to the original post. This article itself offers more links to deep dive into the topic.
Please read these carefully, to avoid making your device non-bootable.

Read on why
https://techcommunity.microsoft.com/t5/windows-it-pro-blog/updating-microsoft-secure-boot-keys/ba-p/...

Read on how to patch Secure Boot
https://techcommunity.microsoft.com/t5/windows-it-pro-blog/revoking-vulnerable-windows-boot-managers...

Learn about the Microsoft timeline and technical dependencies

https://support.microsoft.com/en-us/topic/kb5025885-how-to-manage-the-windows-boot-manager-revocati...

Great reference on Secure Boot: 
https://nbviewer.org/github/microsoft/MSRC-Security-Research/blob/master/presentations/2024_05_Offen...
Thank you @SusanBradleyGeek !

Hi everyone,

After user feedback I looked to improve this article in the following areas:
- improved structure
- removed and merged comments
- separated Secure Boot aspects from the OP
- stronger emphasis on "HOW-TO" solve WinRE and Secure Boot challenges, and links to the respective comments

If there is anything unclear still, please let me know.
The initial idea of this posting was rather informational, and later added troubleshooting / remediation instructions did not fit with original layout and intent. 

Hope that this update is helpful finding the right information.