Guidance for Windows Recovery partition (WinRE) patching and why you would need it



Windows Client and Server should have this WinRE Partition.


You want to enlarge the C (OS partition) in a VM and the WinRE partition is in the way. The most common advice is to delete the WinRE partition. This is bad advice, imho.

The WinRE partition gives you access to different options, including uninstalling updates *pre-boot* that prevent a system startup. This doesn't happen very often, but it can happen.
This feature has been added to WinRE starting with Windows Server 2022, and Windows 10 22H2 / Windows 11 22H2, or newer. It is quite unknown, though.

 

You can do more, like direct UEFI access and troubleshooting.
GPT / UEFI is required, and recommended anyway, for both Windows Server and Client.



The culprit of the position can be explained. WinRE should be located to the right of the C partition.

 

If you find that your WinRE is located left of C, it has been installed by a bugged release (old ISO). I am sure it was Windows Server 2019 when we noticed that, aka Windows 10 1809. See below for why the certainty.



When installing Windows, or especially Windows Server, always use the latest ISO for fixes like this or for in-place upgrades.

 

There is no such updated ISO for Windows Server 2016, very unfortunately. 

Microsoft started patching the ISOs on a monthly basis with Windows Server 2019. You can access your latest ISOs either via my.visualstudio.com (Dev / Test use only), or admin.microsoft.com for VLSC or CSP production use.



There could be more than two WinRE partitions to the right of the C partition.

 

This often happened when the existing one could not be enlarged during an in-place upgrade.

Maybe also a bug. Haven't seen this for a long time. It was common before Windows 10 1809.



Patching Windows RE is important

There is a 2024 CVE that needs to be addressed. References:
https://www.csoonline.com/article/1306871/how-to-protect-against-bitlocker-bypassing-vulnerabilities...
Thank you @Susan Bradley.

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-20666


Patching Secure Boot is important, too

Read on for the why and how-to:
https://techcommunity.microsoft.com/t5/windows-it-pro-blog/updating-microsoft-secure-boot-keys/ba-p/...



Relocate WinRE partition

A WinRE partition left of C (OS partition) makes no sense, as Windows still may not move partitions to the right or left (while technically possible). Windows can only shrink partitions.

As such I don't get how one can at all shrink C (to the right only).

Mind that if you change / delete WinRE partitions, you need to inform Windows about it via reagentc.exe.
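
A read-only way to see what Windows currently has registered before touching any partition, as an added PowerShell example that is not part of the original post: it reads the WinRE location from `reagentc.exe /info`, then uses `Get-Partition` to report whether that partition sits left or right of the OS partition and how many recovery-type partitions the disk holds. Variable names are illustrative; it assumes an elevated prompt and a WinRE location on the same disk as the OS volume.

```powershell
# Added example: read-only audit of WinRE registration and partition position.
# Run from an elevated prompt; nothing on disk is changed.

# Partition type markers for a Windows recovery partition (GPT GUID / MBR type 0x27)
$RecoveryGptType = '{de94bba4-06d1-4d40-a16a-bfd50179d6ac}'
$RecoveryMbrType = 0x27

# reagentc labels are localized, so match the device path rather than the labels
$info = (& reagentc.exe /info) -join "`n"
if (-not ($info -match 'harddisk(\d+)\\partition(\d+)')) {
    Write-Warning 'No WinRE location is registered (disabled, or its partition was removed).'
    Write-Warning 'Once a recovery partition is in place, re-register it: reagentc.exe /enable'
    return
}
$diskNumber      = [int]$Matches[1]
$winrePartNumber = [int]$Matches[2]

$partitions = @(Get-Partition -DiskNumber $diskNumber | Sort-Object Offset)
$os    = $partitions | Where-Object { $_.DriveLetter -eq $env:SystemDrive[0] }
$winre = $partitions | Where-Object { $_.PartitionNumber -eq $winrePartNumber }
if (-not $os -or -not $winre) {
    Write-Warning "OS volume and registered WinRE partition are not both on disk $diskNumber."
    return
}

# Where does the registered WinRE partition sit relative to the OS partition?
$position = if ($winre.PartitionNumber -eq $os.PartitionNumber) {
    'on the OS partition itself'
} elseif ($winre.Offset -gt $os.Offset) {
    'right of the OS partition'
} else {
    'left of the OS partition'
}

# All recovery-type partitions on the disk; any besides the registered one are extras
$recovery = @($partitions | Where-Object {
    $_.GptType -eq $RecoveryGptType -or $_.MbrType -eq $RecoveryMbrType
})
$leftover = @($recovery | Where-Object { $_.PartitionNumber -ne $winrePartNumber })

[pscustomobject]@{
    Disk                     = $diskNumber
    RegisteredWinREPartition = $winrePartNumber
    WinRESizeMB              = [math]::Round($winre.Size / 1MB)
    Position                 = $position
    RecoveryPartitionCount   = $recovery.Count
    UnregisteredRecovery     = $leftover.PartitionNumber -join ','
}
```

If a partition change is planned, running `reagentc.exe /disable` beforehand and `reagentc.exe /enable` afterwards keeps the registration in sync with the new layout.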

These are the tools you have at hand:

 

  • Windows Diskpart
  • Settings App > Storage Settings > Advanced Storage Settings > Disks and Volumes
    Windows 10 22H2 / Windows 11 22H2 / Windows Server 2022 or newer.

 

  • diskmgmt.msc (all legacy OS)
    Windows Key + X > Disk Management 

 

  • Trusted 3rd party tool, for home use (Windows 10 / 11) or paid for Windows Server use:
    AOMEI Partition Assistant
    MiniTool Partition Wizard (Free)

Formerly I recommended MiniTool Partition Wizard, but they now have a paywall. If you are OK with that, I would still recommend it. These can do everything!

 

Acronis Partition Wizard isn't nice: the code is too old and slow. Not optimized for SSD / NVMe.

 

Both recommended tools are available through winget.



Bonus: Use Partitioning tools for Windows Server / Expanding WinRE / Resize OS Drive

  1. Create a PAWS VM Client or Server on Azure Stack HCI, Azure, Hyper-V, VMware etc.
  2. Buy the tool (acquire a license, required for Windows Server)
  3. Install the license on the PAWS
  4. Shutdown affected VM
  5. Attach affected virtual disk to the PAWS VM, do the resize job
  6. Attach modified disks back to the original VM

Pro: easy and licensing-cost savvy

Cons: Downtime and manual task

Hope this is helpful to you. Appreciate your likes, spreading the word. 

5 Replies

For clarification of "WinRE should be located to the right of the C partition":

Let's have a look at the default layout for GPT / Secure Boot based PCs starting from Windows 8.1 and later / Hyper-V Gen 2 / modern VMware VMs etc.

With Windows 8.1 and Windows Server 2012 R2, or at the latest Windows Server 2016 or newer, GPT / Secure Boot should be (should have been) the norm in environments.

Yet at the time many OEMs and integrators chose MBR for compatibility with Windows 7 / 2008 R2 and hardware built before ~2014.

For an easier transition to later OS, such as Windows Server 2019, 2022 and upcoming Windows Server 2025 versions, GPT / UEFI is highly recommended. Keep in mind Windows Server 2022 and later VBS requires UEFI / GPT.




Here's the same but for MBR based legacy computers / VMs (Hyper-V Gen 1) and older (unconverted) VMware VMs.
https://learn.microsoft.com/en-us/windows-hardware/manufacture/desktop/configure-biosmbr-based-hard-...

In this example the WinRE partition is located “right” to the OS Partition (C drive) for legacy OS / VMs


Convert MBR2GPT / UEFI with MS Tool

The mbr2gpt Conversion Tool is included since Windows 10 1809 / Windows Server 2019.

The tool works great, but just for the OS drive.

Caveats of MBR2GPT

  • your hardware / BIOS must support UEFI / Secure Boot
  • your dedicated GPU BIOS must support UEFI GOP
  • MBR2GPT will fail if there are too many primary partitions (example: OS and 2 or more user formatted data partitions, or OEM partitions + user data partitions). This is a technical limitation of MBR. The count of allowed primary partitions with MBR is lower than with GPT.

If you cannot afford to clean up, use the named paid 3rd party tools. A backup is recommended, but I have never seen this conversion fail with data loss (just saying).


The drawbacks of MBR (imho)

  • max partition size is limited to 2 TB
  • fewer primary partitions allowed
  • no Secure Boot support, and theoretically there are still viruses that infect MBR boot sectors, whereas I never heard about these adopting GPT and Secure Boot.
  • slower boot up time compared to GPT / UEFI, as BIOS needs to emulate "BIOS / IDE mode" etc. This is also measurable in VMs.
  • Secure Boot lays the foundation for modern security with fTPM / vTPM, the set of Secured Core features including VBS. MBR based hardware or VMs cannot be secured in that low-level way.
  • UEFI supports more features such as mouse emulation and gets rid of legacy stuff like IDE mode etc. The bootloader for Windows + Linux is digitally signed, whereas MBR allows any bootloader or even rootkits.

There is also an unofficial guide for this (not tested by myself, not endorsed or supported by Microsoft)
https://manima.de/2024/01/winre-patching-round-2/
Microsoft has acknowledged problems with the installation of the security update for WinRE and here is their guidance (as of today)
https://learn.microsoft.com/en-us/windows/release-health/status-windows-10-22H2#the-january-2024-win...

As of late, I feel the frustration of customers with the still unresolved issue of the 01-2024 CU KB5034441 increasing.

Checking a customer's Azure Update Manager views today, it is clearly ruining all stats.
Quite a negligible problem, if it wasn't a security related hotfix. 

No one is really looking into patching thousands of Windows Servers and Clients, manually.

This script, found in the patchmanagement.org community run by "Patchlady" @Susan Bradley, proves to be worth the "membership".

In fact this script could be a one stop shop.

"I've integrated it with Intune and PSADT; it's going very well and we're able to increase the recovery partition sizes for several thousand computers with graceful restarts and detection coming from Intune's application model."

https://github.com/MHimken/WinRE-Customization/blob/main/Patch-WinRE.ps1

Please check the code and test before bulk execution. It reads promising. I do not see a reason why this could not work, too, with Windows Server.

I am still optimistic Microsoft will withdraw the 01-2024 update and release something improved.

For Windows Server 2025 and Windows 11 24H2 I hope that the WinRE partition will be patched and recreated and enlarged to 1 GB to avoid future issues.

Happy patching!

@Aria Carley @Rob Hindman