What is Windows RE and why it's critical

Windows RE (Recovery Environment) is a built-in tool in Windows operating systems that helps users troubleshoot and fix problems that prevent Windows from starting normally. It provides various tools and options to repair the operating system, such as system restore, startup repair, command prompt, and more. Windows RE can be accessed by booting from a Windows installation media or by pressing a specific key during system startup.

You can check the status of Windows RE via PowerShell:

reagentc /info

The output reports the Windows RE status (Enabled or Disabled), the location of the recovery image and the identifier of the RE boot entry in the BCD.

If Windows RE is disabled, booting becomes harder to recover when the disk or Windows itself is corrupted. The obstacles include:

  1. Inability to access the advanced startup options menu
  2. Inability to perform system restore or system image recovery
  3. Inability to use startup repair to fix boot-related issues
  4. Inability to access the command prompt for troubleshooting
  5. Inability to perform a clean install of Windows
  6. Increased likelihood of data loss or corruption due to the lack of recovery options.

So, Windows RE is crucial for reliable Windows operation. It is strongly suggested to always keep Windows RE enabled, whether or not you use UWF (Unified Write Filter), and especially on servers!
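The reagentc /info check above is easy to eyeball on one machine but awkward to repeat across a fleet of servers. The following function is an added example (my own, not code from the original post): it runs reagentc /info, parses the "Key: Value" lines into an object and returns whether Windows RE is enabled. It assumes an elevated PowerShell on an English-language Windows, since reagentc's field names are localized.

```powershell
# Added example, not from the original post: parse "reagentc /info" into an object so the
# Windows RE state can be checked in scripts. Requires an elevated shell; the key names
# below ("Windows RE status", ...) are those of English-language Windows.
function Get-WinREStatus {
    [CmdletBinding()]
    param()

    $raw = & reagentc.exe /info 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "reagentc /info failed (exit $LASTEXITCODE): $($raw -join ' ')"
    }

    # reagentc prints one "Key:   Value" pair per line; collect them into a hashtable
    $fields = @{}
    foreach ($line in $raw) {
        if ("$line" -match '^\s*(.+?):\s*(.*)$') {
            $fields[$Matches[1].Trim()] = $Matches[2].Trim()
        }
    }

    [pscustomobject]@{
        Enabled       = ($fields['Windows RE status'] -eq 'Enabled')
        Location      = $fields['Windows RE location']
        BcdIdentifier = $fields['Boot Configuration Data (BCD) identifier']
        Raw           = $fields
    }
}

$status = Get-WinREStatus
$status | Format-List Enabled, Location, BcdIdentifier
if (-not $status.Enabled) {
    Write-Warning 'Windows RE is disabled on this machine; enable it with "reagentc /enable".'
}
```

Because the result is an object rather than console text, it can be exported with Export-Csv or fed into whatever monitoring you already run, which is how you find the one server that silently lost its recovery environment.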

How to auto enable

To enable Windows RE:

reagentc /enable

However, you may encounter the error message "Windows RE cannot be enabled on a volume with BitLocker Drive Encryption enabled." This means you need to configure Windows RE manually: the volume is encrypted by BitLocker, and Windows RE cannot be placed on an encrypted volume, so it needs its own unencrypted partition.

Prepare the new partition for Windows RE

Open a new PowerShell window as administrator and start DiskPart:

diskpart

Now let's shrink a volume to make room for the new partition. Assume it's D:

select volume D

Now shrink it.

shrink desired=1024 minimum=1024

Here I'm using 1024 MB as the size. That is usually enough for an RE environment, since the default RE image is around 500 MB.

Now create a new primary partition with specific ID:

create partition primary size=1024 id=de94bba4-06d1-4d40-a16a-bfd50179d6ac
gpt attributes=0x8000000000000001

Now format it:

format fs=ntfs quick label=WinRE

Now assign it so we can copy the recovery file to it:

assign letter=z

Quit Diskpart.

exit

Back in PowerShell, create the recovery folder on the new drive:

mkdir "Z:\Recovery\WindowsRE"

Use the default Windows RE image or build your own

Copy the wim file.

xcopy /H "C:\Windows\System32\Recovery\winre.wim" "Z:\Recovery\WindowsRE"

So far we have used Microsoft's default image as the RE image. That is not good practice, because that image may not contain the necessary drivers and language files.

Before doing that, it is suggested to build your own RE image, based on the steps provided by Microsoft:


Build your own RE image

And keep this in mind: Windows Update will also update the RE image!

As the documentation says:

Boot critical and input device drivers from the full OS environment are added to the new Windows RE image. Windows RE customizations under \Sources\Recovery of the mounted winre.wim are migrated to the new image.

(Perhaps that's why Windows Update is sometimes extremely slow 🤣)

More details in MS doc: https://learn.microsoft.com/en-us/windows-hardware/manufacture/desktop/windows-recovery-environment--windows-re--technical-reference?view=windows-11

Enable Windows RE

Now edit Windows RE settings:

reagentc /disable
reagentc /setreimage /path "Z:\Recovery\WindowsRE"
reagentc /enable

Running reagentc /info again should now show the Windows RE status as Enabled, with the location pointing at the new partition.
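The whole manual procedure above (shrink, create the recovery partition, copy winre.wim, re-point reagentc, enable, verify) in one elevated PowerShell script, as an added example; this is my script, not the post's commands verbatim. It assumes D: is the volume to shrink, the letter Z: is free, the disk is GPT (the partition type GUID is the GPT recovery-partition type used above), and that winre.wim is in System32\Recovery, which reagentc /disable guarantees by moving it back there.

```powershell
# Added example, not from the original post: the manual partition/copy/enable procedure
# driven from one elevated PowerShell script. Assumptions: shrink D:, use Z: as the
# temporary letter, GPT disk, 1024 MB recovery partition.
$SourceVolume = 'D'
$WinReLetter  = 'Z'
$SizeMB       = 1024
$WinReDir     = "${WinReLetter}:\Recovery\WindowsRE"
$DefaultWim   = "$env:SystemRoot\System32\Recovery\winre.wim"

# 0. Make sure Windows RE is disabled so winre.wim is staged in System32\Recovery
#    (reagentc /disable moves it back there; it is harmless if RE was already disabled).
& reagentc.exe /disable | Out-Null

# 1. Carve out the recovery partition with a diskpart script (diskpart /s <file>),
#    the same commands as the interactive DiskPart session above.
$dpScript = @"
select volume $SourceVolume
shrink desired=$SizeMB minimum=$SizeMB
create partition primary size=$SizeMB id=de94bba4-06d1-4d40-a16a-bfd50179d6ac
gpt attributes=0x8000000000000001
format fs=ntfs quick label=WinRE
assign letter=$WinReLetter
exit
"@
$dpFile = Join-Path $env:TEMP 'winre-partition.txt'
Set-Content -Path $dpFile -Value $dpScript -Encoding ASCII   # diskpart wants an ANSI script file
& diskpart.exe /s $dpFile
if ($LASTEXITCODE -ne 0) { throw "diskpart failed with exit code $LASTEXITCODE" }

# 2. Copy winre.wim (a hidden file, hence xcopy /H) to the new partition.
if (-not (Test-Path $DefaultWim)) {
    throw "No winre.wim at $DefaultWim; check the current RE location with 'reagentc /info'"
}
New-Item -ItemType Directory -Path $WinReDir -Force | Out-Null
& xcopy.exe /H $DefaultWim "$WinReDir\"
if ($LASTEXITCODE -ne 0) { throw "xcopy failed with exit code $LASTEXITCODE" }

# 3. Point Windows RE at the new location and enable it.
& reagentc.exe /setreimage /path $WinReDir
if ($LASTEXITCODE -ne 0) { throw "reagentc /setreimage failed with exit code $LASTEXITCODE" }
& reagentc.exe /enable
if ($LASTEXITCODE -ne 0) { throw "reagentc /enable failed with exit code $LASTEXITCODE" }

# 4. Verify, then drop the drive letter so the recovery partition stays out of Explorer
#    (equivalent to "select volume z" / "remove" in DiskPart).
& reagentc.exe /info
& mountvol.exe "${WinReLetter}:\" /D
```

Every native command is followed by a $LASTEXITCODE check because reagentc and diskpart report failure through their exit code, not through a PowerShell error; without those checks a failed shrink would be followed by a format of whatever partition happens to be selected.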

Optional: you can remove the Z: drive letter afterwards, so the recovery partition does not show up in Explorer.

diskpart
select volume z
remove
exit

Debug Windows RE

To debug RE, you can check the following settings (in CMD):

bcdedit /enum {current}

In the output, the recoverysequence entry holds the GUID of the Windows RE boot entry: that is the RE ID.

It should be the same as the "Boot Configuration Data (BCD) identifier" shown by reagentc /info.

Now you can check the RE BCD entry itself with bcdedit, putting your own RE ID in place of the GUID below:

bcdedit /enum {f62cb951-9075-11ed-a575-bc9f58fd3e09}

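The same cross-check as an added PowerShell example (mine, not from the original post): it reads recoverysequence from the {current} entry, compares it with the BCD identifier reagentc reports, and only then dumps the RE entry. One caveat the post's CMD commands do not run into: in PowerShell, unquoted {current} is a script block, so the identifier must be quoted when calling bcdedit. It assumes English reagentc output and an elevated shell.

```powershell
# Added example, not from the original post: cross-check the RE boot entry that reagentc
# reports against the recoverysequence of the running OS entry, then show that RE entry.
function Get-BcdElement {
    param(
        [Parameter(Mandatory)][string]$Identifier,   # e.g. '{current}' or '{<guid>}'
        [Parameter(Mandatory)][string]$Element       # e.g. 'recoverysequence'
    )
    # Quoted identifier: bare {current} would be parsed as a PowerShell script block
    $out = & bcdedit.exe /enum $Identifier 2>&1
    if ($LASTEXITCODE -ne 0) { throw "bcdedit /enum $Identifier failed: $($out -join ' ')" }
    foreach ($line in $out) {
        # bcdedit prints "<element>   <value>", separated by runs of spaces
        if ("$line" -match "^\s*$Element\s+(\S.*)$") { return $Matches[1].Trim() }
    }
    return $null
}

# recoverysequence of the running OS entry = GUID of the Windows RE entry (printed with braces)
$fromBcd = Get-BcdElement -Identifier '{current}' -Element 'recoverysequence'
if (-not $fromBcd) { throw 'No recoverysequence on {current}: Windows RE is not wired into the BCD.' }
$fromBcd = $fromBcd.Trim('{}')

# The identifier reagentc reports (printed without braces)
$hit = & reagentc.exe /info |
    Select-String 'Boot Configuration Data \(BCD\) identifier:\s*(\S+)' |
    Select-Object -First 1
$fromReagent = if ($hit) { $hit.Matches[0].Groups[1].Value } else { $null }

"recoverysequence of {current}: $fromBcd"
"BCD identifier per reagentc:  $fromReagent"

if ($fromBcd -ne $fromReagent) {
    Write-Warning 'GUIDs differ: reagentc and the BCD disagree about which entry is Windows RE. Re-run reagentc /setreimage and /enable.'
}
else {
    # Same as the post's "bcdedit /enum {<RE ID>}", with the GUID filled in automatically
    & bcdedit.exe /enum "{$fromBcd}"
}
```

A mismatch here is the usual explanation for "reagentc says Enabled but the machine never reaches Windows RE": the OS entry still points at a stale recovery entry from a previous image.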

After setting it, you may want to see if Windows RE is working. You can run this to boot into Windows RE for debugging.

reagentc /boottore

Then reboot! Hopefully you will boot to Windows RE!


What about giving a PC to others?

If you need to give a computer to someone else, it is not enough to reimage it, enter Audit Mode, inject drivers and updates, and restore to OOBE. You also need to capture the current system state with dism, build an RE image from it, and write that image to a separate partition to prepare the RE environment. This way, if the computer breaks in the future, the user can boot straight into RE and restore the system to the state it was in when they first received the computer.

  • Wipe all disks.
  • Reimage Windows.
  • Enter Audit mode.
  • Activate Windows.
  • Install Windows updates.
  • Install necessary drivers.
  • Restore to OOBE.
  • Use dism to capture current Windows status.
  • Prepare an RE image.
  • Prepare Windows RE environment in an independent drive.

Related posts: Prepare OOBE.

Other checklist

Windows RE is a necessary but not a sufficient condition for a secure and reliable Windows. If you need your Windows to be more secure, please complete the following checklist:

Virtualization

  • [x] Virtualization technology is enabled.
  • [x] Core isolation is enabled.
  • [x] VBS (Virtualization Based Security) is enabled.

These technologies help protect the system from malware. Virtualization technology isolates applications in a virtual environment, preventing them from harming the system. Core isolation prevents malicious software from accessing the system kernel. VBS adds further virtualization-based protection.

Secure Boot

  • [x] Secure Boot is enabled.
  • [x] Only trust Windows certificates.

Secure Boot ensures that only trusted operating systems and drivers are loaded when the system starts, preventing malware from being loaded at boot. Trusting only Windows certificates ensures that only operating systems and drivers signed by Microsoft can be loaded.

TPM

  • [x] TPM chip is enabled.
  • [x] TPM chip unlocks BitLocker.

The TPM chip helps protect the system from hardware attacks. Using the TPM to unlock BitLocker ensures that the encrypted data can only be accessed when the system boots normally.

BitLocker

  • [x] BitLocker is enabled.
  • [x] All partitions are encrypted. (Except Windows RE)
  • [x] TPM chip is used for encryption.

BitLocker helps protect the system from data leaks. Encrypting all partitions ensures that all data is protected. Using the TPM for encryption ensures that the encrypted data can only be accessed when the system boots normally.

Firewall

  • [x] Firewall is enabled.
  • [x] Whitelist is used to allow only trusted applications.

The firewall helps prevent unauthorized network access. Using a whitelist ensures that only trusted applications can access the network.

Windows RE

  • [x] Windows RE is enabled.
  • [x] Windows RE has been tested at least once.

Windows RE (Recovery Environment) helps restore the system when it crashes or fails to start. Testing Windows RE ensures that it works properly and can be used when needed.

UAC

  • [x] UAC is enabled.
  • [x] Default user is low privilege.
  • [x] Desktop brightness is reduced when elevation is required.

UAC (User Account Control) helps prevent unauthorized changes. Using a low-privilege user by default ensures that elevation is only done when necessary. Dimming the desktop for the elevation prompt reminds the user that privilege is being elevated.

Unified Write Filter (Optional)

  • [ ] Unified Write Filter is enabled.
  • [ ] System disk is protected.
  • [ ] Disk persistence is used.

Unified Write Filter helps protect the system from malware. Protecting the system disk ensures that system files cannot be changed. Using disk persistence ensures that chosen data still exists after the system restarts.
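To read the checklist above back from a running machine instead of ticking it by hand, here is an added PowerShell audit function (my own code, not from the original post). It covers VBS and core isolation, Secure Boot, TPM, BitLocker, the firewall, Windows RE and UAC; the optional UWF items are left out. It assumes an elevated PowerShell on Windows 10/11 Pro or Enterprise, where the SecureBoot, TrustedPlatformModule, BitLocker and NetSecurity modules are present, and English reagentc output.

```powershell
# Added example, not from the original post: evaluate the checklist items from the running
# system. Each entry is $true/$false so the result can be logged or compared across machines.
function Get-SecurityChecklist {
    $r = [ordered]@{}

    # Virtualization / VBS: Win32_DeviceGuard, VirtualizationBasedSecurityStatus 2 = running,
    # SecurityServicesRunning 2 = HVCI (memory integrity, shown in Settings as "core isolation")
    $dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    $r['VBS running']            = ($dg.VirtualizationBasedSecurityStatus -eq 2)
    $r['Core isolation (HVCI)']  = [bool]($dg.SecurityServicesRunning -contains 2)

    # Secure Boot (Confirm-SecureBootUEFI throws on legacy BIOS firmware)
    try { $r['Secure Boot'] = [bool](Confirm-SecureBootUEFI) } catch { $r['Secure Boot'] = $false }

    # TPM present and ready for use
    $tpm = Get-Tpm -ErrorAction SilentlyContinue
    $r['TPM ready']              = [bool]($tpm -and $tpm.TpmPresent -and $tpm.TpmReady)

    # BitLocker: OS volume protected with a TPM-based key protector, every lettered volume
    # fully encrypted (the Windows RE partition has no letter, so it is not listed here)
    $vols = Get-BitLockerVolume -ErrorAction SilentlyContinue
    $os   = $vols | Where-Object VolumeType -eq 'OperatingSystem'
    $r['BitLocker on OS volume'] = ($os.ProtectionStatus -eq 'On')
    $r['TPM key protector']      = [bool]($os.KeyProtector | Where-Object KeyProtectorType -like 'Tpm*')
    $r['All volumes encrypted']  = [bool]$vols -and -not ($vols | Where-Object VolumeStatus -ne 'FullyEncrypted')

    # Firewall: all three profiles on, default inbound action Block (allow-list model)
    $fw = Get-NetFirewallProfile
    $r['Firewall enabled']       = -not ($fw | Where-Object Enabled -ne 'True')
    $r['Inbound default block']  = -not ($fw | Where-Object DefaultInboundAction -ne 'Block')

    # Windows RE
    $r['Windows RE enabled']     = [bool](& reagentc.exe /info | Select-String 'Windows RE status:\s+Enabled')

    # UAC: EnableLUA on, elevation prompts on the dimmed secure desktop
    $uac = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $r['UAC enabled']            = ($uac.EnableLUA -eq 1)
    $r['Secure desktop prompt']  = ($uac.PromptOnSecureDesktop -eq 1)

    # Interactive user is not a direct member of local Administrators
    # (nested group membership is not resolved by this simple comparison)
    $console = (Get-CimInstance Win32_ComputerSystem).UserName
    $admins  = (Get-LocalGroupMember -Group 'Administrators').Name
    $r['Console user not admin'] = [bool]$console -and ($admins -notcontains $console)

    [pscustomobject]$r
}

Get-SecurityChecklist | Format-List
```

Every check returns a plain boolean, so the output of Get-SecurityChecklist can go straight into Export-Csv or a compliance ticket; a $false on "Windows RE enabled" is the one to fix first, because it is the item you will need when any of the others has already failed you.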