We may have been here before, you and I. Your build has messed up. Partitions have been set up wrong. So now what? Your recovery partition is broken. This causes problems with encryption and much more.
So what do we do? The solutions out there are generally to fix the build and rebuild the device. Wow. Intrusive, right?
So… what other options are there? Rebuild it, of course. Yes, you can do this.
Firstly you need an http/https source to host a few files.
In particular:
- boot.sdi
- Winre.wim
- ReAgent.xml
Wherever you get these from is your choice, but these are what is needed.
Now you have them, you can rebuild your recovery partition. Chances are the recovery partition is too small (from what I've seen this is the main cause), and in Intune you can solve this using remediation scripts.
A remediation script will run over and over until the detection script reports that everything is okay. You may want to add checks to make sure you don't end up with a tiny OS partition 😉
Now I’m not going to say this is the best solution out there. I’m sure someone will be all like “oh but you could do this…” etc. but this DOES work.
So… Firstly you need a detection script. This is easy enough. You can use reagentc and check its output:
$status2 = reagentc /info
Try {
    # reagentc /info prints "Windows RE status: Enabled" when WinRE is configured
    if ($status2 -match 'Enabled') {
        Write-Output "Compliant"
        Exit 0
    }
    # Any other status (Disabled, or no output at all) is non-compliant
    Write-Warning "Not Compliant"
    Exit 1
}
Catch {
    Write-Warning "Not Compliant"
    Exit 1
}
So this was easy, right? Run a command and read the output. If it reports that WinRE is enabled then it's OK.
If it's not OK though, most people will tell you to rebuild. But wait a minute: we have Intune at our disposal, so let's actually fix it. Remediation scripts are the thing here. Detection will find the error and remediation will fix it.
Start-Transcript -Path C:\temp\RemediateWinRE.log
Write-Host "Rebuilding WinRE"
# Remove the stale recovery files from the boot drive
# (they are hidden/system files, so clear the attributes before deleting)
cd C:\Windows\System32\Recovery
attrib -r -a -s -h *.*
del *.*
# Find the OS partition
$osdisk = Get-Partition | Where-Object Type -eq "Basic"
# Record the partition number
$ospartition = $osdisk.PartitionNumber
# Find the current size
$size = (Get-Partition -DiskNumber 0 -PartitionNumber $ospartition).Size
# Shrink by 200 MB (209715200 bytes)
$size2 = $size - 209715200
# Shrink the OS partition to free space for the new recovery partition
Resize-Partition -DiskNumber 0 -PartitionNumber $ospartition -Size $size2
# Find the existing recovery partition
$recoverydisk = Get-Partition | Where-Object Type -eq "Recovery"
# Record the partition number
$recoverypartition = $recoverydisk.PartitionNumber
# Delete the recovery partition
Remove-Partition -DiskNumber 0 -PartitionNumber $recoverypartition -Confirm:$false
# Create an empty diskpart script (PowerShell can't create a recovery partition);
# -Force truncates an existing file and creates C:\OSInst\BuildLogs if it is missing
$diskpath = "C:\OSInst\BuildLogs\diskpart.txt"
New-Item -Path $diskpath -ItemType File -Force | Out-Null
# Don't change indentation here! (here-string: the closing '@ must start its line)
$str = @'
select disk 0
create partition primary
format quick fs=ntfs label="Recovery"
assign letter="X"
set id="de94bba4-06d1-4d40-a16a-bfd50179d6ac"
gpt attributes=0x8000000000000001
'@
# Write the diskpart commands to the file
$str | Add-Content -Path $diskpath
# Run the diskpart commands
diskpart /s $diskpath
# Create the directories on the new partition
New-Item -Path x: -Name 'Recovery' -ItemType Directory -Force
New-Item -Path x:\Recovery -Name 'WindowsRE' -ItemType Directory -Force
# Fetch the required files from your hosted location (use https where you can)
$url1 = "##yourlocation##/boot.sdi"
Invoke-WebRequest -Uri $url1 -OutFile "x:\Recovery\WindowsRE\boot.sdi" -Method Get
$url3 = "##yourlocation##/Winre.wim"
Invoke-WebRequest -Uri $url3 -OutFile "x:\Recovery\WindowsRE\Winre.wim" -Method Get
$url2 = "##yourlocation##/ReAgent.xml"
Invoke-WebRequest -Uri $url2 -OutFile "x:\Recovery\WindowsRE\ReAgent.xml" -Method Get
# Copy to C:\Windows\System32\Recovery as well
# (-OutFile and -Force both overwrite any existing copy, so no delete step is needed)
Invoke-WebRequest -Uri $url2 -OutFile "C:\Windows\System32\Recovery\ReAgent.xml" -Method Get
Copy-Item "x:\Recovery\WindowsRE\boot.sdi" -Destination "C:\Windows\System32\Recovery" -Force
Copy-Item "x:\Recovery\WindowsRE\Winre.wim" -Destination "C:\Windows\System32\Recovery" -Force
# Register the new WinRE image location with the Recovery Agent
reagentc /setreimage /path X:\Recovery\windowsre
# Enable WinRE
reagentc /enable
Write-Host "WinRE rebuild complete"
Stop-Transcript
So what does this do? OK. This was based on a script that someone else gave me (Andrew T) but this one works after much trial and error and testing. Essentially it shrinks the OS partition, searches for and deletes the old recovery partition, then recreates it correctly, copies the files necessary for it to be a recovery partition and sets the GPT attributes so Windows knows that is what it is. Once this has done its stuff and a reboot (obviously) happens, the recovery partition will show as OK.
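Two guard rails to run ahead of the resize and download steps, as an added example that is not code from the original post: one refuses the shrink when disk 0 has more than one Basic partition or the OS partition would drop below a floor (the tiny-OS-partition problem mentioned above), and one verifies a SHA256 against a hash recorded from your own known-good files before reagentc is ever pointed at a download. $WinRESource, $ExpectedHashes, the 64GB floor and the function names are assumptions.

```powershell
# Added example, not from the original post. Assumptions: $WinRESource is your https
# file location; $ExpectedHashes holds SHA256 values taken from your own known-good files.
$WinRESource    = "https://##yourlocation##"          # placeholder
$ExpectedHashes = @{                                   # placeholders
    "boot.sdi"    = "<sha256 of your boot.sdi>"
    "Winre.wim"   = "<sha256 of your Winre.wim>"
    "ReAgent.xml" = "<sha256 of your ReAgent.xml>"
}
$MinOsPartitionBytes = 64GB   # refuse to shrink the OS partition below this (tune for your estate)
$ShrinkBytes         = 200MB  # the same 200 MB the remediation takes

function Test-OsPartitionShrinkSafe {
    # $true only when disk 0 has exactly one Basic partition (so the remediation can't pick
    # the wrong one) and shrinking it stays above the floor and within what the volume allows.
    $os = @(Get-Partition -DiskNumber 0 | Where-Object Type -eq "Basic")
    if ($os.Count -ne 1) {
        Write-Warning "Expected exactly one Basic partition on disk 0, found $($os.Count)"
        return $false
    }
    $supported = Get-PartitionSupportedSize -DiskNumber 0 -PartitionNumber $os[0].PartitionNumber
    $target = $os[0].Size - $ShrinkBytes
    if ($target -lt $MinOsPartitionBytes) {
        Write-Warning "OS partition would shrink to $target bytes, below the floor"
        return $false
    }
    if ($target -lt $supported.SizeMin) {
        Write-Warning "Volume cannot shrink that far (minimum $($supported.SizeMin) bytes)"
        return $false
    }
    return $true
}

function Get-VerifiedWinREFile {
    param([string]$Name, [string]$Destination)
    # Download over HTTPS, then check the SHA256 before the file is used anywhere.
    Invoke-WebRequest -Uri "$WinRESource/$Name" -OutFile $Destination -UseBasicParsing
    $actual = (Get-FileHash -Path $Destination -Algorithm SHA256).Hash
    if ($actual -ne $ExpectedHashes[$Name]) {
        Remove-Item -Path $Destination -Force
        throw "SHA256 mismatch for $Name (got $actual); refusing to use it"
    }
}

# Pre-flight: bail out before anything touches the disk layout
if (-not (Test-OsPartitionShrinkSafe)) {
    Write-Warning "Pre-flight check failed; leaving the disk untouched"
    Exit 1
}
```

Call Get-VerifiedWinREFile in place of each Invoke-WebRequest once the X: partition exists; a mismatch throws, so the remediation exits non-zero and Intune simply retries it on the next run.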
This is not the most graceful of solutions, but across multiple tenancies it works! It doesn't require a rebuild, so if this is your problem then have a look at the above. It may help.