
Problem

I have been challenged a few times with leveraging the ability to remotely wipe devices from Intune, for various reasons. While a method that preserves data would be preferable, sometimes an asset is past recovery and clearing the data from it is the first priority. Unfortunately, during tests and initial research I found that performing the remote wipe requires the Windows Recovery Environment (WinRE) to be enabled, which is not consistently the case. It seems that after a recent build the recovery partition is not present, but it gets created if the system goes through an in-place upgrade.

In the past I have looked at reagentc /info to validate whether or not WinRE is enabled. If it is disabled, reagentc /enable should in theory enable the recovery environment. This would be great, but in order to turn it on, BitLocker must be turned off, and once WinRE is on, trying to re-enable BitLocker requires disabling the recovery environment again.

Surely there must be a way to enable it without sacrificing full disk encryption?

After digging I found a possible solution:

  1. Ensure WinRE is disabled with reagentc /disable.
  2. Navigate to c:\Windows\System32\Recovery to find Winre.wim. If this file is present, WinRE will be unable to boot because the file sits on the BitLocker-encrypted volume.
  3. For both to work together, a 1 GB (or larger) partition is needed.
  4. Disk Management can be used to shrink the existing C drive by at least 1 GB.
  5. From an Administrator Command Prompt, run diskpart and enter:
      1. list disk
      2. select disk #
      3. list partition
      4. select partition #
      5. set id=de94bba4-06d1-4d40-a16a-bfd50179d6ac
      6. gpt attributes=0X8000000000000001

If, for some reason, the system is still using MBR instead of GPT, replace steps 5 and 6 with set id=27.

These steps should move the Winre.wim file to the newly created recovery partition, allowing BitLocker to remain in use while WinRE is enabled.
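As an added pre-flight check (not part of the original post), the following PowerShell reports the three things the procedure above depends on: the WinRE state from reagentc /info, the BitLocker state of the OS volume, and whether a partition with the recovery type id (the same GUID used in the diskpart set id step, or 0x27 on MBR) of at least 1 GB exists. It assumes English reagentc output and an elevated session.

```powershell
# Pre-flight check for the WinRE + BitLocker procedure (added example, not from the original post).
#Requires -RunAsAdministrator

$minRecoveryBytes = 1GB                                          # the post's "1 GB (or larger)"
$gptRecoveryGuid  = '{de94bba4-06d1-4d40-a16a-bfd50179d6ac}'     # same GUID as the diskpart 'set id' step
$mbrRecoveryType  = 0x27                                         # same value as 'set id=27' on MBR disks

# 1. WinRE status and location as reported by reagentc /info (output is localized; regex assumes English)
$reInfo   = (reagentc.exe /info 2>&1) -join "`n"
$reStatus = if ($reInfo -match 'Windows RE status:\s+(\w+)')   { $Matches[1] } else { 'Unknown' }
$reLoc    = if ($reInfo -match 'Windows RE location:\s+(\S+)') { $Matches[1] } else { '' }

# 2. BitLocker state of the OS volume, and whether Winre.wim is staged on that encrypted volume
$osVolume  = Get-BitLockerVolume -MountPoint $env:SystemDrive
$stagedWim = Test-Path (Join-Path $env:SystemRoot 'System32\Recovery\Winre.wim')

# 3. Partitions that carry the recovery type id and meet the minimum size
$recoveryParts = @(Get-Partition | Where-Object {
    ($_.GptType -eq $gptRecoveryGuid -or $_.MbrType -eq $mbrRecoveryType) -and $_.Size -ge $minRecoveryBytes
})

[pscustomobject]@{
    WinREStatus          = $reStatus
    WinRELocation        = $reLoc
    BitLockerProtection  = $osVolume.ProtectionStatus
    BitLockerVolumeState = $osVolume.VolumeStatus
    WinreWimOnOSVolume   = $stagedWim                    # $true means WinRE would have to boot from the encrypted volume
    RecoveryPartitions   = ($recoveryParts | Select-Object DiskNumber, PartitionNumber,
                              @{ n = 'SizeGB'; e = { [math]::Round($_.Size / 1GB, 2) } })
    # Ready to run reagentc /enable without touching BitLocker: a suitable partition exists
    # and Winre.wim is no longer sitting on the OS volume
    ReadyForWinRE        = ($recoveryParts.Count -ge 1 -and -not $stagedWim)
}
```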

Additional information and possible issues are documented in KB5028997: Instructions to manually resize your partition to install the WinRE update (Microsoft Support).