8/28/2019

Bitlocker Windows Recovery Environment Error

Ask your administrator to configure Windows Recovery Environment so that you can use BitLocker. The fix, if you're faced with the same problem, is to run through the following steps: Start an elevated command line; Enter DISKPART; Enter LIST VOLUME; Select the 'recovery' volume with SELECT VOLUME. Number is the recovery volume number. As already stated the Windows 8.1 upgrade wipes out the WinRE environment from the recovery partition. If you look in Disk Manager the partition is now empty when under Windows 8 there was content. You can also confirm this by running.

  • Windows RE and BitLocker Device Encryption. Windows Recovery Environment (RE) can be used to recover access to a drive protected by BitLocker Device Encryption. If a PC is unable to boot after two failures, Startup Repair will automatically start.
  • Ask your administrator to configure Windows Recovery Environment so that you can use BitLocker. — The Team That Writes Error Messages at Microsoft The only option is to click cancel.

Windows Recovery Environment (WinRE) is a recovery environment that can repair common causes of unbootable operating systems. WinRE is based on Windows Preinstallation Environment (Windows PE), and can be customized with additional drivers, languages, Windows PE Optional Components, and other troubleshooting and diagnostic tools. By default, WinRE is preloaded into the Windows 10 for desktop editions (Home, Pro, Enterprise, and Education) and Windows Server 2016 installations.

What's new with WinRE for Windows 10?

  • By default, if you install Windows using media created from Windows Imaging and Configuration Designer (ICD), you'll get a dedicated WinRE tools partition on both UEFI and BIOS-based devices, located immediately after the Windows partition. This allows Windows to replace and resize the partition as needed. (If you install Windows by using Windows Setup, you'll get the same partition layout that you did in Windows 8.1.)
  • If you add a custom tool to the WinRE boot options menu, it can only use optional components that are already in the default WinRE tools. For example, if you have an app from Windows 8 that depended on the .NET optional components, you'll need to rewrite the app for Windows 10.
  • If you add a custom tool to the WinRE boot options menu, it must be placed in the \Sources\Recovery\Tools folder so that it can continue to work after future WinRE upgrades.
  • When adding languages to the push-button reset tools, you'll now need to add the WinPE-HTA optional component.

Tools

WinRE includes these tools:

  • Automatic repair and other troubleshooting tools. For more info, see Windows RE Troubleshooting Features.
  • Push-button reset (Windows 10 for desktop editions, Windows 8.1 and Windows 8 only). This tool enables your users to repair their own PCs quickly while preserving their data and important customizations, without having to back up data in advance. For more info, see Push-Button Reset Overview.
  • System image recovery (Windows Server 2016, Windows Server 2012 R2 and Windows Server 2012 only). This tool restores the entire hard drive. For more info, see Recover the Operating System or Full Server.

In addition, you can create your own custom recovery solution by using the Windows Imaging API, or by using the Deployment Image Servicing and Management (DISM) API.

Entry points into WinRE

Your users can access WinRE features through the Boot Options menu, which can be launched from Windows in a few different ways:

  • From the login screen, click Shutdown, then hold down the Shift key while selecting Restart.
  • In Windows 10, select Start > Settings > Update & security > Recovery > under Advanced Startup, click Restart now.
  • Boot to recovery media.
  • Use a hardware recovery button (or button combination) configured by the OEM.

After any of these actions is performed, all user sessions are signed off and the Boot Options menu is displayed. If your users select a WinRE feature from this menu, the PC restarts into WinRE and the selected feature is launched.

WinRE starts automatically after detecting the following issues:

  • Two consecutive failed attempts to start Windows.
  • Two consecutive unexpected shutdowns that occur within two minutes of boot completion.
  • Two consecutive system reboots within two minutes of boot completion.
  • A Secure Boot error (except for issues related to Bootmgr.efi).
  • A BitLocker error on touch-only devices.

Boot options menu

This menu enables your users to perform these actions:

  • Start recovery, troubleshooting, and diagnostic tools.
  • Boot from a device (UEFI only).
  • Access the Firmware menu (UEFI only).
  • Choose which operating system to boot, if multiple operating systems are installed on the PC.

Note

You can add one custom tool to the Boot options menu. Otherwise, these menus can't be further customized. For more info, see Add a Custom Tool to the Windows RE Boot Options Menu.

Security considerations

When working with WinRE, be aware of these security considerations:

  • If users open the Boot options menu from Windows and select a WinRE tool, they must provide the user name and password of a local user account with administrator rights.
  • By default, networking is disabled in WinRE. You can turn on networking when you need it. For better security, disable networking when you don't need connectivity.

Customizing WinRE

You can customize WinRE by adding packages (Windows PE Optional Components), languages, drivers, and custom diagnostic or troubleshooting tools. The base WinRE image includes these Windows PE Optional Components:

  • Microsoft-Windows-Foundation-Package
  • WinPE-EnhancedStorage
  • WinPE-Rejuv
  • WinPE-Scripting
  • WinPE-SecureStartup
  • WinPE-Setup
  • WinPE-SRT
  • WinPE-WDS-Tools
  • WinPE-WMI
  • WinPE-StorageWMI-Package (added to the base image in Windows 8.1 and Windows Server 2012 R2)
  • WinPE-HTA (added to the base image in Windows 10)

Note The number of packages, languages, and drivers is limited by the amount of memory available on the PC. For performance reasons, minimize the number of languages, drivers, and tools that you add to the image.

Hard drive partitions

When you install Windows by using Windows Setup, WinRE is configured like this:

  1. During Windows Setup, Windows prepares the hard drive partitions to support WinRE.

  2. Windows initially places the WinRE image file (winre.wim) in the Windows partition, in the \Windows\System32\Recovery folder.

    Before delivering the PC to your customer, you can modify or replace the WinRE image file to include additional languages, drivers, or packages.

  3. During the specialize configuration pass, the WinRE image file is copied into the recovery tools partition, so that the device can boot to the recovery tools even if there's a problem with the Windows partition.

When you deploy Windows by applying images, you must manually configure the hard drive partitions. When WinRE is installed on a hard drive, the partition must be formatted as NTFS.

Add the baseline WinRE tools image (winre.wim) to a separate partition from the Windows and data partitions. This enables your users to use WinRE even if the Windows partition is encrypted with Windows BitLocker Drive Encryption. It also prevents your users from accidentally modifying or removing the WinRE tools.

Store the recovery tools in a dedicated partition, directly after the Windows partition. This way, if future updates require a larger recovery partition, Windows will be able to handle it more efficiently by adjusting the Windows and recovery partition sizes, rather than having to create a new recovery partition size while the old one remains in place.

To learn more, see Configure UEFI/GPT-Based Hard Drive Partitions or Configure BIOS/MBR-Based Hard Drive Partitions.

Memory requirements

In order to boot Windows RE directly from memory (also known as RAM disk boot), a contiguous portion of physical memory (RAM) which can hold the entire Windows RE image (winre.wim) must be available. To optimize memory use, manufacturers should ensure that their firmware reserves memory locations either at the beginning or at the end of the physical memory address space.

Updating the on-disk Windows Recovery Environment

In Windows 10, the on-disk copy of Windows RE can be serviced as part of rollup updates for the OS. Not all rollup updates will service Windows RE.

Unlike the normal OS update process, updates for Windows RE do not directly service the on-disk Windows RE image (winre.wim). Instead, a newer version of the Windows RE image replaces the existing one, with the following contents being injected or migrated into the new image:

  • Boot critical and input device drivers from the full OS environment are added to the new Windows RE image.
  • Windows RE customizations under \Sources\Recovery of the mounted winre.wim are migrated to the new image.

The following contents from the existing Windows RE image are not migrated to the new image:

  • Drivers which are in the existing Windows RE image but not in the full OS environment
  • Windows PE optional components which are not part of the default Windows RE image
  • Language packs for Windows PE and optional components

The Windows RE update process makes every effort to reuse the existing Windows RE partition without any modification. However, in some rare situations where the new Windows RE image (along with the migrated/injected contents) does not fit in the existing Windows RE partition, the update process will behave as follows:

  • If the existing Windows RE partition is located immediately after the Windows partition, the Windows partition will be shrunk and space will be added to the Windows RE partition. The new Windows RE image will be installed onto the expanded Windows RE partition.
  • If the existing Windows RE partition is not located immediately after the Windows partition, the Windows partition will be shrunk and a new Windows RE partition will be created. The new Windows RE image will be installed onto this new Windows RE partition. The existing Windows RE partition will be orphaned.
  • If the existing Windows RE partition cannot be reused and the Windows partition cannot successfully be shrunk, the new Windows RE image will be installed onto the Windows partition. The existing Windows RE partition will be orphaned.

Important To ensure that your customizations continue to work after Windows RE has been updated, they must not depend on functionalities provided by Windows PE optional components which are not in the default Windows RE image (e.g. WinPE-NetFX). To facilitate development of Windows RE customizations, the WinPE-HTA optional component has been added to the default Windows RE image in Windows 10.

Note The new Windows RE image deployed as part of the rollup update contains language resources only for the system default language, even if the existing Windows RE image contains resources for multiple languages. On most PCs, the system default language is the language selected at the time of OOBE.

Known Issue

If the GPO 'Windows Settings/Security Settings/Local Policies/Security Options/Accounts: Block Microsoft accounts' is set to enable the policy 'User can’t add or log with Microsoft account', attempting to restore the System in WinRE will fail with the error message 'You need to sign in as an administrator to continue, but there aren't any administrator accounts on this PC.'

This is a known issue and the workaround is to either avoid setting the 'Accounts: Block Microsoft accounts' to 'User can't add or log with Microsoft Account' or set the MDM policy Security/RecoveryEnvironmentAuthentication to 2.

See also

Content type: References

  • Deployment: Customize Windows RE, Deploy Windows RE
  • Operations
  • Troubleshooting
  • Add-on tools: Add a Custom Tool to the Windows RE Boot Options Menu, Add a Hardware Recovery Button to Start Windows RE, Push-Button Reset Overview

Using a brand new Surface Pro (first generation) out of the box, installed current updates, then 8.1, and any further recommended updates after 8.1 was installed.

I've installed two other things that don't seem connected to the issue: the Cisco Anywhere VPN client and Visual Studio 2013.

I'd like to enable Bitlocker, but during the verification step, the following error is displayed, with no options to continue:

This PC doesn't support entering a BitLocker recovery password during startup. Ask your administrator to configure Windows Recovery Environment so that you can use BitLocker.

The 'administrator' in this case is me, and I don't:

  1. .. understand why this has happened
  2. .. know how to fix the issue, as if it's really necessary to make this change, what would I do?
WiredPrairie

3 Answers

This worked well with Windows 10, with a couple of tweaks, swapping steps 5 & 6. You must use the FORMAT command before exiting DISKPART. Also, if like me you have upgraded from 8.1 to Enterprise, to Windows 10 you might have multiple recovery partitions. You can use reagentc /info beforehand to check which partition is currently being used. The reagentc /enable process failed when I tried to change to an older recovery volume.

  1. Start CMD as Administrator, enter DISKPART
  2. Enter LIST VOLUME
  3. Then select the recovery volume with SELECT VOLUME x where x is the corresponding number of the volume
  4. Enter ASSIGN LETTER=Q (to assign the letter Q:/ to the recovery partition)
  5. Enter FORMAT fs=ntfs label="Recovery" quick override where label="Recovery" is optional and works with any other name as well
  6. Enter EXIT to leave diskpart
  7. Run Robocopy.exe C:\Windows\System32\Recovery Q:\Recovery\WindowsRE /copyall /dcopy:t
  8. Run reagentc /setreimage /path Q:\Recovery\WindowsRE
  9. Run reagentc /enable
  10. Run reagentc /info to check whether the setup worked, 'WinRe-Status' should be enabled now
  11. Use DISKPART to remove the drive letter previously assigned to the recovery partition. To do that repeat steps 1. to 3. and then enter REMOVE LETTER=Q
Community
QEconomist

As already stated the Windows 8.1 upgrade wipes out the WinRE environment from the recovery partition. If you look in Disk Manager the partition is now empty when under Windows 8 there was content.

You can also confirm this by running

This is fixed by copying the winre.wim file from the C:\Windows\System32\Recovery folder which recreates the WinRE area in the recovery partition. Here are the steps to accomplish this:

  1. In DISKPART assign a drive letter to the recovery partition (I used Q:)
  2. Run Robocopy.exe C:\Windows\System32\Recovery Q:\Recovery\WindowsRE Winre.wim /copyall /dcopy:t
  3. Run reagentc /setreimage /path Q:\Recovery\WindowsRE
  4. Run reagentc /enable
  5. Use DISKPART to remove the drive letter previously assigned to the recovery partition.

Confirm it works with:

Artie

As already stated the Windows 8.1 upgrade wipes out the WinRE environment from the recovery partition. If you look in Disk Manager the partition is now empty when under Windows 8 there was content.

You can also confirm this by running

reagentc /info

This is fixed by copying the winre.wim file from the C:\Windows\System32\Recovery folder which recreates the WinRE area in the recovery partition. Here are the steps to accomplish this:

  1. In DISKPART assign a drive letter to the recovery partition (I used Q:)
  2. Run Robocopy.exe C:\Windows\System32\Recovery Q:\Recovery\WindowsRE Winre.wim /copyall /dcopy:t
  3. Run reagentc /setreimage /path Q:\Recovery\WindowsRE
  4. Run reagentc /enable
  5. Use DISKPART to remove the drive letter previously assigned to the recovery partition.

Confirm it works with:

reagentc /info

There needs to be an extra step for this method to work. After you assign the drive letter but before exiting diskpart, run:

This reformats the partition and the override allows the partition to be formatted. I had run into this same issue while deploying Windows 8.1 to Surface Pro 3 tablets. The Pro 2s that we have all worked fine but there was something funny with the new 3s.

DarkEthics
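
The reagentc /info check that the answers above run by hand, as an added PowerShell example (not code from any of the posts): it parses the status and location lines so you can see whether WinRE is enabled and which disk and partition it is registered on before turning on BitLocker. The function names and the sample output are constructed for illustration, and English-language reagentc labels are assumed.

```powershell
# Added example. Parses the text printed by `reagentc /info`.
# Assumption: English labels ("Windows RE status:", "Windows RE location:").
function ConvertFrom-ReagentcInfo {
    param([string[]]$Lines)

    $info = [ordered]@{ Enabled = $false; Location = $null; Disk = $null; Partition = $null }
    foreach ($line in $Lines) {
        if ($line -match '^\s*Windows RE status:\s*(\S+)') {
            $info.Enabled = ($Matches[1] -eq 'Enabled')
        }
        elseif ($line -match '^\s*Windows RE location:\s*(\S.*)$') {
            $info.Location = $Matches[1].Trim()
            # Location has the form \\?\GLOBALROOT\device\harddiskN\partitionM\Recovery\WindowsRE
            if ($info.Location -match 'harddisk(\d+)\\partition(\d+)') {
                $info.Disk      = [int]$Matches[1]
                $info.Partition = [int]$Matches[2]
            }
        }
    }
    [pscustomobject]$info
}

# Turns the parsed state into a finding. $LocalImagePresent says whether
# Winre.wim is still in C:\Windows\System32\Recovery (the copy source in the answers).
function Get-WinReFinding {
    param($Info, [bool]$LocalImagePresent)

    if ($Info.Enabled -and $null -ne $Info.Partition) {
        "OK: WinRE enabled on disk $($Info.Disk), partition $($Info.Partition)"
    }
    elseif ($LocalImagePresent) {
        'WinRE not enabled; Winre.wim is in System32\Recovery and can be copied and re-registered'
    }
    else {
        'WinRE not enabled and no Winre.wim in System32\Recovery; a source image is needed first'
    }
}

# Constructed sample output (not captured from a real machine).
$sampleEnabled = @'
    Windows RE status:         Enabled
    Windows RE location:       \\?\GLOBALROOT\device\harddisk0\partition4\Recovery\WindowsRE
'@ -split "`r?`n"
$sampleDisabled = @'
    Windows RE status:         Disabled
    Windows RE location:
'@ -split "`r?`n"

foreach ($sample in $sampleEnabled, $sampleDisabled) {
    Get-WinReFinding -Info (ConvertFrom-ReagentcInfo $sample) -LocalImagePresent $true
}

# On a live system, from an elevated prompt:
#   $live = ConvertFrom-ReagentcInfo (reagentc /info)
#   Get-WinReFinding $live (Test-Path "$env:SystemRoot\System32\Recovery\Winre.wim")
```

With several recovery partitions on the disk, the parsed partition number identifies the one WinRE is currently registered on, which is the partition to leave alone when cleaning up.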
