Since the release of Windows 10 21H1, Microsoft allows users to reset Windows and download a clean Windows image from ‘the cloud’ via the Windows Recovery Environment, without needing a recovery partition.
Despite password-protecting the BIOS, disabling USB/network boot and restricting access to System Settings, we discovered users could still reach the Windows Recovery Environment by holding Shift while restarting the PC. From there they could reset the PC to factory settings using the new ‘cloud download’ option.
Since we haven’t yet been provided with the hardware hashes for the new devices, these devices haven’t been added to Autopilot, so a reset would allow students to set up the device themselves via the standard OOBE.
Since a lot of the devices have already been configured, I don’t want to spend even longer manually disabling the Windows Recovery Environment on each one. To combat this I’ve put together a small batch script and automated its deployment via Intune/Endpoint Manager.
To begin, you will want to create a batch script with the following.
@echo off
REM Disable the Windows Recovery Environment (boot to WinRE is no longer offered)
reagentc.exe /disable
IF %ERRORLEVEL% EQU 0 (
    REM Only on success: create the marker file that Intune's detection rule looks for
    mkdir "C:\WINRE"
    CD /D C:\WINRE
    type nul > winredisabled.txt
)
This disables the recovery agent and, if successful, creates a text file in C:\WINRE. Intune uses this file to detect that the script ran successfully; you can change the path and filename to anything you like.
Save your file with the name DisableWinRE.bat
Create a new batch file with the following.
@echo off
REM Re-enable the Windows Recovery Environment (used as the Intune uninstall command)
reagentc.exe /enable
Save this in the same folder as the first batch file and name it EnableWinRE.bat
Packaging for Intune
To deploy this via Intune, you can use the Microsoft Win32 Content Prep Tool (see ‘Prepare a Win32 app to be uploaded to Microsoft Intune’ on Microsoft Docs).
Open the Content Prep Tool and select the folder containing your batch files as the source.
Use ‘DisableWinRE.bat’ as the setup file.
Choose an output folder; for ease of use you can use the same folder as the two batch files.
You will now have a DisableWinRE.intunewin file in your folder.
Deploying via Intune
To deploy this via Intune, open Endpoint Manager and head to Apps > Windows > Add > Windows app (Win32).
Select the .intunewin file you created.
Add a descriptive name and publisher.
For the install command, enter DisableWinRE.bat; for the uninstall command, enter EnableWinRE.bat.
Under Detection rules, choose “manually configure” and then Add.
Under ‘Rule type’ choose File, and enter the directory and file name you used in the first batch script.
You can now deploy the ‘app’ to your devices to disable the Windows Recovery Environment.
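As an added example (not the post’s own script), the same disable step written in PowerShell with one extra check: the marker file is only written after `reagentc /info` confirms WinRE is actually disabled, and a `-Detect` switch lets the same file double as an Intune custom detection script that re-reads the real state instead of trusting the marker. It assumes the marker path from the batch script above, English `reagentc` output, and a 64-bit PowerShell host running as SYSTEM.

```powershell
param([switch]$Detect)   # -Detect: run as an Intune custom detection script

# Assumption: same marker path as the batch script in the post.
$MarkerDir  = 'C:\WINRE'
$MarkerFile = Join-Path $MarkerDir 'winredisabled.txt'

function Get-WinREStatus {
    # Parses the "Windows RE status: Enabled|Disabled" line from reagentc /info.
    # Assumes English output and a 64-bit host so reagentc.exe resolves from System32.
    $info = & reagentc.exe /info 2>&1 | Out-String
    if ($info -match 'Windows RE status:\s+(\w+)') { return $Matches[1] }
    return 'Unknown'
}

function Disable-WinRE {
    & reagentc.exe /disable | Out-Null
    $rc     = $LASTEXITCODE
    $status = Get-WinREStatus
    # Write the marker only when the exit code AND the reported state agree.
    if ($rc -eq 0 -and $status -eq 'Disabled') {
        New-Item -ItemType Directory -Path $MarkerDir -Force | Out-Null
        Set-Content -Path $MarkerFile -Value ("Disabled " + (Get-Date -Format o))
        return 0
    }
    Write-Output "reagentc exit code $rc, WinRE status '$status'"
    return 1
}

if ($Detect) {
    # Intune custom detection: exit 0 plus any STDOUT output means 'installed'.
    # Checking the live state catches a WinRE that was re-enabled after deployment.
    if ((Get-WinREStatus) -eq 'Disabled' -and (Test-Path $MarkerFile)) {
        Write-Output 'WinRE disabled'
        exit 0
    }
    exit 1
}

exit (Disable-WinRE)
```

Use the file as the install command via `powershell.exe -ExecutionPolicy Bypass -File DisableWinRE.ps1` and, if you prefer it to the file rule, the same script with `-Detect` under ‘Use a custom detection script’.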
Please note, Intune’s ‘Wipe’ function will likely not work with WinRE disabled; however, I’ve not tested this.