Windows Quick Machine Recovery With Microsoft Intune – EMS Route


We all witnessed the incident in which Windows devices worldwide were hit by an AV update that caused Windows to BSOD. Machine recovery was probably one of the first things IT admins did after the incident to get their endpoint fleets up and running again as soon as possible, to support day-to-day operations and all the critical services. The idea of quick machine recovery surfaced and needed to be addressed at the earliest opportunity. Security and resiliency are two major topics that Microsoft is working on and keeps enhancing with new features.

This is how you can enable the Quick Machine Recovery feature on Windows 11 devices to make them ready and cut the wait time to build machines.

Considerations

  • For remote remediation to take place, the device should have Ethernet connectivity or a pre-configured Wi-Fi network. This is important because a steady connection is required for the update/remediation to complete successfully.
  • Wi-Fi compatibility – WPA/WPA2 password-based Wi-Fi networks
  • As mentioned by Microsoft, this is a best-effort feature and may not work for all remediation scenarios.

Compatibility

Windows 11 24H2 with KB5062660

Remediation Process

This consists of two main settings: Cloud Remediation and Auto Remediation. Enable both, as they work hand in hand during a device crash scenario. The settings can be configured via Intune using the Settings Catalog or CSP mappings.

The Cloud Remediation setting makes sure the device uses the Windows Update service to find a solution during the recovery process. Local recovery is used when this setting is disabled.

The Auto Remediation setting makes sure the recovery process is automated; if a solution isn't found on the first attempt, the device retries depending on the retry interval settings. Manual intervention is required to continue when this setting is disabled.

Intune Settings

Settings are shown as below.

Device Settings

Go to System > Recovery > Quick machine recovery to check that the relevant settings have been enabled.

How to Test?

  • To check the current settings, run the command below in CMD:
    reagentc.exe /getrecoverysettings
  • To test, run the command below in CMD:
    reagentc.exe /SetRecoveryTestmode
  • To configure the device to boot into WinRE on the next boot:
    reagentc.exe /BootToRe
  • Reboot the device; it will go through the Auto Remediation steps and then boot to Windows.
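
The test steps above can be run as one guarded PowerShell script. This is an added example, not code from the original post; the helper name Invoke-ReAgentC is hypothetical, and the script assumes that reagentc.exe returns exit code 0 on success and that Windows 11 24H2 corresponds to OS build 26100 or later.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original post): guarded Quick Machine Recovery test run.
$ErrorActionPreference = 'Stop'

# Hypothetical helper: run reagentc.exe with one option and stop on failure.
# Assumption: reagentc.exe returns exit code 0 on success.
function Invoke-ReAgentC {
    param([Parameter(Mandatory)][string]$Option)
    $exe = Join-Path $env:SystemRoot 'System32\reagentc.exe'
    $output = & $exe $Option
    if ($LASTEXITCODE -ne 0) {
        throw "reagentc.exe $Option failed with exit code $LASTEXITCODE"
    }
    return $output
}

# Compatibility: the post lists Windows 11 24H2 with KB5062660.
# Assumption: 24H2 corresponds to OS build 26100 or later.
$build = [System.Environment]::OSVersion.Version.Build
if ($build -lt 26100) {
    throw "OS build $build is older than Windows 11 24H2; stopping."
}
if (-not (Get-HotFix -Id 'KB5062660' -ErrorAction SilentlyContinue)) {
    Write-Warning 'KB5062660 is not listed by Get-HotFix; confirm the update level manually.'
}

# Step 1: show the current settings so Cloud/Auto remediation can be confirmed
# before anything is changed. Output is only displayed, not written to disk.
Invoke-ReAgentC '/getrecoverysettings' | Out-Host

# Step 2: enable recovery test mode. Step 3: boot into WinRE on the next boot.
Invoke-ReAgentC '/SetRecoveryTestmode' | Out-Host
Invoke-ReAgentC '/BootToRe' | Out-Host

# Step 4 is left to the operator so the reboot happens at a chosen time.
Write-Host 'Test mode is set. Reboot the device to start the Auto Remediation test.'
```

The script stops at the first failing step, so the device is never left flagged to boot into WinRE without test mode having been set successfully.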

Verify Remediation

Go to Settings > Windows Update > Update History to see which updates have been installed.

Closing

As mentioned previously, this is a critical feature that deserves serious consideration. The cause may be a worldwide issue that makes the Windows OS fail or something local to the device, but either way Quick Machine Recovery can save IT admin time and reduce the impact on user productivity.

This also shows how important it is to have devices managed via an enterprise-grade MDM such as Microsoft Intune to stay on top of device resilience and security.

