Azure VM Stuck On Windows Recovery Environment (WinRE) Loop After Patching


Issue Description

After applying Windows Updates, one or more Azure VMs may fail to boot and enter the Windows Recovery Environment (WinRE) during startup. In this state, the VM may appear as “Stopped” in the Azure portal, and boot diagnostics show the Windows recovery screen.


This issue was observed to occur intermittently after monthly patching cycles, affecting random VMs within the desktop pool.




Root Cause

Based on joint analysis with Microsoft Support, the primary cause appears to be:

  • Windows Update corruption during reboot, leading to incomplete installation of critical updates.

  • BitLocker encryption on the OS disk, preventing normal recovery when startup repair is attempted.

  • In some instances, driver conflicts or pending updates cause the OS loader to fail, leading to recovery mode.

Resolution Steps

Please note: While the process below has led to successful recoveries in most cases, it does not guarantee the successful restoration of the VM. The steps may take some time to complete.

Step 1: Validate VM Status

  1. Log in to the Azure Portal.

  2. Navigate to Virtual Machines → select the affected VM.

  3. Review Boot Diagnostics screenshots to confirm that the VM is stuck in the Windows Recovery Environment.

    • You may see messages like “The operating system couldn't be loaded because a required file is missing or contains errors.”



    • You may see a prompt for the BitLocker key



Step 2: Check for BitLocker Encryption (Only if the VM is BitLocker enabled)

  1. Retrieve the BitLocker recovery key:

    • From Azure AD → Devices → select the device → BitLocker Keys.

    • Or from your organization’s Active Directory if stored there.

Note: Without the BitLocker key, the disk cannot be repaired.

Step 3: Create a Repair VM

Use the Azure VM Repair Extension to attach the faulty OS disk to a healthy repair VM for troubleshooting.

  1. Log in to the Azure Portal.

  2. Open Cloud Shell.



  3. Run the commands below, replacing <VMName> and <ResourceGroup> with the name and resource group of the VM that needs to be repaired.

    az account set --subscription <subscription_id>

    az extension add -n vm-repair

    az vm repair create -n <VMName> -g <ResourceGroup> --enable-nested --verbose


    When prompted:

    • Enter Repair VM admin credentials (We use them to log in to the Repair VM)

    • Select "y" to create a public IP (For access)


    • Enter the BitLocker key if the disk is encrypted.

    Once the process completes, a repair VM will be provisioned within your Azure subscription. The affected VM will be recreated with its OS disk attached as a secondary disk to the repair VM to facilitate recovery efforts.


Step 4: Access the Repair VM to attempt VM repair.

  1. Access the Repair VM using the public IP.

  2. Use the Admin credentials provided during the previous steps.

  3. Open Hyper-V, which is already installed on the Repair VM. A Problem VM has been created in it using the disk attached in the previous step.

  4. Power on the Problem VM from Hyper-V.

  5. If prompted for the BitLocker key, provide the key and wait for the unlock.

  6. Choose the Continue option on the screen.

  7. Choose Startup Repair on the screen. (If prompted for the BitLocker key, provide the key.)

  8. You might see a screen showing a Windows update rollback or update in progress.

  9. Leave the VM to process the updates.

  10. Once the process is complete, the VM should return to a bootable state.

Step 5: Verify Boot

After repair:

  1. Restart the VM from Hyper-V to confirm the VM is booting successfully.

  2. If prompted, enter the BitLocker key again during the first boot.

Step 6: Swap the OS Disk (If the repair is successful)

If the Problem VM repair is successful, you can replace the corrupted OS disk with a new healthy one:

  1. From Azure, detach the disk attached to the Repair VM and apply the changes.

  2. Go to the original VM in Azure.

  3. Under Disks, swap the OS disk and attach the repaired VM disk.

  4. Start the VM.

  5. Check the Boot diagnostics screen to confirm the VM has booted. Also verify the VM status in Watch, which should change to the Ready state.

Step 7: Post-Recovery Verification

  • Confirm that users can log in successfully.

  • Validate key services and applications.

Step 8: Cleanup

  • Deallocate the Repair VM created at Step 3.

  • Verify and delete the original VM disk that was replaced with a repaired disk.


Preventive Recommendations

  • Avoid forced reboots during Windows updates.

  • For any business-critical VMs, take VM snapshots before monthly patching.

  • Store BitLocker keys securely and verify recovery access before encryption.
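
One way to script the pre-patching snapshot recommended above, as an added example that is not part of the original article: it snapshots the OS disk of each named VM with the Azure CLI and reports any VM it could not cover. It assumes managed disks and an already authenticated session such as Cloud Shell; the function names and the snapshot naming scheme are hypothetical.

```shell
#!/usr/bin/env bash
# Added example (not from the original article): snapshot OS disks before patching.
# Assumptions: managed disks, authenticated Azure CLI, hypothetical naming scheme.

# Build the snapshot name: <vm>-os-prepatch-<UTC date, YYYYMMDD>.
snapshot_name() {
  local vm="$1" stamp="${2:-$(date -u +%Y%m%d)}"
  printf '%s\n' "${vm}-os-prepatch-${stamp}"
}

# Snapshot one VM's OS disk. Prints the snapshot name on success.
# Returns 2 when the VM has no managed OS disk, 1 on any Azure CLI error.
snapshot_os_disk() {
  local rg="$1" vm="$2" stamp="${3:-}" disk_id name
  disk_id="$(az vm show -g "$rg" -n "$vm" \
      --query 'storageProfile.osDisk.managedDisk.id' -o tsv)" || return 1
  if [ -z "$disk_id" ]; then
    echo "skip $vm: no managed OS disk found" >&2
    return 2
  fi
  name="$(snapshot_name "$vm" "$stamp")"
  az snapshot create -g "$rg" -n "$name" --source "$disk_id" \
      --tags purpose=prepatch -o none || return 1
  printf '%s\n' "$name"
}

# Snapshot every VM listed after the resource group. A failure on one VM
# does not stop the run; the return value is the number of VMs not covered.
snapshot_all() {
  local rg="$1" failed=0 vm
  shift
  for vm in "$@"; do
    snapshot_os_disk "$rg" "$vm" || {
      echo "FAILED: $vm has no pre-patch snapshot" >&2
      failed=$((failed + 1))
    }
  done
  return "$failed"
}

# Run as: ./prepatch-snapshot.sh <ResourceGroup> <VMName> [<VMName> ...]
if [ "$#" -ge 2 ]; then
  snapshot_all "$@"
fi
```

A snapshot of a BitLocker-encrypted OS disk is itself encrypted, so restoring from it still requires the recovery key described in Step 2.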