
How do SafeOS updates work?

Macaulay Skinner 20 Reputation points
2026-06-16T09:18:12.01+00:00

I am getting really confused with SafeOS updates from Microsoft. As part of the latest Yellowkey update, Microsoft released the latest cumulative update, which was meant to fix the issue. I checked some machines and noticed they were still vulnerable, but noticed that their WinRE version wasn't the same as the OS version. I then found out about SafeOS patches, which seem to come down through Windows Update sometimes, but not if you are using Autopatch in Intune. My understanding is that SafeOS patches deploy WinRE and WinPE updates. How are these deployed, and how can they be tracked?


Answer accepted by question author

VPHAN 35,770 Reputation points Independent Advisor
2026-06-16T09:55:32.9233333+00:00

Hello

WinRE is essentially a standalone, highly compressed operating system stored as a file named winre.wim within a hidden partition. Because it is serviced independently from the main OS via SafeOS Dynamic Updates, its build version will inherently differ from the primary Windows build displayed in your management portal. In modern Intune Autopatch environments, Microsoft deploys these SafeOS payloads concurrently with standard monthly Quality Updates, attempting to patch both environments in the same servicing window.

The primary reason your devices remain vulnerable despite receiving recent cumulative updates is a physical space limitation on the hidden recovery partition. To successfully apply a SafeOS update, the Windows update engine must extract the winre.wim file, inject the new security binaries, and repackage it. If the partition lacks the requisite free space to handle this extraction, the WinRE update will fail, often generating a 0x80070643 error in local update logs, while the main OS update successfully installs and deceptively reports as fully compliant in Intune.

Tracking and verifying these updates requires inspecting the offline image directly using Microsoft's official script methodology. This involves running the reagentc /info command to locate the active recovery partition, then using the Deployment Image Servicing and Management tool to mount the winre.wim file to a temporary local folder. Mounting temporarily unpacks the offline file system so you can check the exact build version of Windows\System32\winpeshl.exe, which is the core executable responsible for launching the recovery interface. If this file version is outdated, the official remediation is to deploy Microsoft's supported partition extension script to shrink your primary OS drive slightly and expand the recovery partition, ensuring the SafeOS patch can successfully extract and install during the next update cycle.

Hope this answer has brought you some useful information. If it did, please hit “accept answer”. Should you have any questions, feel free to leave a comment.

VPHAN


1 person found this answer helpful.
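
The free-space failure described in the accepted answer can be checked across a fleet before the next servicing window. The PowerShell script below is an added example written for this page; it is not Microsoft's partition-extension script and not code from either answer. It parses the disk and partition numbers out of `reagentc /info`, resolves them to the recovery partition with the Storage cmdlets, and reports whether that partition has enough free space for the WinRE image to be extracted and repackaged. The 250 MB threshold is an assumption used for illustration, and the function names `Get-WinReLocation` and `Test-WinRePartitionSpace` are mine.

```powershell
# Added example (not Microsoft's script): report recovery-partition free space so
# devices whose SafeOS/WinRE update will fail for lack of space can be found before
# the next monthly quality update. Run elevated; needs the Storage module
# (Windows 8.1 / Server 2012 R2 and later).
#Requires -RunAsAdministrator
[CmdletBinding()]
param(
    # Assumption: 250 MB is used as the minimum free space for illustration; adjust
    # it to the value Microsoft's current guidance specifies for your OS build.
    [int64]$RequiredFreeBytes = 250MB
)

function Get-WinReLocation {
    # reagentc /info prints the image location as a GLOBALROOT device path such as
    #   \\?\GLOBALROOT\device\harddisk0\partition4\Recovery\WindowsRE
    # The label text is localized but the path format is not, so parse the path.
    $info = & reagentc.exe /info 2>&1
    if ($LASTEXITCODE -ne 0) { throw "reagentc /info failed: $($info -join ' ')" }
    $hit = $info |
        Select-String -Pattern '(\\\\\?\\GLOBALROOT\\device\\harddisk(\d+)\\partition(\d+)\S*)' |
        Select-Object -First 1
    if (-not $hit) {
        throw 'WinRE location not found; WinRE is probably disabled (see the status line of reagentc /info).'
    }
    $m = $hit.Matches[0]
    [pscustomobject]@{
        Path            = $m.Groups[1].Value
        DiskNumber      = [int]$m.Groups[2].Value
        PartitionNumber = [int]$m.Groups[3].Value
    }
}

function Test-WinRePartitionSpace {
    param([int64]$RequiredFreeBytes)
    $loc  = Get-WinReLocation
    $part = Get-Partition -DiskNumber $loc.DiskNumber -PartitionNumber $loc.PartitionNumber
    # The recovery partition normally has no drive letter; piping the partition
    # object into Get-Volume still resolves its file system and free space.
    $vol  = $part | Get-Volume
    [pscustomobject]@{
        ComputerName            = $env:COMPUTERNAME
        WinReImage              = "$($loc.Path)\winre.wim"
        PartitionSizeMB         = [math]::Round($part.Size / 1MB)
        FreeMB                  = [math]::Round($vol.SizeRemaining / 1MB)
        RequiredFreeMB          = [math]::Round($RequiredFreeBytes / 1MB)
        HasSpaceForSafeOsUpdate = ($vol.SizeRemaining -ge $RequiredFreeBytes)
    }
}

$result = Test-WinRePartitionSpace -RequiredFreeBytes $RequiredFreeBytes
$result | Format-List
# A non-zero exit code makes this usable as the detection script of an Intune
# remediation, so the short-on-space devices surface in the portal.
if (-not $result.HasSpaceForSafeOsUpdate) { exit 1 }
```

Run it once interactively to confirm the parsed disk and partition numbers match what `reagentc /info` shows, then deploy it as an Intune remediation detection script: devices that exit 1 are the ones where the main OS reports compliant in Intune while the WinRE update has nowhere to extract.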

1 additional answer

  1. AI answer

    2026-06-16T09:18:58.0566667+00:00

    Safe OS / WinRE servicing has three key pieces:

    1. How WinRE is serviced
    • WinRE is not updated by the regular OS cumulative update alone.
    • WinRE is serviced by:
      • The servicing stack update (SSU) that is part of a cumulative update, and
      • A Safe OS Dynamic Update package.
    • Applying the SSU and then the Safe OS Dynamic Update is the supported way to ensure WinRE is updated.
    • Because of this, the WinRE binaries and version can differ from the main OS build; what matters is that the correct Safe OS Dynamic Update has been applied.
    2. What Safe OS Dynamic Updates do
    • Safe OS Dynamic Updates make improvements to the Windows recovery environment (WinRE) and the “Safe OS” used during recovery/upgrade.
    • For Windows 10 and Windows 11, Microsoft publishes Safe OS Dynamic Updates (for example, KB5069340, KB5072542, KB5073933) that specifically state they update WinRE.
    • These updates are used to fix WinRE issues (for example, WinRE not starting after a previous Safe OS update) and to deliver changes such as Secure Boot certificate updates.
    3. How Safe OS / WinRE updates are deployed and tracked

    Deployment paths

    • Windows Update
      • Safe OS Dynamic Updates are available via Windows Update and are downloaded and installed automatically on supported devices.
      • For example, KB5069340 and KB5072542 state that they are available through Windows Update and install automatically.
    • Microsoft Update Catalog / manual deployment
      • The same Safe OS Dynamic Updates are also published as standalone packages in the Microsoft Update Catalog.
      • For WinRE specifically, Microsoft documents a manual path: download the Safe OS Dynamic Update package and then manually add it to WinRE using the documented “Add an update package to Windows RE” process.
      • This is the supported method when managing images or when automatic delivery does not apply (for example, offline media or controlled servicing scenarios).
    • Installation media / upgrade scenarios
      • During setup or media-based deployment, Dynamic Update can pull Safe OS packages to update WinRE in the media. This is covered under the guidance to update Windows installation media with Dynamic Update.

    Because the context provided does not describe Intune Autopatch behavior, only the general servicing model can be stated: if a device does not receive the Safe OS Dynamic Update through its configured update channel, WinRE will not be fully serviced even if the OS cumulative update is present.

    Tracking WinRE / Safe OS state

    1. Checking WinRE version
    • Microsoft provides a PowerShell script GetWinReVersion.ps1 in multiple Safe OS KBs (for Windows 10 and Windows 11) to determine the installed WinRE version.
    • The script:
      • Uses reagentc /info to find the WinRE location.
      • Mounts winre.wim to a temporary directory (for example, C:\mnt) using DISM.
      • Reads the version information from Windows\System32\winpeshl.exe inside the mounted image.
      • Outputs the WinRE version and then unmounts and cleans up the mount directory.
    • Running this script with administrative privileges on target machines allows tracking which WinRE version is installed and verifying whether a given Safe OS Dynamic Update has been applied.
    2. Tracking Safe OS Dynamic Updates themselves
    • Safe OS Dynamic Updates are published as KBs (for example, KB5069340, KB5072542, KB5073933) and can be tracked like other updates:
      • Via Windows Update history on the device.
      • Via update management tools that report installed KBs.
    • For manual servicing of WinRE (for example, on images or when using the Update Catalog), the process documented under Add an update package to Windows RE is used to apply and thus track which Safe OS package has been injected.
    3. Checkpoint cumulative updates and WinRE
    • Checkpoint cumulative updates do not change the WinRE servicing model.
    • WinRE still requires:
      • The servicing stack update from a cumulative update, and
      • The Safe OS Dynamic Update.
    • Applying both is the only way to ensure WinRE is serviced; checkpoint cumulative updates do not replace the need for Safe OS Dynamic Updates.

    In practice, to ensure machines are not left vulnerable due to outdated WinRE:

    • Confirm that the relevant Safe OS Dynamic Update KBs for the OS version have been deployed (via Windows Update or manually from the Update Catalog).
    • Use the GetWinReVersion.ps1 script to verify WinRE version on representative devices.
    • For custom images or controlled environments, follow the documented process to add Safe OS update packages directly to WinRE.

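
Both answers describe the same verification loop: locate the WinRE image, mount it, read the version of Windows\System32\winpeshl.exe, then confirm that the Safe OS Dynamic Update actually landed. The script below is an added example written for this page; it is not Microsoft's GetWinReVersion.ps1 and not code from either answer. It mounts WinRE with `reagentc /mountre`, which resolves the image path itself, instead of parsing the path for DISM; it unmounts with `/discard` so the check can never write a modified winre.wim back; and it reads installed-update history through the Windows Update Agent's `Microsoft.Update.Session` COM object, which reflects installs from Windows Update, WSUS and Intune/Autopatch alike. The function names and the default mount directory `C:\mnt` are mine; the three KB numbers are the ones the AI answer lists and must be replaced with the Safe OS KBs that apply to your OS build.

```powershell
# Added example (not Microsoft's GetWinReVersion.ps1): report the WinRE build and
# whether the expected Safe OS Dynamic Update KBs appear in Windows Update history.
# Run elevated. WinRE must be enabled (reagentc /info) for /mountre to work.
#Requires -RunAsAdministrator
[CmdletBinding()]
param(
    [string]$MountDir = 'C:\mnt',   # assumption: empty scratch directory used as the mount point
    # KBs named in this thread; substitute the Safe OS KBs that apply to your build.
    [string[]]$SafeOsKbs = @('KB5069340', 'KB5072542', 'KB5073933')
)

function Get-WinReVersion {
    param([string]$MountDir)
    if (-not (Test-Path -LiteralPath $MountDir)) {
        New-Item -ItemType Directory -Path $MountDir | Out-Null
    }
    # reagentc mounts the registered winre.wim itself, so no GLOBALROOT path parsing
    # is needed (the DISM equivalent is /Mount-Image on that path with /Index:1).
    $out = & reagentc.exe /mountre /path $MountDir 2>&1
    if ($LASTEXITCODE -ne 0) { throw "reagentc /mountre failed: $($out -join ' ')" }
    try {
        $exe = Join-Path $MountDir 'Windows\System32\winpeshl.exe'
        $vi  = (Get-Item -LiteralPath $exe).VersionInfo
        # Use the numeric parts; the FileVersion string carries a WinBuild suffix.
        '{0}.{1}.{2}.{3}' -f $vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart
    }
    finally {
        # /discard guarantees this read-only check never changes the image.
        & reagentc.exe /unmountre /path $MountDir /discard | Out-Null
        if ($LASTEXITCODE -eq 0) {
            Remove-Item -LiteralPath $MountDir -Recurse -Force -ErrorAction SilentlyContinue
        } else {
            # Never delete a directory that may still be a live WIM mount point.
            Write-Warning "Unmount failed; run 'dism /Cleanup-Mountpoints' before removing $MountDir."
        }
    }
}

function Get-SafeOsUpdateStatus {
    param([string[]]$Kbs)
    # Get-HotFix does not list Dynamic Updates reliably, so query WUA history instead.
    $searcher = (New-Object -ComObject 'Microsoft.Update.Session').CreateUpdateSearcher()
    $total    = $searcher.GetTotalHistoryCount()
    $history  = if ($total -gt 0) { @($searcher.QueryHistory(0, $total)) } else { @() }
    foreach ($kb in $Kbs) {
        # ResultCode 2 = orcSucceeded in the WUA OperationResultCode enumeration.
        $hit = $history |
            Where-Object { $_.Title -like "*$kb*" -and $_.ResultCode -eq 2 } |
            Sort-Object Date -Descending | Select-Object -First 1
        [pscustomobject]@{
            KB        = $kb
            Installed = [bool]$hit
            Date      = if ($hit) { $hit.Date }  else { $null }
            Title     = if ($hit) { $hit.Title } else { $null }
        }
    }
}

$cv      = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$osBuild = "$($cv.CurrentBuild).$($cv.UBR)"
$winRe   = Get-WinReVersion -MountDir $MountDir
"OS build:    $osBuild"
"WinRE build: $winRe   (from winpeshl.exe; this is expected to differ from the OS build)"
Get-SafeOsUpdateStatus -Kbs $SafeOsKbs | Format-Table -AutoSize
```

Compare the printed WinRE build against the version the relevant Safe OS KB article states it installs, not against the OS build; the two are serviced separately and will not match. A device where the KB shows `Installed = True` but the winpeshl.exe version is still old is exactly the case the accepted answer describes, and the free-space check is the next thing to run on it.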
