How can I stop the Windows Recovery Environment being used as a back door?
You can use reagentc to disable WinRE:
See the Microsoft documentation for additional command-line options.
When WinRE is disabled in this way, the startup menus are still available, but the only option that is available is the Startup Settings menu, equivalent to the old F8 startup options.
If you are carrying out unattended installations of Windows 10, and want WinRE to be disabled automatically during installation, delete the following file from the install image:
The WinRE infrastructure is still in place (and can be re-enabled later using a copy of winre.wim and the reagentc command line tool) but will be disabled.
Note that the Microsoft-Windows-WinRE-RecoveryAgent setting in unattend.xml does not appear to have any effect in Windows 10. (However, this might depend on which version of Windows 10 you are installing; I have only tested it on the LTSB branch of version 1607.)
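A script to audit the WinRE state with reagentc, disable it if still enabled, and verify the result, as an added example that is not part of the answer above. It assumes an elevated PowerShell session and English-language reagentc output (the "Windows RE status:" line); the function name is my own.

```powershell
# Added example: check, disable and re-check WinRE via reagentc.
# Assumes: run as Administrator; reagentc /info prints "Windows RE status: Enabled|Disabled".

function Get-WinREStatus {
    # Parse the status line out of reagentc /info rather than trusting a cached value.
    $out = & reagentc.exe /info 2>&1 | Out-String
    if ($out -match 'Windows RE status:\s+(\w+)') { return $Matches[1] }
    throw "Could not parse reagentc /info output:`n$out"
}

$before = Get-WinREStatus
Write-Host "WinRE status before: $before"

if ($before -eq 'Enabled') {
    # /disable unregisters WinRE from the boot configuration. The winre.wim image is
    # kept on disk (moved to %windir%\System32\Recovery), so it can be re-registered
    # later with reagentc /enable, as the answer notes.
    & reagentc.exe /disable | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "reagentc /disable failed with exit code $LASTEXITCODE"
    }
}

$after = Get-WinREStatus
Write-Host "WinRE status after:  $after"
if ($after -ne 'Disabled') { throw "WinRE is still reported as $after" }
```

Re-running the script on an already-disabled machine is harmless: it only reports the state, which makes it usable as a periodic configuration check.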
Use BitLocker, or any other hard drive encryption. It's the only reliable and truly secure way to achieve what you want.