How can I stop the Windows Recovery Environment being used as a back door?

Solution 1:

You can use reagentc to disable WinRE:

reagentc /disable

See the Microsoft documentation for additional command-line options.

When WinRE is disabled in this way, the startup menus are still available, but the only option that is available is the Startup Settings menu, equivalent to the old F8 startup options.

---

If you are carrying out unattended installations of Windows 10, and want WinRE to be disabled automatically during installation, delete the following file from the install image:

\windows\system32\recovery\winre.wim

The WinRE infrastructure is still in place (and can be re-enabled later using a copy of winre.wim and the reagentc command line tool) but will be disabled.

Note that the Microsoft-Windows-WinRE-RecoveryAgent setting in unattend.xml does not appear to have any effect in Windows 10. (However, this might depend on which version of Windows 10 you are installing; I have only tested it on the LTSB branch of version 1607.)

Solution 2:

Use BitLocker, or any other hard drive encryption. It's the only reliable and truly secure way to achieve what you want.