How can I stop the Windows Recovery Environment being used as a back door?

Solution 1:

You can use reagentc to disable WinRE:

reagentc /disable

See the Microsoft documentation for additional command-line options.

When WinRE is disabled in this way, the startup menus are still available, but the only option that is available is the Startup Settings menu, equivalent to the old F8 startup options.


If you are carrying out unattended installations of Windows 10, and want WinRE to be disabled automatically during installation, delete the following file from the install image:

\windows\system32\recovery\winre.wim

The WinRE infrastructure is still in place (and can be re-enabled later using a copy of winre.wim and the reagentc command line tool) but will be disabled.

Note that the Microsoft-Windows-WinRE-RecoveryAgent setting in unattend.xml does not appear to have any effect in Windows 10. (However, this might depend on which version of Windows 10 you are installing; I have only tested it on the LTSB branch of version 1607.)
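The two steps described in Solution 1, as an added PowerShell example that is not part of the original answer: removing winre.wim from an offline install image, and confirming on a deployed machine that WinRE is disabled. The function names and the paths in the usage comments are hypothetical. The status check assumes the English-language output of reagentc /info, and both functions need an elevated prompt.

```powershell
# Added example, not from the original answer. Function names are hypothetical.

function Remove-WinREFromImage {
    # Mounts one index of an install image, deletes winre.wim, commits the change.
    param(
        [Parameter(Mandatory)][string]$ImagePath,  # e.g. path to install.wim
        [Parameter(Mandatory)][int]$Index,         # image index inside the WIM
        [Parameter(Mandatory)][string]$MountDir    # empty directory to mount into
    )
    New-Item -ItemType Directory -Path $MountDir -Force | Out-Null
    Mount-WindowsImage -ImagePath $ImagePath -Index $Index -Path $MountDir -ErrorAction Stop | Out-Null
    $removed = $false
    try {
        $winre = Join-Path $MountDir 'Windows\System32\Recovery\winre.wim'
        if (Test-Path -LiteralPath $winre) {
            # winre.wim carries hidden/system attributes, so -Force is required.
            Remove-Item -LiteralPath $winre -Force -ErrorAction Stop
            $removed = $true
        }
    }
    finally {
        # Commit only if the file was removed; otherwise discard the mount
        # so a failed run never leaves a half-edited image behind.
        if ($removed) { Dismount-WindowsImage -Path $MountDir -Save | Out-Null }
        else          { Dismount-WindowsImage -Path $MountDir -Discard | Out-Null }
    }
    return $removed
}

function Test-WinREDisabled {
    # Runs on the installed system. Assumes English "reagentc /info" output,
    # which contains a line of the form "Windows RE status:  Disabled".
    $info = & reagentc.exe /info | Out-String
    if ($info -match 'Windows RE status:\s+(\w+)') {
        return $Matches[1] -eq 'Disabled'
    }
    throw "Could not parse reagentc /info output:`n$info"
}

# Usage (paths below are assumed values, adjust to your build share):
#   Remove-WinREFromImage -ImagePath 'C:\build\sources\install.wim' -Index 1 -MountDir 'C:\build\mount'
#   if (-not (Test-WinREDisabled)) { reagentc.exe /disable }
```

Running Test-WinREDisabled from a scheduled compliance check catches machines where WinRE has been re-enabled later with a copy of winre.wim.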

Solution 2:

Use BitLocker, or any other hard drive encryption. It's the only reliable and truly secure way to achieve what you want.

Solution 3:

BitLocker also works in the case where someone steals your hard drive and uses it as a secondary drive in his PC, so that the PC boots with his OS and the stolen hard drive is only a data drive. This does not require any password, and if the drive is not protected by BitLocker anyone can easily explore its contents. Please be careful trying this, because repeating this behaviour causes serious corruption of data.

Always use encryption to prevent this kind of problem. Please read this for further information about disk encryption.

Disk Encryption