Tenaka

Feb 12, 2020, 1 min

Disable Windows Recovery

Disabling the Microsoft Windows Recovery Environment reduces the risk of malicious software being installed on the computer and prevents unauthorised access to system files from the recovery environment, which could otherwise lead to data loss or corruption. It also helps prevent accidental changes to critical system settings that can cause serious problems or even render the computer unusable.

<#
.Synopsis
Updates Windows Boot and Recovery options

.Description
Updates Windows Boot and Recovery options to prevent any boot options from being launched during the Windows boot. Windows will boot with a blank screen and provide no recovery options.

This is one of a series of mitigations to prevent booting into PXE, Kali or Recovery options to perform attacks against the system.

UEFI\BIOS - Update Boot order and remove PXE, USB and CD\DVD Boot Options
UEFI\BIOS - Add a complex password to prevent unauthorised changes
BitLocker - Always encrypt the System drive with BitLocker or alternative full disk encryption.
Recovery Partition - Remove Recovery Partition from MDT\ConfigMgr disk configuration

BitLocker should be configured with TPM and PIN to prevent LPC (Low Pin Count) Bus sniffing attack

.Version
#>

# Run from an elevated PowerShell session; bcdedit.exe requires administrator rights.
# All changes below apply to the {default} boot entry and take effect on the next boot.

# Disables automatic repair options for Windows (Windows Recovery Environment)
cmd.exe /c "bcdedit.exe /set {default} recoveryenabled no"

# Disables the Windows Error Recovery screen after a failed boot
cmd.exe /c "bcdedit.exe /set {default} BootStatusPolicy IgnoreAllFailures"

# Disables all boot UI elements: logo, status indicator, status messages
cmd.exe /c "bcdedit.exe /set {default} bootuxdisabled on"

# Disables the advanced startup options menu (F8)
cmd.exe /c "bcdedit.exe /set {default} advancedoptions false"

# Disables editing of boot options at startup (F10)
cmd.exe /c "bcdedit.exe /set {default} optionsedit false"

# Sets the boot manager timeout to zero so no boot menu is shown
cmd.exe /c "bcdedit.exe /timeout 0"
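A hardening script is only half the job; you also want to be able to prove the settings are in place on a machine. The script below is an added example, not part of the original post: it parses `bcdedit /enum` for the `{default}` and `{bootmgr}` entries, reports which of the six settings above are not in the hardened state, optionally applies the same bcdedit commands, and checks the BitLocker TPM+PIN recommendation from the help block. It assumes English-language bcdedit output in which boolean elements display as Yes/No and an element that was never set does not appear at all, and it assumes an elevated session. The function names and the `$BootHardening` table are mine, not anything bcdedit or the post defines.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original post): audit and optionally apply the
# BCD settings the script above changes. Assumptions: English 'bcdedit /enum'
# output (booleans shown as Yes/No, unset elements absent) and an elevated session.

# Each row mirrors one command in the script above: the value passed to
# 'bcdedit /set' (or /timeout) and the value 'bcdedit /enum' is assumed to display.
$BootHardening = @(
    [pscustomobject]@{ Entry = '{default}'; Element = 'recoveryenabled';  Set = 'no';                Shown = 'No' }
    [pscustomobject]@{ Entry = '{default}'; Element = 'bootstatuspolicy'; Set = 'IgnoreAllFailures'; Shown = 'IgnoreAllFailures' }
    [pscustomobject]@{ Entry = '{default}'; Element = 'bootuxdisabled';   Set = 'on';                Shown = 'Yes' }
    [pscustomobject]@{ Entry = '{default}'; Element = 'advancedoptions';  Set = 'false';             Shown = 'No' }
    [pscustomobject]@{ Entry = '{default}'; Element = 'optionsedit';      Set = 'false';             Shown = 'No' }
    [pscustomobject]@{ Entry = '{bootmgr}'; Element = 'timeout';          Set = '0';                 Shown = '0' }
)

function Get-BcdEntry {
    # Parses 'bcdedit /enum <identifier>' into a hashtable of element name -> displayed value.
    param([Parameter(Mandatory)][string]$Identifier)
    $raw = & bcdedit.exe /enum $Identifier 2>&1
    if ($LASTEXITCODE -ne 0) { throw "bcdedit /enum $Identifier failed: $raw" }
    $entry = @{}
    foreach ($line in $raw) {
        # Element lines look like 'recoveryenabled         No'. The section header
        # also matches this pattern but produces a key nothing looks up.
        if ($line -match '^(\S+)\s+(\S.*?)\s*$') {
            $entry[$Matches[1].ToLowerInvariant()] = $Matches[2]
        }
    }
    return $entry
}

function Test-BootHardening {
    # Returns one object per setting with the expected and actual displayed value.
    $entries = @{}
    foreach ($row in $BootHardening) {
        if (-not $entries.ContainsKey($row.Entry)) { $entries[$row.Entry] = Get-BcdEntry $row.Entry }
        $actual  = $entries[$row.Entry]
        $current = if ($actual.ContainsKey($row.Element)) { $actual[$row.Element] } else { '<not set>' }
        [pscustomobject]@{
            Entry     = $row.Entry
            Element   = $row.Element
            Expected  = $row.Shown
            Actual    = $current
            Compliant = ($current -eq $row.Shown)   # -eq is case-insensitive for strings
        }
    }
}

function Set-BootHardening {
    # Applies the same bcdedit changes as the script above, then re-audits.
    foreach ($row in $BootHardening) {
        if ($row.Element -eq 'timeout') {
            & bcdedit.exe /timeout $row.Set | Out-Null
        } else {
            & bcdedit.exe /set $row.Entry $row.Element $row.Set | Out-Null
        }
        if ($LASTEXITCODE -ne 0) { Write-Warning "bcdedit could not set $($row.Entry) $($row.Element)" }
    }
    Test-BootHardening
}

function Test-SystemDriveTpmPin {
    # Checks the BitLocker recommendation from the help block: the system drive
    # should carry a TPM+PIN key protector (KeyProtectorType 'TpmPin'), not TPM only.
    $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive
    [pscustomobject]@{
        MountPoint       = $vol.MountPoint
        ProtectionStatus = $vol.ProtectionStatus
        Protectors       = ($vol.KeyProtector.KeyProtectorType -join ', ')
        HasTpmPin        = ($vol.KeyProtector.KeyProtectorType -contains 'TpmPin')
    }
}

# Usage: audit first; uncomment the last line to enforce the settings.
Test-BootHardening    | Format-Table -AutoSize
Test-SystemDriveTpmPin | Format-List
# Set-BootHardening | Format-Table -AutoSize
```

Running the audit before and after the script above gives a before/after table you can keep with the build documentation, and the same audit is cheap to run from a scheduled task or a compliance check to catch a machine where the settings were reverted (for example by a repair install or a BCD rebuild). The `Shown` column values are the part most likely to need adjustment on a localised build, which is why they live in one table rather than scattered through the code.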
