Disable Windows Recovery

​

​

<#
.Synopsis
Updates Windows Boot and Recovery options

​

.Description

Updates Windows Boot and Recovery options to prevent any boot options from being launched during the Windows boot. Windows will boot with a blank screen and provide no recovery options,

 

This is one of a series of mitigations to prevent booting into PXE, Kali or Recovery options to perform attacks against the system.

 

UEFI\BIOS - Update Boot order and remove PXE, USB and CD\DVD Boot Options

UEFI\BIOS - Add a complex password to prevent unauthorised changed

Bitlocker - Always encrypt the System drive with Bitlocker or alternative full disk encryption.

Recovery Partition - Remove Recovery Partition from MDT\ConfigMgr disk configuration

 

Bitlocker should be configured with TPM and Pin to prevent LPC (Low Pin Count) Bus sniffing attack

​​

.Version

#>

#disables automatic repair options for Windows
cmd.exe /c "bcdedit.exe /set {default} recoveryenabled no"

​

#disables Windows Error Recovery screen
cmd.exe /c "bcdedit.exe /set {default} BootStatusPolicy IgnoreAllFailures"

​

#disables all UI elements, logo, status, status messages
cmd.exe /c "bcdedit.exe /set {default} bootuxdisabled on"

 

#disables advanced startup options (F8)

cmd.exe /c "bcdedit.exe /set {default} advancedoptions false"

​

#disables advanced startup option (F10)
cmd.exe /c "bcdedit.exe /set {default} optionsedit false"

​​

#sets boot timeout out to zero
cmd.exe /c "bcdedit.exe /timeout 0"

​

​

​