Disable Windows Recovery

Disabling Microsoft Windows Recovery Environment is a good idea because it reduces the risk of malicious software being installed on your computer. It also prevents unauthorized access to system files, which could lead to data loss or corruption. Additionally, disabling this feature helps prevent accidental changes to critical system settings that can cause serious problems and even render your computer unusable.

<#
.Synopsis
Updates Windows Boot and Recovery options

.Description
Updates Windows Boot and Recovery options to prevent any boot options from being launched during the Windows boot. Windows will boot with a blank screen and provide no recovery options.

This is one of a series of mitigations to prevent booting into PXE, Kali or Recovery options to perform attacks against the system.

UEFI\BIOS - Update Boot order and remove PXE, USB and CD\DVD Boot Options

UEFI\BIOS - Add a complex password to prevent unauthorised changes

BitLocker - Always encrypt the System drive with BitLocker or alternative full disk encryption.

Recovery Partition - Remove Recovery Partition from MDT\ConfigMgr disk configuration

BitLocker should be configured with TPM and PIN to prevent LPC (Low Pin Count) Bus sniffing attack
#>

#disables automatic repair options for Windows
cmd.exe /c "bcdedit.exe /set {default} recoveryenabled no"

#disables Windows Error Recovery screen
cmd.exe /c "bcdedit.exe /set {default} BootStatusPolicy IgnoreAllFailures"

#disables all UI elements, logo, status, status messages
cmd.exe /c "bcdedit.exe /set {default} bootuxdisabled on"

#disables advanced startup options (F8)
cmd.exe /c "bcdedit.exe /set {default} advancedoptions false"

#disables advanced startup option (F10)
cmd.exe /c "bcdedit.exe /set {default} optionsedit false"

#sets boot timeout to zero
cmd.exe /c "bcdedit.exe /timeout 0"
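
A check to run after the script, added here as an example and not part of the original post: it parses `bcdedit /enum` text and reports each element against the value the script sets. The function names, the `$expected` table and the sample output are constructed for illustration, and the Yes/No value strings assume English-language bcdedit output.

```powershell
# Expected values after the hardening script has run.
# Assumption: English bcdedit output, where boolean elements print as Yes/No.
$expected = [ordered]@{
    recoveryenabled  = 'No'
    bootstatuspolicy = 'IgnoreAllFailures'
    bootuxdisabled   = 'Yes'
    advancedoptions  = 'No'
    optionsedit      = 'No'
    timeout          = '0'
}

function ConvertFrom-BcdText {
    param([string[]]$Lines)
    $values = @{}
    foreach ($line in $Lines) {
        # Element lines are "name<spaces>value" with a lowercase name;
        # section titles and dashed rules fail the case-sensitive match.
        if ($line -cmatch '^(?<name>[a-z]+)\s+(?<value>\S.*)$') {
            $values[$Matches['name']] = $Matches['value'].Trim()
        }
    }
    $values
}

function Test-BootHardening {
    param([string[]]$Lines)
    $actual = ConvertFrom-BcdText $Lines
    foreach ($name in $expected.Keys) {
        # An element that was never set does not appear in bcdedit output.
        $value = if ($actual.ContainsKey($name)) { $actual[$name] } else { '<not set>' }
        [pscustomobject]@{ Setting = $name; Expected = $expected[$name]; Actual = $value; Compliant = ($value -eq $expected[$name]) }
    }
}

# Constructed sample: recovery still enabled, timeout 30, optionsedit never set.
$sample = @'
Windows Boot Manager
--------------------
identifier              {bootmgr}
timeout                 30
Windows Boot Loader
-------------------
identifier              {default}
recoveryenabled         Yes
bootstatuspolicy        IgnoreAllFailures
bootuxdisabled          Yes
advancedoptions         No
'@ -split "`r?`n"
# Live check from an elevated prompt:
# $sample = @(cmd.exe /c "bcdedit.exe /enum {bootmgr}") + @(cmd.exe /c "bcdedit.exe /enum {default}")
Test-BootHardening $sample | Format-Table -AutoSize
```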
