Home / server / Questions / 847203
In Process
I say Reinstate Monica
Asked: 2017-04-29 08:44:27 +0800 CST

Enable Password Prompt for Windows Recovery Environment

  • 772

On one of my domain workstations I'm able to access the Windows 7 Recovery Environment (WinRE) without being prompted for a username and password. My research (example) unanimously declares I'm supposed to get the following prompt to login with a local user account immediately after selecting the keyboard input method:

enter image description here

I never get this prompt.

This TechNet forum post by a Moderator confirms I should be prompted to logon and this is not a configurable option:

When using WinRE, Administrative privilege is demanded by design and this cannot be disabled.

Yet without logging in, I'm able to access all of the recovery options, including the Command Prompt, in which I can navigate all of the data on the machine's hard drive.

The only local accounts on the machine are the Administrator and Guest accounts, both which are disabled. The Administrator account has a password set.

I'm booting to WinRE from a USB drive created from Windows 7 Pro OEM System Builder media. It's not a customized WinRE environment. The %USERNAME% variable in the WinRE Command Prompt reports I'm logged in as SYSTEM. The computer in question is a domain member running Windows 7 Pro 64-bit with the latest updates.

The group policy setting Computer Configuration\Windows Settings\Local Policies\Security Options\Recovery console: Allow automatic administrative logon is Disabled, which means:

Automatic administrative logon is not allowed.

How can I troubleshoot this and require user logon to access WinRE?

windows-7

2 Answers

  1. Check the policy setting (gpedit.msc and/or gpresult /h):

    Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options: Recovery console: Allow automatic administrative logon

    enter image description here

    enter image description here

    Registry setting: 

    Key: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole\  
Value: SecurityLevel (0 = disabled)

    https://docs.microsoft.com/en-us/windows/device-security/security-policy-settings/recovery-console-allow-automatic-administrative-logon

    • 1

  2. Being able to boot from USB or optical drive always means that the data on hard drive is browsable if you have physical access to the machine and the hard drive is not encrypted.

    A standard recovery console can obey the Recovery console: Allow automatic administrative logon = disabled Group Policy (or the registry key), but a recovery system on an external drive doesn't need to care about your domain user privileges or local authentication methods. A recovery system can just access the hard drive completely outside the system. Other tools like ntpasswd or any Linux live distribution does that.

    Therefore, if you want to explicitly prevent users from accessing any recovery environment:

    • Add BIOS / UEFI password.
    • Exclude anything but local hard drive from boot order & boot options.
    • Remove recovery partitions from hard drive.
    • Possibly encrypt the drive (e.g. with BitLocker) if you also want to limit access with a screwdriver.
    • 0