Blocking recovery...and safe mode RRS feed

  • Question

  • I was told on by an independent advisor to post here.  Forgive me for not really being an IT.

    Would this:

    bcdedit /set {globalsettings} advancedoptions true

    Take care of these as well?

    bcdedit /set {default} recoveryenabled No
    bcdedit /set {default} bootstatuspolicy ignoreallfailures  


    How would I reverse the ingnoreallfailures  above?

    Is the cmd prompt that I can access during failures and during boot an elevated command prompt?


    Has anyone tired this with success to block safe mode in windows 10 with the following:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Policies\System

    SafeModeBlockNonAdmins = 1

    Not sure, but this may not be there.  Rathat, I may have to create my own DWORD.


    Sunday, November 10, 2019 4:36 PM

All replies

  • What is the purpose in blocking recovery and safe mode?


    1) making a backup image or clone:

    (Aoemi, Acronis, EaseUS, Macrium, Paragon, etc.)

    2) deleting the recovery partition

    3) An alternative is to disable recovery using command line

    Reagentc /disable


    Please remember to vote and to mark the replies as answers if they help.

    Sunday, November 10, 2019 6:37 PM
  • Thanks for the reply

    so Reagentc /disable

    covers (i.e. knocks out) all of the bcdedit stuff, making them superfluous, correct?

    Any takers on the safe mode question?  How to block on Win 10? 

    Thanks again for the reply.

    Tuesday, November 12, 2019 12:53 AM
  • reagentc /disable should block safe mode.

    Run the command and then attempt to get into safe mode.

    To enable safe mode:  reagentc /enable

    What is the purpose of the block?

    Tuesday, November 12, 2019 4:40 AM
  • I think I found out how to block safe mode, which is just for security reasons.

    Would you please tell me if reagentc /disable also blocks all of the bcdedit stuff...Thanks.

    Tuesday, November 12, 2019 4:55 PM
  • There are many bcdedit commands and they can be ran when reagentc is disabled:

    C:\WINDOWS\system32>bcdedit /?

    BCDEDIT - Boot Configuration Data Store Editor

    The Bcdedit.exe command-line tool modifies the boot configuration data store.
    The boot configuration data store contains boot configuration parameters and
    controls how the operating system is booted. These parameters were previously
    in the Boot.ini file (in BIOS-based operating systems) or in the nonvolatile
    RAM entries (in Extensible Firmware Interface-based operating systems). You can
    use Bcdedit.exe to add, delete, edit, and append entries in the boot
    configuration data store.

    For detailed command and option information, type bcdedit.exe /? <command>. For
    example, to display detailed information about the /createstore command, type:

         bcdedit.exe /? /createstore

    For an alphabetical list of topics in this help file, run "bcdedit /? TOPICS".

    Commands that operate on a store
    /store          Used to specify a BCD store other than the current system default.
    /createstore    Creates a new and empty boot configuration data store.
    /export         Exports the contents of the system store to a file. This file
                    can be used later to restore the state of the system store.
    /import         Restores the state of the system store using a backup file
                    created with the /export command.
    /sysstore       Sets the system store device (only affects EFI systems, does
                    not persist across reboots, and is only used in cases where
                    the system store device is ambiguous).

    Commands that operate on entries in a store
    /copy           Makes copies of entries in the store.
    /create         Creates new entries in the store.
    /delete         Deletes entries from the store.
    /mirror         Creates mirror of entries in the store.

    Run bcdedit /? ID for information about identifiers used by these commands.

    Commands that operate on entry options
    /deletevalue    Deletes entry options from the store.
    /set            Sets entry option values in the store.

    Run bcdedit /? TYPES for a list of datatypes used by these commands.
    Run bcdedit /? FORMATS for a list of valid data formats.

    Commands that control output
    /enum           Lists entries in the store.
    /v              Command-line option that displays entry identifiers in full,
                    rather than using names for well-known identifiers.
                    Use /v by itself as a command to display entry identifiers
                    in full for the ACTIVE type.

    Running "bcdedit" by itself is equivalent to running "bcdedit /enum ACTIVE".

    Commands that control the boot manager
    /bootsequence   Sets the one-time boot sequence for the boot manager.
    /default        Sets the default entry that the boot manager will use.
    /displayorder   Sets the order in which the boot manager displays the
                    multiboot menu.
    /timeout        Sets the boot manager time-out value.
    /toolsdisplayorder  Sets the order in which the boot manager displays
                        the tools menu.

    Commands that control Emergency Management Services for a boot application
    /bootems        Enables or disables Emergency Management Services
                    for a boot application.
    /ems            Enables or disables Emergency Management Services for an
                    operating system entry.
    /emssettings    Sets the global Emergency Management Services parameters.

    Command that control debugging
    /bootdebug      Enables or disables boot debugging for a boot application.
    /dbgsettings    Sets the global debugger parameters.
    /debug          Enables or disables kernel debugging for an operating system
    /hypervisorsettings  Sets the hypervisor parameters.

    Command that control remote event logging
    /eventsettings  Sets the global remote event logging parameters.
    /event          Enables or disables remote event logging for an operating
                    system entry.


    Please remember to vote and to mark the replies as answers if they help.

    Tuesday, November 12, 2019 5:00 PM
  • Thanks so much for the reply.

    I'm not such an expert and realize that I worded my question incorrectly.

    What I meant was that if it set Reagentc /disable, removing system restore, command prompt, startup repair, and system image recovery...

    Would there even be a need to set the following 3 commands:

    1. bcdedit /set {globalsettings} advancedoptions false

    2.  bcdedit /set {default} recoveryenabled No

    3. bcdedit /set {default} bootstatuspolicy ignoreallfailures

    Thanks again for your help.

    Wednesday, November 13, 2019 1:51 AM
  • The bcdedit commands in the above post I've rarely used unless there was a problem with automatic repair:

    Maybe someone else can comment more on the specific questions.

    When there is no recovery on the computer there are other options:

    For example recovery can often be performed with a bootable Windows 10 iso.

    Or if a backup image had been made it often can be restored.

    Wednesday, November 13, 2019 8:35 AM
  • A better way to block safe mode: encrypt the disk using bitlocker if you have a device with TPM chip.

    From then on, only someone with the bitlocker recovery password may enter safe mode. Non-Admins wouldn't be able to get it.

    Thursday, November 14, 2019 2:50 PM
  • Thanks to you both.

    I did a bit of digging and found that this may do the trick:

    bcdedit /deletevalue {current} recoverysequence
    bcdedit /set {bootmgr} bootems off
    bcdedit /set {bootmgr} advancedoptions off
    bcdedit /set {bootmgr} optionsedit off
    bcdedit /set {bootmgr} recoveryenabled off
    bcdedit /set {current} bootems off
    bcdedit /set {current} advancedoptions off
    bcdedit /set {current} optionsedit off
    bcdedit /set {current} bootstatuspolicy IgnoreAllFailures

    bcdedit /set {current} recoveryenabled off

    Just three more (quick) questions:

    1)  What is the difference between Reagentc /disable, and Reagentc.exe /disable ?

    2) If I enter all of the above bcdedit commands, would I have to do each one individually, pressing enter afterward -- then doing the next?  Or is the a way of doing them all at once.

    3)  They all need an elevated cmd prompt, right?

    Thanks again.

    Thursday, November 14, 2019 9:22 PM
  • Hi,


    1. Disables any active Windows RE image that is mapped to the online image. For example:

        Reagentc /disable


    For your reference:


    2. Please press “Enter” after you type each command.




    Hope above information can help you.

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact

    Monday, November 18, 2019 7:41 AM
  • Thank you!
    Tuesday, November 19, 2019 1:41 AM
  • Hi,


    Was your issue solved?


    If the reply helped you, please remember to mark it as an answer.


    If no, please reply and tell us the current situation in order to provide further help.

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact

    Tuesday, November 19, 2019 6:32 AM