Enable Password Prompt for Windows Recovery Environment

password, windows 7

On one of my domain workstations I'm able to access the Windows 7 Recovery Environment (WinRE) without being prompted for a username and password. My research (example) unanimously declares I'm supposed to get the following prompt to log in with a local user account immediately after selecting the keyboard input method:

[Image: WinRE logon prompt]

I never get this prompt.

This TechNet forum post by a Moderator confirms I should be prompted to log on and this is not a configurable option:

> When using WinRE, Administrative privilege is demanded by design and this cannot be disabled.

Yet without logging in, I'm able to access all of the recovery options, including the Command Prompt, in which I can navigate all of the data on the machine's hard drive.

The only local accounts on the machine are the Administrator and Guest accounts, both of which are disabled. The Administrator account has a password set.

I'm booting to WinRE from a USB drive created from Windows 7 Pro OEM System Builder media. It's not a customized WinRE environment. The %USERNAME% variable in the WinRE Command Prompt reports I'm logged in as SYSTEM. The computer in question is a domain member running Windows 7 Pro 64-bit with the latest updates.

The group policy setting Computer Configuration\Windows Settings\Local Policies\Security Options\Recovery console: Allow automatic administrative logon is Disabled, which means:

> Automatic administrative logon is not allowed.

How can I troubleshoot this and require user logon to access WinRE?

Best Answer

Check the policy setting (gpedit.msc and/or gpresult /h):

Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options: Recovery console: Allow automatic administrative logon

Registry setting:

Key: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole\  
Value: SecurityLevel (0 = disabled)  

https://docs.microsoft.com/en-us/windows/device-security/security-policy-settings/recovery-console-allow-automatic-administrative-logon
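
The registry check from the answer above, as an added PowerShell example that is not part of the original answer. The function names are hypothetical; the script assumes an elevated prompt and reports any value other than 0 as "NotDisabled", since the answer only documents 0.

```powershell
# Added example: audit the value behind
# "Recovery console: Allow automatic administrative logon".
# Written to run on PowerShell 2.0 (the Windows 7 default).
$DefaultKey = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole'

function Get-RecoveryConsoleAutoLogon {
    param([string]$KeyPath = $DefaultKey)   # override to inspect another hive mount

    $level = $null
    $state = 'NotConfigured'                # key or value absent

    if (Test-Path -LiteralPath $KeyPath) {
        $item = Get-ItemProperty -LiteralPath $KeyPath -Name SecurityLevel `
                    -ErrorAction SilentlyContinue
        if ($null -ne $item) {
            $level = [int]$item.SecurityLevel
            # 0 = disabled per the answer; anything else is flagged for review.
            if ($level -eq 0) { $state = 'Disabled' } else { $state = 'NotDisabled' }
        }
    }

    New-Object PSObject -Property @{
        Computer      = $env:COMPUTERNAME
        KeyPath       = $KeyPath
        SecurityLevel = $level
        State         = $state
    }
}

function Set-RecoveryConsoleAutoLogonDisabled {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([string]$KeyPath = $DefaultKey)

    if ($PSCmdlet.ShouldProcess($KeyPath, 'Set SecurityLevel to 0')) {
        if (-not (Test-Path -LiteralPath $KeyPath)) {
            New-Item -Path $KeyPath -Force | Out-Null
        }
        Set-ItemProperty -LiteralPath $KeyPath -Name SecurityLevel -Value 0 -Type DWord
    }
}

# Report the current state; preview the fix with -WhatIf before applying it.
Get-RecoveryConsoleAutoLogon | Format-List Computer, KeyPath, SecurityLevel, State
Set-RecoveryConsoleAutoLogonDisabled -WhatIf
```

If the value is managed by Group Policy, a local change is overwritten at the next policy refresh, so compare the result with the `gpresult /h` report.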