Windows – How to stop the Windows Recovery Environment being used as a back door

In Windows 10, the Windows Recovery Environment (WinRE) can be launched by repeatedly cutting power to the computer during the boot sequence. This allows an attacker with physical access to a desktop machine to gain administrative command-line access, at which point they can view and modify files, reset the administrative password using various techniques, and so on.

(Note that if you launch WinRE directly, you must provide a local administrative password before it will give you command line access; this does not apply if you launch WinRE by repeatedly interrupting the boot sequence. Microsoft have confirmed that they do not consider this to be a security vulnerability.)

In most scenarios this doesn't matter, because an attacker with unrestricted physical access to the machine can usually reset the BIOS password and gain administrative access by booting from removable media. However, for kiosk machines, in teaching labs, and so on, measures are usually taken to restrict physical access by, e.g., padlocking and/or alarming the machines. It would be very inconvenient to have to also try to block user access to both the power button and the wall socket. Supervision (either in person or via surveillance cameras) might be more effective, but someone using this technique would still be far less obvious than, e.g., someone attempting to open the computer case.

How can the system administrator prevent WinRE from being used as a back door?

Addendum: if you are using BitLocker, you are already partially protected from this technique; the attacker will not be able to read or modify files on the encrypted drive. It would still be possible for the attacker to wipe the disk and install a new operating system, or to use a more sophisticated technique such as a firmware attack. (As far as I am aware firmware attack tools are not yet widely available to casual attackers, so this is probably not an immediate concern.)