Disable standard user in safe boot mode parameter
Harvester57 opened this issue · comments
An adversary with standard user credentials that can boot into Microsoft Windows using Safe Mode, Safe Mode with Networking or Safe Mode with Command Prompt options may be able to bypass system protections and security functionality. To reduce this risk, users with standard credentials should be prevented from using Safe Mode options to log in.
The following registry entry can be implemented using Group Policy preferences to prevent non-administrators from using Safe Mode options.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
SafeModeBlockNonAdmins
REG_DWORD 0x00000001 (1)
Taken from : https://www.cyber.gov.au/acsc/view-all-content/publications/hardening-microsoft-windows-10-version-21h1-workstations
Added in release v1.0.18 and commit 0bf49dc