Preventing Booting into external USB disk

Hi,

I want to be able to prevent booting through a USB disk.

I know it is possible to gain access through booting using a USB disk where you might have another operating system installed like Linux etc, where it becomes even possible to see all the contents of the hard drive or even erase the Windows Administrator password.

I know that if you press and hold down the shift button when clicking restart you can navigate to UEFI USB boot which then allowed me to boot using the USB disk which had Linux which allowed me to gain complete access to the hard drive and its contents and which would even be possible to remove the password.

Other option possible is holding down the DEL key during boot would also allow me to boot through the USB disk. I want to disable all of that.

So to keep my system completely secure and lockdown, it needs to be impossible to boot through USB disk. How can I achieve this?

- - - Updated - - -

I just found a way to do this:

Code:

New-Item -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bootim.exe"
Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bootim.exe" -Name "Debugger" -Type "String" -Value "taskill /F /IM bootim.exe" -Force

Question is, how will I bring it back when I want? The reverse of the above?

The key commands listed occur before Windows starts loading so in reality a change in the BIOS would be necessary to disable booting to devices other than the HDD or SSD designated as the Boot/System drive. I always set the boot drive in the BIOS to be the socket on the motherboard. If security is the issue one can set a password in the BIOS to have to be entered before completing the boot process and can even do a more dangerous thing by setting a password to even be able to disable the login password [which is not the same as the Windows login, that come later].

The key commands listed occur before Windows starts loading so in reality a change in the BIOS would be necessary to disable booting to devices other than the HDD or SSD designated as the Boot/System drive. I always set the boot drive in the BIOS to be the socket on the motherboard. If security is the issue one can set a password in the BIOS to have to be entered before completing the boot process and can even do a more dangerous thing by setting a password to even be able to disable the login password [which is not the same as the Windows login, that comes later when Windows starts loading the Registry].