Prevent local administrators from being able to log on in rescue mode (when there are no explicit rescue users defined)
Use this policy to prevent local administrators that are not defined rescue users from logging in to a machine that is running in rescue mode or Windows Safe Mode.
If you set this policy to Enabled, you should add users and groups to the rescue user list by issuing them the rescue user role, or a custom role with the rescue user system right selected.
If you are not joined to a zone (because your computers are not managed by Server Suite), you can enable the group policy, Specify a list of rescue users (when the agent is not joined to a zone), and add users to the rescue user list.
By default, if this policy is set to Disabled or Not Configured, all local administrators are able to log in without multi-factor authentication when the machine is running in rescue or safe mode.