  • Upgrading from Win10 1803 to 1809 may break the built-in “Administrator” account, but you probably aren’t affected

    Posted on January 2nd, 2019 at 10:43 by woody

    Two good reports over the weekend about a newly-acknowledged bug in the Win10 1809 upgrade sequence.

    Günter Born: Windows 10 V1809: Upgrade deactivates Build-In Administrator

    Martin Brinkmann: Windows 10 version 1809 upgrade could invalidate Administrator account

    Both articles cite an official post from the Japanese TechNet “Network & AD support team” that describes how upgrading from 1803 to 1809 may “invalidate” the built-in account called “Administrator.”

    Ends up, there’s very little chance that your system will get bit by the bug, unless you have manually activated the built-in account called “Administrator.” It’s an elusive beast.

    When you set up a new PC, the installation sequence prompts you to create an administrator account — you probably have one with your name (or the name of the person who set up your machine, or the PC manufacturer’s name) on it. That account has all of the normal “administrator” level permissions.

    At the same time, the installation sequence automatically creates a second account, called “Administrator,” that has all permissions. But the installer hides that account by default.

    Few people enable the account called “Administrator.” It’s considered a security risk — for good reason. You can invoke the genie by playing with a Group Policy, modifying the Computer Management/Local Users and Groups/Users setting, or by a command line. No, I won’t show you how to do it.

    If you’ve never enabled the “Administrator” account, you don’t need to worry about the bug. If you have enabled the “Administrator” account, do yourself a favor and disable it.

    If the only account on your PC with administrator privileges is the one called “Administrator,” the upgrade should go through without killing it, according to the MS Japan post.
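
    The situation described above (the built-in “Administrator” enabled alongside another account with administrator permissions) can be checked read-only before upgrading. The PowerShell below is an added example, not from the original post or from Microsoft; the function name is hypothetical, and it assumes “administrator permissions” means an enabled local user in the local Administrators group.

```powershell
# Added example (not from the original post). Read-only; changes nothing.
# Needs the Microsoft.PowerShell.LocalAccounts module (Windows PowerShell 5.1).

function Test-BuiltinAdminUpgradeExposure {   # hypothetical name
    # The built-in account keeps the well-known RID 500 even if it was renamed.
    $builtin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }

    # BUILTIN\Administrators, addressed by well-known SID so localized names work.
    $members = Get-LocalGroupMember -SID 'S-1-5-32-544' -ErrorAction Stop

    $otherLocal = @()   # enabled local users with admin rights, besides the built-in one
    $notChecked = @()   # groups and domain principals, listed but not evaluated
    foreach ($m in $members) {
        if ($m.SID.Value -eq $builtin.SID.Value) { continue }
        # Get-LocalUser only resolves accounts in the local SAM database.
        $u = Get-LocalUser -SID $m.SID -ErrorAction SilentlyContinue
        if ($u) {
            if ($u.Enabled) { $otherLocal += $u.Name }
        } else {
            $notChecked += $m.Name
        }
    }

    [pscustomobject]@{
        BuiltinAdminName        = $builtin.Name
        BuiltinAdminEnabled     = $builtin.Enabled
        OtherEnabledLocalAdmins = $otherLocal
        MembersNotEvaluated     = $notChecked
        # Assumption: both reported conditions map to these two local checks.
        BothConditionsMet       = ($builtin.Enabled -and ($otherLocal.Count -gt 0))
    }
}

Test-BuiltinAdminUpgradeExposure | Format-List
```

    Because the lookup matches on RID 500 rather than on the name, a renamed built-in account is still found.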


    This topic contains 13 replies, has 8 voices, and was last updated by b 1 week, 5 days ago.

    • #243686 Reply

      b
      AskWoody Plus

      Difficult to see why this is an issue for anyone in any circumstances, or even a bug at all:

      The bug occurs when the following two conditions are met:
      The built-in Administrator account is enabled (it is disabled by default).
      There is at least one additional account with Administrator permissions.

      https://www.ghacks.net/2019/01/02/windows-10-version-1809-upgrade-could-invalidate-administrator-account/

      The account is not disabled when the feature update is installed if there is no other administrator account.
      Personally, I would have said that’s the behavior I expected. (says Günter Born)
      https://borncity.com/win/2019/01/02/windows-10-v1809-upgrade-deactivates-build-in-administrator/

      Cannon fodder Chump Daft glutton Idiot Sucker More intrepid Crazy/ignorant "Toxic drinker" (Group ASAP)

    • #243692 Reply

      Bluetrix
      AskWoody Plus

      may break the built-in “Administrator” account, but you probably aren’t affected

      Three most assuring words to start your day off with.

    • #243698 Reply

      ch100
      AskWoody Plus

      The built-in Administrator account was disabled during previous upgrades, unless the installation/upgrade in place was performed under the built-in Administrator account.
      Nothing new here and it is not a bug, but done on purpose I believe, for the reasons stated by Woody in the main post, i.e. security enhancement, as this account is normally the only account not subject to UAC, at least on a computer not joined to an Active Directory domain.
      Saying that, I generally tend to perform the OS upgrade under the built-in Administrator to avoid potential permissions bugs during the upgrade, but normally this should not be a pre-condition for a successful installation.

      • #243709 Reply

        warrenrumak
        AskWoody Lounger

        The first part of this is correct — it’s been documented for years.

        The second part is not — the mechanics of the upgrade process are not performed by the user who started the upgrade, so it doesn’t matter what user you’re logged in as.

        • #243868 Reply

          ch100
          AskWoody Plus

          It matters in the sense that it affects the profile of the user under which the upgrade is performed.

    • #243747 Reply

      EspressoWillie
      AskWoody Plus

      I enable the Administrator account for all the machines at my location for when I need to do “admin” things that avoid changing the user’s desktop or other items like that. The Administrator account is only used by me when needed and is, of course, password protected.

      1) If it disables the Administrator account, can it just be reenabled?

      2) What do they mean “break”?

      3) If I use the Administrator account to do the upgrade, does the regular user admin account that gets created during setup get disabled or “broken”?

      4)  I have renamed some of the Administrator accounts to something else for security purposes, just like I do on my servers.  Do the same bugs apply?

      Cheers!!
      Willie McClure
      www.datarim.com
      Talk's cheap, takes money to buy whiskey.
      • #243783 Reply

        b
        AskWoody Plus

        1) Yes.
        2) Disabled/Inactivated.
        3) No.
        4) Same situation.

    • #243965 Reply

      anonymous

      Wouldn’t it be better to enable the built-in administrator account and password protect it, rather than leaving it disabled without a password?

      • #243981 Reply

        b
        AskWoody Plus

        I don’t see why. It’s one more password for you to remember/store and for a hacker to guess/crack.

        It can’t be enabled without other administrator or physical access, so not a risk if it’s disabled.


    • #243995 Reply

      Damian
      AskWoody Lounger

      All of our Win7 domain machines have the Admin enabled and password protected. This was a carry-over practice from the WinXP endpoints and it’s worked well for us. Just as the Domain Admin has a password, Endpoints have the Local Admin with a password. Unfortunately, we will be converting to Win10 this year but the practice will likely continue. I could’ve sworn there were ways to activate the built-in Admin account during an offline state.

      • #244001 Reply

        Damian
        AskWoody Lounger

        I believe the best option is to password protect and then disable if you’re able to. We have a relatively small environment of 180 or so endpoints. There have been times where an endpoint has lost trust with the Domain and the built-in Admin account is needed to leave and rejoin. This can also happen when restoring an older image to an endpoint. I’m sure I’m not alone in this thought, nor am I solely right in my efforts. There’s always ten ways to accomplish everything in Windows. Thank you for your feedback, b.
        • #244016 Reply

          b
          AskWoody Plus

          There have been times where an endpoint has lost trust with the Domain and the built-in Admin account is needed to leave and rejoin.

          Yes, I’ve experienced that a few times. I wouldn’t suggest not having any local admin account available.

      • #244010 Reply

        b
        AskWoody Plus

        I could’ve sworn there were ways to activate the built-in Admin account during an offline state.

        There are with physical access and the ability to boot from something like Offline Password and Registry Editor on CD/DVD/USB (although not if the system drive has disk encryption with that tool apparently), or Safe Mode.

