Upgrading from Win10 1803 to 1809 may break the built-in “Administrator” account, but you probably aren’t affected

Topic

New Reply

Two good reports over the weekend about a newly-acknowledged bug in the Win10 1809 upgrade sequence. Günter Born: Windows 10 V1809: Upgrade deactivate
[See the full post at: Upgrading from Win10 1803 to 1809 may break the built-in “Administrator” account, but you probably aren’t affected]

4 users thanked author for this post.

Great Lake Bunyip, Bluetrix, GreatAndPowerfulTech, Fred

Reply | Quote

Replies

Difficult to see why this is an issue for anyone in any circumstances, or even a bug at all:

The bug occurs when the following two conditions are met:
The built-in Administrator account is enabled (it is disabled by default).
There is at least one additional account with Administrator permissions.
https://www.ghacks.net/2019/01/02/windows-10-version-1809-upgrade-could-invalidate-administrator-account/

The account is not disabled when the feature update is installed if there is no other administrator account. …
Personally, I would have said that’s the behavior I expected. (says Günter Born)
https://borncity.com/win/2019/01/02/windows-10-v1809-upgrade-deactivates-build-in-administrator/

Reply | Quote

may break the built-in “Administrator” account, but you probably aren’t affected

Three most assuring words to start your day off with.

1 user thanked author for this post.

Fred

Reply | Quote

The built-in Administrator account was disabled during previous upgrades, unless the installation/upgrade in place was performed under the built-in Administrator account.
Nothing new here and it is not a bug, but done on purpose I believe, for the reasons stated by Woody in the main post, i.e. security enhancement, as this account is normally the only account not subject to UAC, at least on a computer not joined to an Active Directory domain.
Saying that, I generally tend to perform the OS upgrade under the built-in Administrator to avoid potential permissions bugs during the upgrade, but normally this should not be a pre-condition for a successful installation.

3 users thanked author for this post.

JSTechGeek, BobbyB, warrenrumak

Reply | Quote

The first part of this is correct — it’s been documented for years.

The second part is not — the mechanics of the upgrade process is not performed by the user who started the upgrade, so it doesn’t matter what user you’re logged in as.

1 user thanked author for this post.

ch100

Reply | Quote

It matters in the sense that it affects the profile of the user under which the upgrade is performed.

Reply | Quote

I enable the Administrator account for all the machines at my location for when I need to do “admin” things that avoid changing the users desktop or other items like that.  The Administrator account is only used by me when needed and is, of course, password protected.

1) If it disables the Administrator account, can it just be reenabled?

2) What do they mean “break”?

3) If I use the Administrator account to do the upgrade, does the regular user admin account that gets created during setup get disabled or “broken”?

4)  I have renamed some of the Administrator accounts to something else for security purposes, just like I do on my servers.  Do the same bugs apply?

Cheers!!
Willie McClure
“We are trying to build a gentler, kinder society, and if we all pitch in just a little bit, we are going to get there.” Alex Trebek

Reply | Quote

1) Yes.
2) Disabled/Inactivated.
3) No.
4) Same situation.

1 user thanked author for this post.

ch100

Reply | Quote

Wouldn’t it be better to enable the built-in administrator account and password protect it.  Rather than leaving it disabled without a password?

Reply | Quote

I don’t see why. It’s one more password for you to remember/store and for a hacker to guess/crack.

It can’t be enabled without other administrator or physical access, so not a risk if it’s disabled.

Reply | Quote

All of our Win7 domain machines have the Admin enabled and password protected.  This was a carry-over practice from the WinXP endpoints and it’s worked well for us.  Just as the Domain Admin has a password, Endpoints have the Local Admin with a password.  Unfortunately, we will be converting to Win10 this year but the practice will likely continue.  I could’ve sworn there were ways to active the built-in Admin account during an offline state.

Reply | Quote

I believe the best option is to password protect and then disable if you’re able to.  We have a relatively small environment of 180 or so endpoints.  There have been times where an endpoint has lost trust with the Domain and the built-in Admin account is needed to leave and rejoin.  This can also happen when restoring a older image to an endpoint.  I’m sure I’m not alone in this thought, nor am I solely right in my efforts.  There’s always ten ways to accomplish everything in Windows.  Thank you for your feedback, b.

2 users thanked author for this post.

b, JSTechGeek

Reply | Quote

Damian wrote:

There have been times where an endpoint has lost trust with the Domain and the built-in Admin account is needed to leave and rejoin.

Yes, I’ve experienced that a few times. I wouldn’t suggest not having any local admin account available.

1 user thanked author for this post.

JSTechGeek

Reply | Quote

Damian wrote:

I could’ve sworn there were ways to active the built-in Admin account during an offline state.

There are with physical access and the ability to boot from something like Offline Password and Registry Editor on CD/DVD/USB (although not if the system drive has disk encryption with that tool apparently), or Safe Mode.

1 user thanked author for this post.

Damian

Reply | Quote

Microsoft LAPS is a great solution for this and easily deployed.

Reply | Quote

anonymous wrote:

Microsoft LAPS is a great solution for this and easily deployed.

I don’t see how Local Adminstrator Password Solution would prevent the built-in administrator getting disabled during an upgrade, as that’s an expected behavior (which is not password-related).

But isn’t it just for domains with Active Directory anyway? No use for small businesses or home users?

Reply | Quote