question

JULIEN-6006 avatar image
0 Votes"
JULIEN-6006 asked AndrewChick-5221 answered

Edit Permissions on the System Drive in Windows 10 20h2 Build 19042.508

Hi , you got any update about this already known issue please? this issue is very problematic. As others, when trying to remove or edit existing permissions(here the "Modify" right to 'authenticated Users") it deletes all permissions on the drive, so the system becomes unbootable.
It used to work in 1909.

Build is 20H2 19042.508

Here is the powershell i use (doing it with the system account)

 $ACL = Get-ACL -Path "C:\"
 $AccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule("NT AUTHORITY\Authenticated Users","Modify","Allow")
 $ACL.RemoveAccessRule($AccessRule)
 $ACL | Set-Acl -Path "C:\"

Can't even see the permission with system account :

47287-acl.jpg



thanks for updating

windows-10-security
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

TeemoTang-MSFT avatar image
0 Votes"
TeemoTang-MSFT answered

If system unable to boot now, the first thing we usually do is system restore. Make system usable again.
It seems strange that you would be assigning permissions in the file system to authenticated users, especially C:. A more appropriate setting would be Interactive Users or, if you're locking down workstations, read only.
Authenticated Users:
Any user accessing the system through a logon process has the Authenticated Users identity. This identity allows access to shared resources within the domain, such as files in a shared folder that should be accessible to all the workers in the organization.
https://docs.microsoft.com/en-us/previous-versions/technet-magazine/dd637754(v=msdn.10)?redirectedfrom=MSDN
A similar case:
Windows 7: accidentally removed permission for authenticated user for drive d
https://www.sevenforums.com/general-discussion/145806-accidentally-removed-permission-authenticated-user-drive-d.html
Please note: Information posted in the given link is hosted by a third party. Microsoft does not guarantee the accuracy and effectiveness of information.


If the Answer is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

JULIEN-6006 avatar image
0 Votes"
JULIEN-6006 answered TeemoTang-MSFT commented

Thxs for your answer and your help
But I’m an IT professional and I know what I’m doing here.
The issue is that I’m doing that in the workstation mastering process since windows 7 and all windows 10 build since a few years and I never had issue with removing the modify permissions for authenticated users.

The script I’m using (even with power shell command or icacls) is not working only with the last windows 10 build. It seems that ACL’s on the system drive are a bit different from before.

This issue seems to be known

I will open a support case.

Thxs for help again.

· 1
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

You are welcome.
Once resolve problem hope you could share the result with us, we also want to learn something new about this 20H2 version

0 Votes 0 ·
scmsft-7106 avatar image
0 Votes"
scmsft-7106 answered

You need the updated release of 20H2 19042.631
There are unconfirmed reports or acl issues kike this in an earlier version

5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

AndrewChick-5221 avatar image
1 Vote"
AndrewChick-5221 answered

It looks like this issue is fixed in 21H1 but if like us you have invested loads of time already in an 20H2 image I came up with the following commands to get the same outcome (accepting that the existing default permissions get blown away by the bug anyway). The Adminstrator rights have to come first so you don't lock yourself out (in the same way the removal of the Authenticated Users permission bug does):

icacls C:\ /grant:r "Administrators":(OI)(CI)F
icacls C:\ /grant "Authenticated Users":(OI)(CI)(RX)
icacls C:\ /grant "SYSTEM":(OI)(CI)F

5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.