Add/remove users and change user passwords when UWF is used

Kai Solehmainen 26 Reputation points
2020-11-04T09:48:01.157+00:00

We need to allow an admin to add/remove normal users, and users to change their passwords, when the system volume is protected by the UWF. The required exclusions of \Windows\System32\config\SAM and \Windows\System32\config\SECURITY are denied [https://learn.microsoft.com/en-us/windows-hardware/customize/enterprise/uwfexclusions], so the whole system volume needs to be unprotected.

Currently Windows 10 Enterprise 2016 LTSB is used, but most likely a newer LTSB version will be taken into use.

Is there any solution to protect the system volume with the UWF and still allow
a. the admin to add/remove users and
b. users to change their passwords?

UWF could be disabled in the case of the admin, but that is not preferred.


Accepted answer
  1. Sean Liming 4,591 Reputation points
    2020-11-05T01:27:52.42+00:00

    Opening the holes for the registry files is not recommended. When adding and removing users, the operation involves security operations that are best performed when UWF is disabled. There is no change in UWF between Windows 10 Enterprise LTSB 2016 and Windows 10 Enterprise LTSC 2019 in this area.

    A possible solution is to script the operation. The admin adds / deletes a user via a custom program, and behind the scenes a script could take the information, disable UWF, reboot, make the user change using net.exe, re-enable UWF and reboot the system. The same process could be performed for a user changing a password. I know this is not ideal, but with all the operations that take place, it comes down to the only option.

    Can you share a little more on what the device is or does?

    -Sean Liming

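The disable / reboot / net.exe / re-enable / reboot sequence from the accepted answer, written out as a PowerShell script. This is an added example, not code from the thread or from Microsoft. It assumes that `D:\UwfOps` lies on a volume UWF does not protect (or is a UWF file exclusion), that the script is registered as a SYSTEM scheduled task that runs at startup with no parameters (the `Resume` stage), and that an admin tool invokes it with `-Action` to queue a request. The `UWF_Filter` WMI class and `uwfmgr.exe` are the real UWF interfaces; everything else (paths, file names, function names) is made up for the example. The request survives the reboot in a file, so the password in it is wrapped with machine-scoped DPAPI and the file is removed as soon as the change is applied; the account change itself runs only after the script has confirmed that the filter is actually off for the current boot, because under an active filter the SAM write would be silently discarded.

```powershell
# Two-stage UWF-aware account change (added example; assumptions noted inline).
param(
    [ValidateSet('AddUser','DeleteUser','SetPassword','Resume')]
    [string]$Action = 'Resume',
    [string]$UserName,
    [string]$Password
)
Add-Type -AssemblyName System.Security

$StateDir    = 'D:\UwfOps'                       # assumption: outside the protected volume
$PendingFile = Join-Path $StateDir 'pending.json'
$AuditLog    = Join-Path $StateDir 'audit.log'

function Get-UwfFilterState {
    # UWF_Filter reports CurrentEnabled (this boot) and NextEnabled (after the next reboot)
    Get-WmiObject -Namespace 'root\standard\cimv2\embedded' -Class UWF_Filter
}

function Protect-Secret([string]$Plain) {
    # Machine-scoped DPAPI: readable after the reboot on this device only
    $bytes = [Text.Encoding]::UTF8.GetBytes($Plain)
    [Convert]::ToBase64String(
        [Security.Cryptography.ProtectedData]::Protect($bytes, $null, 'LocalMachine'))
}

function Unprotect-Secret([string]$Blob) {
    $bytes = [Security.Cryptography.ProtectedData]::Unprotect(
        [Convert]::FromBase64String($Blob), $null, 'LocalMachine')
    [Text.Encoding]::UTF8.GetString($bytes)
}

function Invoke-AccountChange($Op) {
    # net.exe as in the accepted answer; call this only while the filter is off
    switch ($Op.Action) {
        'AddUser'     { & net.exe user $Op.UserName (Unprotect-Secret $Op.Secret) /add }
        'DeleteUser'  { & net.exe user $Op.UserName /delete }
        'SetPassword' { & net.exe user $Op.UserName (Unprotect-Secret $Op.Secret) }
    }
    if ($LASTEXITCODE -ne 0) { throw "net.exe failed with exit code $LASTEXITCODE" }
}

if ($Action -ne 'Resume') {
    # Stage 1: persist the request, arm "filter off at next boot", reboot
    New-Item -ItemType Directory -Force -Path $StateDir | Out-Null
    $op = @{ Action = $Action; UserName = $UserName; Secret = $null
             Requested = (Get-Date).ToString('o') }
    if ($Action -ne 'DeleteUser') { $op.Secret = Protect-Secret $Password }
    $op | ConvertTo-Json | Set-Content -Path $PendingFile -Encoding UTF8
    # Only SYSTEM and Administrators may read the pending request
    icacls.exe $PendingFile /inheritance:r /grant 'SYSTEM:F' /grant 'Administrators:F' | Out-Null
    & uwfmgr.exe filter disable
    Restart-Computer -Force
    return
}

# Stage 2 (startup): apply a pending request only if the filter is really off now
if (-not (Test-Path $PendingFile)) { return }
$state = Get-UwfFilterState
if ($state.CurrentEnabled) {
    # Filter still active this boot: re-arm and retry rather than write under the filter
    & uwfmgr.exe filter disable
    Restart-Computer -Force
    return
}
$op = Get-Content $PendingFile -Raw | ConvertFrom-Json
try {
    Invoke-AccountChange $op
    Add-Content -Path $AuditLog -Value "$((Get-Date).ToString('o')) $($op.Action) $($op.UserName) OK"
} catch {
    Add-Content -Path $AuditLog -Value "$((Get-Date).ToString('o')) $($op.Action) $($op.UserName) FAILED: $_"
} finally {
    Remove-Item $PendingFile -Force        # never leave the request (or the secret) behind
    & uwfmgr.exe filter enable             # re-protect even if the change failed
    Restart-Computer -Force
}
```

The `finally` block is what keeps the device from being left unprotected: whatever happens in the `net.exe` step, the filter is re-enabled and the machine rebooted. The audit log lives on the same unprotected volume so the record of who was added or removed is not discarded by the next reboot either; on a device with an audit requirement, that log (and the task that runs this script) should be writable by SYSTEM only.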

1 additional answer

  1. Kai Solehmainen 26 Reputation points
    2020-11-05T07:01:18.02+00:00

    Thank you for the answer and proposal. We'll need to decide what option is best in our case.

    This is needed for an embedded medical device that requires configurable users for data security and the audit log. The UWF is used for ensuring that the device starts normally in a known state after any situation (e.g., abnormal shutdown due to power loss).

    BR
    Kai
