It looks like this issue is fixed in 21H1 but if like us you have invested loads of time already in an 20H2 image I came up with the following commands to get the same outcome (accepting that the existing default permissions get blown away by the bug anyway). The Adminstrator rights have to come first so you don't lock yourself out (in the same way the removal of the Authenticated Users permission bug does):
icacls C:\ /grant:r "Administrators":(OI)(CI)F
icacls C:\ /grant "Authenticated Users":(OI)(CI)(RX)
icacls C:\ /grant "SYSTEM":(OI)(CI)F