I'm working with a security template to accomplish some pre-defined security settings to be applied to multiple systems. (This is Windows 10 IoT Enterprise - target is an embedded system.)

But looking at the INF file, it appears that the registry security settings are specified by SID instead of principal name. How can this translate successfully to multiple systems?

Is there something I'm missing? Maybe misreading the INF file?

Thanks in advance,

- - - Updated - - -

So far, the only way I can find to make this work is to manually edit the template (INF file) after creating it. I look for instances of SIDs that refer to existing local principals and replace those with some delimited token (like "{{user1}}"). Then, before applying the template on a target device, I use a script to search for those tokens, look up the corresponding SIDs, and replace the tokens in the INF file.

Has anyone else had to figure out ways to handle this? What processes/mechanisms have you landed on?

What's especially weird is that, everywhere I can find online, security templates are promoted in whole as something to be created and then applied to multiple targets. Yet, if they really have this non-transferability feature, by making use of local SIDs, one would think there would be warnings about that in the various documents and HOWTOs. But I don't see anything about that.

I also can't find any detailed specification of the various kinds of settings formats in the security INF file. For example, this is rather cryptic:
"MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",0,"D:PAR(A;CI;KA;;;BA)(A;CIIO;KA;;;CO)(A;CI;KA;;;SY)(A;CI;KR;;;BU)(A;CI;KR;;;S-1-15-2-1)(A;OICI;KA;;;<some SID>)"
If there was a full specification of the format, maybe there's a way to replace "<some SID>" with "<some indicator that says get the SID for this named principal>".
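The tokenize-on-source / resolve-on-target workflow described in the update, written out as an added PowerShell example (this is not code from the original post). It assumes the template is a secedit-style .inf saved as UTF-16 (the encoding secedit /export produces), that the non-transferable principals are local accounts or groups of the source machine (SIDs under that machine's S-1-5-21-x-y-z prefix, which is what makes them differ per system, while BA, BU, SY, S-1-15-2-1 and domain SIDs are identical everywhere), and that the token name ("{{user1}}") is the bare account name, which must exist on each target. Get-LocalUser, the NTAccount/SecurityIdentifier Translate() calls and the Get-LocalDomainSid helper are the assumptions here; the ACE field layout shown in the last helper is the documented SDDL format (type;flags;rights;object_guid;inherit_object_guid;trustee).

```powershell
# Added example, not from the original post. Assumes a secedit .inf in UTF-16 and that
# principals to tokenise are local to the source machine (see lead-in).

# The machine-specific prefix (S-1-5-21-x-y-z) shared by this computer's local accounts.
# Assumption: Get-LocalUser (Microsoft.PowerShell.LocalAccounts) is available.
function Get-LocalDomainSid {
    (Get-LocalUser | Select-Object -First 1).SID.AccountDomainSid.Value
}

# SID -> "{{name}}" for principals local to this machine; anything else is returned unchanged,
# so built-in, package and domain SIDs (which are the same on every system) stay literal.
function Convert-SidToToken {
    param([string]$Sid, [string]$LocalDomainSid)
    $sidObj = [System.Security.Principal.SecurityIdentifier]$Sid
    if ($null -eq $sidObj.AccountDomainSid -or $sidObj.AccountDomainSid.Value -ne $LocalDomainSid) {
        return $Sid
    }
    try {
        $account = $sidObj.Translate([System.Security.Principal.NTAccount]).Value   # "HOST\user1"
    } catch {
        Write-Warning "Local SID $Sid does not resolve on this machine; left as-is for review"
        return $Sid
    }
    $name = $account.Split('\')[-1]   # drop the host name so the token is portable
    return '{{' + $name + '}}'
}

# Source side: rewrite every local-principal SID in the exported template as a token.
# The pattern also hits "*S-1-5-32-544"-style entries in [Privilege Rights]; the asterisk
# prefix is outside the match and is preserved.
function ConvertTo-PortableTemplate {
    param([string]$InPath, [string]$OutPath)
    $localDomain = Get-LocalDomainSid
    $content = Get-Content -Path $InPath -Raw
    $evaluator = { param($m) Convert-SidToToken -Sid $m.Value -LocalDomainSid $localDomain }.GetNewClosure()
    $portable = [regex]::Replace($content, 'S-1-\d+(?:-\d+)+', $evaluator)
    Set-Content -Path $OutPath -Value $portable -Encoding Unicode
}

# Target side: replace each token with the SID of the same-named principal on this machine.
# An unknown principal throws (Translate fails) rather than leaving a token behind, because a
# token inside an SDDL string is not valid and the entry would not apply as intended.
function Resolve-TemplateTokens {
    param([string]$InPath, [string]$OutPath)
    $content = Get-Content -Path $InPath -Raw
    $resolved = [regex]::Replace($content, '\{\{([^}]+)\}\}', {
        param($m)
        $name = $m.Groups[1].Value
        $account = New-Object System.Security.Principal.NTAccount($name)
        $account.Translate([System.Security.Principal.SecurityIdentifier]).Value
    })
    Set-Content -Path $OutPath -Value $resolved -Encoding Unicode
}

# Reading aid for the DACL strings: split an SDDL DACL into its ACEs. Each ACE is
# (type;flags;rights;object_guid;inherit_object_guid;trustee), e.g. (A;CI;KR;;;BU) is
# Allow, container-inherit, KEY_READ, trustee Builtin\Users. The trustee field (index 5)
# is where the per-machine SIDs appear.
function Get-SddlAce {
    param([string]$Sddl)
    foreach ($m in [regex]::Matches($Sddl, '\(([^)]*)\)')) {
        $f = $m.Groups[1].Value.Split(';')
        [pscustomobject]@{ Type = $f[0]; Flags = $f[1]; Rights = $f[2]; Trustee = $f[5] }
    }
}
```

Typical use: on the source machine, after secedit /export /cfg baseline.inf, run ConvertTo-PortableTemplate -InPath .\baseline.inf -OutPath .\baseline.portable.inf and grep the result for any remaining S-1-5-21 SIDs (those are the ones the warning path left behind and need a manual decision). On each target, run Resolve-TemplateTokens -InPath .\baseline.portable.inf -OutPath .\baseline.inf, then secedit /validate .\baseline.inf before secedit /configure /db .\baseline.sdb /cfg .\baseline.inf, so a template that still contains a token or an unresolvable name is rejected before anything is applied. Get-SddlAce 'D:PAR(A;CI;KA;;;BA)(A;CI;KR;;;BU)' prints the per-ACE breakdown for a string like the one quoted above.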