Hi,

Thanks, we'll see if we can migrate and go with cloud-init (doing that with Linux already.)

Cheers,
Kees

On 11-12-2024 12:32, Sean Mooney wrote:
so there are two other ways to set that

you can use cloud-init; cloudbase solutions provide cloudbase-init for windows to do the same
thing as cloud-init or glean on linux.

https://cloudbase.it/cloudbase-init/

the other way is to install the qemu guest agent in the windows image.

you're correct that if you can't modify the windows image to include any agent (runtime (qemu) or first-boot (cloudbase-init))
then file injection based password setting is the final option but it's not the only one.

openstack publishes an image guide for how to create images to use with openstack https://docs.openstack.org/image-guide/

and as part of that we direct operators to use the cloud tooling produced by cloudbase

https://docs.openstack.org/image-guide/obtain-images.html#microsoft-windows

in the image requirement section we also call out that cloud images are expected to process user-data
https://docs.openstack.org/image-guide/openstack-images.html#process-user-data-and-other-metadata-cloud-init
so that the password among other things can be set in a portable way across cloud platforms.

while you can use images that don't conform to this guide, it still documents the best practice for operators and users
to follow to ensure a good end to end experience. it sounds like the windows images you manage don't follow those recommendations.

the file injection code path should eventually be removed from nova so long term keeping it for
this use case when it does not work in a bunch of configurations i.e. booting from a cinder volume is
not a permanent solution.

even for windows guests it's generally recommended to use x509 cert instead of passwords for remote management
the admin password is really for a VDI workflow where you would expect someone to connect to the vm via the
instance console. This is not the primary workflow that nova was designed for as the console is really for debugging
but it's a supported one and a pretty common one if you are using spice to have a richer console experience.

note that we also have a write once mechanic whereby a first boot agent can generate an admin password within the guest
and post that back to the metadata api to save it to the nova db. that was specifically added for cloudbase-init if i recall
and it only works if you have a x509 or ssh keypair associated with the vm as that is used to encrypt/decrypt it
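
The write-once password flow described in the last paragraph of the quoted message, run locally with openssl as an added example; it is not part of the original thread and is not nova or cloudbase-init code. It assumes an RSA keypair, PKCS#1 v1.5 padding and base64 transport encoding; the key, password and function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: local round trip of the write-once admin password flow.
# Assumptions: RSA keypair, PKCS#1 v1.5 padding (openssl pkeyutl default),
# base64 transport encoding. Key and password below are constructed samples.

workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT
SAMPLE_PASSWORD='Constructed-Sample-Pw-1'

make_keypair() {
    # Stand-in for the keypair associated with the VM at boot time.
    # Only the public half is ever visible to the guest and the cloud.
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$workdir/key.pem" 2>/dev/null
    openssl pkey -in "$workdir/key.pem" -pubout -out "$workdir/pub.pem"
}

guest_encrypt() {
    # Guest side: the first-boot agent encrypts the generated password with
    # the public key. This blob is what would be posted back and stored, so
    # the database holds ciphertext only.
    printf '%s' "$1" \
        | openssl pkeyutl -encrypt -pubin -inkey "$workdir/pub.pem" \
        | openssl base64 -A
}

user_decrypt() {
    # User side: only the holder of the private key can recover the password.
    printf '%s' "$1" \
        | openssl base64 -d -A \
        | openssl pkeyutl -decrypt -inkey "$workdir/key.pem"
}

make_keypair
blob=$(guest_encrypt "$SAMPLE_PASSWORD")
echo "stored blob length (base64 chars): ${#blob}"
echo "decrypted by key holder: $(user_decrypt "$blob")"
```

Without a keypair on the instance there is no public key for the guest to encrypt to, which is why the mechanism only works when one is associated with the VM.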