Set LocalAccountTokenFilterPolicy to 1 via PowerShell

Ansible and Packer connecting over WinRM with a local (non-domain) administrator account can hit UAC elevation problems: a network logon by a local administrator gets a filtered token, so tasks that need administrative rights fail even though the account is a member of Administrators.

To fix the issue:

# Set LocalAccountTokenFilterPolicy to 1
# Run from an elevated (Run as administrator) PowerShell session, since it writes under HKLM.
$token_path = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
$token_prop_name = "LocalAccountTokenFilterPolicy"
$token_key = Get-Item -Path $token_path
# GetValue returns $null when the value has never been created (the default, filtering enabled)
$token_value = $token_key.GetValue($token_prop_name, $null)
if ($token_value -ne 1) {
    Write-Host "Setting LocalAccountTokenFilterPolicy to 1"
    # Remove any existing value first so the new one is guaranteed to be a REG_DWORD
    if ($null -ne $token_value) {
        Remove-ItemProperty -Path $token_path -Name $token_prop_name
    }
    New-ItemProperty -Path $token_path -Name $token_prop_name -Value 1 -PropertyType DWORD > $null
}

How UAC remote restrictions work

To better protect users who are members of the local Administrators group, Windows applies UAC restrictions to network logons. When a local (non-domain) account that belongs to Administrators authenticates over the network, for example through WinRM, the resulting token is filtered: the Administrators group SID is marked deny-only and administrative privileges are stripped, so the session behaves like a standard user. This helps prevent loopback attacks and stops malware on one host from using local administrator credentials to run remotely with administrative rights on another. Domain accounts are not filtered, and the built-in Administrator account (RID 500) is exempt by default.

Setting LocalAccountTokenFilterPolicy to 1 turns this filtering off for all local accounts, so a WinRM session from a local administrator receives its full token. The trade-off is that the same local administrator credentials (or their NTLM hash) can then be used for lateral movement to every machine that shares them, so limit the setting to build images and hosts that need it, give each host a unique local administrator password, and consider resetting the value once provisioning is done.
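As an added check that is not part of the original post, the script below connects over WinRM with the local administrator account and reports, from inside the remote session, whether the token was filtered and what the policy value on the target currently is. The host name and account in the param block are placeholders for your own build host and provisioning user.

```powershell
# Added example (not from the original post): confirm from the controller side
# whether a local administrator's WinRM session receives a full or a filtered token.
# Assumptions: $ComputerName and $UserName are placeholders for the target host
# and the local admin account that Packer/Ansible uses.
param(
    [string]$ComputerName = "win-build-01",
    [string]$UserName     = "win-build-01\packer"
)

$cred = Get-Credential -UserName $UserName -Message "Password for $UserName"

$report = Invoke-Command -ComputerName $ComputerName -Credential $cred -ScriptBlock {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $adminRole = [Security.Principal.WindowsBuiltInRole]::Administrator

    # S-1-5-32-544 is BUILTIN\Administrators. In a filtered token the SID is still
    # listed, but whoami shows it as "Group used for deny only".
    $adminGroup = whoami.exe /groups /fo csv | ConvertFrom-Csv |
        Where-Object { $_.SID -eq 'S-1-5-32-544' }

    $path   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $policy = (Get-ItemProperty -Path $path -Name LocalAccountTokenFilterPolicy `
                -ErrorAction SilentlyContinue).LocalAccountTokenFilterPolicy
    # A missing value means the default: remote tokens of local admins are filtered
    $effective = if ($null -eq $policy) { 0 } else { [int]$policy }

    [pscustomobject]@{
        Computer                      = $env:COMPUTERNAME
        User                          = $identity.Name
        AdministratorsAttributes      = if ($adminGroup) { $adminGroup.Attributes } else { 'not a member' }
        TokenIsElevated               = $principal.IsInRole($adminRole)
        LocalAccountTokenFilterPolicy = $effective
    }
}

$report | Format-List

if ($report.AdministratorsAttributes -like '*deny only*') {
    Write-Warning ("Token on {0} is filtered: set LocalAccountTokenFilterPolicy=1 there " +
                   "or provision with a domain account.") -f $ComputerName
}
```

A full token shows the Administrators group with attributes such as "Mandatory group, Enabled by default, Enabled group" and TokenIsElevated = True; a filtered token shows "Group used for deny only" and TokenIsElevated = False even though the account is in the group. Run the check again after changing the registry value: no reboot is required, but a new WinRM session is, because the token is built at logon.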

More information at:

  • https://docs.microsoft.com/en-us/troubleshoot/windows-server/windows-security/user-account-control-and-remote-restriction
  • https://github.com/ansible/ansible/issues/42978
