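Ansible and Packer connecting over WinRM can run into UAC elevated-rights issues when the logon happens over the network.
To fix the issue, set LocalAccountTokenFilterPolicy to 1, which switches off the UAC remote restriction described below: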
```powershell
# Set LocalAccountTokenFilterPolicy to 1
$token_path = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
$token_prop_name = "LocalAccountTokenFilterPolicy"
$token_key = Get-Item -Path $token_path
$token_value = $token_key.GetValue($token_prop_name, $null)
if ($token_value -ne 1) {
    Write-Host "Setting LocalAccountTokenFilterPolicy to 1"
    if ($null -ne $token_value) {
        Remove-ItemProperty -Path $token_path -Name $token_prop_name
    }
    New-ItemProperty -Path $token_path -Name $token_prop_name -Value 1 -PropertyType DWORD > $null
}
```
How UAC remote restrictions work
To better protect those users who are members of the local Administrators group, we implement UAC restrictions on the network. This mechanism helps prevent loopback attacks. This mechanism also helps prevent local malicious software from running remotely with administrative rights.
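One way to audit the setting and put the default back once provisioning is finished, as an added example that is not part of the original page or of the Ansible or Packer projects. The function names are hypothetical, and `Get-LocalGroupMember` assumes Windows PowerShell 5.1 or later.

```powershell
# Added example: audit and revert the UAC remote restriction (function names are hypothetical).
$TokenPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$TokenName = 'LocalAccountTokenFilterPolicy'

function Get-RemoteUacFilterState {
    # A missing value behaves like 0: the remote restriction is in effect.
    $value = (Get-Item -Path $TokenPath).GetValue($TokenName, $null)

    # Local user accounts in BUILTIN\Administrators (well-known SID S-1-5-32-544)
    # are the accounts to review when the restriction has been switched off.
    $localAdmins = @(Get-LocalGroupMember -SID 'S-1-5-32-544' |
        Where-Object { $_.ObjectClass -eq 'User' -and $_.PrincipalSource -eq 'Local' } |
        Select-Object -ExpandProperty Name)

    [pscustomobject]@{
        RawValue           = $value
        RemoteFilterActive = ($value -ne 1)
        LocalAdminAccounts = $localAdmins
    }
}

function Restore-RemoteUacFilter {
    # Removes the value so Windows falls back to its default (restriction on).
    # Needs an elevated session; supports -WhatIf and -Confirm.
    [CmdletBinding(SupportsShouldProcess)]
    param()

    $state = Get-RemoteUacFilterState
    if ($state.RemoteFilterActive) { return $state }   # nothing to revert

    if ($PSCmdlet.ShouldProcess("$TokenPath\$TokenName", 'Remove registry value')) {
        Remove-ItemProperty -Path $TokenPath -Name $TokenName
    }
    Get-RemoteUacFilterState
}

# Report the current state, then preview the revert without changing anything.
Get-RemoteUacFilterState | Format-List
Restore-RemoteUacFilter -WhatIf | Out-Null
```

Running `Restore-RemoteUacFilter` without `-WhatIf` as the last provisioning step leaves the image with the default remote restriction in place.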
More information at:
- https://docs.microsoft.com/en-us/troubleshoot/windows-server/windows-security/user-account-control-and-remote-restriction
- https://github.com/ansible/ansible/issues/42978