explicitly set LocalAccountTokenFilterPolicy on WinRM configure script (#45947)

1 files changed, 15 insertions, 0 deletions

diff --git a/examples/scripts/ConfigureRemotingForAnsible.ps1 b/examples/scripts/ConfigureRemotingForAnsible.ps1
index caf7d365f3..7e52a9b3e7 100644
--- a/examples/scripts/ConfigureRemotingForAnsible.ps1
+++ b/examples/scripts/ConfigureRemotingForAnsible.ps1
@@ -50,6 +50,7 @@
 # Version 1.6 - 2017-04-18
 # Version 1.7 - 2017-11-23
 # Version 1.8 - 2018-02-23
+# Version 1.9 - 2018-09-21
 
 # Support -Verbose option
 [CmdletBinding()]
@@ -293,6 +294,20 @@ Else
     Write-Verbose "PS Remoting is already enabled."
 }
 
+# Ensure LocalAccountTokenFilterPolicy is set to 1
+# https://github.com/ansible/ansible/issues/42978
+$token_path = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
+$token_prop_name = "LocalAccountTokenFilterPolicy"
+$token_key = Get-Item -Path $token_path
+$token_value = $token_key.GetValue($token_prop_name, $null)
+if ($token_value -ne 1) {
+    Write-Verbose "Setting LocalAccountTOkenFilterPolicy to 1"
+    if ($null -ne $token_value) {
+        Remove-ItemProperty -Path $token_path -Name $token_prop_name
+    }
+    New-ItemProperty -Path $token_path -Name $token_prop_name -Value 1 -PropertyType DWORD > $null
+}
+
 # Make sure there is a SSL listener.
 $listeners = Get-ChildItem WSMan:\localhost\Listener
 If (!($listeners | Where {$_.Keys -like "TRANSPORT=HTTPS"}))