Windows Server 2025 WinRM Remote PowerShell Access Denied Using Local Administrator Account Despite TrustedHosts and LocalAccountTokenFilterPolicy Configuration

Achyutha Rao Sathvick 0 Reputation points
2026-06-04T05:57:47.2933333+00:00

Hello Team,

We are experiencing an issue establishing a remote PowerShell session via WinRM from one Windows server to a Windows Server 2025 target using the target server's local Administrator account.

Environment

  • Source Server: SERVER-A
  • Target Server: SERVER-B
  • Target OS: Windows Server 2025
  • Authentication: Local Administrator account on the target server
  • Connection Method: PowerShell Remoting (Enter-PSSession) over WinRM (HTTP/5985)

Issue

We are attempting to establish an interactive PowerShell session to the target server:

    Enter-PSSession -ComputerName SERVER-B -Credential <LocalAdminCredential>

The connection consistently fails with "Access is denied" even though the supplied credentials are confirmed to be correct.

Troubleshooting Performed

  1. Verified WinRM is configured and running on both systems.
  2. Successfully configured TrustedHosts on the source server.
  3. Restarted the WinRM service after TrustedHosts changes.
  4. Verified network connectivity between source and target servers.
  5. Verified Windows Firewall allows WinRM traffic.
  6. Changed the network profile from Public to Private on the target server.
  7. Configured the following registry value on the target server:
     HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
     LocalAccountTokenFilterPolicy = 1
  8. Tested multiple username formats:
     • Administrator
     • .\Administrator
     • localhost\Administrator
     • SERVER-B\Administrator
  9. Reviewed Security Event Logs on the target server.

Observed Behavior

  • Authentication appears to reach the target server.
  • Security logs indicate the credentials are being processed.
  • The remote session never starts and PowerShell remoting returns "Access is denied."
  • We are trying to determine whether this behavior is related to:
    • Windows Server 2025 security hardening changes
    • Credential Guard
    • UAC Remote Restrictions
    • Local account restrictions for WinRM
    • Any known Windows Server 2025 WinRM authentication issue

Questions

  1. Are there any known Windows Server 2025 changes that restrict WinRM access using local administrator accounts?
  2. Has anyone successfully used PowerShell Remoting with a local administrator account on Windows Server 2025?
  3. Are there additional policies, security settings, or Credential Guard configurations that should be reviewed?
  4. Is this behavior expected by design or potentially a product issue?

Any guidance would be greatly appreciated.

2 answers

  1. HLBui 6,590 Reputation points Independent Advisor
    2026-06-04T07:47:24.1433333+00:00

    Hi Achyutha Rao Sathvick

    Thanks for laying out all the details so clearly, that helps a ton. So, the short version is: what you’re hitting is actually expected behavior in newer builds of Windows Server, including 2025. Microsoft has tightened up remote access with local accounts over WinRM for security reasons. Even if you’ve got the right password, local Administrator accounts are often blocked from remote PowerShell sessions unless you explicitly tweak policies. That “Access is denied” is basically UAC remote restrictions kicking in.

    A couple of things worth trying:

    • Use a domain account instead of local admin if you’ve got Active Directory in play; that’s the cleanest way.
    • If you’re stuck with local accounts, double‑check that LocalAccountTokenFilterPolicy is set to 1 (you’ve done that, good), but also confirm that the account is in the Remote Management Users group on SERVER‑B.
    • Another workaround is enabling CredSSP authentication, though it’s not always recommended for production because of delegation risks.
    • Finally, if you want to keep using local admin, you may need to adjust UAC remote restrictions via Group Policy or registry, but again weigh the security trade‑offs carefully.

    From what I’ve seen, this isn’t a bug in Server 2025, it’s more of a “by design” hardening change. Microsoft is pushing folks toward domain accounts or managed identities instead of local admin remoting. If you want to validate, you can spin up a quick test VM with a domain join and you’ll see the remoting works fine.

    Hope that clears things up. If this explanation helps you move forward, please go ahead and hit “Accept Answer” so we know it solved your issue. If you need more information, feel free to leave a message. We are happy to help!


  2. AI answer

    2026-06-04T05:58:16.81+00:00

    This behavior matches standard WinRM/PowerShell remoting restrictions for local accounts rather than a documented Windows Server 2025–specific change.

    Key points from the available guidance:

    1. Local administrator must have permission on the remoting endpoint
      By default, only members of the local Administrators group can use the default PowerShell remoting endpoints. If "Access is denied" is returned, verify that the local Administrator account actually has execute permission on the Microsoft.PowerShell (and Microsoft.PowerShell32, if applicable) session configurations:
         # On SERVER-B (target)
         Set-PSSessionConfiguration Microsoft.PowerShell -ShowSecurityDescriptorUI
      
      Ensure the local Administrators group (and/or the specific local Administrator account) has Execute permission.
    2. LocalAccountTokenFilterPolicy and UAC remote restrictions
      For local accounts, UAC remote restrictions can cause remote connections to run with a filtered (non‑admin) token, which results in "Access is denied" even when the credentials are correct. The documented way to disable this behavior is the LocalAccountTokenFilterPolicy registry value:
         $newItemPropertySplat = @{
           Name = 'LocalAccountTokenFilterPolicy'
           Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
           PropertyType = 'DWord'
           Value = 1
         }
         New-ItemProperty @newItemPropertySplat
      
      This setting disables UAC remote restrictions for all users on the affected computer, so it is a security trade‑off and should be evaluated carefully. After setting it, restart the target or at least the WinRM service.
    3. Using explicit credentials for local admin
      When connecting, always supply explicit credentials for the local Administrator account and ensure they are used by the remoting cmdlets:
         $cred = Get-Credential  # enter SERVER-B\Administrator and the local password
         Enter-PSSession -ComputerName SERVER-B -Credential $cred
      
      The remoting documentation explicitly notes that alternate credentials must be supplied when needed and that the account must be in Administrators on the target.
    4. TrustedHosts and non‑domain scenarios
      In non‑domain or non‑Kerberos scenarios (such as using local accounts, IP addresses, or workgroup‑like conditions), WinRM requires either HTTPS or that the target be added to TrustedHosts, and that credentials be supplied. The documented behavior is:
      • Add the target to TrustedHosts on the client (SERVER-A).
      • Use the -Credential parameter for Enter-PSSession, New-PSSession, or Invoke-Command.
    5. IP address vs. hostname
      If an IP address is used instead of a hostname, Kerberos cannot be used and NTLM is used instead. In that case, the requirements are:
      • IP must be in TrustedHosts.
      • Credentials must be supplied on every remote command.
    6. No documented Windows Server 2025‑specific WinRM local admin change in the provided material
      The provided documentation describes:
      • WinRM treating Entra‑only or workgroup‑like machines specially (TrustedHosts, SPN prefix changes).
      • UAC remote restrictions and LocalAccountTokenFilterPolicy for administrators in other domains or local accounts.
      • SPN‑related WinRM failures and how to adjust SPNs or SPN prefixes.
      None of these explicitly call out a new Windows Server 2025‑only restriction on local administrator WinRM access. The behavior described aligns with existing, documented UAC and WinRM constraints.

    Based on the available documentation, the expected and supported configuration for using a local Administrator account over WinRM is:

    1. On the target (SERVER-B):
      • Ensure the account is in the local Administrators group.
      • Optionally set LocalAccountTokenFilterPolicy = 1 if full admin token is required remotely, understanding the security implications.
      • Confirm the Microsoft.PowerShell session configuration allows Administrators execute access.
    2. On the source (SERVER-A):
      • Add SERVER-B (or its FQDN/IP) to TrustedHosts.
      • Use Enter-PSSession/New-PSSession/Invoke-Command with -Credential SERVER-B\Administrator.

    If these conditions are met and "Access is denied" persists, this would be beyond what is covered in the referenced documentation and would warrant further investigation with support, but the documents provided do not describe a Windows Server 2025‑specific product issue.


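A read-only check of the target-side conditions the two answers above list (group membership, LocalAccountTokenFilterPolicy, endpoint permissions, listener, network profile), as an added example that is not part of either answer or of Microsoft's documentation. The function name `Get-WinRMLocalAdminReadiness` and its `-AccountName` parameter are hypothetical; run it in an elevated PowerShell session on SERVER-B.

```powershell
# Added example: read-only audit for the target (SERVER-B). It changes no setting.
# Function and parameter names are hypothetical, chosen for this illustration.
function Get-WinRMLocalAdminReadiness {
    param([string]$AccountName = 'Administrator')

    $uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $uac    = Get-ItemProperty -Path $uacKey -ErrorAction SilentlyContinue

    # Well-known SIDs keep the group lookup independent of the OS display language.
    $groups = @{
        Administrators        = 'S-1-5-32-544'
        RemoteManagementUsers = 'S-1-5-32-580'
    }
    $account  = Get-LocalUser -Name $AccountName -ErrorAction Stop
    $memberOf = foreach ($g in $groups.GetEnumerator()) {
        $members = Get-LocalGroupMember -SID $g.Value -ErrorAction SilentlyContinue
        if ($members.SID.Value -contains $account.SID.Value) { $g.Key }
    }

    $listeners = Get-ChildItem WSMan:\localhost\Listener -ErrorAction SilentlyContinue
    # Reading session configurations requires an elevated session.
    $endpoint  = Get-PSSessionConfiguration -Name Microsoft.PowerShell -ErrorAction SilentlyContinue

    [pscustomobject]@{
        Account                       = "$env:COMPUTERNAME\$AccountName"
        AccountEnabled                = $account.Enabled
        # RID 500 identifies the built-in Administrator account.
        IsBuiltInAdministrator        = $account.SID.Value -like 'S-1-5-21-*-500'
        MemberOf                      = $memberOf -join ', '
        # $null here means the registry value is not set at all.
        LocalAccountTokenFilterPolicy = $uac.LocalAccountTokenFilterPolicy
        WinRMService                  = (Get-Service -Name WinRM).Status
        Listeners                     = ($listeners.Keys | Where-Object { $_ -like 'Transport=*' }) -join ', '
        EndpointPermission            = $endpoint.Permission
        NetworkProfile                = (Get-NetConnectionProfile).NetworkCategory -join ', '
    }
}

Get-WinRMLocalAdminReadiness -AccountName 'Administrator' | Format-List
```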
