Fwd: Wireguard for Windows - NCO elevation
Joey Officer
jofficer at gmail.com
Wed Oct 1 03:59:23 UTC 2025
We’re using WireGuard for Windows with LimitedOperatorUI enabled and
standard users granted to the local Network Configuration Operators
group. Intermittently, often after sleep or a restart and if a tunnel
was active, we get:
“WireGuard may only be used by users who are a member of the Builtin
Administrators group.”
Environment:
* WireGuard for Windows: 0.5.3 - master (downloaded from official site)
* Windows: both Windows 10 & 11 (Fast Startup: off - as best I can determine)
* Users in NCO: Assigned via policy from Intune
* UI startup: manual
I traced the check to TokenIsElevatedOrElevatable, which only
authorizes when the token is elevated + admin, or a linked elevated
admin token exists. This seems to preclude Limited-Operator use unless
the user is also an admin.
Proposed change: when LimitedOperatorUI is enabled, explicitly allow
tokens that are members of NCO (without requiring elevation).
Diagnostics (when the rejection happens):
* IsElevated(): false
* NCO SID present in TokenGroups: I believe this is true, based on the
results of whoami on Windows returning NCO membership. I've written
(today) a debug tool to report tokens when this fails again.
Workaround that consistently helps:
As admin or with remote management software: stop the "WireGuard Tunnel:
${name}" service, then have the user log out/in (a new access token is
minted). We typically tell the user to ensure they are using user/pass
versus re-entering their PIN on login.
Does the above approach align with the intended Limited-Operator
design? If so, I’m happy to clean up a proper patch + tests; if not,
where should the NCO allowance be wired in? Any guidance on the
preferred place to gate Limited-Operator UI would be appreciated.
Respectfully,
Joey
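Added example (not from the post above and not WireGuard's own code): a platform-independent model of the decision the post describes, the existing "elevated admin or linked elevated admin" rule plus the proposed NCO allowance gated on LimitedOperatorUI. The type and function names (TokenInfo, MayUseUI, StandardUserToken, FilteredAdminToken) are assumptions for illustration; on Windows the inputs would come from GetTokenInformation (TokenElevation, TokenGroups, TokenLinkedToken), and the SIDs and attribute bits are the documented well-known values. One point the model makes explicit: a group present only with SE_GROUP_USE_FOR_DENY_ONLY (as Administrators is in a UAC-filtered token) must not count as membership, so a debug tool that only checks "SID present in TokenGroups" can report NCO as present while the check still rejects.

```go
package main

import (
	"fmt"
	"strings"
)

// Group attribute bits from winnt.h (SID_AND_ATTRIBUTES.Attributes).
const (
	SE_GROUP_MANDATORY         = 0x00000001
	SE_GROUP_ENABLED           = 0x00000004
	SE_GROUP_USE_FOR_DENY_ONLY = 0x00000010
)

// Well-known BUILTIN group SIDs.
const (
	AdministratorsSID = "S-1-5-32-544" // BUILTIN\Administrators
	NCOSID            = "S-1-5-32-556" // BUILTIN\Network Configuration Operators
)

// TokenGroup is one TOKEN_GROUPS entry: the group SID (string form) and its attributes.
type TokenGroup struct {
	SID        string
	Attributes uint32
}

// TokenInfo is a constructed, platform-independent snapshot of what the check needs.
// On Windows these values come from GetTokenInformation (TokenElevation, TokenGroups,
// TokenLinkedToken); here they are supplied directly so the logic runs anywhere.
type TokenInfo struct {
	IsElevated bool
	Groups     []TokenGroup
	Linked     *TokenInfo // elevated twin of a UAC-filtered admin token, nil if none
}

// hasEnabledGroup reports whether sid is an *enabled* member of the token. A SID carried
// with SE_GROUP_USE_FOR_DENY_ONLY grants nothing, so it is treated as absent.
func hasEnabledGroup(groups []TokenGroup, sid string) bool {
	for _, g := range groups {
		if !strings.EqualFold(g.SID, sid) || g.Attributes&SE_GROUP_USE_FOR_DENY_ONLY != 0 {
			continue
		}
		if g.Attributes&SE_GROUP_ENABLED != 0 {
			return true
		}
	}
	return false
}

// isElevatedAdmin is the existing rule: elevated and an enabled Administrators member.
func isElevatedAdmin(t *TokenInfo) bool {
	return t != nil && t.IsElevated && hasEnabledGroup(t.Groups, AdministratorsSID)
}

// MayUseUI returns whether the token may drive the UI and which rule matched.
// Rules 1 and 2 are the elevated-or-elevatable check; rule 3 is the proposed
// Limited-Operator allowance, active only when limitedOperatorUI is set.
func MayUseUI(t *TokenInfo, limitedOperatorUI bool) (bool, string) {
	if isElevatedAdmin(t) {
		return true, "elevated administrator"
	}
	if t != nil && isElevatedAdmin(t.Linked) {
		return true, "linked elevated administrator token"
	}
	if limitedOperatorUI && t != nil && hasEnabledGroup(t.Groups, NCOSID) {
		return true, "limited operator (Network Configuration Operators)"
	}
	return false, "not an administrator and not a limited operator"
}

// StandardUserToken builds a constructed non-elevated token, optionally with NCO enabled.
func StandardUserToken(ncoMember bool) *TokenInfo {
	groups := []TokenGroup{{"S-1-5-32-545", SE_GROUP_MANDATORY | SE_GROUP_ENABLED}} // BUILTIN\Users
	if ncoMember {
		groups = append(groups, TokenGroup{NCOSID, SE_GROUP_MANDATORY | SE_GROUP_ENABLED})
	}
	return &TokenInfo{Groups: groups}
}

// FilteredAdminToken builds a constructed UAC-filtered admin token: Administrators is
// present deny-only, and the elevated twin is attached only when withLinked is set.
func FilteredAdminToken(withLinked bool) *TokenInfo {
	t := &TokenInfo{Groups: []TokenGroup{{AdministratorsSID, SE_GROUP_USE_FOR_DENY_ONLY}}}
	if withLinked {
		t.Linked = &TokenInfo{IsElevated: true,
			Groups: []TokenGroup{{AdministratorsSID, SE_GROUP_MANDATORY | SE_GROUP_ENABLED}}}
	}
	return t
}

func main() {
	cases := []struct {
		name    string
		tok     *TokenInfo
		limited bool
	}{
		{"NCO member, LimitedOperatorUI on", StandardUserToken(true), true},
		{"NCO member, LimitedOperatorUI off", StandardUserToken(true), false},
		{"plain user, LimitedOperatorUI on", StandardUserToken(false), true},
		{"filtered admin, no linked token", FilteredAdminToken(false), true},
		{"filtered admin, linked elevated token", FilteredAdminToken(true), true},
	}
	for _, c := range cases {
		ok, why := MayUseUI(c.tok, c.limited)
		fmt.Printf("%-40s allowed=%-5v (%s)\n", c.name, ok, why)
	}
}
```

Because group membership is fixed in the access token at logon, a token minted before the NCO assignment reached the machine will not carry S-1-5-32-556 at all, which is consistent with the log-out/log-in workaround in the post; the model above only decides on whatever groups the token actually holds.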