Forum Discussion

Sidi
Jul 24, 2025

WAC over WinRM HTTPS for non-domain-joined Devices

When configuring Windows Admin Center to use WinRM over HTTPS, it's not possible to add non-domain-joined devices (such as Windows Server 2025) if UAC remote restrictions are enabled on the target machine. Adding a device using a local account with administrator permissions fails with the error "Credentials needed - Access was denied". The self-signed certificate of the remote machine is present in the trusted root store and remote PowerShell over WinRM HTTPS is also working, but the only workaround is to disable remote UAC entirely, which brings a security risk.

GPO

Computer Configuration -> Administrative Templates -> MS Security Guide -> Apply UAC restrictions to local accounts on network logons


Registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy = 1

 

Is there a way to overcome this?
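
An added example, not part of the original post: a read-only PowerShell check for the target server that reports the state of the `LocalAccountTokenFilterPolicy` value named above together with the certificate bound to each WinRM HTTPS listener. It assumes an elevated session on the target; the function and variable names are illustrative.

```powershell
# Added example: read-only audit. Run elevated on the target server.
$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-PolicyDword {
    param([Parameter(Mandatory)][string]$Name)
    # Returns $null when the value does not exist under the policy key.
    $item = Get-ItemProperty -Path $policyKey -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

# 1 = remote UAC token filtering disabled for local accounts.
# 0 or absent = local administrators receive a filtered token on network logon.
$latfp = Get-PolicyDword -Name 'LocalAccountTokenFilterPolicy'

# Enumerate WinRM listeners and keep only the HTTPS ones.
$httpsListeners = @(Get-WSManInstance -ResourceURI winrm/config/listener -Enumerate |
    Where-Object { $_.Transport -eq 'HTTPS' })

$listenerReport = foreach ($l in $httpsListeners) {
    # Normalise the thumbprint and look the certificate up in the machine store.
    $thumb = ($l.CertificateThumbprint -replace '\s', '').ToUpperInvariant()
    $cert  = Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.Thumbprint -eq $thumb } | Select-Object -First 1
    [pscustomobject]@{
        Address     = $l.Address
        Port        = $l.Port
        Enabled     = $l.Enabled
        CertFound   = [bool]$cert
        CertSubject = if ($cert) { $cert.Subject } else { $null }
        SelfSigned  = if ($cert) { $cert.Subject -eq $cert.Issuer } else { $null }
        Expired     = if ($cert) { $cert.NotAfter -lt (Get-Date) } else { $null }
    }
}

[pscustomobject]@{
    ComputerName                  = $env:COMPUTERNAME
    LocalAccountTokenFilterPolicy = if ($null -eq $latfp) { 'not set' } else { $latfp }
    RemoteUacFilteringEnforced    = ($latfp -ne 1)
    HttpsListenerCount            = $httpsListeners.Count
} | Format-List

$listenerReport | Format-Table -AutoSize
```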
