PAM Admin has onboarded numerous new Windows boxes (Win212, Win2016 and Win2019) to be managed by a remote PAM Proxy Agent.

For every local account, he can validate the password, however every time they try to rotate a password they get the following error:

PAM-CM-1122: Proxy unable to access host. 

User Access Control settings on the target device did not allow the Windows API calls from the Windows Proxy host to succeed.

Just like the Windows Remote Connector, see documentation page Add a Windows Remote Target Connector ,

the following registry setting needs to be in place on the remote target servers so remote SMB executions are not blocked:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy = dword:00000001

Also, local security policy "User Access Control: Run All Administrators in Admin Approval Mode" may need to be disabled.