When configuring self-hosted Azure DevOps agents on Windows, one often-overlooked setting can significantly improve security and resource access control: the SERVICE_SID_TYPE_UNRESTRICTED.
I first learned about this when configuring a new build agent on our build server. While going through the configuration steps, I got an extra question if I wanted to enable the SERVICE_SID_TYPE_UNRESTRICTED for the agent service. As I had no clue what this option means, I decided to dive in and write a blog post about it.
What is SERVICE_SID_TYPE_UNRESTRICTED?
Windows services can be assigned a Service SID (Security Identifier) to help manage access to resources. By default, Azure DevOps agents run with SERVICE_SID_TYPE_NONE, which means no service-specific SID is added to the process token.
Setting the SID type to UNRESTRICTED adds a unique SID like NT SERVICE\vstsagent.{tenant}.{pool}.{agent} to the agent's process token. This allows you to:
-
Grant access to local resources (e.g., folders, certificates) specifically to that agent.
-
Isolate permissions between multiple agents on the same machine.
-
Avoid managing separate user accounts or passwords for each agent.
How to enable it
During the interactive configuration of the agent (via config.cmd), you can specify this SID type:
.\config.cmd --unattended --enableservicesidtypeunrestrictedOr, if you're using the interactive prompt, it may ask whether to set the SID type to UNRESTRICTED (as you can see in the screenshot above).
Why this matters
Here’s why this setting is especially useful:
-
Security: You can restrict access to sensitive resources (like secrets or build artifacts) to only the specific agent service.
-
Scalability: Multiple agents can run under the same account but still be isolated via their unique SIDs.
-
Maintainability: Reduces the need for managing separate service accounts or passwords.
More information
Deploy an Azure Pipelines agent on Windows - Azure Pipelines | Microsoft Learn