diff --git a/modules/BOSH.Agent/BOSH.Agent.Tests.ps1 b/modules/BOSH.Agent/BOSH.Agent.Tests.ps1
index 9833fb384..52116b1e6 100644
--- a/modules/BOSH.Agent/BOSH.Agent.Tests.ps1
+++ b/modules/BOSH.Agent/BOSH.Agent.Tests.ps1
@@ -276,6 +276,32 @@ Describe "BOSH.Account" {
 }
 Describe "Install-Agent" {
+ BeforeEach {
+ Mock -ModuleName BOSH.Agent Copy-Agent { }
+ Mock -ModuleName BOSH.Agent Write-AgentConfig { }
+ Mock -ModuleName BOSH.Agent Set-Path { }
+ Mock -ModuleName BOSH.Agent Protect-Dir { }
+ Mock -ModuleName BOSH.Utils Protect-Dir { }
+ Mock -ModuleName BOSH.Agent Install-AgentService { }
+ }
+
+ It "calls Protect-Dir on C:\bosh only after Install-AgentService has run" {
+ $script:agentServiceRan = $false
+ $script:agentServiceRanFirst = $false
+ Mock -ModuleName BOSH.Agent Install-AgentService {
+ $script:agentServiceRan = $true
+ }
+ Mock -ModuleName BOSH.Agent Protect-Dir {
+ if ($Path -eq "C:\bosh") {
+ $script:agentServiceRanFirst = $script:agentServiceRan -eq $true
+ }
+ }
+
+ Install-Agent -IaaS "aws" -agentZipPath "some-zip"
+
+ $script:agentServiceRanFirst | Should -Be $true
+ }
+
 Context "when IaaS is not provided" {
 It "throws" {
 { Install-Agent -agentZipPath "some-agent-zip-path" } | Should -Throw "Provide the IaaS of your VM"
diff --git a/modules/BOSH.Agent/BOSH.Agent.psm1 b/modules/BOSH.Agent/BOSH.Agent.psm1
index ba85fa2f9..200e1197e 100644
--- a/modules/BOSH.Agent/BOSH.Agent.psm1
+++ b/modules/BOSH.Agent/BOSH.Agent.psm1
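Review bot: In BOSH.Agent.Tests.ps1 the new ordering test only checks the `C:\bosh` call, although the comment added in BOSH.Agent.psm1 says both `Protect-Dir` calls must come after `Install-AgentService`. A later edit that moves `Protect-Dir -Path "C:\var"` back above the service install would still pass this test. I would track a second flag for `C:\var` in the `Protect-Dir` mock and assert it the same way, keeping it separate so one call cannot overwrite the other's result. As a small style point, `$script:agentServiceRan -eq $true` can be just `$script:agentServiceRan`. The `Describe "Install-Agent"` block continues past the end of this hunk.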
@@ -21,11 +21,16 @@ function Install-Agent
 Write-Log "Install-Agent: Started"
 Copy-Agent -InstallDir "C:\" -agentZipPath $agentZipPath
- Protect-Dir -Path "C:\bosh"
- Protect-Dir -Path "C:\var"
 Write-AgentConfig -BoshDir "C:\bosh" -IaaS $IaaS -EnableEphemeralDiskMounting $EnableEphemeralDiskMounting
 Set-Path "C:\var\vcap\bosh\bin"
+ # Install-AgentService runs service_wrapper.exe as a child process. The WinRM
+ # provisioning session spawns child processes with a UAC-filtered token where
+ # BUILTIN\Administrators is disabled, so the child cannot execute files from a
+ # SYSTEM+Administrators-only directory. Both Protect-Dir calls must come AFTER
+ # this step to ensure service_wrapper.exe can be launched.
 Install-AgentService
+ Protect-Dir -Path "C:\bosh"
+ Protect-Dir -Path "C:\var"
 Protect-Dir -Path "C:\Windows\Panther" -disableInheritance $False
 Write-Log "Install-Agent: Finished"
 }
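Review bot: In Install-Agent, moving both `Protect-Dir` calls below `Install-AgentService` means `Write-AgentConfig` writes into `C:\bosh` and the service is registered while `C:\bosh` and `C:\var` still carry the ACLs they had when `Copy-Agent` created them, and the new comment does not record that trade-off. Whether the later `Protect-Dir` also resets permissions and ownership on files that already exist by then is not visible in this hunk and should be confirmed, since the service binary and its configuration are what the hardening is meant to protect. I would extend the comment with something like `# Until Protect-Dir runs below, C:\bosh and C:\var keep their creation-time ACLs; nothing untrusted may run on the VM in this window.` If `Install-AgentService` throws, neither directory is locked down, so it is also worth stating that a failed provisioning run must be discarded rather than reused. The function's signature and parameter block lie above this hunk.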