diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index f8fff7c70..b3f6319b7 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -39,7 +39,7 @@ jobs:
             pack_bin: pack.exe
           - config: windows-wcow
             os: windows
-            runner: [self-hosted, windows, wcow]
+            runner: [windows-2019]
             no_docker: "false"
             pack_bin: pack.exe
     runs-on: ${{ matrix.runner }}
@@ -89,6 +89,36 @@ jobs:
         shell: powershell
       - name: Verify
         run: make verify
+      - name: Register runner IP
+        if: matrix.config == 'windows-wcow'
+        shell: powershell
+        run: |
+          # Get IP from default gateway interface
+          $IPAddress=(Get-NetIPAddress -InterfaceAlias ((Get-NetRoute "0.0.0.0/0").InterfaceAlias) -AddressFamily IPv4)[0].IPAddress
+
+          # Allow container-to-host registry traffic (from public interface, to the same interface)
+          New-NetfirewallRule -DisplayName test-registry -LocalAddress $IPAddress -RemoteAddress $IPAddress
+
+          # create or update daemon config to allow host as insecure-registry
+          $config=@{}
+          if (Test-Path C:\ProgramData\docker\config\daemon.json) {
+            $config=(Get-Content C:\ProgramData\docker\config\daemon.json | ConvertFrom-json)
+          }
+          $config."insecure-registries" = @("$IPAddress/32")
+          ConvertTo-json $config | Out-File -Encoding ASCII C:\ProgramData\docker\config\daemon.json
+
+          Restart-Service docker
+
+          # dump docker info for auditing
+          docker version
+          docker info
+
+          # Modify etc\hosts to include runner IP
+          $IPAddress=(Get-NetIPAddress -InterfaceAlias ((Get-NetRoute "0.0.0.0/0").InterfaceAlias) -AddressFamily IPv4)[0].IPAddress
+          "# Modified by CNB: https://github.com/buildpacks/ci/tree/main/gh-runners/windows
+          ${IPAddress} host.docker.internal
+          ${IPAddress} gateway.docker.internal
+          " | Out-File -Filepath C:\Windows\System32\drivers\etc\hosts -Encoding utf8
       - name: Test
         env:
           TEST_COVERAGE: 1
diff --git a/internal/sshdialer/ssh_dialer_test.go b/internal/sshdialer/ssh_dialer_test.go
index 654f12266..209a4d49b 100644
--- a/internal/sshdialer/ssh_dialer_test.go
+++ b/internal/sshdialer/ssh_dialer_test.go
@@ -920,17 +920,9 @@ func (b badAgent) Signers() ([]ssh.Signer, error) {
 func withFixedUpSSHCLI(t *testing.T) func() {
 	t.Helper()
 
-	which := "which"
-	if runtime.GOOS == "windows" {
-		which = "where"
-	}
-
-	out, err := exec.Command(which, "ssh").CombinedOutput()
+	sshAbsPath, err := exec.LookPath("ssh")
 	th.AssertNil(t, err)
 
-	sshAbsPath := string(out)
-	sshAbsPath = strings.Trim(sshAbsPath, "\r\n")
-
 	sshScript := `#!/bin/sh
 SSH_BIN -o PasswordAuthentication=no -o ConnectTimeout=3 -o UserKnownHostsFile="$HOME/.ssh/known_hosts" $@
 `
diff --git a/internal/sshdialer/windows_test.go b/internal/sshdialer/windows_test.go
index 304549d96..4909d0d01 100644
--- a/internal/sshdialer/windows_test.go
+++ b/internal/sshdialer/windows_test.go
@@ -22,7 +22,7 @@ func fixupPrivateKeyMod(path string) {
 	err = acl.Apply(path,
 		true,
 		false,
-		acl.GrantName(((mode&0700)<<23)|((mode&0200)<<9), usr.Name))
+		acl.GrantName(((mode&0700)<<23)|((mode&0200)<<9), usr.Username))
 
 	// See https://github.com/hectane/go-acl/issues/1
 	if err != nil && err.Error() != "The operation completed successfully." {