diff --git a/dlls/advapi32/security.c b/dlls/advapi32/security.c
index c3454a87622..e4953d06eeb 100644
--- a/dlls/advapi32/security.c
+++ b/dlls/advapi32/security.c
@@ -607,6 +607,19 @@ CheckTokenMembership( HANDLE token, PSID sid_to_check,
         }
         token = thread_token;
     }
+    else
+    {
+        TOKEN_TYPE type;
+
+        ret = GetTokenInformation(token, TokenType, &type, sizeof(TOKEN_TYPE), &size);
+        if (!ret) goto exit;
+
+        if (type == TokenPrimary)
+        {
+            SetLastError(ERROR_NO_IMPERSONATION_TOKEN);
+            return FALSE;
+        }
+    }
 
     ret = GetTokenInformation(token, TokenGroups, NULL, 0, &size);
     if (!ret && GetLastError() != ERROR_INSUFFICIENT_BUFFER)
diff --git a/dlls/advapi32/tests/security.c b/dlls/advapi32/tests/security.c
index 6a9a1d2c4f3..931f912ec34 100644
--- a/dlls/advapi32/tests/security.c
+++ b/dlls/advapi32/tests/security.c
@@ -3637,21 +3637,23 @@ static void test_CheckTokenMembership(void)
         return;
     }
 
+    is_member = FALSE;
     ret = pCheckTokenMembership(token, token_groups->Groups[i].Sid, &is_member);
     ok(ret, "CheckTokenMembership failed with error %d\n", GetLastError());
     ok(is_member, "CheckTokenMembership should have detected sid as member\n");
 
+    is_member = FALSE;
     ret = pCheckTokenMembership(NULL, token_groups->Groups[i].Sid, &is_member);
     ok(ret, "CheckTokenMembership failed with error %d\n", GetLastError());
     ok(is_member, "CheckTokenMembership should have detected sid as member\n");
 
+    is_member = TRUE;
+    SetLastError(0xdeadbeef);
     ret = pCheckTokenMembership(process_token, token_groups->Groups[i].Sid, &is_member);
-todo_wine {
     ok(!ret && GetLastError() == ERROR_NO_IMPERSONATION_TOKEN,
         "CheckTokenMembership with process token %s with error %d\n",
         ret ? "succeeded" : "failed", GetLastError());
     ok(!is_member, "CheckTokenMembership should have cleared is_member\n");
-}
 
     HeapFree(GetProcessHeap(), 0, token_groups);
     CloseHandle(token);