cancel
Showing results for 
Search instead for 
Did you mean: 
Level 10
Report Inappropriate Content
Message 1 of 8

Unable to deploy agents in Workgroup Windows 10 Enterprise Build 1909 can't map to Admin$

Jump to solution

so in a lab setting I have Microsoft Server 2019 with SQL 2019 on it and ePO 5.10.0 in a Workgroup not on a domain.

I can map drives from my Windows 10 Enterprise build 1909 to the server in other words \\server\admin$ works fine but I am unable to map to \\workstation1\admin$ from the server or any of the other workstations

Networking as I come to understand has turned to hell in Windows 10 so am I out of luck?

I can go around and deploy the agents from a package or use a URL and they will install fine on all the test workstations and report back to the ePO console fine as managed agents, but that defeats the purpose of my testing/exercise which is to remotely deploy agents followed by VirusScan followed by HIPS etc.

Anybody ever deployed ePO agents to Windows 10 in a Workgroup?

The error is simply, Access denied and I know I am entering the proper creds cause I can map to a test directory / share that I created manually, it's just that I can't map to the hidden administrative shares like C$ or Admin$

I did search for answers first but they did not seem related.  Sorry if I missed the answer.

1 Solution

Accepted Solutions
Highlighted
Level 10
Report Inappropriate Content
Message 7 of 8

Re: Unable to deploy agents in Workgroup Windows 10 Enterprise Build 1909 can't map to Admin$

Jump to solution

FOUND THE SOLUTION 

Yes I was shouting, my God so many hours / days wasted on this

I will cut and paste the reason and steps here in case the article goes missing:

 

First, in domain environments, the administrative Windows 10 shares work as they always have. You simply provide a domain user account with permission to connect to the remote machine and it works. However, an issue arises when you have two Windows 10 computers in a workgroup. While in a workgroup, when you attempt to connect to an administrative share on a Windows 10 computer you will be prompted for a username and password as expected but you will receive a misleading Access Denied error message.

This is related to User Account Control (UAC) and requires a registry modification in order to work properly. By default, UAC remotely restricts these shares from being accessed. In order to successfully connect to an administrative share, you'll need to disable this feature. To do this, you'll need to create (or modify) a registry DWORD value called LocalAccountTokenFilterPolicy and set it to a value of 1. 

Once in the registry editor, drill down to the path 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System 

Then, right click on the System, click on New and then choose DWORD (32-bit) Value.

From here, you are given the option to name the new registry value. Give it a name of exactly LocalAccountTokenFilterPolicy and hit Enter.

Once you've created the registry key, it will have a value of 0; this needs to be a 1. To change it to a 1, double click on the registry value and put a 1 in for Value data.

 

Using Windows 10 Administrative Shares

https://www.businessnewsdaily.com/11017-windows-10-administrative-shares.html

 

 

 

View solution in original post

7 Replies
Highlighted
McAfee Employee
McAfee Employee
Report Inappropriate Content
Message 2 of 8

Re: Unable to deploy agents in Workgroup Windows 10 Enterprise Build 1909 can't map to Admin$

Jump to solution

The only way you can map to a non-domain system is if you are using a local administrator account, and that would be different for each system (even if same username and password) because it is local to that system only.  If you are mapping a drive in windows, you would have to use other account as computername\username, but there are other things that also must be enabled.  Check kb56386 for what environmental requirements might be needed (file/print sharing, etc.)

If you are deploying agents, then in the credentials field you would put a period ( . ) for the domain name only to indicate use local system account, then username in user field.

Networking hasn't changed in windows 10, but some things may be disabled by default in a workgroup, such as file and print sharing, which is enabled on a domain.

Was my reply helpful?
If this information was helpful in any way or answered your question, will you please select Accept as Solution in my reply and together we can help other members?

Highlighted
Level 10
Report Inappropriate Content
Message 3 of 8

Re: Unable to deploy agents in Workgroup Windows 10 Enterprise Build 1909 can't map to Admin$

Jump to solution

Thank you for your reply, please don't think I am being argumentative below, I just need to share more to see if we can help others in the future.

I don't think  any components are missing since I am able to map to any other share I create except for the administrative shares of C$ and or Admin$

I was aware of the (.) trick in ePO and was using it, but that's further down the line, I need to get the drive mapping first.

It is widely known that something indeed has changed in Windows 10, there are numerous articles, write ups, forum posts on it.

I will build an Active Directory domain today and add these workstations to it and test if drive mapping will resolve itself without adding any Windows features and or starting any other Services, I will provide feedback once I test it.

Highlighted
McAfee Employee
McAfee Employee
Report Inappropriate Content
Message 4 of 8

Re: Unable to deploy agents in Workgroup Windows 10 Enterprise Build 1909 can't map to Admin$

Jump to solution

Ok thanks!  I don't take it as being argumentative - we welcome all constructive dialogues to help resolve an issue.  🙂

Was my reply helpful?
If this information was helpful in any way or answered your question, will you please select Accept as Solution in my reply and together we can help other members?

Highlighted
Level 10
Report Inappropriate Content
Message 5 of 8

Re: Unable to deploy agents in Workgroup Windows 10 Enterprise Build 1909 can't map to Admin$

Jump to solution

a bit more of troubleshooting information

this morning on a brand new Windows 10 Enterprise 1909 build I decided to map the administrative shares to itself so on a workstation called Optiplex I simply mapped two drives successfuly:

\\Optiplex\C$

\\Optiplex\Admin$

I did this by enabling the default local Administrator account and setting a password on it.

Now some of you may question my logic, but this is actually a valid test, it proves the shares exist (which of course I already confirmed using Computer Management) but now we know they map locally.

baby steps folks, baby steps, ha ha

Highlighted
McAfee Employee
McAfee Employee
Report Inappropriate Content
Message 6 of 8

Re: Unable to deploy agents in Workgroup Windows 10 Enterprise Build 1909 can't map to Admin$

Jump to solution

Good test.  Does it also succeed if you create new account or use other account and give it local admin rights?

 

Was my reply helpful?
If this information was helpful in any way or answered your question, will you please select Accept as Solution in my reply and together we can help other members?

Highlighted
Level 10
Report Inappropriate Content
Message 7 of 8

Re: Unable to deploy agents in Workgroup Windows 10 Enterprise Build 1909 can't map to Admin$

Jump to solution

FOUND THE SOLUTION 

Yes I was shouting, my God so many hours / days wasted on this

I will cut and paste the reason and steps here in case the article goes missing:

 

First, in domain environments, the administrative Windows 10 shares work as they always have. You simply provide a domain user account with permission to connect to the remote machine and it works. However, an issue arises when you have two Windows 10 computers in a workgroup. While in a workgroup, when you attempt to connect to an administrative share on a Windows 10 computer you will be prompted for a username and password as expected but you will receive a misleading Access Denied error message.

This is related to User Account Control (UAC) and requires a registry modification in order to work properly. By default, UAC remotely restricts these shares from being accessed. In order to successfully connect to an administrative share, you'll need to disable this feature. To do this, you'll need to create (or modify) a registry DWORD value called LocalAccountTokenFilterPolicy and set it to a value of 1. 

Once in the registry editor, drill down to the path 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System 

Then, right click on the System, click on New and then choose DWORD (32-bit) Value.

From here, you are given the option to name the new registry value. Give it a name of exactly LocalAccountTokenFilterPolicy and hit Enter.

Once you've created the registry key, it will have a value of 0; this needs to be a 1. To change it to a 1, double click on the registry value and put a 1 in for Value data.

 

Using Windows 10 Administrative Shares

https://www.businessnewsdaily.com/11017-windows-10-administrative-shares.html

 

 

 

View solution in original post

Highlighted
McAfee Employee
McAfee Employee
Report Inappropriate Content
Message 8 of 8

Re: Unable to deploy agents in Workgroup Windows 10 Enterprise Build 1909 can't map to Admin$

Jump to solution

Nice, thanks!

Was my reply helpful?
If this information was helpful in any way or answered your question, will you please select Accept as Solution in my reply and together we can help other members?

You Deserve an Award
Don't forget, when your helpful posts earn a kudos or get accepted as a solution you can unlock perks and badges. Those aren't the only badges, either. How many can you collect? Click here to learn more.

Community Help Hub

    New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.

  • Find Forum FAQs
  • Learn How to Earn Badges
  • Ask for Help
Go to Community Help

Join the Community

    Thousands of customers use the McAfee Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:

  • Get helpful solutions from McAfee experts.
  • Stay connected to product conversations that matter to you.
  • Participate in product groups led by McAfee employees.
Join the Community
Join the Community