Access denied when pushing to non-domain-joined machine

I followed this article, and was already doing what it said.  I'm trying to push packages to non-domain machines and getting access denied even though I'm using the only account that's on the machine (and which is an admin on the box).  When testing the credentials, it passes.  The firewall is off.  Currently just testing with pushing Google Chrome on a fresh W10.20H2 box.  



Date Votes
  • When you deploy the package, there is a dropdown in the options to change credentials. This will show your default credentials but will maintain the previous credential selected. Make sure that the local admin credential is selected. If you have PDQ Inventory, you can check the box to use scan credentials if they are available as well and see if that works.

  • Have this issue as well. Per PDQ's documentaion:

    * Remote administrative access is denied to local accounts when a Windows Vista (or later OS) is NOT a member of a Windows 2003 or later domain.


    If the target computer is not a member of a Windows 2003 or later Active Directory domain, the most likely cause is that the target computer has Remote UAC enabled. Remote UAC prevents local administrative accounts (including LAPS accounts) from accessing ADMIN$ by preventing local admin accounts from running in an elevated mode from a network connection. To access ADMIN$ using a local account or a LAPS account, Remote UAC will need to be disabled. This in no way impacts regular GUI-based (userland) UAC.

    To disable Remote UAC, an entry will need to be made in the registry of the affected target computer:

    Navigate to,


    Create a DWORD value called LocalAccountTokenFilterPolicy and assign it a value of 1.

    A reboot is recommended but not required, however, restarting the Server service is necessary.

    All From: Can't access ADMIN$ share using a local user or LAPS account – Support (


Please sign in to leave a comment.

Didn't find what you were looking for?

New post