{"id":1464,"date":"2014-04-16T12:16:43","date_gmt":"2014-04-16T16:16:43","guid":{"rendered":"http:\/\/batchpatch.com\/?p=1464"},"modified":"2022-06-21T16:40:11","modified_gmt":"2022-06-21T20:40:11","slug":"batchpatch-authentication-in-domain-and-workgroup-non-domain-environments","status":"publish","type":"post","link":"https:\/\/batchpatch.com\/batchpatch-authentication-in-domain-and-workgroup-non-domain-environments","title":{"rendered":"BatchPatch Authentication in Domain and Workgroup (non-domain) Environments"},"content":{"rendered":"<p>When we set out to create BatchPatch, one of our primary concerns was to ensure that the software would be as easy to use as possible.  We believe we were successful in that endeavor.  However, since every network environment is unique, there are a few things that need to be understood about the BatchPatch authentication process in order to maximize your odds of smooth patching.  In particular, the requirements to make BatchPatch work in a Windows workgroup environment are slightly different than the requirements for a domain environment.<\/p>\n<p>If you&#8217;re currently seeing the following error message or something similar, you&#8217;ve come to the right place.  Please see below for more information on resolving\/rectifying the issue:<\/p>\n\n<div class=\"wp_syntax\"><table><tr><td class=\"code\"><pre class=\"text\" style=\"font-family:monospace;\">Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))<\/pre><\/td><\/tr><\/table><\/div>\n\n<h2 class=\"brownishOrange\">BatchPatch Runner Account Must Be A Member Of The Local Administrators Group On All Target Computers<\/h2>\n<p>One of the most common use cases of BatchPatch is to remotely trigger the download and\/or installation of Windows Updates on a network of computers.  In order to do this, the account that you use to initiate the BatchPatch process must have local administrator privileges on the target computers.  
To add a user to the local administrators group on a group of computers you must either log on to each computer individually to add the account, or you may use Group Policy (recommended) to apply the appropriate group membership to all computers at the same time.<br \/>\n<a href=\"http:\/\/batchpatch.com\/wp-content\/uploads\/2014\/04\/LocalAdministratorsGroup.png\"><img loading=\"lazy\" decoding=\"async\" src=\"http:\/\/batchpatch.com\/wp-content\/uploads\/2014\/04\/LocalAdministratorsGroup-300x185.png\" alt=\"LocalAdministratorsGroup\" width=\"300\" height=\"185\" class=\"aligncenter size-medium wp-image-1480\" srcset=\"https:\/\/batchpatch.com\/wp-content\/uploads\/2014\/04\/LocalAdministratorsGroup-300x185.png 300w, https:\/\/batchpatch.com\/wp-content\/uploads\/2014\/04\/LocalAdministratorsGroup.png 779w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/a><br \/>\nYou have <strong>three options for executing BatchPatch actions under the security context of the selected user account<\/strong>.  Any of these options will work, but we recommend option number 1.  Use option 1 unless you have a strong reason not to.  If option 1 isn&#8217;t viable in your environment, use option 2.  If option 2 also isn&#8217;t viable or convenient in your environment, then use option 3.  <\/p>\n<ul>\n<h3 class=\"brownishOrange\"><strong><em>Option 1:<\/em><\/strong><\/h3>\n<li><strong>Recommended Method:<\/strong>  Log on to the computer that you will use to run BatchPatch with the user account that you have added to the local administrators group on the target computers<\/li>\n<h3 class=\"brownishOrange\"><strong><em>Option 2:<\/em><\/strong><\/h3>\n<li>Launch BatchPatch using right-click run-as to run BatchPatch with the user account that you added to the local administrators group on the target computers.  
This method can be used in cases where you are not logged on to Windows with the user account that you have set up to use with BatchPatch.<\/li>\n<h3 class=\"brownishOrange\"><strong><em>Option 3:<\/em><\/strong><\/h3>\n<li>Launch BatchPatch with any account, and then inside of BatchPatch enter &#8216;alternate credentials&#8217; for each of the hosts that you add to the BatchPatch grid.  The &#8216;alternate credentials&#8217; that you specify will, of course, be the user account that you previously added to the local administrators group on the target computers.<\/li>\n<p><a href=\"http:\/\/batchpatch.com\/wp-content\/uploads\/2014\/04\/BatchPatchAlternateCredentials.png\"><img loading=\"lazy\" decoding=\"async\" src=\"http:\/\/batchpatch.com\/wp-content\/uploads\/2014\/04\/BatchPatchAlternateCredentials-300x188.png\" alt=\"BatchPatchAlternateCredentials\" width=\"300\" height=\"188\" class=\"aligncenter size-medium wp-image-1482\" srcset=\"https:\/\/batchpatch.com\/wp-content\/uploads\/2014\/04\/BatchPatchAlternateCredentials-300x188.png 300w, https:\/\/batchpatch.com\/wp-content\/uploads\/2014\/04\/BatchPatchAlternateCredentials.png 663w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/a>\n<\/ul>\n<p><!--LINE SEPARATOR--><\/p>\n<hr style=\"border-top: 1px solid white; border-bottom: 1px solid gray; width:100%;\"<\/hr>\n<p><!--LINE SEPARATOR--><\/p>\n<h2 class=\"brownishOrange\">\n<ul>Additional BatchPatch Authentication Details:<\/ul>\n<\/h2>\n<p><strong>IMPORTANT:<\/strong> In the sections below that describe how to use local accounts for authentication, we highlight registry entries\/changes that you might need to make in your environment if you desire to use local accounts for authentication.  These registry modifications come with their own security implications.  
You can read more about those registry values and remote UAC filtering here: <\/p>\n<p><a href=\"https:\/\/docs.microsoft.com\/en-us\/windows\/win32\/wmisdk\/user-account-control-and-wmi\" title=\"User Account Control and WMI\" rel=\"noopener noreferrer\" target=\"_blank\">User Account Control and WMI<\/a><br \/>\n<a href=\"https:\/\/docs.microsoft.com\/en-us\/troubleshoot\/windows-server\/windows-security\/user-account-control-and-remote-restriction\" title=\"Description of User Account Control and remote restrictions\" rel=\"noopener noreferrer\" target=\"_blank\">Description of User Account Control and remote restrictions<\/a><br \/>\n<a href=\"https:\/\/docs.microsoft.com\/en-us\/windows\/security\/identity-protection\/user-account-control\/user-account-control-group-policy-and-registry-key-settings\" title=\"User Account Control Group Policy and registry key settings\" rel=\"noopener noreferrer\" target=\"_blank\">User Account Control Group Policy and registry key settings<\/a><\/p>\n<p><!--LINE SEPARATOR--><\/p>\n<hr style=\"border-top: 1px solid white; border-bottom: 1px solid gray; width:100%;\"<\/hr>\n<p><!--LINE SEPARATOR--><\/p>\n<p><strong>Using Integrated Security with a Domain Account:<\/strong><\/p>\n<ol>\n<li>\nThe domain account that you use to launch BatchPatch must be a member of the local administrators group on the target computer.\n<\/li>\n<\/ol>\n<p><!--LINE SEPARATOR--><\/p>\n<hr style=\"width:100%;\"<\/hr>\n<p><!--LINE SEPARATOR--><br \/>\n<strong>Using Integrated Security with a Local Account:<\/strong><\/p>\n<ol>\n<li>\nThe local account that you use to launch BatchPatch must also exist on the target computers, defined with the exact same username and password that is defined on the computer running BatchPatch.\n<\/li>\n<p><\/p>\n<li>\nIf the local account you are using to run BatchPatch is THE built-in administrator account on the target computers, the following registry DWORD must be set to 0 on the target computers. 
If the DWORD does not exist, then you must create it. When this DWORD is set to 0, the built-in administrator account is set to full-token mode, and BatchPatch will work properly. However, if it&#8217;s set to 1, the built-in administrator account is put in admin-approval mode, which will prevent most BatchPatch actions from completing successfully for those target computers:<br \/>\n<\/p>\n\n<div class=\"wp_syntax\"><table><tr><td class=\"code\"><pre class=\"text\" style=\"font-family:monospace;\">HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\system\\FilterAdministratorToken<\/pre><\/td><\/tr><\/table><\/div>\n\n<\/li>\n<p><em>(Only required for Vista\/7\/8\/10\/2008\/2008R2\/2012\/2012R2\/2016\/2019 targets.  NOT required for XP\/2003 targets)<\/em><br \/>\n<\/p>\n<li>If the local account you are using to run BatchPatch is not THE built-in administrator account on the target computers, but instead is just a regular named local account that is a member of the local administrators group on the target computers, then the following registry DWORD must be set to 1 on the target computers.  If the DWORD does not exist, then you must create it:<br \/>\n<\/p>\n\n<div class=\"wp_syntax\"><table><tr><td class=\"code\"><pre class=\"text\" style=\"font-family:monospace;\">HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\system\\LocalAccountTokenFilterPolicy<\/pre><\/td><\/tr><\/table><\/div>\n\n<p><em>(Only required for Vista\/7\/8\/10\/2008\/2008R2\/2012\/2012R2\/2016\/2019 targets.  
NOT required for XP\/2003 targets)<\/em>\n<\/li>\n<\/ol>\n<p><!--LINE SEPARATOR--><\/p>\n<hr style=\"width:100%;\"<\/hr>\n<p><!--LINE SEPARATOR--><br \/>\n<strong>Using Alternate Credentials with a Domain Account:<\/strong><\/p>\n<ol>\n<li>\nThe account that you specify must be a member of the local administrators group on the target computers.\n<\/li>\n<\/ol>\n<p><!--LINE SEPARATOR--><\/p>\n<hr style=\"width:100%;\"<\/hr>\n<p><!--LINE SEPARATOR--><br \/>\n<strong>Using Alternate Credentials with a Local Account:<\/strong><\/p>\n<ol>\n<li>\nThe account that you specify must be a member of the local administrators group on the target computers.\n<\/li>\n<p><\/p>\n<li>\nIf the local account that you specify is THE built-in administrator account on the target computers, the following registry DWORD must be set to 0 on the target computers. If the DWORD does not exist, then you must create it. When this DWORD is set to 0, the built-in administrator account is set to full-token mode, and BatchPatch will work properly. However, if it&#8217;s set to 1, the built-in administrator account is put in admin-approval mode, which will prevent most BatchPatch actions from completing successfully for those target computers:<br \/>\n<\/p>\n\n<div class=\"wp_syntax\"><table><tr><td class=\"code\"><pre class=\"text\" style=\"font-family:monospace;\">HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\system\\FilterAdministratorToken<\/pre><\/td><\/tr><\/table><\/div>\n\n<p><em>(Only required for Vista\/7\/8\/10\/2008\/2008R2\/2012\/2012R2\/2016\/2019 targets.  NOT required for XP\/2003 targets)<\/em><br \/>\n\n<\/li>\n<p><\/p>\n<li>\nIf the local account that you specify is not THE built-in administrator account on the target computers, but instead is just a regular named local account that is a member of the local administrators group on the target computers, then the following registry DWORD must be set to 1 on the target computers.  
If the DWORD does not exist, then you must create it:<br \/>\n<\/p>\n\n<div class=\"wp_syntax\"><table><tr><td class=\"code\"><pre class=\"text\" style=\"font-family:monospace;\">HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\system\\LocalAccountTokenFilterPolicy<\/pre><\/td><\/tr><\/table><\/div>\n\n<p><em>(Only required for Vista\/7\/8\/10\/2008\/2008R2\/2012\/2012R2\/2016\/2019 targets.  NOT required for XP\/2003 targets)<\/em>\n<\/li>\n<\/ol>\n<p><!--LINE SEPARATOR--><\/p>\n<hr style=\"width:100%;\"<\/hr>\n<p><!--LINE SEPARATOR--><br \/>\n<strong>Further Troubleshooting:<\/strong><\/p>\n<ul>\n<li>\nThere is a bug that Microsoft acknowledged that exists only in Windows 10 version 1803 where if your BatchPatch computer is running this specific OS version, you may experience &#8216;Access Denied&#8217; when using alternate credentials with a local account to connect to target computers of any OS, even if you have properly created the registry values as described in the previous section above.  At the time of this writing the issue exists only when the BatchPatch computer is running Windows 10 version 1803.  All earlier and later versions of Windows do *not* exhibit this issue.<\/li>\n<p><\/p>\n<li>Another issue exists where if your BatchPatch computer is at a patch level earlier than August\/September\/October 2021 (specific month is dependent on the particular version of Windows you are running), but your target computers are at a patch level of June 2022 or newer, then even if you are doing everything else properly according to the instructions provided in the document above, you would still see &#8216;Access is denied&#8217; in BatchPatch.  
Please see <a href=\"\/access-is-denied-in-batchpatch-after-installing-the-june-2022-cumulative-windows-update\" title=\"\u2018Access is denied\u2019 in BatchPatch After Installing the June 2022 Cumulative Windows Update\">this posting<\/a> for a full explanation and resolution.<\/li>\n<p><\/p>\n<li>\nIf you continue to have problems with &#8216;Access Denied&#8217; I would suggest that you look at Microsoft&#8217;s more in-depth <a href=\"https:\/\/msdn.microsoft.com\/en-us\/library\/aa394603%28v=vs.85%29.aspx?f=255&#038;MSPPError=-2147217396\" target=\"_blank\" rel=\"noopener noreferrer\">WMI Troubleshooting article<\/a>.<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>When we set out to create BatchPatch, one of our primary concerns was to ensure that the software would be as easy to use as possible. We believe we were successful in that endeavor. However, since every network environment is unique, there are a few things that need to be understood about the BatchPatch authentication 
[&hellip;]<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[1,17,3],"tags":[44,43],"class_list":["post-1464","post","type-post","status-publish","format-standard","hentry","category-blog","category-general","category-tutorials","tag-alternate-credentials","tag-authentication"],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/batchpatch.com\/wp-json\/wp\/v2\/posts\/1464","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/batchpatch.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/batchpatch.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/batchpatch.com\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/batchpatch.com\/wp-json\/wp\/v2\/comments?post=1464"}],"version-history":[{"count":34,"href":"https:\/\/batchpatch.com\/wp-json\/wp\/v2\/posts\/1464\/revisions"}],"predecessor-version":[{"id":5919,"href":"https:\/\/batchpatch.com\/wp-json\/wp\/v2\/posts\/1464\/revisions\/5919"}],"wp:attachment":[{"href":"https:\/\/batchpatch.com\/wp-json\/wp\/v2\/media?parent=1464"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/batchpatch.com\/wp-json\/wp\/v2\/categories?post=1464"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/batchpatch.com\/wp-json\/wp\/v2\/tags?post=1464"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}