How To: Push an Agent to Windows Vista or Windows 7 Workstations

Version 3

    Verified Product Versions

    Endpoint Manager 2016.x

    Problem:

    Windows Vista and Windows 7 implement security options that are enabled by default that make pushing the agent to a machine straight out of the box nearly impossible.  The security options are in addition to the Windows firewall that was introduced in Windows XP SP2, and include User Account Control (UAC) and particularly how UAC interacts with authentication from a network source.  Understanding how UAC works can allow us to determine the best method of installing the agent to devices with UAC enabled.

    Cause:

    User Account Control (UAC) is a new security feature in Windows Vista and Windows 7.  It allows accounts with administrative rights to run under limited rights, while allowing them to elevate to the full administrative rights on an as-needed basis.  The limited set of rights is not able to install the LANDesk agent.

    There is one particular problem when dealing with UAC while attempting to install the LANDesk agent.  When you attempt to run a task on a device with UAC enabled and that task is initiated from another machine (such as the core server attempting to run an agent install on an unmanaged client machine), the default behavior is to always authenticate the user in the limited context, rather than the administrative context.  In this scenario there is no UAC prompt to elevate credentials, so the task does not have a chance to succeed.

    Resolution:

    There are four known methods to successfully push an agent install to a Windows Vista or Windows 7 workstation.

    1 - Use a domain account with administrator rights to the local machine.

    Domain accounts do not have a limited local context on the client machines, so a domain account with administrative rights will always connect as a local administrator and will have the ability to install the agent.

    Note:

         This does not need to be a domain administrator, just a domain account with local administrative rights.

         This is the preferred method, because it is the only one that will not require modifying settings on each individual machine prior to pushing the agent.

         This option requires an Active Directory environment.

    2 - Modify the registry to make network authentication attempts authenticate with the administrative rights, rather than the limited user rights.

    To make this change you need to create the following DWORD value in the registry, because it is not there by default:

    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\LocalAccountTokenFilterPolicy

    Setting the value to 1 allows local administrative accounts to authenticate over the network in the administrative context.  A setting of 0 reverts to the default behavior of only allowing local administrator accounts to connect over the network as a limited user.

    3 - Enable the default Administrator account and use its credentials

    The default Administrator account has UAC disabled by default, and will always authenticate with administrative rights, because it does not have a limited context.  Note: a group policy setting can change this so that the default Administrator account has the same limitations as all other local Administrator accounts; if that setting has been changed, this option will no longer work.

    4 - Disable UAC

    Disabling UAC will make it so there is no limited context for any administrative account, so any account with administrative rights (whether domain or local) will function as an administrator.
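    As an added example that is not part of this article or of the LANDesk product, the following PowerShell script audits the settings that options 2, 3 and 4 depend on, and sets or reverts the LocalAccountTokenFilterPolicy DWORD from option 2 so the change can be confined to the deployment window.  It assumes an elevated PowerShell session on the workstation (or Invoke-Command where remoting is already available).  The function names are mine; EnableLUA and FilterAdministratorToken are the standard policy values that live beside LocalAccountTokenFilterPolicy under the same key and are not named in the article.

```powershell
# Added example, not from the original article: audit the UAC settings that
# decide whether a remote administrative logon gets a full token, and set or
# revert the LocalAccountTokenFilterPolicy DWORD from option 2.
# Assumes an elevated PowerShell session on the workstation. Function names
# are mine; EnableLUA and FilterAdministratorToken are the standard policy
# values beside LocalAccountTokenFilterPolicy (not named in the article).

$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-UacRemoteAuthState {
    # Values missing from the registry come back as $null, meaning the Windows
    # default applies (UAC on, remote local admins filtered, RID 500 unfiltered).
    $p = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
    # The built-in Administrator always has RID 500, whatever it was renamed to.
    $builtin = Get-WmiObject -Class Win32_UserAccount -Filter 'LocalAccount=True' |
        Where-Object { $_.SID -like '*-500' }
    New-Object PSObject -Property @{
        ComputerName                  = $env:COMPUTERNAME
        EnableLUA                     = $p.EnableLUA                      # 0 means UAC is off (option 4)
        LocalAccountTokenFilterPolicy = $p.LocalAccountTokenFilterPolicy  # 1 means full token over the network (option 2)
        FilterAdministratorToken      = $p.FilterAdministratorToken       # 1 means RID 500 is filtered too (option 3 stops working)
        BuiltinAdminEnabled           = [bool]($builtin -and -not $builtin.Disabled)
    }
}

function Test-UacPosture {
    # Emits one line per deviation from the default posture so the output can
    # be collected from many machines after a deployment window has closed.
    param($State = (Get-UacRemoteAuthState))
    $findings = @()
    if ($State.EnableLUA -eq 0) {
        $findings += 'UAC is disabled (option 4); every admin logon gets a full token'
    }
    if ($State.LocalAccountTokenFilterPolicy -eq 1) {
        $findings += 'LocalAccountTokenFilterPolicy=1 (option 2); local admins get a full token over the network'
    }
    if ($State.BuiltinAdminEnabled -and $State.FilterAdministratorToken -ne 1) {
        $findings += 'built-in Administrator is enabled and unfiltered (option 3)'
    }
    if ($findings.Count -eq 0) { $findings += 'default UAC posture' }
    $findings | ForEach-Object { '{0}: {1}' -f $State.ComputerName, $_ }
}

function Set-LocalAccountTokenFilterPolicy {
    # 1 applies option 2 for the push; 0 restores the default afterwards.
    param([Parameter(Mandatory = $true)][ValidateSet(0, 1)][int]$Value)
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    New-ItemProperty -Path $PolicyKey -Name 'LocalAccountTokenFilterPolicy' `
        -PropertyType DWord -Value $Value -Force | Out-Null
    # Read the value back so the caller can log what is actually in place.
    (Get-ItemProperty -Path $PolicyKey).LocalAccountTokenFilterPolicy
}

# Typical use around a push: open the window, push the agent from the core,
# close the window again, then confirm the machine is back at the default.
# Set-LocalAccountTokenFilterPolicy -Value 1
# ... push the agent from the core server ...
# Set-LocalAccountTokenFilterPolicy -Value 0
Test-UacPosture
```

    Running Test-UacPosture after the agent has registered gives a quick way to confirm that option 2 was reverted and that options 3 and 4 were not left in place on machines where they were only meant to be temporary.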

    Conclusion

    Due to the newly added security feature called UAC, which is found in Windows Vista and Windows 7, it is more difficult to push the LANDesk agent to unmanaged devices.  Other than the 4 options listed above there is no known method to push a LANDesk agent to an unmanaged Windows Vista or Windows 7 workstation.