As using workgroup machines in Standard Environment is a borderline scenario, there are some issues and stuff to care about, like the careful usage of shadow accounts or the right management of Remote UAC.
In certain scenarios, having Remote UAC enabled may lead to wrong or misleading behaviors, as basically it doesn’t leases a admin token but (correctly, from a security perspective) just a limited one.
For example, the automated installation of the test agent inside a workgroup machine from another workgroup machine running MTM would fail, as this is a scenario where authentication and authorization (two different concept as we know). To workaround this and other cases, the solution is pretty simple. The only need is to set the HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\LocalAccountTokenFilterPolicy key to 1.
This procedure is totally supported, as it’s stated inside this MSDN page on Test Controller configuration.