To get connected via WMI (to deploy an update; run detectnow; use Computer Explorer), requires a *credential* to be defined in the Credential Ring that has local administrator permissions on the target system. If this is what you did (in Security and User Management -> Credential Rings), then great, but creating a *user* under Security and User Management -> User Profiles merely authorizes somebody to use the Patch Manager console and gives you the ability to customize their console experience. It will not grant any rights on target systems.
Credential Rules are evaluated in order from most specific to least specific. So, for a domain-based computer, the credential assigned to a domain rule will be used, unless an OrgRule exists and matches, or a Computer rule exists and matches. if the target system is not a domain member and Patch Manager is unable to determine the WORKGROUP of the machine, in most cases, the Default Rule will be applied (unless a Computer rule exists). For a WORKGROUP-based computer, you'll need to [a] have a common account/password used across all systems, and  create a WORKGROUP credential rule, and  be sure to specify the WORKGROUP field on the Computer Selection dialogs when creating a task ... -OR- create individual Computer rules with the appropriate credential(s), which can be matched by computer name only.
In addition, only one Credential Ring is active at a time for a console user. The mapping between LogonUser and CredentialRing is done in the profile. If no profile exists for the console user, the Default User profile is used, which maps to the Default Ring credential ring. (This mapping should NOT be changed!) Both DOMAIN and WORKGROUP-based credentials can coexist in the same Credential Ring.