Finally LAPS for Azure AD (Public Preview)
Requirements
- Windows 11 22H2 – April 11 2023 Update
- Windows 11 21H2 – April 11 2023 Update
- Windows 10 20H2, 21H2, 22H2 – April 11 2023 Update
- Windows Server 2022 – April 11 2023 Update
- Windows Server 2019 – April 11 2023 Update
Supports Azure AD joined or Hybrid Azure AD joined devices.
Enable LAPS in Azure
Go to portal.azure.com
Select: Devices – Device Settings
Configure LAPS policy in Intune
Go to intune.microsoft.com
Select: Endpoint security – Account protection
Create a new profile and select Windows 10 and later – Local admin password solution (Windows LAPS)
Configure the settings according to your preference.
Apply it to all your devices.
Not using the built-in Administrator account?
If you follow best practice, the built-in Administrator account is usually disabled. So how do we handle this with LAPS if we want to configure a new local administrator account that LAPS should manage instead?
Creating the new local administrator account using CSP policy in Intune
https://learn.microsoft.com/en-us/windows/client-management/mdm/accounts-csp
Go to intune.microsoft.com
Select: Devices – Windows – Configuration profiles
Create a new profile
Select: Windows 10 and later – Templates – Custom
1st OMA-URI that needs to be added to the custom policy. This creates the local account and sets its initial password.
OMA-URI: ./Device/Vendor/MSFT/Accounts/Users/MyLocalAccount/Password
Replace “MyLocalAccount” with the name of the local admin account you want to have.
Data type: String
Value: “RandomPassword” (This will be managed by LAPS later on)
2nd OMA-URI that needs to be added to the policy.
This adds the account we created to the local Administrators group.
OMA-URI: ./Device/Vendor/MSFT/Accounts/Users/MyLocalAccount/LocalUserGroup
Replace “MyLocalAccount” with the name of the local admin account you want to have.
Data type: Integer
Value: 2
Assign it to all devices.
IMPORTANT: the Accounts CSP only supports Add, not Get. As a result, Intune will display an error on the policy, but the local administrator account is still created.
Supported operation is Add. GET operation isn’t supported. This setting will report as failed when deployed from Intune.
https://learn.microsoft.com/en-us/windows/client-management/mdm/accounts-csp
If you don’t want to see the policy error, you can use PowerShell to create the local administrator account instead.
Either way, be sure to update your LAPS Account Protection policy so that it targets the local administrator account you created rather than the built-in Administrator account.
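The PowerShell alternative to the two OMA-URIs above, as an added example that is not part of the original post. It assumes the account name MyLocalAccount (replace with your own), that it runs elevated (for example as an Intune PowerShell script running as SYSTEM), and that Windows LAPS will rotate the password once the Account Protection policy applies, so the initial password is a throwaway random value that is never stored.

```powershell
# Added example: create the LAPS-managed local admin account without the Accounts CSP.
# Assumption: runs elevated; replace MyLocalAccount with the name used in your LAPS policy.
$AccountName = 'MyLocalAccount'

# Generate a random initial password. LAPS replaces it on its first rotation,
# so there is nothing here to record or reuse.
$bytes = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$initialPassword = ConvertTo-SecureString -String ([Convert]::ToBase64String($bytes)) -AsPlainText -Force

# Create the account only if it does not exist yet (the script may run more than once).
if (-not (Get-LocalUser -Name $AccountName -ErrorAction SilentlyContinue)) {
    New-LocalUser -Name $AccountName -Password $initialPassword `
        -Description 'Local administrator managed by Windows LAPS' | Out-Null
}

# Resolve the Administrators group by its well-known SID (S-1-5-32-544) rather than by name,
# so the script also works on localized Windows builds.
$adminsGroup = Get-LocalGroup -SID 'S-1-5-32-544'

# Same effect as the LocalUserGroup = 2 OMA-URI: add the account to the Administrators group.
$alreadyMember = Get-LocalGroupMember -Group $adminsGroup -Member $AccountName -ErrorAction SilentlyContinue
if (-not $alreadyMember) {
    Add-LocalGroupMember -Group $adminsGroup -Member $AccountName
}

# Report the end state so the Intune script output shows what was configured.
$user = Get-LocalUser -Name $AccountName
[PSCustomObject]@{
    Account      = $user.Name
    Enabled      = $user.Enabled
    IsLocalAdmin = [bool](Get-LocalGroupMember -Group $adminsGroup -Member $AccountName -ErrorAction SilentlyContinue)
}
```

Once the LAPS policy applies, the password shown in the Intune device blade (see below) is the one LAPS set, not the random value generated here.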
How to get the LAPS password from Azure?
Go to intune.microsoft.com
Select: Devices – Windows
Select the device you want to get the LAPS password from; under the Monitor menu you will now find “Local admin password”.
Click on “Local admin password” and you now have the option to display the local administrator password and to view details such as the last password rotation.