Automating and Securing Windows LAPS for Azure AD/Intune

I’m not writing a post covering Windows LAPS itself or how to set it up; there are many excellent articles out there that have you covered.

This one is about automating the setup: not only the LAPS policy, but also the creation of a new local administrator on the device for LAPS to manage. It will even toggle the LAPS setting in Azure AD if you haven’t done so already.

The default configuration for Windows LAPS is to re-enable the built-in local administrator (which you can also rename), but renaming does not change its SID, so for extra security we will create a whole new user account.

And here is the new script. As usual, you can find it on GitHub here.

Or on the PSGallery:

Install-Script -Name configure-laps-intune

This script can take an account name parameter at the command line; if one isn’t passed, it defaults to “lapsadmin”.

Whilst LAPS will handle the password from then on, we want the account to be secure from the moment it is created, so the script generates a random, fully complex 20-character initial password.

LAPS is then configured with these settings (the account name will match whatever is passed in the parameter):

[Screenshot: LAPS policy settings]
    Backup directory: Azure AD only
    Password age: 30 days
    Administrator account name: lapsadmin
    Password: fully complex, 20 characters
    Reset the password upon expiry

Finally, it assigns both policies to All Devices.
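As an added illustration (this is not the configure-laps-intune script, and not code from the post), the following re-creates two of the steps described above: generating a cryptographically random 20-character complex initial password, and building the Intune custom-configuration body that creates the local admin through the Accounts CSP and places it in the local Administrators group, using the same OMA-URIs that appear in the comments further down. It assumes the Microsoft.Graph.Authentication module for the POST at the end (left commented out); the policy and setting display names are my own choices.

```powershell
# Added example, not the post's script. Requires Microsoft.Graph.Authentication
# only for the commented-out Graph POST at the end.

function Get-RandomIndex {
    param(
        [System.Security.Cryptography.RandomNumberGenerator]$Rng,
        [int]$Max
    )
    # Rejection sampling: only accept draws below the largest multiple of $Max,
    # so that "value % $Max" is uniform (no modulo bias).
    $limit = [uint32]::MaxValue - ([uint32]::MaxValue % [uint32]$Max)
    $bytes = New-Object byte[] 4
    do {
        $Rng.GetBytes($bytes)
        $value = [BitConverter]::ToUInt32($bytes, 0)
    } while ($value -ge $limit)
    return [int]($value % $Max)
}

function New-ComplexPassword {
    param([int]$Length = 20)
    # Four character classes; easily confused glyphs (l, I, O, 0, 1) are left out.
    $classes = @(
        'abcdefghijkmnopqrstuvwxyz',
        'ABCDEFGHJKLMNPQRSTUVWXYZ',
        '23456789',
        '!@#$%^&*-_=+?'
    )
    $all = -join $classes
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    try {
        $chars = New-Object System.Collections.Generic.List[char]
        # One character from each class guarantees full complexity ...
        foreach ($set in $classes) {
            $chars.Add($set[(Get-RandomIndex -Rng $rng -Max $set.Length)])
        }
        # ... fill to the requested length from the whole alphabet ...
        while ($chars.Count -lt $Length) {
            $chars.Add($all[(Get-RandomIndex -Rng $rng -Max $all.Length)])
        }
        # ... then Fisher-Yates shuffle so the class positions are not predictable.
        for ($i = $chars.Count - 1; $i -gt 0; $i--) {
            $j = Get-RandomIndex -Rng $rng -Max ($i + 1)
            $tmp = $chars[$i]; $chars[$i] = $chars[$j]; $chars[$j] = $tmp
        }
        return -join $chars
    }
    finally { $rng.Dispose() }
}

function New-LocalAdminPolicyBody {
    param(
        [string]$AccountName = 'lapsadmin',
        [Parameter(Mandatory)][string]$Password
    )
    # The account name is embedded in the OMA-URI, so keep it to a plain local user name.
    if ($AccountName -notmatch '^[A-Za-z0-9_-]{1,20}$') {
        throw "Account name must be a plain local user name (max 20 characters)"
    }
    $base = "./Device/Vendor/MSFT/Accounts/Users/$AccountName"
    $policy = [ordered]@{
        '@odata.type' = '#microsoft.graph.windows10CustomConfiguration'
        displayName   = "Create local admin $AccountName (LAPS target)"   # assumed name
        description   = 'Initial password is random and is rotated by Windows LAPS'
        omaSettings   = @(
            [ordered]@{
                '@odata.type' = '#microsoft.graph.omaSettingString'
                displayName   = 'Password'
                omaUri        = "$base/Password"
                value         = $Password
            },
            [ordered]@{
                '@odata.type' = '#microsoft.graph.omaSettingInteger'
                displayName   = 'LocalUserGroup'
                omaUri        = "$base/LocalUserGroup"
                value         = 2   # Accounts CSP: 2 = local Administrators group
            }
        )
    }
    return ($policy | ConvertTo-Json -Depth 5)
}

# Usage. The POST is commented out so the block is safe to paste as-is; the id it
# returns is the one a later assignment call needs.
$initialPassword = New-ComplexPassword -Length 20
$body = New-LocalAdminPolicyBody -AccountName 'lapsadmin' -Password $initialPassword
# Connect-MgGraph -Scopes 'DeviceManagementConfiguration.ReadWrite.All'
# $created = Invoke-MgGraphRequest -Method POST -ContentType 'application/json' `
#     -Uri 'https://graph.microsoft.com/beta/deviceManagement/deviceConfigurations' -Body $body
# $created.id
Remove-Variable initialPassword, body   # never echo or log the clear-text value
```

Two points worth keeping in mind with this approach: the clear-text initial password lives in the policy object in Intune until LAPS rotates it, which is why the value is random per run and why the LAPS policy should be assigned before the account policy reaches devices; and the password generator uses RandomNumberGenerator with rejection sampling rather than Get-Random, because Get-Random is not a cryptographic source.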

34 thoughts on “Automating and Securing Windows LAPS for Azure AD/Intune”

  1. Hi Andrew,

    Firstly thank you for this article & script.

    Please excuse my ignorance, as I am new to this, but once the password has been randomly selected, where would I be able to find the password when I need to log in with the local admin account?

    Thank you

    • Hi,
      If you look at the Device details in Intune there is a new menu item called “Local Admin Password”. That will display the password for you.
      You can also access it through Azure AD Devices if you would prefer.

      Hope this helps
  2. Sorry, one further question. Will this setting automatically apply to any future devices that are connected to our Azure AD?
  3. Hello Andrew,

    I have enabled it in the Azure tenant and then created the policy, however I am getting the error “rotateLocalAdminPassword Failed”. Any idea?

    I have checked for other conflicting policies and disabled any that could be.

    I have an account created with that name.

    I have re-created the policy and left it with the default admin account to see if that works.

    All to no avail.
  4. Sorry, a little dense today. Do I run this PS once from my workstation and then it handles the rest? Or do I package this as a Win32 app to deploy as an app in Intune?
  5. Do I have to run it on each machine in the environment or just one machine and it will do the rest of the systems? Trying to implement LAPS in an AAD environment with a new local admin.

  6. Thank you again. I have installed it but am seeing errors on the devices it’s being pushed to: -2016281112, though when I look at the devices, the new user is there and in the administrators group on the system. I am also not seeing the password in Intune. Anything I should be looking for, or that I’m missing?

    Setting name                                                          Setting status   Error code
    Password [./Device/Vendor/MSFT/Accounts/Users/mediadmin/Password]     Error            -2016281112
    LocalUserGroup [./Device/Vendor/MSFT/Accounts/Users/m1admin/LocalUserGroup]   Error    -2016281112
  7. Hi again Andrew,
    Sorry, but I am not into Graph. Let’s say my group is “AADJ-Devices”; what line should I change?

    $lapsassignjson = @"
    {
        "assignments": [
            {
                "target": {
                    "@odata.type": "#microsoft.graph.allDevicesAssignmentTarget"
                }
            }
        ]
    }
    "@
  8. It seems that “microsoft.graph.groupAssignmentTarget” does not have such a property (groupID):
    “The property ‘groupId’ does not exist on type ‘microsoft.management.services.api.allDevicesAssignmentTarget’.”
    Maybe another microsoft.graph.XXX data type?
  9. My fault, I didn’t switch allDevicesAssignmentTarget for groupAssignmentTarget… It worked like a charm!
    Thanks again for sharing your knowledge!

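Following up on comments 7 to 9, here is an added helper (not from the post or its script) that builds the “assignments” body for either All Devices or a single Azure AD group, so the @odata.type and the groupId are always changed together; putting groupId on allDevicesAssignmentTarget is exactly what produces the error quoted in comment 8. The group lookup and the /assign call are shown commented out; $policyId is a placeholder for the id Graph returned when the LAPS configuration policy was created, and the sample GUID at the end is constructed.

```powershell
# Added example (not part of the post's script): build the assignment body for the
# LAPS policy, targeting either All Devices or one Azure AD group.
function New-PolicyAssignmentBody {
    param(
        [string]$GroupId   # Azure AD group object ID (GUID); omit for All Devices
    )
    if ([string]::IsNullOrWhiteSpace($GroupId)) {
        $target = [ordered]@{ '@odata.type' = '#microsoft.graph.allDevicesAssignmentTarget' }
    }
    else {
        # groupId is only a property of groupAssignmentTarget; keeping the odata type
        # as allDevicesAssignmentTarget is what triggers the "property 'groupId' does
        # not exist" error quoted above.
        if ($GroupId -notmatch '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$') {
            throw "GroupId must be the group's object ID (a GUID), not its display name"
        }
        $target = [ordered]@{
            '@odata.type' = '#microsoft.graph.groupAssignmentTarget'
            groupId       = $GroupId
        }
    }
    $body = @{ assignments = @( @{ target = $target } ) }
    return ($body | ConvertTo-Json -Depth 5)
}

# Usage: resolve the group by display name, then assign. Both Graph calls are
# commented out so the block is safe to paste; $policyId is a placeholder.
# Connect-MgGraph -Scopes 'DeviceManagementConfiguration.ReadWrite.All','Group.Read.All'
# $group    = Get-MgGroup -Filter "displayName eq 'AADJ-Devices'"
# $policyId = '<id of the LAPS configurationPolicy>'
# Invoke-MgGraphRequest -Method POST -ContentType 'application/json' `
#     -Uri "https://graph.microsoft.com/beta/deviceManagement/configurationPolicies/$policyId/assign" `
#     -Body (New-PolicyAssignmentBody -GroupId $group.Id)
New-PolicyAssignmentBody                                              # All Devices body
New-PolicyAssignmentBody -GroupId ([guid]::NewGuid().ToString())      # group body, constructed sample GUID
```

Scoping the assignment to a pilot group first is the safer rollout: the account policy writes a new local administrator to every device it reaches, so a group target lets you confirm the LAPS password shows up in Intune for a handful of devices before widening to All Devices.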
  10. You are a mad genius. Thank you.

    How do I modify/cut down the script so that it only creates the local admin user and assigns it to the administrators group?

    The reason: I already have LAPS enabled in Intune and it works. I need a unified admin account on all Intune-joined Windows devices, because currently the Intune LAPS policy applies only to devices that already have that particular admin account and ignores the rest of the devices.

    Thank you in advance.
