I’m not writing a post covering Windows LAPS or how to set it up, there are many excellent articles out there which have you covered.
For this one, you can automate the setup, not only of the LAPS policy, but also the creation of a new local administrator on the device for it to manage. It will even enable the tenant-level Azure AD LAPS setting if you haven't done so already.
The default configuration for Windows LAPS manages the built-in local Administrator account (which you can also rename), but renaming does not change its well-known RID-500 SID, so anything that targets that account by SID still finds it. For extra security we will create a whole new user account instead.
And here is the new script. As usual you can find it on GitHub Here
Or on the PSGallery
Install-Script -Name configure-laps-intune
This script can take an account name parameter at the command line, or if one isn’t passed, it defaults to “lapsadmin”.
Whilst LAPS will handle the password moving forward, we want the account to be secure from the start, so the script generates a random 20-character password for it rather than anything guessable.
LAPS is then configured with these settings (the account name will match whatever was passed in the parameter).
Finally, it assigns both policies, the LAPS configuration and the account creation, to All Devices.
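As an added example (this is not the script from the post or from its GitHub repository), here is the same two-part procedure written out in PowerShell: a device-side function that creates the LAPS-managed local administrator with a cryptographically random 20-character password, and a Graph-side function that builds the Windows LAPS Settings Catalog policy and assigns it to All Devices. The Graph part assumes an existing Connect-MgGraph session with DeviceManagementConfiguration.ReadWrite.All; the Settings Catalog definition IDs follow the Windows LAPS CSP naming but are assumptions you should confirm in your own tenant before use.

```powershell
# Added example, not the post's own script. Part 1 runs ON the device (for instance
# deployed as an Intune platform script running as SYSTEM); part 2 runs from an admin
# session that has already called Connect-MgGraph.

function New-RandomPassword {
    # Rejection sampling keeps the selection unbiased: a plain "byte % charset length"
    # would favour the first characters of the set.
    param([int]$Length = 20)
    $charset = [char[]]('ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789!@#$%^&*-_=+')
    $limit   = 256 - (256 % $charset.Length)
    $rng     = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buf     = New-Object byte[] 1
    $out     = New-Object System.Text.StringBuilder
    while ($out.Length -lt $Length) {
        $rng.GetBytes($buf)
        if ($buf[0] -lt $limit) { [void]$out.Append($charset[$buf[0] % $charset.Length]) }
    }
    $rng.Dispose()
    return $out.ToString()
}

function New-LapsManagedAdmin {
    # Part 1: create the account LAPS will manage. The initial password is never written
    # to disk or logged; LAPS replaces it on its first policy processing anyway.
    param([string]$AccountName = 'lapsadmin')
    if (Get-LocalUser -Name $AccountName -ErrorAction SilentlyContinue) {
        Write-Output "$AccountName already exists; leaving it for LAPS to manage."
    } else {
        $secure = ConvertTo-SecureString (New-RandomPassword -Length 20) -AsPlainText -Force
        New-LocalUser -Name $AccountName -Password $secure -PasswordNeverExpires `
            -AccountNeverExpires -Description 'Windows LAPS managed local administrator' | Out-Null
    }
    # Use the well-known SID of BUILTIN\Administrators rather than the localised group name.
    $admins = Get-LocalGroup -SID 'S-1-5-32-544'
    if (-not (Get-LocalGroupMember -Group $admins -ErrorAction SilentlyContinue |
              Where-Object { $_.Name -like "*\$AccountName" })) {
        Add-LocalGroupMember -Group $admins -Member $AccountName
    }
}

function New-LapsSettingsCatalogPolicy {
    # Part 2: Settings Catalog policy for the Windows LAPS CSP, assigned to All Devices.
    # The settingDefinitionId values below are ASSUMED from the CSP naming; verify them in
    # your tenant (Settings Catalog UI, or GET /beta/deviceManagement/configurationSettings).
    param([string]$AccountName = 'lapsadmin', [string]$PolicyName = 'Windows LAPS')
    function Simple($id, $type, $val) {
        @{ '@odata.type' = '#microsoft.graph.deviceManagementConfigurationSimpleSettingInstance'
           settingDefinitionId = $id
           simpleSettingValue  = @{ '@odata.type' = "#microsoft.graph.deviceManagementConfiguration${type}SettingValue"; value = $val } }
    }
    function Choice($id, $val, $children) {
        @{ '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance'
           settingDefinitionId = $id
           choiceSettingValue  = @{ '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingValue'
                                    value = "${id}_$val"; children = @($children) } }
    }
    $settings = @(
        Choice 'device_vendor_msft_laps_policies_backupdirectory' 1 @(                # 1 = back up to Azure AD
            Simple 'device_vendor_msft_laps_policies_passwordagedays_aad' 'Integer' 30)
        Simple 'device_vendor_msft_laps_policies_administratoraccountname' 'String' $AccountName
        Choice 'device_vendor_msft_laps_policies_passwordcomplexity' 4 @()           # 4 = upper, lower, digits, special
        Simple 'device_vendor_msft_laps_policies_passwordlength' 'Integer' 20
        Choice 'device_vendor_msft_laps_policies_postauthenticationactions' 3 @()    # 3 = reset password and log off
        Simple 'device_vendor_msft_laps_policies_postauthenticationresetdelay' 'Integer' 24
    ) | ForEach-Object { @{ '@odata.type' = '#microsoft.graph.deviceManagementConfigurationSetting'; settingInstance = $_ } }

    $policy = Invoke-MgGraphRequest -Method POST -ContentType 'application/json' `
        -Uri 'https://graph.microsoft.com/beta/deviceManagement/configurationPolicies' `
        -Body (@{ name = $PolicyName; description = 'Windows LAPS, Azure AD backup'
                  platforms = 'windows10'; technologies = 'mdm'; settings = $settings } | ConvertTo-Json -Depth 20)

    # Assignment to All Devices is a separate call against the new policy's id.
    Invoke-MgGraphRequest -Method POST -ContentType 'application/json' `
        -Uri "https://graph.microsoft.com/beta/deviceManagement/configurationPolicies/$($policy.id)/assign" `
        -Body (@{ assignments = @(@{ target = @{ '@odata.type' = '#microsoft.graph.allDevicesAssignmentTarget' } }) } |
               ConvertTo-Json -Depth 10)
    return $policy.id
}
```

Deploy New-LapsManagedAdmin to the devices by whatever mechanism you prefer (the post's script does this as its second Intune policy) and run New-LapsSettingsCatalogPolicy once from your admin workstation. On a device you can then force a cycle with Invoke-LapsPolicyProcessing from the built-in Windows LAPS module and read the result in the Microsoft-Windows-LAPS/Operational event log; if the account name in the policy does not exactly match the local account, that log is where the mismatch shows up.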
11 thoughts on “Automating and Securing Windows LAPS for Azure AD/Intune”
Appreciate you always looking under the hood right away, thank you for the information!
Glad you find it useful, first place I look when these are released is what’s going on in Graph 🙂
Hello Andrew, thanks for the script.
Glad you’re finding it useful!
Firstly thank you for this article & script.
Please excuse my ignorance, as I am new to this, but once the password has been randomly selected, where would I be able to find the password when I need to log in with the local admin account?
If you look at the Device details in Intune there is a new menu item called “Local Admin Password”. That will display the password for you.
You can also access it through Azure AD Devices as well if you would prefer
Hope this helps
Perfect, thank you for your help and quick reply.
Sorry, one further question. Will this setting automatically apply to any future devices that are connected to our Azure AD?
Yes, it is targeting all devices so as soon as they are enrolled into Intune, the policy will apply
I have enabled it in the Azure tenant and then created the policy, however I am getting the error "rotateLocalAdminPassword Failed". Any idea?
I have checked for other conflicting policies and disabled any that could be.
I have an account created with that name.
I have re-created the policy and left it with the default admin account to see if that works.
All to no avail.
Did the account create correctly? Do you have any old on-prem LAPS setup?