I’m not writing a post covering Windows LAPS or how to set it up; there are many excellent articles out there which have you covered.
For this one, you can automate the setup not only of the LAPS policy but also of a new local administrator account on the device for LAPS to manage. It will even toggle the LAPS setting in AAD (Azure AD device settings) if you haven’t done so already!
The default configuration for Windows LAPS manages the built-in local Administrator account (which you can also rename), but renaming doesn’t change its SID, which always ends in the well-known RID 500, so for extra security we will create a whole new user account instead.
And here is the new script. As usual, you can find it on GitHub here
Or on the PSGallery:
Install-Script -Name configure-laps-intune
This script takes an optional account name parameter at the command line; if one isn’t passed, it defaults to “lapsadmin”.
Whilst LAPS will handle the password from then on, we want the account to be secure from the moment it is created, so the script generates a random 20-character initial password to be extra careful.
LAPS is then configured with these settings (the administrator account name is set to whatever was passed in the parameter).
Finally, it assigns both policies to All Devices.
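The device-side half of the procedure above (the account name parameter and the random initial password), as an added PowerShell example. This is not the script from the post or the PSGallery; it assumes it runs elevated on the device (for instance as an Intune platform script), and the parameter names, the character set and the “Managed by Windows LAPS” description are my own choices.

```powershell
<#
  Added example (not the configure-laps-intune script): create a dedicated local
  administrator for Windows LAPS to manage. Assumes it runs as SYSTEM or an admin
  on the device. Parameter names and defaults are assumptions, not the post's.
#>
[CmdletBinding()]
param(
    [ValidatePattern('^[A-Za-z0-9_-]{1,20}$')]   # keep to a sane SAM account name
    [string]$AccountName = 'lapsadmin',
    [ValidateRange(16, 64)]
    [int]$PasswordLength = 20
)

function New-RandomPassword {
    param([int]$Length = 20)
    # Use the OS CSPRNG, not Get-Random (which is not cryptographically secure).
    $charset = [char[]]'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*()-_=+'
    $limit   = 256 - (256 % $charset.Length)   # rejection threshold: avoids modulo bias
    $rng     = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buf     = New-Object byte[] 1
    $sb      = New-Object System.Text.StringBuilder
    try {
        while ($sb.Length -lt $Length) {
            $rng.GetBytes($buf)
            if ($buf[0] -lt $limit) {
                [void]$sb.Append($charset[$buf[0] % $charset.Length])
            }
        }
    } finally {
        $rng.Dispose()
    }
    return $sb.ToString()
}

# Generate the bootstrap password, wrap it, and drop the plaintext immediately.
# LAPS rotates and backs up the password from here on, so nothing needs to keep it.
$plain  = New-RandomPassword -Length $PasswordLength
$secure = ConvertTo-SecureString -String $plain -AsPlainText -Force
$plain  = $null

# Idempotent: create the account, or reset the password if the script is re-run.
# PasswordNeverExpires stops the local password-age policy from flagging the
# account as "must change at next logon" before LAPS rotates it.
if (-not (Get-LocalUser -Name $AccountName -ErrorAction SilentlyContinue)) {
    New-LocalUser -Name $AccountName -Password $secure `
        -Description 'Managed by Windows LAPS' `
        -PasswordNeverExpires -UserMayNotChangePassword -AccountNeverExpires | Out-Null
} else {
    Set-LocalUser -Name $AccountName -Password $secure -PasswordNeverExpires $true
}

# Look up Administrators by its well-known SID so this works on any display language.
$adminGroup = Get-LocalGroup -SID 'S-1-5-32-544'
$userSid    = (Get-LocalUser -Name $AccountName).SID
$alreadyIn  = Get-LocalGroupMember -Group $adminGroup -ErrorAction SilentlyContinue |
              Where-Object { $_.SID -eq $userSid }
if (-not $alreadyIn) {
    Add-LocalGroupMember -Group $adminGroup -Member $AccountName
}

# The new account has a fresh SID (not the built-in RID 500 administrator),
# which is the point of creating it rather than renaming the default account.
Write-Output "Local administrator '$AccountName' ready with SID $($userSid.Value)"
```

Point the LAPS policy’s administrator account name at the same `$AccountName` value; if the names differ, LAPS will fall back to managing the built-in Administrator account and the new account will keep its bootstrap password unrotated.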