Local Admin Password Solution (LAPS) on Intune

Modified on Wed, 19 Jul, 2023 at 8:50 AM

References: 

Manage Windows LAPS with Microsoft Intune policies | Microsoft Learn 


Implementation Requirements:

Licensing requirements:

Intune subscription - Microsoft Intune Plan 1, which is the basic Intune subscription

Active Directory subscription – Azure Active Directory Free


Device Requirements:

Windows 10 or Windows 11 with April 2023 Cumulative Update



Administration Requirements:

Currently only the following default Microsoft 365 roles can view the current local administrator password for a device:

- Global Administrator

- Cloud Device Administrator

In the future, Azure AD will add support for assigning the required permissions to custom Azure AD roles.


Our implementation:


The local account configured for our default LAPS policy is:


CRST


This account is provisioned by a script deployed to all Intune devices. The script does not modify the account once it exists, and the generated password is never written to the script output or logs, so the account cannot be used until the LAPS policy applies and the rotated password is stored on the device object in Azure AD. The script is below and can also be found in

CRST IT Support - Documents\01_Central Store\12_Scripts and Batch Files\Intune:


Import-Module Microsoft.PowerShell.LocalAccounts

$adminName = "CRST"
$existingAccount = Get-LocalUser | Where-Object { $_.Name -eq $adminName }

# Idempotent: do nothing if the account has already been provisioned
if ($existingAccount) {
    exit
}

Function Get-RandomPassword
{
    # define parameters
    param([int]$PasswordLength = 10)

    # ASCII character sets for the password (65..90 = A-Z, 97..122 = a-z, 48..57 = 0-9)
    $CharacterSet = @{
            Uppercase   = (65..90)  | Get-Random -Count 10 | ForEach-Object {[char]$_}
            Lowercase   = (97..122) | Get-Random -Count 10 | ForEach-Object {[char]$_}
            Numeric     = (48..57)  | Get-Random -Count 10 | ForEach-Object {[char]$_}
            SpecialChar = (33..47)+(58..64)+(91..96)+(123..126) | Get-Random -Count 10 | ForEach-Object {[char]$_}
    }

    # Build a random password from the combined character set
    $StringSet = $CharacterSet.Uppercase + $CharacterSet.Lowercase + $CharacterSet.Numeric + $CharacterSet.SpecialChar

    -join(Get-Random -Count $PasswordLength -InputObject $StringSet)
}

# Call the function to generate a random 12-character initial password
# (never output or logged; Windows LAPS rotates it once the policy applies)
$password = Get-RandomPassword -PasswordLength 12
$securePassword = ConvertTo-SecureString -String $password -AsPlainText -Force

$admin = New-LocalUser -Name $adminName -Password $securePassword -AccountNeverExpires
Add-LocalGroupMember -Group "Administrators" -Member $admin.Name
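To confirm on a device that both halves of the setup have taken effect (the provisioning script created the account, and the LAPS policy has since rotated its password), the following verification script can be run in an elevated PowerShell session. It is an added example, not part of the article or the deployed script above; it assumes the managed account name "CRST" and relies on the Windows LAPS operational event log that ships with the April 2023 update.

```powershell
# Added verification script (not part of the original article). Run elevated on an enrolled
# device after the provisioning script and the Intune LAPS policy have had time to apply.
# Assumption: the managed account name is "CRST", as configured in the policy above.
$adminName = 'CRST'

# 1. The local account must exist (created by the provisioning script)
$user = Get-LocalUser -Name $adminName -ErrorAction SilentlyContinue
if (-not $user) {
    Write-Warning "Local account '$adminName' not found: the provisioning script has not run here."
    return
}

# 2. It must be a member of the local Administrators group (member names are COMPUTERNAME\Account)
$isAdmin = [bool](Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -like "*\$adminName" })

# 3. Windows LAPS writes to its own operational log; errors there usually mean the policy has
#    not reached the device or the device cannot store the password in Azure AD.
$lapsLog    = 'Microsoft-Windows-LAPS/Operational'
$events     = @(Get-WinEvent -LogName $lapsLog -MaxEvents 100 -ErrorAction SilentlyContinue)
$lapsErrors = @($events | Where-Object { $_.Level -le 2 })   # 1 = Critical, 2 = Error
$lastEvent  = $events | Select-Object -First 1                # Get-WinEvent returns newest first

# 4. Summarise. PasswordLastSet moving to a time after enrolment is the sign that LAPS has
#    replaced the initial script-generated password.
[pscustomobject]@{
    ComputerName      = $env:COMPUTERNAME
    Account           = $user.Name
    Enabled           = $user.Enabled
    IsLocalAdmin      = $isAdmin
    PasswordLastSet   = $user.PasswordLastSet
    LapsLogPresent    = ($events.Count -gt 0)
    LapsLastEventTime = $lastEvent.TimeCreated
    LapsLastEventId   = $lastEvent.Id
    LapsErrorCount    = $lapsErrors.Count
}

if ($lapsErrors.Count -gt 0) {
    Write-Warning "Most recent LAPS error: $($lapsErrors[0].Message)"
}
```

A device that shows IsLocalAdmin = True but LapsLogPresent = False, or a PasswordLastSet that has not moved since enrolment, is one the policy has not reached yet; the LAPS error messages in the log are the first place to look before raising it with the Intune administrators.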


You can view, edit, or create LAPS policies and assign them to specific devices in

Intune Admin Center > Endpoint Security > Account protection
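Beyond the portal, the password stored on the device object can be audited or retrieved from an administrator's workstation with the Windows LAPS PowerShell module. The script below is an added example, not part of the article; it assumes the LAPS module (included with the April 2023 update), the Microsoft.Graph.Authentication module, and sign-in with one of the roles listed above. The DeviceName parameter and RevealPassword switch are the example's own.

```powershell
# Added example (not part of the original article): audit the LAPS-managed credential for one
# device from an administrator's workstation. Assumed prerequisites: the Windows LAPS PowerShell
# module, the Microsoft.Graph.Authentication module, and an account holding Global Administrator
# or Cloud Device Administrator (the only roles that can currently read the password).
param(
    [Parameter(Mandatory)][string]$DeviceName,   # Azure AD device name or device ID (example parameter)
    [switch]$RevealPassword                       # retrieve the secret only when actually needed
)

Import-Module LAPS -ErrorAction Stop

# Get-LapsAADPassword calls Microsoft Graph with the token obtained by Connect-MgGraph.
# DeviceLocalCredential.Read.All is needed to read the password itself; the metadata-only
# query below would work with DeviceLocalCredential.ReadBasic.All.
Connect-MgGraph -Scopes 'Device.Read.All', 'DeviceLocalCredential.Read.All' | Out-Null

# Routine health check: metadata only, no secret is returned.
$meta = Get-LapsAADPassword -DeviceIds $DeviceName
[pscustomobject]@{
    Device   = $meta.DeviceName
    DeviceId = $meta.DeviceId
    Expires  = $meta.PasswordExpirationTime
    Overdue  = ($meta.PasswordExpirationTime -lt (Get-Date))   # rotation should have happened by now
}

if ($RevealPassword) {
    # Password retrieval is recorded in the Azure AD audit log. Keep the value a SecureString
    # and hand it back as a credential object rather than printing or logging it.
    $entry = Get-LapsAADPassword -DeviceIds $DeviceName -IncludePasswords
    [pscredential]::new("$($entry.DeviceName)\$($entry.Account)", $entry.Password)
}
```

An Overdue = True result means the device has not rotated the password since it expired, which is the same symptom as a missing or failing policy on the device side; the metadata query is safe to run in bulk for that reason, while the RevealPassword path should stay reserved for an actual support need because every retrieval is audited.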


The script and the LAPS policy are applied to the built-in group below:
