Nice work!

Do I get this right? You are using the default admin user when no network, using the last generated password?

Hi, in this example - the device is Entra ID joined….

Yes, you are right. I should’ve covered that in the video

I'm pleased you find them useful. I hope the migration goes well.

What about the creation of the local admin account? LAPS works fine only if the local account exists. If the local account does not exist, LAPS won't create it and therefore won't work.

@@EricDyott If you retain the default name of the local admin account, is this step unnecessary?

@@AdamskiHamski We want to avoid using the default "Administrator" account and prefer to use a custom account name like "ITAdmin". When deploying systems with Autopilot, where IT does not physically interact with the machines, LAPS is ineffective as the account was never created on the device. We are considering using PowerShell to establish the local account, but this approach presents its own challenges.

Yes, if you want to create an admin account with a different name to the built in admin account, then you’d need to create that account first. That is my understanding.

Yes…. That’s right

Thank you.

Bro get this, DOUBLE CLICK on the entry. There is no hyperlink visual context.

@@Wahinies LOL, i did try that, but nothing happen. the only thing that can be click on is the device name, as can be seen in blue @6:50 in this video.

Drat I missed a step, yeah i think its click on the device then device compliance status then there is the list that responds to double click .. every time I have had to troubleshoot compliance its this process

It depends on the policy or condition affecting it and even then after the condition is remediated it can take five minutes to HOURS for it to reflect its one of the worst parts of Intune management.

You can't 'force' a device to be complaint, it either is or it isn't based on your compliance policy. If you mean how do you update device compliance details, you can either pull a 'Sync' via Endpoint Manager, or push a 'Sync' using the Company Portal app.

@@chriso1523 Not yet.

Not with LAPS, but there is another feature in M365 that can do this….. I’ll create a video soon.

@@bearded365guy what's that video

LAPS is available for use with all Microsoft Entra licenses, including Microsoft Entra ID Free that comes with Business Basic and Standard, however, devices making use of LAPS must be Domain Joined (i.e. not just Domain Registered) so your users need to be signing into Entra ID or Entra Hybrid ID.

As David said…… Get Business Premium and you’re life is good.

Yes, you can change this to NONE or SELECTED and choose a user. It’s the account you’re using to add the device to Entra ID.

You are practically thinking….. but if everyone in the desktop support team knows the password for the admin for each device, then it’s probably not as secure as it could be.

Microsoft 365 Admin app??

@@bearded365guy no I’m not suggesting the password be known as that contradicts with why you are doing LAPS in the first place (I couldn’t remember 30 or 64 character alphanumeric with symbols anyways) but imagine you are the techie needing to go and get the password from intune.. how do you best do that and maintain security? Not a theoretical exercise. Oh and the admin password is not accessible if say you install the m365 admin app on iPhone. That app is close to useless.

It’s something to consider…

@@rickbellaus Intune (Endpoint Manager) is just a website, and be be accessed just as easily on a mobile browser, as a laptop/desktop browser. OK, would be a pain copying 30 characters from one screen to another but you'd have the password you needed right in front of you, and still securely accessed.

Yes, we need the local admin enabled! I don’t quite understand your second question….

@@bearded365guy Well, laps is in case the user needs local admin right temporarily right? So you want a pop up with windows asking for username and password for local admins if a user runs something that requires privilege. But, if in Azure, at least on a few laptops i have, i dont get that pop up to write local admin user info, i just get denied.

For the first issue, LAPS will still rotate the passwords for the local administrator even though no one will be able to use it. What I did in my environment was create a configuration profile that enables the local administrator for all devices.

I created a different user as to not enable the default admin (a security risk, but admittedly mitigated if LAPS is implemented well (password rotation)). But that does create extra work and is probably untenable for large organizations as creating a user on 100s/1000s of devices would be a lot of work without good automation tools. As to the second question, sounds like a GPO is in place to make UAC the most stringent. Ours is set to prompt for an admin account when privilege escalation is needed.

I’ve used powershell to install my local admin before or sometimes after autopilot runs. 2. In security baselines there is a setting to allow elevations. I ran into this before when first starting so a little bit of tweaking helped .

LAPS is a fantastic attack vector? I'm not sure I agree. LAPS allows a pretty frequent password rotation, so unless your M365 is hacked (at which point you're likely really screwed anyway), it certainly beats doing nothing or leaving default admin enabled. I realize there a solutions like CyberArk that would be superior, but I think LAPS strikes a good balance, particularly if you already have Business Premium.

​@@robertneal1973 All IT systems rely on users trusting suppliers to develop secure solutions, therefore, assuming that LAPS is secure, I agree with your point - having different and rotating passwords per machine is more secure than a 'master password'. My point is based on the possibility of a vulnerability being found, per almost every hack ever hacked. An 'over-the-wire' system for controlling local administrator access is a prime target for hackers. Imagine: one PC becomes infected with a RAT, from there the hacker can arp-scan the network to get IPs, sniff the network for LAPS communications to extract security information then and develop a suitable man-in-the-middle API call to reset local admin passwords. This would simply not be possible if the LAPS system did not exist, and hence my point that this is a fantastic attack vector for hackers. Of course, if the system is secure, there's nothing to worry about but I'm sure that every systems administrator / designer on the planet would say that their system is secure until proven otherwise (Solar Winds, Wannacry, Log4Shell ...)

@@robertneal1973 All IT systems rely on users trusting suppliers to develop secure solutions, therefore, assuming that LAPS is secure, I agree with your point - having different and rotating passwords per machine is more secure than a 'master password'. My point is based on the possibility of a vulnerability being found, per almost every hack ever hacked. An 'over-the-wire' system for controlling local administrator access is a prime target for hackers. Imagine: one PC becomes infected with a RAT, from there the hacker can arp-scan the network to get IPs, sniff the network for LAPS communications to extract security information then and develop a suitable man-in-the-middle API call to reset local admin passwords. This would simply not be possible if the LAPS system did not exist, and hence my point that this is a fantastic attack vector for hackers. Of course, if the system is secure, there's nothing to worry about but I'm sure that every systems administrator / designer on the planet would say that their system is secure until proven otherwise (Solar Winds, Wannacry, Log4Shell etc.)

All IT systems rely on users trusting suppliers to develop secure solutions, therefore, assuming that LAPS is secure, I agree with your point - having different and rotating passwords per machine is more secure than a 'master password'. My point is based on the possibility of a vulnerability being found, per almost every hack ever hacked. An 'over-the-wire' system for controlling local administrator access is a prime target for hackers. Imagine: one PC becomes infected with a RAT, from there the hacker can arp-scan the network to get IPs, sniff the network for LAPS communications to extract security information then and develop a suitable man-in-the-middle API call to reset local admin passwords. This would simply not be possible if the LAPS system did not exist, and hence my point that this is a fantastic attack vector for hackers. Of course, if the system is secure, there's nothing to worry about but I'm sure that every systems administrator / designer on the planet would say that their system is secure until proven otherwise (Solar Winds, Wannacry, Log4Shell ...)

you don't

The password is not stored in Intune, but it is on Entra ID

@benjamintestart so are you telling me if the internet goes down I won't be able to log in to the local admin account? Hmmmm....

How often your internet go down? LAPS might not be suitable in your environment if you dont have consistent internet connection.

Agree with the comments, it's a risk for sure, but should be generally an outlier while there's tons of upside.

Does what matter? I'm a one person IT shop, if that's what you're asking. LAPS is great!