S04E17 - Windows LAPS(I.T)

  Рет қаралды 11,587

Intune Training

Intune Training

Күн бұрын

Пікірлер: 32
@aydenburns4818
@aydenburns4818 Жыл бұрын
Very helpful - thank you
@kwiw
@kwiw Жыл бұрын
Thank you for the walk-through. As a previous poster said: Please don't edit your videos unless you really need to or the wait would be too long! The good stuff comes from you coursing through the level of working it out. Also (and maybe this is already in your pipe) I think there would be value in adding a video where you explore the Org. messages feature in Intune. Albeit not that technically difficult it is a really nice feature (especially the Get Started app customization) that I completely missed up until the other day! Keep on doing what you do - you do it very well!
@olegproscurchin8200
@olegproscurchin8200 Жыл бұрын
Great video, but was good to make a recap at the end to understand if that last "Enable local admin password management" policy is actually required :)
@Hans-gb4mv
@Hans-gb4mv Жыл бұрын
You're wromg Steven, it was the April update that introduced Windows LAPS as far as I know. I've enabled it a few weeks ago for my Windows 11 machines that we want to start rolling out in august on all our new machines, and that rollout will be the first step in ditching on-prem AD for our client devices. I wanted to go pure azure AD joined, but some internal constraints still require me to domain join those machines. Although they do end up in an OU where inheritance is disabled and just a handful of GPOs are linked back in. I love the new Windows LAPS, finally an easy way to rotate the password and ensure it works, even if there is no line of sight to your domain controllers and an interface that is less complex and, I assume, more easy to audit. For the complexity, I did not include the special characters, but I did increase the length, as my helpdesk didn't like it when they had to spell out the password in a rare case where the user had to regain access to the laptop before being able to start up the VPN to sync up the reset password (no pre-login VPN available at the moment). The one thing I have not looked at yet, what if you have a GPO active for the old LAPS and then enable Windows LAPS, who will take priority? Anyone know? Or is it best that if I want to go that route that I do ensure the CSE is uninstalled and the GPO is gone?
@RR-lb2dt
@RR-lb2dt Жыл бұрын
From your experience how quickly does the rotated/new passwords sync to intune? would be nice to have the password reset after every logon but if it takes a while for the new password to go onto intune portal then could imagine how annoying it would be for the helpdesk
@Hans-gb4mv
@Hans-gb4mv Жыл бұрын
@@RR-lb2dt it should be minutes, if the machine is properly connected and Intune isn't taking its sweet time to replicate the information in the background. But note that you can't automatically reset after every logon. The automated rotation happens time based, you can set it to expire 1 hour after logon, but that's the closest you'll get to avoid abuse. If you want your users to be able to execute tasks as admin, start looking at something like EPM.
@shivaani-sures
@shivaani-sures 7 ай бұрын
Thank you for the clear steps guidance. It really helped.
@ThorstenSauter
@ThorstenSauter Жыл бұрын
Windows LAPS is supported since the April Updates. It's been running really well so far.
@noahdelarosa5710
@noahdelarosa5710 Жыл бұрын
Your instructional videos are amazing. Qq. When you created the Windows LAPs group, is this group a user specific or device specific?
@IntuneTraining
@IntuneTraining Жыл бұрын
Should be a device group.
@ToTCaMbIu
@ToTCaMbIu 10 ай бұрын
I used a user group, and it worked for me.
@Accolades70
@Accolades70 Жыл бұрын
Great lesson...
@Michael82992
@Michael82992 Жыл бұрын
@intune training; great video as always 😊 the policy does not activate/enable the administrator account right?! As by default the administrator account is disabled, isn’t leaving the account disabled a better security solution. Isn’t just adding an (additional) local administrator from intune a simpeler solution?! Just looking for a best practice 😊
@Hans-gb4mv
@Hans-gb4mv Жыл бұрын
Best practice would indeed be to create a new account and add it to the local administrators group. There's a video from I.T on how to do that as well.
@borjagomezvillar2982
@borjagomezvillar2982 Жыл бұрын
Great video guys! So it was not showing any password in the beginning because of the second setting you enabled in the settings catalog option? I understood: first step azure, second settings catalog with the two options and third the laps policy? 🙏
@ricardogoncalves3202
@ricardogoncalves3202 8 ай бұрын
Hey gents as you stated you cannot run this together with On-premise LAPS, do you perhaps have a guide i can use to remove the current On-premise LAPS setup and only setup the Azure LAPS. Your assistance would be greatly appreciated.
@IntuneTraining
@IntuneTraining 8 ай бұрын
This is how we migrated in prod learn.microsoft.com/en-us/windows-server/identity/laps/laps-scenarios-deployment-migration
@computeraidedworld1148
@computeraidedworld1148 Жыл бұрын
This is excellent, however Steve, your audio is hard to make out. Maybe if your audio could be recorded separately from the video call. I don't know if it's the compression or just your mic.
@anthonynichol6981
@anthonynichol6981 Жыл бұрын
Where in the policy do you set the username?
@daywork1849
@daywork1849 Жыл бұрын
it works from me, but i did enable the local admin account from Computer management! in this case is that correct?
@krishnap2k3
@krishnap2k3 Жыл бұрын
Is there anyway enduser can access his LAPS password from a portal? Or is it the Cloud LAPS with Enterprise App scenario?
@Hans-gb4mv
@Hans-gb4mv Жыл бұрын
Why would you want end users to be able to access the password? Then you might as well simply give them an account to play with like in the good old days. The goal is to have an account available in case of emergency. When things go wrong.
@krishnap2k3
@krishnap2k3 Жыл бұрын
Thanks @@Hans-gb4mv, I am workign with a client now, they have a handfull of developers need the local admin password time to time. But fo Sec Ops and other compliances sake, he want to use the LAPS as a solution with these developer users access their local admin password on on-demand basis. Unless you suggest anyother best method to acheive this? Also a quick question - what is the best practice/method? 1. using the non-licensed user account for admin access? or 2. LAPS?
@Hans-gb4mv
@Hans-gb4mv Жыл бұрын
@@krishnap2k3 if compliance is key, I would look at a proper privilege management solution so that you can limit the applications that can be run in a privileged context and get logging on when they were executed that way. Microsoft released EPM some months ago which can accomplish this, but it is still missing one key component at this moment imho that they are working on, namely the option to request for an application to be executed to your support team. You can also find other solutions out there that work in a similar fashion if you want to have a look outside of Intune. None of those solutions are free, but if it is just a handful of people, Microsoft's EPM isn't that expensive. If it really must be something like LAPS and you don't want people to have admin access at random times, all the time then those people will have to contact someone in IT support every single time to get the latest LAPS password.
@RicardoSanchezJr
@RicardoSanchezJr Жыл бұрын
Can you set a specific password?
@justinmerwin8258
@justinmerwin8258 Жыл бұрын
Why a windowslaps group and not assigned to all devices?
@ToTCaMbIu
@ToTCaMbIu 10 ай бұрын
Assigning any policy to all devices is bad practice. Instead, you should have a dynamic group with all devices in it. However, I would assign my policies to user groups rather than device groups. There are scenarios with iPhone and Android where you want to use device groups, but this is a discussion for another time.
@Eschguy
@Eschguy Жыл бұрын
Never knew about .\NAME, I've always done localhost\ **The more you know**
@Hans-gb4mv
@Hans-gb4mv Жыл бұрын
Here's another top tip: you wanna ping localhost to see if your network stack is still functional? Ping 127.1
@hyugai
@hyugai Жыл бұрын
it would be good if intune can extend this to macOS too
@SprinbokInTheSnow
@SprinbokInTheSnow Жыл бұрын
Plz don’t edit the videos. That’s the best learning time. Especially as I follow along in my lab 😊
S04E10 - Removal of Inbox Apps - New store edition (I.T)
17:23
Intune Training
Рет қаралды 7 М.
Why no RONALDO?! 🤔⚽️
00:28
Celine Dept
Рет қаралды 118 МЛН
Quando eu quero Sushi (sem desperdiçar) 🍣
00:26
Los Wagners
Рет қаралды 13 МЛН
One day.. 🙌
00:33
Celine Dept
Рет қаралды 77 МЛН
Windows LAPS in 9 mins: Hackers DON’T watch this!
8:55
Azure Academy
Рет қаралды 25 М.
What is Microsoft (LAPS) Local Administrator Password Solution?
8:14
Trolling Hackers with a Honeypot and how you can too
20:08
Gnar Coding
Рет қаралды 8 М.
Windows Local Administrator Password Solution (LAPS)
53:31
John Savill's Technical Training
Рет қаралды 49 М.
2023E08 - Android Provisioning (I.T)
27:45
Intune Training
Рет қаралды 7 М.
S04E02 - Local Users and Groups - (I.T)
39:14
Intune Training
Рет қаралды 13 М.
Keeping passwords secure with Windows LAPS
38:29
Windows IT Pro
Рет қаралды 3,1 М.
2023E16 - Android Personally Owned Work Profile Enrollment (I.T)
24:58
Why no RONALDO?! 🤔⚽️
00:28
Celine Dept
Рет қаралды 118 МЛН