Managing local administrator accounts on multiple devices can be a daunting task.
However, with the advent of Microsoft Intune and the Windows Local Administrator Password Solution (LAPS), this process has become significantly more streamlined. In this post, we'll walk through the step-by-step process of configuring Windows LAPS using Intune, allowing administrators to manage local administrator accounts across devices efficiently. Here are the prerequisites:
1. Licensing requirements
- Intune subscription | Microsoft Intune Plan 1, which is the basic Intune subscription. You can also use Windows LAPS with a free trial subscription for Intune.
- Active Directory subscription | Azure Active Directory Free, which is included with your Azure subscription, allows you to use all the features of LAPS.
2. Directory type
Intune policy for Windows LAPS can configure a device to back up a local administrator account and password to one of the following directory types:
- Cloud | Supports backup to your Azure AD for the following scenarios:
  - Hybrid (Hybrid Azure AD join)
  - Azure AD Join
- On-premises | Supports backup to Windows Server Active Directory (on-premises Active Directory).
3. Operating System
Devices can have any Windows edition that Intune supports, but must run one of the following versions to support the Windows LAPS CSP:
- Windows 10, version 22H2 (19045.2846 or later) with KB5025221 - April 11, 2023
- Windows 10, version 21H2 (19044.2846 or later) with KB5025221 - April 11, 2023
- Windows 10, version 20H2 (19042.2846 or later) with KB5025221 - April 11, 2023
- Windows 11, version 22H2 (22621.1555 or later) with KB5025239 - April 11, 2023
- Windows 11, version 21H2 (22000.1817 or later) with KB5025224 - April 11, 2023
This approach consists of two parts that together cover local administrator account management:
- Creating and deploying a local admin account via Intune on all devices (optional)
- Enabling and configuring Windows LAPS
Note | If you have already deployed local admin accounts to your devices, you can skip Part 1. You also don't need it if you are using the built-in Administrator account as the local admin (not recommended).
Now, let’s dive into each of these to understand their significance and how they contribute to a streamlined and secure administrative experience.
Part 1: Creating & Deploying Local Admin Account via Intune (optional)
To begin, create a custom configuration profile with two OMA-URI settings: the first creates the local user account on the device and the second adds it to the local Administrators group.
- Log in to the Microsoft Intune admin center.
- Go to Devices > Configuration profiles > + Create profile.
- Platform: Windows 10 and later.
- Profile type: Templates.
- Name of the profile: Windows_CreateLocalAdminAccount
- Description: This custom device configuration profile will create a local administrator account called localadmin on all Intune managed devices.
- Click the Add button to add an OMA-URI setting and provide the details below:
  - Name: Create Local User Account
  - OMA-URI: ./Device/Vendor/MSFT/Accounts/Users/localadmin/Password
  - Data type: String
  - Value: Admin@123 (this is the initial password; it is identical on every targeted device until LAPS rotates it)
- Click Save.
- Click the Add button again to add a second OMA-URI setting and provide the details below:
  - Name: Add user to Local administrator group
  - OMA-URI: ./Device/Vendor/MSFT/Accounts/Users/localadmin/LocalUserGroup
  - Data type: Integer
  - Value: 2
- Assignments tab
  - Create an Azure AD security group containing the users or devices this custom device configuration profile should be deployed to. Note that if you add users, the local admin account will be created on all of each user's devices that are Azure AD joined and enrolled in Intune. If you want to deploy it to specific devices, add DEVICES to the Azure AD security group, not USERS.
  - To deploy it on all end-user devices, click + Add all devices to target every device enrolled in Intune.
- Applicability Rules
  - You can apply an applicability rule based on your requirements, but for now we are leaving it blank.
- Review + Create
  - On the Review + Create tab, review the device configuration profile and click Create. As soon as you click Create, the device configuration profile is created and the process of creating the local admin account begins on the targeted devices.
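The same profile can be created from a script instead of the portal. The following is an added example, not code from the original post, that builds the two OMA-URI settings above through Microsoft Graph; it assumes the Microsoft.Graph.Authentication module is installed and the signed-in account holds the DeviceManagementConfiguration.ReadWrite.All permission.

```powershell
# Added example, not code from the original post: creates the same custom profile as the
# portal steps above through Microsoft Graph. Assumes the Microsoft.Graph.Authentication
# module is installed and the signed-in account holds DeviceManagementConfiguration.ReadWrite.All.
# The initial password is passed in as a SecureString rather than hard-coded; it is a
# bootstrap value that is identical on every targeted device until LAPS rotates it (Part 2).
param(
    [string]$AccountName = 'localadmin',
    [Parameter(Mandatory)][System.Security.SecureString]$InitialPassword
)

Connect-MgGraph -Scopes 'DeviceManagementConfiguration.ReadWrite.All'

# The Accounts CSP Password node takes a plain string, so unwrap it only for the request body.
$plain = [System.Net.NetworkCredential]::new('', $InitialPassword).Password

$body = @{
    '@odata.type' = '#microsoft.graph.windows10CustomConfiguration'
    displayName   = 'Windows_CreateLocalAdminAccount'
    description   = "Creates the local administrator account $AccountName on Intune managed devices."
    omaSettings   = @(
        @{
            '@odata.type' = '#microsoft.graph.omaSettingString'
            displayName   = 'Create Local User Account'
            omaUri        = "./Device/Vendor/MSFT/Accounts/Users/$AccountName/Password"
            value         = $plain
        },
        @{
            '@odata.type' = '#microsoft.graph.omaSettingInteger'
            displayName   = 'Add user to Local administrator group'
            omaUri        = "./Device/Vendor/MSFT/Accounts/Users/$AccountName/LocalUserGroup"
            value         = 2    # 2 = local Administrators group, 1 = Users
        }
    )
}

$created = Invoke-MgGraphRequest -Method POST `
    -Uri 'https://graph.microsoft.com/v1.0/deviceManagement/deviceConfigurations' `
    -Body $body

# Equivalent of "+ Add all devices" on the Assignments tab.
$assign = @{
    assignments = @(
        @{ target = @{ '@odata.type' = '#microsoft.graph.allDevicesAssignmentTarget' } }
    )
}
Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/deviceManagement/deviceConfigurations/$($created.id)/assign" `
    -Body $assign

"Created profile '$($created.displayName)' (id $($created.id)) and assigned it to all devices"
```

To target a security group instead of all devices, replace the allDevicesAssignmentTarget with a groupAssignmentTarget carrying the group's id.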
Verification on the End-User side
Once the policy has synced and been deployed to the respective devices, here's how it will look:
- Navigate to Computer Management (compmgmt.msc) and expand the Local Users and Groups section; the localadmin account has been created here.
- Now, let's verify that the same localadmin account has been added to the Administrators group.
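The same two checks can be scripted on the endpoint. This is an added example, not code from the original post; it assumes the Windows-default Microsoft.PowerShell.LocalAccounts module and the account name used in the profile, and looks the group up by its well-known SID so it also works on non-English Windows.

```powershell
# Added example, not code from the original post: run on a targeted device after the
# Intune sync to confirm the profile took effect. Well-known SIDs are used instead of
# group names so the check works on non-English Windows. Assumes the Windows-default
# Microsoft.PowerShell.LocalAccounts module and the account name used in the profile.
param([string]$AccountName = 'localadmin')

$adminsSid = 'S-1-5-32-544'   # built-in local Administrators group
$members   = Get-LocalGroupMember -SID $adminsSid -ErrorAction SilentlyContinue

$account  = Get-LocalUser -Name $AccountName -ErrorAction SilentlyContinue
$isMember = $false
$enabled  = $false
if ($account) {
    $enabled  = $account.Enabled
    $isMember = [bool]($members | Where-Object { $_.SID.Value -eq $account.SID.Value })
}

# The built-in Administrator account always has RID 500; the post advises against
# relying on it as the managed local admin, so report whether it is enabled.
$builtin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }

[pscustomobject]@{
    Account               = $AccountName
    Exists                = [bool]$account
    Enabled               = $enabled
    InAdministrators      = $isMember
    AdministratorsMembers = @($members | ForEach-Object { $_.Name })
    BuiltInAdminEnabled   = [bool]$builtin.Enabled
}
```

A result with Exists set to False usually means the device has not completed its Intune sync yet; an unexpectedly long AdministratorsMembers list is worth reviewing, since every member holds the same rights as the managed account.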
In our next blog, we will embark on the second stage of our implementation journey: Enabling and Configuring Windows LAPS (Local Administrator Password Solution).
In the meantime, we encourage you to share your experience or ask any questions you may have.