Windows LAPS - mattnovitsch/M365 GitHub Wiki
Summary
Looking to deploy Windows LAPS for your workstations and servers? We can handle that in two different ways. The first is deploying with Intune, which lets you configure it via an Intune Account Protection policy. The second is pushing a Group Policy Object (GPO), which also works but requires updating the Active Directory schema and setting the computer object permissions accordingly.
Intune Deployment
Steps:
- Open Entra
- Navigate to Devices > All Devices > Device Settings.
- Scroll down and make sure Enable Microsoft Entra Local Administrator Password Solution (LAPS) is set to Yes and click Save.
- Navigate to Intune
- Navigate to Endpoint Security > Account Protection > Create Policy. Select Windows as the Platform and Local admin password solution (Windows LAPS) as the profile.
- Give the policy a name, I'm going with the very original name of "Windows LAPS"
- Settings:
  a. Backup Directory: Backup the password to Azure AD Only
  b. Password Age Days: 30
  c. Password Complexity: Large letters + small letters + numbers + special characters (improved readability)
  d. Password Length: 64
  e. Post Authentication Actions: Reset the password and reboot; upon expiry of the grace period, the managed account password will reset and the managed device will be immediately rebooted.
  f. Post Authentication Reset Delay: 24
- Assign the group of devices/users you want to apply this to. I'm being a lazy admin in my lab and clicking All Devices. I would highly recommend doing a small test group of machines first. Save it and you are done.
- Update the policy on your targeted device.
- Navigate to Devices > Windows > select the device you pushed the policy to > Local admin password.
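The same check from PowerShell rather than the portal, as an added example (not code from the wiki or from Microsoft's documentation). It assumes the LAPS module plus the Microsoft.Graph.Authentication and Microsoft.Graph.Identity.DirectoryManagement modules are installed, and that the signed-in account holds a role permitted to read local admin passwords. The device name is a placeholder.

```powershell
# Added example: verify the Intune/Entra LAPS deployment from PowerShell.
# Assumes the LAPS and Microsoft Graph SDK modules are installed and the
# signed-in account may read device local credentials.
#Requires -Modules LAPS, Microsoft.Graph.Authentication, Microsoft.Graph.Identity.DirectoryManagement

# Get-LapsAADPassword rides on the Graph SDK session, so connect first with the
# scope it needs (plus Device.Read.All to resolve the device name to its ID).
Connect-MgGraph -Scopes 'DeviceLocalCredential.Read.All', 'Device.Read.All'

$DeviceName = 'LAB-WS01'   # placeholder: the Entra device display name
$DeviceId   = (Get-MgDevice -Filter "displayName eq '$DeviceName'").DeviceId

if (-not $DeviceId) {
    Write-Warning "No Entra device named '$DeviceName' found; check the device is Entra joined/registered."
    return
}

# Metadata only: confirms the device has backed up at least one password
# without retrieving the secret itself.
Get-LapsAADPassword -DeviceIds $DeviceId

# Full password retrieval. Entra audits this read, so do it only when you
# actually need to log on to the machine.
Get-LapsAADPassword -DeviceIds $DeviceId -IncludePasswords -AsPlainText |
    Select-Object DeviceName, Account, PasswordUpdateTime, PasswordExpirationTime
```

If the first call returns nothing, the policy has not applied or the device has not checked in yet; sync the device from Intune and re-run before assuming the policy is wrong.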
Group Policy Object Deployment
Steps:
- Log into the Domain Controller with Domain Admin or Schema Admin.
- Open Administrator PowerShell Window
- Run the following command: `Update-LapsADSchema`. You should get a message about adding the ms-LAPS-Password schema attributes to your AD schema; confirm it.
- Once that is complete you need to give LAPS permission to update the computer object in AD. This is done by running `Set-LapsADComputerSelfPermission -Identity 'CN=Computers,DC=CompanyName,DC=com'`. Please remember to change CompanyName (and possibly com) to match your organization.
- Now we need to create the Group Policy Object to define our configurations. Open Group Policy Management.
- Either create a new policy or add this to your default domain policy. Note: I would recommend using a separate policy so you can target machines or Organizational Units (OUs).
- Navigate to Computer Configuration > Policies > Administrative Templates > System > LAPS. Note: There are several options here, and depending on your requirements you may need to add to or take away from what I am recommending here.
- Settings:
  a. Configure size of encrypted password history. Enable and configure to the number of passwords stored.
  b. Enable password encryption. Enable this.
  c. Configure password backup directory. Backup directory: Active Directory or Azure Active Directory.
  d. Do not allow password expiration time longer than required by policy. Enabled.
  e. Password Settings. Enabled; this one is going to follow whatever your current organization standards are.
  f. Post-Authentication actions. Enabled and set per organization standards.
- For limiting to a small scope of test machines, remove Authenticated Users from the Security Filtering and add the group of users/devices you want to test with.
- Open an administrator command prompt on a workstation/server that you targeted. Run `gpupdate /force` to get the policy.
- Open Active Directory Users and Computers. Navigate to a device you performed a gpupdate on. Click the LAPS tab, and you should see information in there.
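The schema, permission and verification steps above as one script, added here as an example and not taken from the wiki. It assumes the Windows LAPS PowerShell module is available and you are running as a Schema Admin/Domain Admin; the domain, OU, group and computer names are placeholders. It goes one step beyond the procedure by scoping read/reset rights to a named group and auditing who can already read passwords, which is the check you want before widening the rollout.

```powershell
# Added example: prepare Active Directory for Windows LAPS and verify the result.
# Assumes the LAPS module is present (ships with supported Windows builds) and
# that the session runs as Schema Admin / Domain Admin.
#Requires -Modules LAPS

$DomainDn      = 'DC=CompanyName,DC=com'                  # placeholder domain
$TargetOu      = "OU=LapsTest,OU=Workstations,$DomainDn"  # placeholder OU holding the test machines
$HelpdeskGroup = 'CompanyName\LAPS-Password-Readers'      # placeholder group allowed to read passwords
$Computer      = 'LAB-WS01'                               # placeholder test computer

# 1. Extend the schema with the ms-LAPS-* attributes (one-time, per forest).
Update-LapsADSchema -Verbose

# 2. Let each computer under the OU write its own LAPS attributes.
Set-LapsADComputerSelfPermission -Identity $TargetOu

# 3. Grant a specific group read and reset rights rather than relying on
#    whoever already holds "All extended rights" on the OU.
Set-LapsADReadPasswordPermission  -Identity $TargetOu -AllowedPrincipals $HelpdeskGroup
Set-LapsADResetPasswordPermission -Identity $TargetOu -AllowedPrincipals $HelpdeskGroup

# 4. Audit: list every principal that can read LAPS passwords in this OU via
#    extended rights. Anything unexpected in this list is a finding to fix.
Find-LapsADExtendedRights -Identity $TargetOu |
    Format-Table ObjectDN, ExtendedRightHolders -AutoSize

# 5. After gpupdate on the test machine, confirm AD actually holds a password.
#    Without -AsPlainText the Password property is a SecureString.
Get-LapsADPassword -Identity $Computer -AsPlainText -IncludeHistory |
    Select-Object ComputerName, Account, PasswordUpdateTime, ExpirationTimestamp, Source
```

Run steps 1 and 2 once per forest/OU; repeat step 4 whenever the OU's delegation changes, since inherited extended rights silently grant password read access.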
Troubleshooting
If your LAPS tab is empty, try running the schema update again, then another gpupdate. I ran into this issue in my lab because I didn't know about the commands beforehand, and my LAPS tab was empty.
You can also check in the event viewer (Applications and Services > Microsoft > Windows > LAPS > Operational).
The errors in there were very helpful for identifying the issue.
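The same troubleshooting pass scripted from the client side, as an added example that is not part of the wiki. It assumes an elevated PowerShell session on the targeted workstation/server with the LAPS module present; the GPO registry path is the one documented for Windows LAPS policy and the output folder is a placeholder.

```powershell
# Added example: client-side checks for an empty LAPS tab. Run elevated on the
# targeted machine.

# 1. Refresh Group Policy and force an immediate LAPS processing cycle.
gpupdate /force | Out-Null
Invoke-LapsPolicyProcessing -Verbose

# 2. Show the settings the client actually received. GPO-delivered LAPS policy
#    lands under this key (assumed from the Windows LAPS policy documentation);
#    if it is missing, the GPO never applied to this machine.
$GpoKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\LAPS'
if (Test-Path $GpoKey) {
    Get-ItemProperty -Path $GpoKey
} else {
    Write-Warning "No LAPS policy key at $GpoKey; check security filtering and OU linkage."
}

# 3. Read the Operational channel, which is the same log as
#    Applications and Services > Microsoft > Windows > LAPS > Operational.
Get-WinEvent -LogName 'Microsoft-Windows-LAPS/Operational' -MaxEvents 30 |
    Sort-Object TimeCreated |
    Select-Object TimeCreated, Id, LevelDisplayName, Message |
    Format-Table -Wrap

# Errors and warnings only (Level 2 = Error, 3 = Warning) from the last day.
# -ErrorAction handles the "No events were found" case without failing.
Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-LAPS/Operational'
    Level     = 2, 3
    StartTime = (Get-Date).AddDays(-1)
} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message

# 4. Bundle logs and policy state into one folder for a support case.
Get-LapsDiagnostics -OutputFolder 'C:\Temp\LapsDiag'   # placeholder path
```

Typical findings: a missing policy key means a filtering/linking problem, while an applied key with schema or permission errors in the event log points back at Update-LapsADSchema and Set-LapsADComputerSelfPermission.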
References
- https://learn.microsoft.com/en-us/windows-server/identity/laps/laps-technical-reference
- https://learn.microsoft.com/en-us/powershell/module/laps/update-lapsadschema?view=windowsserver2025-ps
- https://learn.microsoft.com/en-us/powershell/module/laps/set-lapsadcomputerselfpermission?view=windowsserver2025-ps
- https://learn.microsoft.com/en-us/troubleshoot/windows-server/windows-security/windows-laps-troubleshooting-guidance
- https://learn.microsoft.com/en-us/windows-server/identity/laps/laps-overview