Let’s look at an easy way to enable Intune LAPS (Local Administrator Password Solution) in the Endpoint Manager portal. I’m excited about the free community tools available for Intune. This is one of the hottest topics within the organization. LeanLAPS uses the Proactive Remediation feature of Intune to implement LAPS.
Jos Lieben, Freelance Azure & M365 DevOps Engineer, is here to help organizations implement the lightweight LAPS (Local Administrator Password Solution) for Microsoft Endpoint Manager Intune. Let’s use this community LAPS solution to automatically manage local administrator passwords for Azure AD joined Windows 10 computers.
The initial idea for this solution came from Rudy Ooms 🇱🇺, Microsoft MVP Enterprise Mobility, and he worked with Jos to fix some of the critical bugs in this solution. Read more about it in his blog post THE LAPS: RELOADED / REVOLUTIONS.
NOTE! – Check the copyright details before you start using it in your organization – copyright: 2021, Jos Lieben, Lieben Consultancy, not for commercial use without written consent.
Introduction
Generally, LAPS simplifies password management and helps customers implement the recommended defenses against cyberattacks. The Intune Lightweight LAPS (LeanLAPS) solution mitigates the risk of lateral escalation that results when admins use the same local administrative account and password combination on all Windows 10 computers.
Jos built a lightweight LAPS solution for Intune with the help of the Intune Proactive Remediation feature. I have a post that explains Deploy Proactive Remediation Script Using Intune in a bit more detail.
NOTE! – You need to change the user name & password in the LeanLAPS.ps1 script before uploading it to your Intune environment. Also, a fix has already been included that removes the password log from the registry after it is written by IME.
Easy Way to Enable Intune LAPS | Local Administrator Password Solution
The first step is to download the LeanLAPS PowerShell script from GitLab. You can download the script using the RAW option with the following link.
https://gitlab.com/Lieben/assortedFunctions/-/raw/master/leanLAPS.ps1

Start Intune LAPS Implementation
Let’s create a Proactive Remediation script deployment for the Intune Local Administrator Password Solution using the LeanLAPS script downloaded above. Follow these steps:
- Launch the endpoint.microsoft.com portal.
- Navigate to Reports – Endpoint Analytics.
- Click on Proactive Remediation.
- Click the + Create script package button.

Upload the LeanLAPS.ps1 script downloaded above to the MEM Intune portal.
Enter the Name and Description (Intune Lean LAPs). Click on the NEXT button.

Now, use the PowerShell script (LeanLAPS.ps1) that you downloaded using the RAW link in the section above. Create a custom script package from scripts you’ve written. By default, scripts will run on assigned devices every day.
- Detection script file -> Upload LeanLAPS.ps1
- Remediation script file -> Upload LeanLAPS.ps1
NOTE! – Make sure that you have selected 64 – Run script in 64-bit PowerShell.

Frequency of Password Change – Intune LAPS
Let’s understand how to set the Frequency of Password Change in Intune LAPS setup.
From the Assignment tab in the MEM Intune admin portal, select the Azure AD DEVICE group (Jos mentioned that the user group is not going to work). Once the device group is selected, click on … (the three dots option) and then on the EDIT button.

NOTE! – You can change the frequency of the password change as per your organizational requirement. The Intune Proactive Remediation feature controls how often the password is reset.
- Use the Frequency drop down option – Hourly or Daily options.

Further Configurations and Tips
Now, the LeanLAPS solution is ready to use. However, it’s important to check the blog post from Jos Lieben linked below, so that you have an option for end-to-end life cycle management of local admin passwords.
Make sure you have selected the additional columns from Device Status to get the latest password details.
- Pre-remediation detection output
- Post-remediation detection output
https://www.lieben.nu/liebensraum/2021/06/lightweight-laps-solution-for-intune-mde/
NOTE! – Security requirements should be looked at from your organization’s security perspective before implementing this LAPS solution.
Resources
https://howtomanagedevices.com/intune/1535/deploy-powershell-script-using-intune/
Great Article
Very Informative
Excellent contribution, thank you very much.
I have a question: in some machine logs I am getting the message REDACTION. What does this mean?
I also got “REDACTED” on some computers instead of the password. Any feedback?
Hi, very interesting.
I followed all the steps… the post-remediation output gave me the new password, and in the event viewer everything is OK, but the local admin password is not actually changed… Any suggestion?
Thanks
Hey – I think it is better to contact the owners of the script/solution via GitHub etc…
The logging for the remediation output posted back to Intune is written in plain text to C:\ProgramData\Microsoft\IntuneManagementExtension\Logs\AgentExecutor.log, which has NTFS ACLs as Everyone\RW and Users\RO; you can confirm for yourselves in the event our laptops are special. If so, probably a bit too risky for untrustworthy local non-admins!
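A read-only way to confirm the ACL concern raised in the comment above on your own devices. This is an added example, not part of the comment or of LeanLAPS; the function name Get-BroadLogAccess is hypothetical, and the default path is the one quoted in the comment.

```powershell
# Added example: list broad (non-admin) principals that can read or write
# the Intune Management Extension log. It only reads the ACL, never the log.
function Get-BroadLogAccess {
    [CmdletBinding()]
    param(
        # Path as quoted in the comment above; override to check another log.
        [string]$Path = 'C:\ProgramData\Microsoft\IntuneManagementExtension\Logs\AgentExecutor.log'
    )

    # Well-known SIDs, so the check works on non-English Windows builds.
    $broadSids = @{
        'S-1-1-0'      = 'Everyone'
        'S-1-5-11'     = 'Authenticated Users'
        'S-1-5-32-545' = 'BUILTIN\Users'
        'S-1-5-4'      = 'INTERACTIVE'
    }
    $readBit  = [int][System.Security.AccessControl.FileSystemRights]::ReadData
    $writeBit = [int][System.Security.AccessControl.FileSystemRights]::WriteData

    $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop
    # Request explicit and inherited rules with identities expressed as SIDs.
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])

    foreach ($rule in $rules) {
        $sid = $rule.IdentityReference.Value
        if ($rule.AccessControlType -ne 'Allow') { continue }   # Deny ACEs do not grant access
        if (-not $broadSids.ContainsKey($sid))   { continue }   # only broad groups are of interest

        $canRead  = (([int]$rule.FileSystemRights) -band $readBit)  -ne 0
        $canWrite = (([int]$rule.FileSystemRights) -band $writeBit) -ne 0
        if ($canRead -or $canWrite) {
            [pscustomobject]@{
                Principal = $broadSids[$sid]
                Read      = $canRead
                Write     = $canWrite
                Inherited = $rule.IsInherited
            }
        }
    }
}

$log = 'C:\ProgramData\Microsoft\IntuneManagementExtension\Logs\AgentExecutor.log'
if (Test-Path -LiteralPath $log) {
    $findings = @(Get-BroadLogAccess -Path $log)
    if ($findings.Count -gt 0) { $findings | Format-Table -AutoSize }
    else { 'No broad read/write entries found on the log ACL.' }
} else {
    "Log not found at $log (device may not be Intune managed)."
}
```

Any row in the output means standard users on that device can read or write the file that receives the remediation output, which is the exposure the comment describes.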