I literally just implemented this in our organization last week! Nice to have a way to still provide admin in offbeat scenarios (e.g., the device has no network/internet access and the fix requires privilege elevation). Also makes auditors happy that I can say the password is different for every device and can be rotated. Great stuff, Jonathan!
Nice work!
Do I get this right? You are using the default admin user when no network, using the last generated password?
Hi, in this example - the device is Entra ID joined….
Thank you Jonathan, very helpful video as always. I'd like to add that you will also need to push a configuration policy to enable the local admin.
Yes, you are right. I should’ve covered that in the video
Thank you! This very clearly showed me what I was failing to understand in LAPS!
Thanks Jonathan! We'll be completing a migration from on-prem AD to Entra/M365 in the next few weeks and so many of your videos are proving invaluable as we prepare for the move. Please keep them coming!
I'm pleased you find them useful. I hope the migration goes well.
What about the creation of the local admin account? LAPS works fine only if the local account exists. If the local account does not exist, LAPS won't create it and therefore won't work.
@@EricDyott If you retain the default name of the local admin account, is this step unnecessary?
@AdamskiHamski We want to avoid using the default "Administrator" account and prefer to use a custom account name like "ITAdmin". When deploying systems with Autopilot, where IT does not physically interact with the machines, LAPS is ineffective as the account was never created on the device. We are considering using PowerShell to establish the local account, but this approach presents its own challenges.
Yes, if you want to create an admin account with a different name to the built-in admin account, then you'd need to create that account first. That is my understanding.
@5:17 "Note if a custom managed local administrator account name is specified in this setting, that account must be created via other means. Specifying a name in this setting won't cause the account to be created."
Yes…. That’s right
Super Helpful - Thanks Jonathan!
The passwords LAPS creates are pretty crazy and hard to type in. Using copy and paste would be useful for elevated UAC prompts, but it looks like Windows doesn't allow you to paste in the UAC window - any ideas?
If I have remote users, and they're all on Autopilot, what would be the use for LAPS? Hope to hear from you; I know this is a little late, 5 months on.
Love this. Do you have a video for enabling BitLocker automatically within Intune?
@chriso1523 Not yet.
Very helpful video! Also, I appreciated the fewer "whoosh" sounds with the animations. They freak out my dog (totally not your problem, but it was very much appreciated).
Great video!
One question:
When we have the local admin password in Intune, is there a way or workflow to share it with a user?
Let's say that the user needs to install an app and needs admin privileges - what will happen then?
Not with LAPS, but there is another feature in M365 that can do this….. I’ll create a video soon.
@bearded365guy What's that video?
You talk in your video about setting the "Global administrator role is added to local administrator..." to No, but you left the registered user being added as a local administrator. Shouldn't that be set to None? Doesn't having the registered user as a local administrator defeat the purpose of LAPS?
Yes, you can change this to NONE or SELECTED and choose a user. It’s the account you’re using to add the device to Entra ID.
Another amazing video - I learned some stuff.
This was an excellent explanation. The best I have seen by some margin!
Thank you.
I have to ask 2 questions that I think I might have problems with if I enable LAPS.
1. I have the local admin disabled as an account, what will happen then?
2. As of now, with Azure security baselines enabled, people do not get a pop-up asking for a username/password to install something, it just says denied, goodbye.
What would you recommend here?
Yes, we need the local admin enabled! I don’t quite understand your second question….
@bearded365guy
Well, LAPS is in case the user needs local admin rights temporarily, right?
So you want a Windows pop-up asking for the local admin username and password if a user runs something that requires privilege. But in Azure, at least on a few laptops I have, I don't get that pop-up to enter the local admin user info, I just get denied.
For the first issue, LAPS will still rotate the passwords for the local administrator even though no one will be able to use it. What I did in my environment was create a configuration profile that enables the local administrator for all devices.
I created a different user as to not enable the default admin (a security risk, but admittedly mitigated if LAPS is implemented well (password rotation)). But that does create extra work and is probably untenable for large organizations as creating a user on 100s/1000s of devices would be a lot of work without good automation tools. As to the second question, sounds like a GPO is in place to make UAC the most stringent. Ours is set to prompt for an admin account when privilege escalation is needed.
I've used PowerShell to install my local admin before or sometimes after Autopilot runs.
2. In security baselines there is a setting to allow elevations. I ran into this before when first starting, so a little bit of tweaking helped.
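The thread above mentions two prerequisites that the video did not cover: a custom-named local admin (the 5:17 note says LAPS will not create it) and the built-in account being enabled (otherwise LAPS rotates a password nobody can use). This is an added example, not code from the video or from any commenter, of scripting both steps so they can be run repeatedly, for instance as an Intune platform script running as SYSTEM before or after Autopilot. The account name ITAdmin is the one suggested earlier in the thread; everything else (running as SYSTEM, the LAPS policy already pointing at that account name, the Invoke-LapsPolicyProcessing cmdlet being present on the build) is an assumption.

```powershell
# Added example (not from the video): make sure the local admin account that
# Windows LAPS will manage exists, is enabled, and is in the local Administrators
# group. Idempotent, so it is safe to assign to every device and run repeatedly.
# Assumptions: runs as SYSTEM; the LAPS policy's "Administrator account name" is
# set to $AccountName; the interim password set here is throwaway, because LAPS
# replaces it on its next policy cycle and never reuses it.

[CmdletBinding()]
param(
    [string]$AccountName = 'ITAdmin'   # must match the name configured in the LAPS policy
)

$ErrorActionPreference = 'Stop'

# Build a throwaway interim password from a CSPRNG. Nothing records it: its only
# job is to let the account be created without a blank or predictable password.
function New-InterimPassword {
    $bytes = [byte[]]::new(32)
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $rng.GetBytes($bytes)
    $rng.Dispose()
    # Base64 of 32 random bytes is ~43 characters of mixed case, digits and symbols.
    return ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
}

$user = Get-LocalUser -Name $AccountName -ErrorAction SilentlyContinue
if (-not $user) {
    $user = New-LocalUser -Name $AccountName `
        -Password (New-InterimPassword) `
        -Description 'Local admin managed by Windows LAPS' `
        -PasswordNeverExpires -AccountNeverExpires
    Write-Output "Created local account '$AccountName'."
}
elseif (-not $user.Enabled) {
    # The case raised in the thread: a disabled account still gets rotated,
    # but it is unusable until it is enabled.
    Enable-LocalUser -Name $AccountName
    Write-Output "Enabled existing local account '$AccountName'."
}

# Add to the built-in Administrators group by its well-known SID so the script
# does not depend on the group's localized display name.
$adminsSid = 'S-1-5-32-544'
$isMember = Get-LocalGroupMember -SID $adminsSid -ErrorAction SilentlyContinue |
    Where-Object { $_.SID -eq $user.SID }
if (-not $isMember) {
    Add-LocalGroupMember -SID $adminsSid -Member $user
    Write-Output "Added '$AccountName' to the local Administrators group."
}

# Ask the LAPS client to re-read policy now instead of waiting for the next
# scheduled cycle, at which point LAPS takes ownership of the password.
# Assumption: Invoke-LapsPolicyProcessing from the built-in LAPS module is
# available; if not, the account is still in place and LAPS picks it up later.
if (Get-Command Invoke-LapsPolicyProcessing -ErrorAction SilentlyContinue) {
    Invoke-LapsPolicyProcessing
}
```

The interim password is deliberately never written anywhere: the point of the script is only to get the account into the state LAPS expects, after which the only copy of the real password lives in Entra ID. Keeping the default built-in Administrator disabled while LAPS manages a differently named account is the trade-off described above in this thread.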
Thanks for the great video, may I know which kind of license I need to purchase for this policy? Is Business Standard sufficient?
LAPS is available for use with all Microsoft Entra licenses, including Microsoft Entra ID Free that comes with Business Basic and Standard, however, devices making use of LAPS must be Domain Joined (i.e. not just Domain Registered) so your users need to be signing into Entra ID or Entra Hybrid ID.
As David said…… Get Business Premium and your life is good.
Excellent, thanks
Great, thanks a lot
If you are in the desktop support team and are physically in front of a user PC to install software, and have a policy of, say, a minimum password length of 30 under Windows LAPS, how do you get the admin password from Intune when prompted? Thinking practically here…
You are practically thinking….. but if everyone in the desktop support team knows the password for the admin for each device, then it’s probably not as secure as it could be.
Microsoft 365 Admin app??
@bearded365guy No, I'm not suggesting the password be known, as that contradicts why you are doing LAPS in the first place (I couldn't remember a 30 or 64 character alphanumeric with symbols anyway), but imagine you are the techie needing to go and get the password from Intune. How do you best do that and maintain security? Not a theoretical exercise. Oh, and the admin password is not accessible if, say, you install the M365 Admin app on an iPhone. That app is close to useless.
It’s something to consider…
@rickbellaus Intune (Endpoint Manager) is just a website, and can be accessed just as easily in a mobile browser as in a laptop/desktop browser. OK, it would be a pain copying 30 characters from one screen to another, but you'd have the password you needed right in front of you, and still securely accessed.
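The exchange above asks how a technician retrieves the LAPS password without the browser or the mobile admin app. As an added example (not the video's or any commenter's code), here is the same retrieval from a PowerShell session through the Windows LAPS module's Microsoft Graph integration, with the least-privilege scopes and a clipboard that clears itself. The device name and the clipboard timeout are assumptions; the cmdlets and Graph permission names are the ones documented for Windows LAPS and the Microsoft Graph PowerShell SDK, and the caller is assumed to hold a directory role that is allowed to read device local credentials.

```powershell
# Added example (not from the video): fetch the LAPS-managed password for one
# Entra-joined device through Microsoft Graph, hold it briefly on the clipboard
# for pasting, then clear it. Needs the built-in LAPS module plus
# Microsoft.Graph.Authentication and Microsoft.Graph.Identity.DirectoryManagement.
# Assumptions: the caller's role may read local credentials; $DeviceName is the
# Entra display name of the device and is supplied by the technician.

param(
    [Parameter(Mandatory)][string]$DeviceName,
    [int]$ClipboardSeconds = 60
)

# Least-privilege scopes: Device.Read.All resolves the name to a device object,
# DeviceLocalCredential.Read.All returns the password itself
# (DeviceLocalCredential.ReadBasic.All would return only metadata such as expiry).
Connect-MgGraph -Scopes 'Device.Read.All', 'DeviceLocalCredential.Read.All' -NoWelcome

$device = @(Get-MgDevice -Filter "displayName eq '$DeviceName'" -ErrorAction Stop)
if ($device.Count -eq 0) { throw "No Entra device named '$DeviceName'." }
if ($device.Count -gt 1) { throw "Name '$DeviceName' is ambiguous; use the device ID instead." }

# Get-LapsAADPassword reuses the Graph session opened above. Without -AsPlainText
# the Password property comes back as a SecureString.
$cred = Get-LapsAADPassword -DeviceIds $device[0].DeviceId -IncludePasswords -AsPlainText

# Show the metadata the technician should check (which account, how fresh,
# when it expires) but never echo the secret to the console or a transcript.
[pscustomobject]@{
    Device  = $cred.DeviceName
    Account = $cred.Account
    Updated = $cred.PasswordUpdateTime
    Expires = $cred.PasswordExpirationTime
} | Format-List

Set-Clipboard -Value $cred.Password
Write-Host "Password is on the clipboard for $ClipboardSeconds seconds. Ctrl+C clears it early."
try {
    Start-Sleep -Seconds $ClipboardSeconds
}
finally {
    # Clear the clipboard whether the timer ran out or the user interrupted.
    Set-Clipboard -Value ' '
    $cred = $null
}
```

Two practical notes on the design: the password is copied rather than displayed so it does not land in console history or a transcript, and the clipboard is wiped in a finally block so an interrupted session does not leave it behind. The secure desktop that UAC uses does not share the ordinary clipboard, which is why the paste problem raised earlier in this thread remains for elevation prompts even though it works for run-as and remote desktop credential dialogs. Every read through this path is recorded in the Entra audit log, which is the control the thread's "everyone on the team knows the password" concern really depends on.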
How can I remove all the current local admins?
@6:36 -
1. How do you see why the device is noncompliant?
Is there a "see why" button or option?
Bro get this, DOUBLE CLICK on the entry. There is no hyperlink visual context.
@Wahinies LOL, I did try that, but nothing happened. The only thing that can be clicked on is the device name, as can be seen in blue @6:50 in this video.
Drat, I missed a step. Yeah, I think it's click on the device, then device compliance status, then there is the list that responds to double click. Every time I have had to troubleshoot compliance it's this process.
Thank you!
@bearded365guy It would be nice if there was a way for LAPS inside Entra to sync with Azure AD (on-premise) LAPS. This way I could give my team Global Admin read-only access to view the admin password for any machine when needed.
@8:42 -
Did you change the wrong local admin settings?
- Just like a locally domain-joined PC, the domain admin is added to the local admin group. This allows any of the domain administrators to log into that device and fix any problems.
- What you don't want, and the reason for LAPS, is to give the local user administrative access to the device, and that is what the policy you created in the video does.
I watched this video multiple times to see if I missed the part where you disable the local user as administrator option. Normally the user that registered the device is the one that will be using the device. So, giving them admin privileges defeats the LAPS solution.
@6:36 -
2. How do you make/force the device to be compliant?
It depends on the policy or condition affecting it, and even then, after the condition is remediated, it can take five minutes to HOURS for it to reflect. It's one of the worst parts of Intune management.
You can't 'force' a device to be compliant, it either is or it isn't based on your compliance policy. If you mean how do you update device compliance details, you can either pull a 'Sync' via Endpoint Manager, or push a 'Sync' using the Company Portal app.
What a fantastic attack vector for an organisation!! Built for hackers, powered by Microsoft 😉 Interesting topic and a great video.
LAPS is a fantastic attack vector? I'm not sure I agree. LAPS allows a pretty frequent password rotation, so unless your M365 is hacked (at which point you're likely really screwed anyway), it certainly beats doing nothing or leaving the default admin enabled. I realize there are solutions like CyberArk that would be superior, but I think LAPS strikes a good balance, particularly if you already have Business Premium.
@robertneal1973 All IT systems rely on users trusting suppliers to develop secure solutions, therefore, assuming that LAPS is secure, I agree with your point - having different and rotating passwords per machine is more secure than a 'master password'. My point is based on the possibility of a vulnerability being found, per almost every hack ever hacked. An 'over-the-wire' system for controlling local administrator access is a prime target for hackers. Imagine: one PC becomes infected with a RAT, from there the hacker can arp-scan the network to get IPs, sniff the network for LAPS communications to extract security information and then develop a suitable man-in-the-middle API call to reset local admin passwords. This would simply not be possible if the LAPS system did not exist, and hence my point that this is a fantastic attack vector for hackers. Of course, if the system is secure, there's nothing to worry about, but I'm sure that every systems administrator / designer on the planet would say that their system is secure until proven otherwise (SolarWinds, WannaCry, Log4Shell ...)
What happens if Intune goes down? How do you get the password?
You don't.
The password is not stored in Intune, but it is in Entra ID.
@benjamintestart So are you telling me if the internet goes down I won't be able to log in to the local admin account? Hmmmm....
How often does your internet go down? LAPS might not be suitable in your environment if you don't have a consistent internet connection.
Agree with the comments, it's a risk for sure, but should be generally an outlier while there's tons of upside.
I'm just one person, does it matter?
Does what matter? I'm a one person IT shop, if that's what you're asking. LAPS is great!