Very helpful - thank you
Great video, but was good to make a recap at the end to understand if that last "Enable local admin password management" policy is actually required :)
Thank you for the walk-through. As a previous poster said: Please don't edit your videos unless you really need to or the wait would be too long! The good stuff comes from you coursing through the level of working it out.
Also (and maybe this is already in your pipe) I think there would be value in adding a video where you explore the Org. messages feature in Intune. Albeit not that technically difficult it is a really nice feature (especially the Get Started app customization) that I completely missed up until the other day!
Keep on doing what you do - you do it very well!
Thank you for the clear steps guidance. It really helped.
You're wrong Steven, it was the April update that introduced Windows LAPS as far as I know.
I've enabled it a few weeks ago for my Windows 11 machines that we want to start rolling out in August on all our new machines, and that rollout will be the first step in ditching on-prem AD for our client devices. I wanted to go pure Azure AD joined, but some internal constraints still require me to domain join those machines. Although they do end up in an OU where inheritance is disabled and just a handful of GPOs are linked back in.
I love the new Windows LAPS, finally an easy way to rotate the password and ensure it works, even if there is no line of sight to your domain controllers and an interface that is less complex and, I assume, more easy to audit.
For the complexity, I did not include the special characters, but I did increase the length, as my helpdesk didn't like it when they had to spell out the password in a rare case where the user had to regain access to the laptop before being able to start up the VPN to sync up the reset password (no pre-login VPN available at the moment).
The one thing I have not looked at yet, what if you have a GPO active for the old LAPS and then enable Windows LAPS, who will take priority? Anyone know? Or is it best that if I want to go that route that I do ensure the CSE is uninstalled and the GPO is gone?
From your experience how quickly do the rotated/new passwords sync to Intune? Would be nice to have the password reset after every logon, but if it takes a while for the new password to go onto the Intune portal then I could imagine how annoying it would be for the helpdesk.
@RR-lb2dt it should be minutes, if the machine is properly connected and Intune isn't taking its sweet time to replicate the information in the background.
But note that you can't automatically reset after every logon. The automated rotation happens time based, you can set it to expire 1 hour after logon, but that's the closest you'll get to avoid abuse.
If you want your users to be able to execute tasks as admin, start looking at something like EPM.
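Picking up the reply above about sync timing and forced rotation, here is an added PowerShell example that is not from the video or from any commenter. It assumes the Windows LAPS PowerShell module (`Get-LapsAADPassword`, `Reset-LapsPassword`, `Invoke-LapsPolicyProcessing`) and the Microsoft Graph PowerShell SDK are installed; the `Get-FreshLapsPassword` function, the `MaxAgeMinutes` threshold and the device name are my own constructions.

```powershell
# Added example (not from the video or the comments): a helpdesk-side check of
# how fresh the Windows LAPS password stored in Entra ID is, so support can tell
# whether the latest rotation has synced yet, plus the device-side commands that
# force a rotation instead of waiting for the post-authentication delay.

# --- Helpdesk side: run from a workstation with the LAPS and Graph modules ---
# Permissions assumed: Device.Read.All to resolve the device, and
# DeviceLocalCredential.Read.All to read the actual password (not just metadata).
Connect-MgGraph -Scopes 'Device.Read.All', 'DeviceLocalCredential.Read.All'

function Get-FreshLapsPassword {
    param(
        [Parameter(Mandatory)] [string] $DeviceName,
        # Constructed threshold: older than this and we warn that the device may
        # have rotated again without Intune/Entra having received the new value.
        [int] $MaxAgeMinutes = 15
    )
    # Resolve the display name to the Entra device ID (DeviceId, not the object Id).
    $device = Get-MgDevice -Filter "displayName eq '$DeviceName'" | Select-Object -First 1
    if (-not $device) { throw "No Entra device named '$DeviceName'" }

    # Without -IncludePasswords -AsPlainText only metadata is returned, which is
    # enough for the freshness check alone.
    $cred = Get-LapsAADPassword -DeviceIds $device.DeviceId -IncludePasswords -AsPlainText

    # Assumption: PasswordUpdateTime/PasswordExpirationTime are DateTime values;
    # compare in UTC to avoid a time-zone skew in the age calculation.
    $age = (Get-Date).ToUniversalTime() - $cred.PasswordUpdateTime.ToUniversalTime()

    [pscustomobject]@{
        Device            = $cred.DeviceName
        Account           = $cred.Account
        Password          = $cred.Password
        UpdatedMinutesAgo = [math]::Round($age.TotalMinutes)
        ExpiresAt         = $cred.PasswordExpirationTime
        MaybeStale        = $age.TotalMinutes -gt $MaxAgeMinutes
    }
}

Get-FreshLapsPassword -DeviceName 'LAPTOP-EXAMPLE01'   # constructed device name

# --- Device side (elevated), e.g. right after support has used the password ---
# Re-read the CSP/GPO policy and rotate now rather than waiting for the
# PostAuthenticationResetDelay timer that the reply above describes.
#   Invoke-LapsPolicyProcessing
#   Reset-LapsPassword
```

The new password only becomes visible to `Get-FreshLapsPassword` once the device has backed it up to Entra, so `MaybeStale` is the signal the helpdesk wants before reading a value out to a user.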
Windows LAPS is supported since the April Updates. It's been running really well so far.
Great lesson...
Great video guys! So it was not showing any password in the beginning because of the second setting you enabled in the settings catalog option? I understood: first step azure, second settings catalog with the two options and third the laps policy? 🙏
@intune training; great video as always 😊 the policy does not activate/enable the administrator account right?!
As by default the administrator account is disabled, isn't leaving the account disabled a better security solution? Isn't just adding an (additional) local administrator from Intune a simpler solution?!
Just looking for a best practice 😊
Your instructional videos are amazing. Qq. When you created the Windows LAPS group, is this group user specific or device specific?
Should be a device group.
I used a user group, and it worked for me.
This is excellent, however Steve, your audio is hard to make out. Maybe if your audio could be recorded separately from the video call. I don't know if it's the compression or just your mic.
Hey gents, as you stated you cannot run this together with on-premise LAPS, do you perhaps have a guide I can use to remove the current on-premise LAPS setup and only set up the Azure LAPS? Your assistance would be greatly appreciated.
This is how we migrated in prod
learn.microsoft.com/en-us/windows-server/identity/laps/laps-scenarios-deployment-migration
Never knew about .\NAME, I've always done localhost\
**The more you know**
Here's another top tip: you wanna ping localhost to see if your network stack is still functional? Ping 127.1
It works for me, but I did enable the local admin account from Computer Management! In this case is that correct?
Is there any way an end user can access his LAPS password from a portal? Or is it the Cloud LAPS with Enterprise App scenario?
Why would you want end users to be able to access the password? Then you might as well simply give them an account to play with like in the good old days. The goal is to have an account available in case of emergency. When things go wrong.
Thanks @Hans-gb4mv, I am working with a client now; they have a handful of developers who need the local admin password from time to time. But for Sec Ops and other compliance's sake, he wants to use LAPS as a solution, with these developer users accessing their local admin password on an on-demand basis. Unless you suggest any other best method to achieve this?
Also a quick question - what is the best practice/method? 1. using the non-licensed user account for admin access? or 2. LAPS?
@krishnap2k3 if compliance is key, I would look at a proper privilege management solution so that you can limit the applications that can be run in a privileged context and get logging on when they were executed that way. Microsoft released EPM some months ago which can accomplish this, but it is still missing one key component at this moment imho that they are working on, namely the option to request for an application to be executed to your support team. You can also find other solutions out there that work in a similar fashion if you want to have a look outside of Intune. None of those solutions are free, but if it is just a handful of people, Microsoft's EPM isn't that expensive.
If it really must be something like LAPS and you don't want people to have admin access at random times, all the time then those people will have to contact someone in IT support every single time to get the latest LAPS password.
Where in the policy do you set the username?
Can you set a specific password?
Why a Windows LAPS group and not assigned to all devices?
Assigning any policy to all devices is bad practice. Instead, you should have a dynamic group with all devices in it. However, I would assign my policies to user groups rather than device groups. There are scenarios with iPhone and Android where you want to use device groups, but this is a discussion for another time.
It would be good if Intune can extend this to macOS too.
Plz don’t edit the videos. That’s the best learning time. Especially as I follow along in my lab 😊