Deleted,
>>since ADPasswordEncryptionPrincipal is missing in Endpoint security > account security policy,
>>do I assume correctly this one needs to be added via custom CSP policies and this AD (Entra AD synced) group need the correct permissions?
If you are trying to backup passwords to the cloud (Entra), then the answer is no. There are multiple on-premises AD-specific settings provided which are only applicable when backing passwords up to on-premises AD. When you are backing passwords up to Entra (via the Backup Directory setting in Intune), these settings are hidden from you. So if I am understanding your question correctly, this is expected behavior. Note that password retrieval authorization is managed differently (via RBAC, etc.) when passwords are backed up to Entra. Also there is no way to store a non-encrypted password to Entra - the data is always protected.
>>I do not see the password in devices > deviceid > local admin password. Have not checked Eventlog yet.
Please also make sure you have enabled Windows LAPS in your tenant's Devices configuration blade. This is a one-time, additional directory preparation step that is required when backing passwords up to Entra. You can find the instructions here:
Enabling Windows LAPS with Microsoft Entra ID
Make sure that is enabled, then wait an hour to see if the device(s) are now able to successfully update their passwords to Entra.
If it is still not working at that point, please run the Get-LapsDiagnostics cmdlet on one of the afflicted devices and PM me the resultant zip file.
Thx,
Jay
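The checks Jay walks through above (confirm the device is actually policied for Entra backup, look at the LAPS event log, then collect diagnostics) can be scripted so the same evidence is gathered on every affected device. The script below is an added example and is not part of Jay's reply or Microsoft's own tooling. It assumes the Windows LAPS policy registry path `HKLM:\Software\Microsoft\Policies\LAPS` with the `BackupDirectory` value (0 = disabled, 1 = Entra, 2 = on-premises AD), the `Microsoft-Windows-LAPS/Operational` event log, and the `Get-LapsDiagnostics` cmdlet from the built-in `LAPS` module; the `-OutputFolder` parameter and the output folder name are assumptions for this example.

```powershell
# Added example (not from the original post): gather the Windows LAPS state a
# support engineer would want before escalating an Entra backup problem.
# Run elevated on the affected device.

$PolicyPath   = 'HKLM:\Software\Microsoft\Policies\LAPS'   # assumed CSP/GPO policy location
$OutputFolder = Join-Path $env:TEMP 'LapsTriage'            # assumed output location

New-Item -ItemType Directory -Path $OutputFolder -Force | Out-Null

# 1. Which backup directory is the device actually policied for?
#    0 = disabled, 1 = Entra (Azure AD), 2 = on-premises AD. Missing value = no policy applied.
$backup = (Get-ItemProperty -Path $PolicyPath -ErrorAction SilentlyContinue).BackupDirectory
switch ($backup) {
    1       { Write-Host 'BackupDirectory = 1 (Entra): AD-only settings are expected to be hidden/ignored.' }
    2       { Write-Host 'BackupDirectory = 2 (on-prem AD): Entra retrieval will not work with this policy.' }
    0       { Write-Warning 'BackupDirectory = 0: Windows LAPS backup is disabled by policy.' }
    default { Write-Warning 'No BackupDirectory policy found: the Intune/CSP policy has not reached this device.' }
}

# 2. Pull recent LAPS warnings and errors; these usually name the failing step
#    (for example, Entra tenant not prepared for LAPS, or the device not yet joined).
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-LAPS/Operational'
    Level     = 2, 3          # 2 = Error, 3 = Warning
    StartTime = (Get-Date).AddDays(-1)
} -ErrorAction SilentlyContinue

if ($events) {
    $events |
        Select-Object TimeCreated, Id, Message |
        Sort-Object TimeCreated |
        Format-Table -AutoSize -Wrap |
        Out-File -FilePath (Join-Path $OutputFolder 'laps-events.txt')
    Write-Host "Found $($events.Count) LAPS warning/error events; saved to $OutputFolder\laps-events.txt"
} else {
    Write-Host 'No LAPS warnings or errors in the last 24 hours (check that the policy has applied at all).'
}

# 3. Collect the diagnostics package Jay asks for. Get-LapsDiagnostics is part of the
#    in-box LAPS module; -OutputFolder is assumed here to pick where the zip is written.
Import-Module LAPS -ErrorAction Stop
Get-LapsDiagnostics -OutputFolder $OutputFolder

Write-Host "Diagnostics and event summary written to $OutputFolder; share only through a private channel."
```

Step 1 is the one that most often explains the "I cannot see the password in the portal" symptom: if the device was never policied for BackupDirectory = 1, nothing will ever be written to Entra regardless of the tenant-side LAPS switch. Step 2 is the on-device view that complements the portal, and step 3 produces the zip that the engineer needs for anything the first two do not resolve.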