Forum Discussion

guymarshall
Copper Contributor
Jul 04, 2023

Intune LAPS password

I've followed the guide for using Intune to deploy LAPS on Azure AD enrolled devices. The passwords show on the portal for each device, but they don't seem to work when attempting to "run as admin" on any device.


Initially I used the default Administrator name, but changed this on reading some posts which suggested it might cause a conflict. The new admin name is reflected in the Registry Editor on the local devices. However, the LAPS passwords still do not work.


For one machine, I tried rotating the password, but it has been stuck at pending for a week. Other Intune activities (e.g. running Device Diagnostic) work as expected, but the LAPS passwords still don't work on any device.


I looked in the device Event Viewer > Applications and Services > Microsoft > Windows > LAPS > Operational, and noticed there are Error 10013 events: "LAPS failed to find the currently configured local administrator account". I am unsure from https://learn.microsoft.com/en-us/troubleshoot/windows-server/windows-security/windows-laps-troubleshooting-guidance#event-id-10013 how to actually resolve this. The only admin account showing in cmd > "net user" is WDAGUtilityAccount (i.e. not even the user account which enrolled the device, which is also an admin by default). Should I manually create a new admin account with the name LAPS expects to find?


Any ideas?


Thanks in advance, Guy


3 Replies

  • tschlappinger
    Brass Contributor
    You could use a remediation script to check if the "admin" user is present on the machine and if it is not, then the script creates the user.

    The detection script detects whether the Windows LAPS user already exists, and the remediation script creates the user and adds it to the Local Administrators group.

    This is a German article, but the procedure is still recognizable.
    https://www.m365simple.de/posts/intune_laps_remediation/
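    One way to implement the detection/remediation pair described above, as an added example that is not code from the thread or the linked article. It assumes the account name configured in the Intune LAPS policy is the placeholder "LapsAdmin" (substitute your own) and that the scripts run as SYSTEM in a 64-bit PowerShell host.

```powershell
# Added example, not from the thread or the linked article.
# $LapsAccountName is a placeholder: it must match AdministratorAccountName
# in the Intune LAPS policy, because Windows LAPS does not create the account.
$LapsAccountName = 'LapsAdmin'

function Test-LapsAccount {
    param([string]$Name)
    # Compliant only if the account exists AND is a local Administrators member.
    $user = Get-LocalUser -Name $Name -ErrorAction SilentlyContinue
    if (-not $user) { return $false }
    # Members are reported as "COMPUTER\user", so match on the trailing name.
    $members = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue
    return [bool]($members | Where-Object { $_.Name -like "*\$Name" })
}

function New-LapsAccount {
    param([string]$Name)
    if (-not (Get-LocalUser -Name $Name -ErrorAction SilentlyContinue)) {
        # Seed with a throwaway random password from a CSPRNG. Windows LAPS
        # rotates it on the next policy cycle, so nobody needs to know or store it.
        $bytes = New-Object byte[] 32
        [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
        $seed = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
        New-LocalUser -Name $Name -Password $seed -PasswordNeverExpires `
            -AccountNeverExpires -Description 'Managed by Windows LAPS' | Out-Null
    }
    # Idempotent: adding an existing member only raises a suppressed error.
    Add-LocalGroupMember -Group 'Administrators' -Member $Name -ErrorAction SilentlyContinue
}

# In Intune these are uploaded as two scripts. Detection script body:
#   if (Test-LapsAccount -Name $LapsAccountName) { exit 0 } else { exit 1 }
# (exit 1 = non-compliant, which triggers the remediation script.)
# Remediation script body, re-checking so Intune reports the true end state:
#   New-LapsAccount -Name $LapsAccountName
#   if (Test-LapsAccount -Name $LapsAccountName) { exit 0 } else { exit 1 }

# Stand-alone run of the same flow for local testing:
if (-not (Test-LapsAccount -Name $LapsAccountName)) { New-LapsAccount -Name $LapsAccountName }
if (Test-LapsAccount -Name $LapsAccountName) { exit 0 } else { exit 1 }
```

    After the account exists, the Event ID 10013 errors should stop and the pending password rotation can complete on the next LAPS policy cycle; the local Administrators membership is the part worth re-checking in the detection script, since an account that exists but is not an admin is useless for "run as admin".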


  • Thiruvalluvar
    Copper Contributor
    I am not sure why "net user" didn't have any other accounts, but for LAPS to work we should mention a local admin account present on the machine. If the account you mentioned in the LAPS configuration is not present on the system, the error you are getting is expected.

    You can create a local account using a Configuration Profile:

    https://cloudinfra.net/how-to-create-a-local-admin-account-using-intune/
