Event banner

Uplevel security with Endpoint Privilege Management + Windows LAPS

Event Ended
Tuesday, Nov 28, 2023, 07:00 AM PST
Online

Event details

It's simple. Running devices as standard user can help lower your attack surface. Let's talk about the threats we face today, the keys to implementing "just enough" access for your users with Microso...
Char_Cheesman
Updated Dec 27, 2024
Technical Takeoff
treestryder's avatar
treestryder
Iron Contributor
Nov 28, 2023
I think it is important when discussing LAPS, to also mention the (in my opinion better) alternative to LAPS, NO enabled generic local administrator account. We disable the default local administrator account using Autopilot and try to ensure Intune performs all administrative actions. For rare exceptions, we add an Entra group of local administrator accounts to PCs that have been renamed to signify they are no longer only managed by Intune. Before elevating on one of these PCs, our admins must request temporary membership to the local admin Entra group using Identity Governance. To complete the loop, whatever it was the admin did should be reviewed to determine if it can be eliminated or added to Intune. The PC is wiped to return it to its default state.
JaySimmons's avatar
JaySimmons
Icon for Microsoft rankMicrosoft
Nov 30, 2023

Good description Nathan - no complaints from me regarding your solution as described.

 

I will just point out that any administrator access solution that requires the device to be communicating with the cloud, is by definition at risk of failure when such cloud communication fails. Using a LAPS-managed local admin account is the "least common denominator" option in this space - you can't really get much lower in the dependency stack so there is just that much less that can go wrong.

 

Playing devil's advocate to my own response above: I have heard other customers say that if the device is in that bad of a condition, then they find it better to just flatten and re-image it, in other words, they prefer to just start over from scratch. Anyway, at least having both solutions gives customers the luxury of a choice. 🙂

Date and Time
Nov 28, 20237:00 AM - 7:30 AM PST