AtilGurcan
Thanks for this blog post.
Everything is clear for me, how to enable Windows LAPS in Azure Active Directory and how to deploy with Intune to our Windows devices.
The only question we have now (I also see this question in other blog posts) is what the best practice is for "cloud-only" Windows devices with the local administrator account.
By default, when enrolling Windows devices with AutoPilot (out-of-the-box), the local administrator account is disabled.
Windows LAPS will not enable this account automatically when this account is the target of the policy.
Windows LAPS will reset the password, but the local administrator account is still disabled, so you cannot use the account with the password.
We can think of 2 options:
- Enable the local administrator account, this is possible with the Settings Catalog.
- Create a new local administrator account; there's no built-in solution in Intune for this, some use OMA-URI, others use custom PowerShell scripts.
What is Microsoft best practice to create or enable a local administrator account from Intune, for Intune-only managed devices enrolled with AutoPilot?
- Or maybe is not having an enabled local administrator account more secure if it is not needed?
- For troubleshooting an "offline device" or repairing a broken device, we may need a local administrator account.
Please give us some good advice on this: in which scenarios does a local administrator account need to be enabled (if it is now disabled)?
- What is the best practice, a new account or using the existing built-in account?
- When creating a new account, what is the best practice to do this? (or maybe a new Intune policy for the future for creating local accounts?)
Thanks!
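The "custom PowerShell script" route mentioned in the comment above, as an added example that is not part of the blog post or the commenter's text: an Intune-deployed script that ensures a dedicated local administrator account exists and is enabled so Windows LAPS has a target to manage. The account name `LapsAdmin` is a placeholder and must match the account name configured in the LAPS policy; the script only sets a random one-time password, which LAPS rotates on its next cycle.

```powershell
# Added example (not from the blog post): run as SYSTEM via Intune "Platform scripts".
# Assumption: 'LapsAdmin' is a placeholder; it must equal the LAPS AdministratorAccountName setting.
$AccountName = 'LapsAdmin'

# Random one-time password; it only has to survive until Windows LAPS rotates it.
$bytes = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$initial   = [Convert]::ToBase64String($bytes)
$securePwd = ConvertTo-SecureString -String $initial -AsPlainText -Force

$existing = Get-LocalUser -Name $AccountName -ErrorAction SilentlyContinue
if (-not $existing) {
    # Create the account. LAPS owns the password from here on, so do not let it expire locally.
    New-LocalUser -Name $AccountName -Password $securePwd -PasswordNeverExpires `
        -AccountNeverExpires -Description 'Local administrator managed by Windows LAPS' | Out-Null
} elseif (-not $existing.Enabled) {
    # Account already exists (e.g. re-run or re-enrolment) but is disabled: enable it.
    Enable-LocalUser -Name $AccountName
}

# Ensure membership in the local Administrators group. The well-known SID S-1-5-32-544 is used
# instead of the group name so the script also works on non-English Windows images.
$adminGroup = Get-LocalGroup -SID 'S-1-5-32-544'
$isMember = Get-LocalGroupMember -Group $adminGroup -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -like "*\$AccountName" }
if (-not $isMember) {
    Add-LocalGroupMember -Group $adminGroup -Member $AccountName
}

# Drop the plaintext one-time password; it is never logged or written anywhere.
$initial = $null
```

Deploy the script in the system context, and keep the built-in Administrator account disabled if this dedicated account is the LAPS target, so only one local administrator credential is in use.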