Uplevel security with Endpoint Privilege Management + Windows LAPS
Event details
It's simple. Running devices as standard user can help lower your attack surface. Let's talk about the threats we face today, the keys to implementing "just enough" access for your users with Microsoft Intune Endpoint Privilege Management (EPM), and how to better secure local accounts with Windows LAPS.
This session is part of the Microsoft Technical Takeoff: Windows + Intune. Add it to your calendar, RSVP for event reminders, and post your questions and comments below! This session will also be recorded and available on demand shortly after the conclusion of the live event.
41 Comments
- BaardH
Copper Contributor
Is there any scenario where it would make sense to target the LAPS policy to a user group, instead of a device group?
- JaySimmons
Microsoft
Hi Baard - I honestly cannot think of one - LAPS is device specific, period. If anyone else has a scenario that might need this, would love to hear it.
- treestryder
Iron Contributor
I think it is important when discussing LAPS, to also mention the (in my opinion better) alternative to LAPS, NO enabled generic local administrator account. We disable the default local administrator account using Autopilot and try to ensure Intune performs all administrative actions. For rare exceptions, we add an Entra group of local administrator accounts to PCs that have been renamed to signify they are no longer only managed by Intune. Before elevating on one of these PCs, our admins must request temporary membership to the local admin Entra group using Identity Governance. To complete the loop, whatever it was the admin did should be reviewed to determine if it can be eliminated or added to Intune. The PC is wiped to return it to its default state.
- JaySimmons
Microsoft
Good description Nathan - no complaints from me regarding your solution as described.
I will just point out that any administrator access solution that requires the device to be communicating with the cloud, is by definition at risk of failure when such cloud communication fails. Using a LAPS-managed local admin account is the "least common denominator" option in this space - you can't really get much lower in the dependency stack so there is just that much less that can go wrong.
Playing devil's advocate to my own response above: I have heard other customers say that if the device is in that bad of a condition, then they find it better to just flatten and re-image it, in other words, they prefer to just start over from scratch. Anyway, at least having both solutions gives customers the luxury of a choice. 🙂
- MichaelHildebrand
Microsoft
I joined late - apologies if this was covered - for cloud use, there is a single setting 'pre-req' to enable LAPS in Entra (in addition to the Intune policies for the Windows endpoints) - https://learn.microsoft.com/en-us/entra/identity/devices/howto-manage-local-admin-passwords#enabling-windows-laps-with-microsoft-entra-id
- LauraArrizza
Microsoft
Yes, this can be toggled "on" via the Azure AD Devices menu, select Device settings, and then select Yes for the LAPS setting and click Save. From there, you can continue to configure your LAPS policy settings.
- Paul_Woodward
Iron Contributor
Thanks guys!!
- Char_Cheesman
Bronze Contributor
Thanks for joining us! We hope you enjoyed this session. If you missed the live broadcast, don’t worry – you can watch it on demand. And we’ll continue to answer questions here in the chat through the end of the week. There's more great content in store at the Microsoft Technical Takeoff! What do you like about the event so far? Share your feedback and help shape the direction of future events on the Tech Community!
- tmareid
Copper Contributor
Do you know if the LAPS Intune policy will apply successfully to the Windows 10 multisession OS? We often see issues with policies using templates, not the settings catalog.
- LauraArrizza
Microsoft
Yes, I believe we support Windows 10 multisession endpoints.
- Terry_Rutter
Copper Contributor
You stated that EPM follows the same policy flow as normal policies. Does that mean that when you approve an elevation the endpoint must sync with Intune in order to get the permission to run elevated? If the client normally syncs every 8 hours, will that mean we need to tell our end users to manually kick off a sync? Under normal conditions there is a 15 minute "cool down" period where a device won't actually sync if it completed a sync within the last 15 minutes. How does that cool down period impact the elevation?
- Matt_Call
Microsoft
Hey Terry! We don't expect it will for a myriad of reasons. We will confirm this and add any notes and limitations to our documentation online if for some reason it does.
- Terry_Rutter
Copper Contributor
Thanks Matt. We're actually planning to do a POC of EPM in mid- to late-January '24 and I'm hoping to have the docs you referenced above so we can get the most out of our POC.
- Paul_Woodward
Iron Contributor
Also, having "Run as administrator" and "Run with elevated access" in the context menu is confusing. Any plans to change that?
- Matt_Call
Microsoft
Hey Paul! Thanks for the feedback. We understand the two different menus are confusing. We are formulating a plan to hopefully remove some of that confusion. More to come in the future.
- Murilo_Amorim
Copper Contributor
Do we need to have LAPS set up in order to have Support Approved available? Thank you
- Matt_Call
Microsoft
Hey Murilo! No, LAPS and Support Approved are two different things, sorry if we created any confusion.
- Murilo_Amorim
Copper Contributor
Thank you for your reply
- LWilsonNovice
Copper Contributor
Is there a built-in bare minimum set of permissions for users to retrieve the LAPS password from Intune?
- LauraArrizza
Microsoft
To retrieve the LAPS password for a given device via the Intune portal or Entra portal, an admin needs to have specific permissions that allow this. You must have one of the following Microsoft Entra permissions:
- microsoft.directory/deviceLocalCredentials/password/read to read LAPS metadata and passwords.
- microsoft.directory/deviceLocalCredentials/standard/read to read LAPS metadata excluding passwords.
More details here: https://learn.microsoft.com/en-us/mem/intune/protect/windows-laps-overview#role-based-access-controls-for-laps
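The two permission levels above map directly onto what the Microsoft Graph API returns for a device's local credential. The following PowerShell is an added example, not code from the page or from Microsoft's documentation; it assumes the Microsoft.Graph PowerShell SDK is installed, that the signed-in admin holds a role carrying the relevant microsoft.directory/deviceLocalCredentials/* permission, and uses a placeholder device ID. The delegated scope names (DeviceLocalCredential.ReadBasic.All for metadata, DeviceLocalCredential.Read.All for metadata plus password) are the Graph scopes as I know them and should be checked against the current Graph permissions reference.

```powershell
# Added example (not from the page): read one device's Windows LAPS backup from Entra ID via Graph,
# showing the difference between the standard/read and password/read permission levels.
# Assumes the Microsoft.Graph PowerShell SDK is installed. Scope names are as documented for Graph.
Connect-MgGraph -Scopes "DeviceLocalCredential.Read.All"

# Placeholder: the Entra "Device ID" GUID of the target device (not the directory object ID).
$deviceId = "00000000-0000-0000-0000-000000000000"
$base = "https://graph.microsoft.com/v1.0/directory/deviceLocalCredentials/$deviceId"

# 1. Metadata only. This call succeeds with microsoft.directory/deviceLocalCredentials/standard/read
#    and never returns the password, so it is what a helpdesk "did this device back up?" check needs.
$meta = Invoke-MgGraphRequest -Method GET -Uri $base
"{0}: last backup {1}" -f $meta.deviceName, $meta.lastBackupDateTime

# 2. Metadata plus password. Only the $select=credentials form returns passwords, and it requires
#    microsoft.directory/deviceLocalCredentials/password/read. A 403 here with a 200 on step 1
#    usually means the caller holds only standard/read.
try {
    $full = Invoke-MgGraphRequest -Method GET -Uri "${base}?`$select=credentials"
}
catch {
    Write-Error "Password read denied or failed for $deviceId (check password/read permission): $_"
    return
}

# credentials is an array; the first entry is the current backup, later ones are older backups.
# passwordBase64 is base64-encoded UTF-8. Decode it into a SecureString rather than leaving the
# clear text in a variable that would land in transcripts or console history.
foreach ($cred in $full.credentials) {
    $plain  = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($cred.passwordBase64))
    $secure = ConvertTo-SecureString -String $plain -AsPlainText -Force
    $plain  = $null
    [PSCustomObject]@{
        Account    = $cred.accountName
        BackedUpAt = $cred.backupDateTime
        Password   = $secure
    }
}
```

Run it twice with accounts in two roles (for example Cloud Device Administrator, which includes password/read, and a custom role holding only standard/read) and the second call is where the two diverge; the same separation applies when the Windows LAPS module's Get-LapsAADPassword cmdlet is used instead of raw Graph calls, since it sits on the same endpoint.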