Forum Discussion
LAPS Creation using Intune
Hi All
I am trying to get Intune to create a Local Admin Account and I am using the method of adding
- ppel123 (Copper Contributor)
Hi, although I would suggest using LAPS (you could check this guide too), you could try to use the following command as already mentioned to add the user to local admins.
Add-LocalGroupMember -Group Administrators -Member apexadmin
The way to go here is to either use a platform script to just create the local admin, or better a detection-remediation to check its existence and create it if not exists.
Check the below post to get an idea of how you could utilize it (it doesn't describe exactly what you are trying to achieve but could give you some guidance). If you need any help with the scripts, let me know.
- micheleariis (Steel Contributor)
I confirm that LAPS is an excellent feature, now fully integrated and easy to configure in Intune.
- micheleariis (Steel Contributor)
Hi, it should be enough to add another configuration like the one below:
Name: Add user to Local administrator group
OMA-URI: ./Device/Vendor/MSFT/Accounts/Users/apexadmin/LocalUserGroup
Data type: Integer
Value: 2
- Rob_Lam (Brass Contributor)
Yes, but it doesn't.
It works on 1-2 machines, but the rest just fail to add the local admin group.
- micheleariis (Steel Contributor)
What if you create a script in PowerShell with the command below and deploy it via Intune?
Add-LocalGroupMember -Group Administrators -Member apexadmin
Otherwise, if you have the licenses, you could use account-protection-policies
https://learn.microsoft.com/en-us/mem/intune/protect/endpoint-security-account-protection-policy
- Ankur_B (Iron Contributor)
Are you creating the Local Admin Account for Entra Joined or Hybrid Entra Joined devices?
- Rob_Lam (Brass Contributor)
Entra Join.
We don't have active directory
- fbatuns (Brass Contributor)
Rob_Lam, is there a reason for setting up LAPS with OMA-URI settings? Intune has integrated the LAPS configuration in the Endpoint Security menu (Account Protection). We use it with Entra-ID-joined and hybrid-joined devices; this works very well and was straightforward.
Just make sure the endpoints are on the latest versions of Windows 10 and 11, because LAPS was not natively integrated in Windows 10/11 before April 2023.
Also: sometimes I had the issue that I was not able to see the LAPS password in Intune but could in the Entra ID device portal, but I'm not sure if that's still the case.
- Rob_Lam (Brass Contributor)
Hi
No there isn't any reason.
The reason behind it was that the script didn't work so I tried OMA-URI settings.
In both scenarios they create the apexadmin account but do not add it to the local admin group.
All our machines are running Windows 11 23H2.
- ppel123 (Copper Contributor)
I find it weird that the user is not being added to the local admin group.
What I would do is build a troubleshooting mechanism to understand at which point it fails.
First of all, if you run the script that creates the user and adds it to the local admin group locally on a machine, or on demand on a test machine, does it work? If yes, then add some logging to your script:
Start-Transcript -Path "C:\ProgramData\Microsoft\IntuneManagementExtension\Logs\LocalAdminScriptLogs.txt" -Append -ErrorAction Stop
try {
    # your code goes here, with Write-Host calls to depict the code flow in the log file
    # add -ErrorAction Stop to throw errors to the catch clause
}
catch {
    # depict the error in the log file
    Write-Error "An error occurred during detection: $_"
}
finally {
    Stop-Transcript
}
Then you could collect the logs following this guide.
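Putting the detection-remediation idea from the first reply together with the transcript logging above, here is an added example script (not posted in the thread, not Microsoft's code) that checks whether apexadmin exists and is a member of Administrators and repairs it if not; the function names, the log file name and the throwaway-password step are this example's own assumptions.

```powershell
# Added example (not from the thread): one script that detects and, if needed, repairs the
# 'apexadmin' local admin discussed above, with transcript logging as suggested. Deployable as
# an Intune platform script; for a remediation package, split at the marked lines.
$AccountName = 'apexadmin'                       # account name used in the thread
$AdminSid    = 'S-1-5-32-544'                    # BUILTIN\Administrators; stable across renames/localisation
$LogPath     = 'C:\ProgramData\Microsoft\IntuneManagementExtension\Logs\LocalAdminScriptLogs.txt'

function Test-LocalAdminMember {
    # $true only when the account exists AND is a direct member of Administrators.
    $user = Get-LocalUser -Name $AccountName -ErrorAction SilentlyContinue
    if (-not $user) { Write-Host "$AccountName does not exist"; return $false }
    $members  = Get-LocalGroupMember -Group (Get-LocalGroup -SID $AdminSid) -ErrorAction Stop
    $isMember = [bool]($members | Where-Object { $_.SID -eq $user.SID })
    Write-Host "$AccountName exists; member of Administrators: $isMember"
    return $isMember
}

function Repair-LocalAdminMember {
    if (-not (Get-LocalUser -Name $AccountName -ErrorAction SilentlyContinue)) {
        # Random throwaway password that is never stored; hand the account to LAPS for rotation.
        $bytes = [byte[]]::new(32)
        [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
        $secret = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
        New-LocalUser -Name $AccountName -Password $secret -PasswordNeverExpires -ErrorAction Stop | Out-Null
        Write-Host "Created $AccountName"
    }
    Add-LocalGroupMember -Group (Get-LocalGroup -SID $AdminSid) -Member $AccountName -ErrorAction Stop
    Write-Host "Added $AccountName to Administrators"
}

Start-Transcript -Path $LogPath -Append -ErrorAction SilentlyContinue
$exitCode = 0
try {
    # Detection: in a remediation package, detection.ps1 ends here with exit 0/1 on this result.
    if (-not (Test-LocalAdminMember)) {
        # Remediation: remediation.ps1 would contain just this call (plus the helpers above).
        Repair-LocalAdminMember
        if (-not (Test-LocalAdminMember)) { throw "post-remediation check still fails" }
    }
}
catch {
    Write-Error "An error occurred: $_"    # lands in the transcript and in Intune's script output
    $exitCode = 1
}
finally { Stop-Transcript }
exit $exitCode
```

Deploy it with "Run script in 64-bit PowerShell host" enabled, because the Microsoft.PowerShell.LocalAccounts module does not load in the 32-bit host and Get-LocalUser/Add-LocalGroupMember then fail there. On some Entra-joined builds Get-LocalGroupMember itself fails with "Failed to compare two elements in the array" when the group contains cloud SIDs; the transcript will show that, and parsing `net localgroup Administrators` is the usual fallback.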