Maybe you are a service provider and find yourself deploying the same configurations over and over again manually. It can be time-consuming and prone to error, especially if the tasks are mundane. The solution is to utilise PowerShell scripting to deploy your configurations for you. A well-written PowerShell script can review and deploy configurations in a fraction of the time it takes to deploy them manually using the equivalent web portals.
In this post I will demonstrate a script I have written to automatically deploy Windows LAPS configurations in Intune with Microsoft Graph PowerShell.
If you haven’t already seen my post detailing how to configure Windows LAPS using Intune manually, check out that post now as it will add perspective to what this post is all about.
Requirements
The script utilises the Microsoft Graph PowerShell SDK to interact with Microsoft Intune. You must ensure you have the Microsoft.Graph.Authentication module installed.
Check out my post on How to Install The Microsoft Graph PowerShell modules, or allow the script to find and install the module itself.
You will also need to log in with a Global Administrator account to run the script as you will need to consent to the required Graph API permissions.
Configure Windows LAPS in Intune with Microsoft Graph PowerShell
Access the deployment script from my GitHub: Create-LAPS.ps1. Note: This script will not assign any users/devices to these policies, that must be done manually.
Start by downloading the deployment script and modifying the $accountname variable. This will define the LAPS user to be created and used throughout the script.
The script will process tasks in the following order:
2. Connect to Microsoft Graph and prompt to consent to the following scopes: Policy.ReadWrite.DeviceConfiguration, DeviceManagementConfiguration.ReadWrite.All.
3. Check if Microsoft Entra LAPS is enabled within the tenant and enable it if not.
4. Create a LAPS account protection policy with the following settings:
Policy Name : Windows LAPS
Backup location : Microsoft Entra
Password age : 7 days
Password length : Not configured (default 14 days)
Account name : $accountname
Complexity level : 4
Post authentication action : Reset password
Post authentication delay : 1 hour
5. Create a remediation package to upload a pre-set script to create the LAPS user account with the defined username. (This utilises the scripts found in my blog: How to create a local admin account on Windows devices with Intune).
6. Disconnect from Microsoft Graph.
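To show what steps 2 to 4 look like on the wire, here is an added example (my own code, not the Create-LAPS.ps1 from the post) that reads the tenant's device registration policy, enables Entra LAPS only if it is off, and creates the Windows LAPS policy with the settings listed above as a settings catalog profile. It assumes the beta deviceRegistrationPolicy endpoint, the LAPS CSP setting definition IDs, and the constructed account name LapsAdmin; check the IDs against the settings catalog in your tenant before relying on them.

```powershell
# Added example, not the post's script. $accountname is a constructed placeholder.
$accountname = "LapsAdmin"
Connect-MgGraph -Scopes "Policy.ReadWrite.DeviceConfiguration","DeviceManagementConfiguration.ReadWrite.All"

# Step 3: enable Entra LAPS tenant-wide only when it is currently disabled (assumed beta endpoint).
$drpUri  = "https://graph.microsoft.com/beta/policies/deviceRegistrationPolicy"
$drp     = Invoke-MgGraphRequest -Method GET -Uri $drpUri
if (-not $drp.localAdminPassword.isEnabled) {
    # The endpoint replaces the whole object, so send it back unchanged apart from this flag.
    $drp.localAdminPassword.isEnabled = $true
    $drp.Remove('@odata.context')
    Invoke-MgGraphRequest -Method PUT -Uri $drpUri -ContentType "application/json" `
        -Body ($drp | ConvertTo-Json -Depth 10) | Out-Null
}

# Helpers that wrap one settings catalog setting (choice or simple value) in the Graph shape.
function New-ChoiceSetting ([string]$Id, [string]$Option) {
    @{ '@odata.type' = '#microsoft.graph.deviceManagementConfigurationSetting'
       settingInstance = @{
           '@odata.type'       = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance'
           settingDefinitionId = $Id
           choiceSettingValue  = @{ '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingValue'
                                    value = "${Id}_$Option"; children = @() } } }
}
function New-SimpleSetting ([string]$Id, $Value, [string]$Type) {
    @{ '@odata.type' = '#microsoft.graph.deviceManagementConfigurationSetting'
       settingInstance = @{
           '@odata.type'       = '#microsoft.graph.deviceManagementConfigurationSimpleSettingInstance'
           settingDefinitionId = $Id
           simpleSettingValue  = @{ '@odata.type' = "#microsoft.graph.deviceManagementConfiguration${Type}SettingValue"
                                    value = $Value } } }
}

# Step 4: the policy body. Setting IDs follow the LAPS CSP (./Device/Vendor/MSFT/LAPS/Policies/*); assumed, verify in tenant.
$body = @{
    name = "Windows LAPS"; description = "Created with Microsoft Graph PowerShell"
    platforms = "windows10"; technologies = "mdm"
    settings = @(
        (New-ChoiceSetting 'device_vendor_msft_laps_policies_backupdirectory' '1')          # 1 = Microsoft Entra
        (New-SimpleSetting 'device_vendor_msft_laps_policies_passwordagedays_aad' 7 'Integer')
        (New-SimpleSetting 'device_vendor_msft_laps_policies_administratoraccountname' $accountname 'String')
        (New-ChoiceSetting 'device_vendor_msft_laps_policies_passwordcomplexity' '4')
        (New-ChoiceSetting 'device_vendor_msft_laps_policies_postauthenticationactions' '1')  # 1 = reset password
        (New-SimpleSetting 'device_vendor_msft_laps_policies_postauthenticationresetdelay' 1 'Integer')
    )
}
$created = Invoke-MgGraphRequest -Method POST -ContentType "application/json" `
    -Uri "https://graph.microsoft.com/beta/deviceManagement/configurationPolicies" -Body ($body | ConvertTo-Json -Depth 20)
"Created policy $($created.name) with id $($created.id)"
Disconnect-MgGraph | Out-Null
```

Password length is deliberately omitted so the platform default applies, matching the "Not configured" setting in the list above; assignments are left for you to add, as the post notes.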
Once run, the script will work through the tasks in seconds and output like the following:
Wrapping up
This script aims to speed up the deployment of resources in Intune, not necessarily to help you migrate to Windows LAPS. You must still carefully plan your deployment with the customer to cover items such as custom roles, permissions, ownership, and support, whether you are implementing for the first time or migrating from on-premises LAPS.