How to Enable Automatic Account Creation for LAPS in Intune

Automatic account creation with Windows LAPS is finally here! Announced in the Windows 11 Insider Preview Build 26040 (Canary Channel) release notes, admins can now configure LAPS policies to automatically create and manage a local admin account without needing it to be present on the workstation prior!

This post will show you how to enable automatic account creation for Windows LAPS using Microsoft Intune.

Windows LAPS automatic account creation

The ability to create an account directly from the Windows LAPS configuration settings has been a long-needed feature since LAPS was released. It has been a constant struggle for administrators to create local admin accounts securely and consistently: the account had to exist before LAPS could manage it, so we resorted to our RMM, MDM and PowerShell scripts to create users (and to get the initial password right). Now Microsoft have blessed us with this feature out-of-the-box!

Prerequisites

If you haven’t already, you must have Windows LAPS deployed in your environment. If you haven’t got that far yet, check out my post: How to Setup Windows LAPS Step by Step.

Alternatively, if you want to quickly deploy the required settings without having to go clicking through the Admin portal, see my post: Configure LAPS in Intune using Microsoft Graph PowerShell for a single script to do it all for you!

Create Windows LAPS configuration profile for automatic account creation

The new LAPS configuration settings are not yet available in the Settings Catalogue or the LAPS template, so for now they have to be configured as custom CSP (OMA-URI) settings in a Configuration profile. Follow the steps below to configure automatic account creation:

1. From the Intune admin portal, select Devices > Configuration profiles > Create > New policy.

2. Choose the platform as Windows 10 and later, set the profile type as Templates, then select Custom and click Create.

3. Add the following OMA-URI settings:

  • ./Device/Vendor/MSFT/LAPS/Policies/AutomaticAccountManagementEnableAccount
    • Type: Bool
    • Value: True
    • Description: Use this setting to enable or disable the automatically managed account. With False the account is managed but left disabled, which is a reasonable choice if you only want it enabled for break-glass use.
  • ./Device/Vendor/MSFT/LAPS/Policies/AutomaticAccountManagementEnabled
    • Type: Bool
    • Value: True
    • Description: Use this setting to enable automatic account management. This is the master switch; the other AutomaticAccountManagement* settings do nothing without it.
  • ./Device/Vendor/MSFT/LAPS/Policies/AutomaticAccountManagementNameOrPrefix
    • Type: String
    • Value: ShortPrefix-
    • Description: Use this setting to specify the name, or the name prefix when randomisation is on, of the automatically managed account. Local account names are limited to 20 characters, so keep the prefix short to leave room for the random suffix.
  • ./Device/Vendor/MSFT/LAPS/Policies/AutomaticAccountManagementRandomizeName
    • Type: Bool
    • Value: True
    • Description: Use this setting to enable randomisation of the name of the automatically managed account. The random part is regenerated on every password reset (see below), so the name cannot be relied on in scripts; look the account up by its description or SID instead.
  • ./Device/Vendor/MSFT/LAPS/Policies/AutomaticAccountManagementTarget
    • Type: Int (not Bool; see the comments below)
    • Value: 0 or 1
    • Description: Use this setting to specify whether the built-in Administrator account (0) or a new custom account (1) is automatically managed. Use 1 to have LAPS create the account for you.
  • ./Device/Vendor/MSFT/LAPS/Policies/PasswordComplexity
    • Type: Int
    • Description: Existing Windows LAPS password complexity setting. Set it to the same value your current LAPS policy uses so the new account's password is generated with the complexity you already require.

LAPS CSP settings

4. Now simply continue through the configuration profile wizard and assign the policy to any device groups (or all devices).
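The same custom profile can be created and assigned without clicking through the portal. The script below is an added example (it is not the script from the author's Graph post and not Microsoft's code): it builds the OMA-URI list above as a windows10CustomConfiguration object, posts it to the Intune deviceConfigurations endpoint and assigns it to one device group. It assumes the Microsoft.Graph PowerShell module is installed, that the signed-in account holds DeviceManagementConfiguration.ReadWrite.All, and that you replace the placeholder $GroupId with your own group's object ID; the display names and the profile name are arbitrary.

```powershell
# Added example: create the LAPS automatic-account custom profile via Microsoft Graph.
# Assumes Microsoft.Graph is installed; $GroupId below is a placeholder you must replace.
Connect-MgGraph -Scopes 'DeviceManagementConfiguration.ReadWrite.All'

$GroupId = '00000000-0000-0000-0000-000000000000'   # placeholder: target device group object ID

# Build one OMA-URI entry, picking the Graph omaSetting type from the .NET type of the value.
function New-OmaSetting {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$Uri,
        [Parameter(Mandatory)]$Value
    )
    $type = switch ($Value.GetType().Name) {
        'Boolean' { '#microsoft.graph.omaSettingBoolean' }
        'Int32'   { '#microsoft.graph.omaSettingInteger' }
        default   { '#microsoft.graph.omaSettingString' }
    }
    return @{
        '@odata.type' = $type
        displayName   = $Name
        omaUri        = $Uri
        value         = $Value
    }
}

$base = './Device/Vendor/MSFT/LAPS/Policies/'
$omaSettings = @(
    New-OmaSetting 'LAPS - Enable managed account'         "${base}AutomaticAccountManagementEnableAccount" $true
    New-OmaSetting 'LAPS - Automatic account management'   "${base}AutomaticAccountManagementEnabled"       $true
    New-OmaSetting 'LAPS - Account name prefix'            "${base}AutomaticAccountManagementNameOrPrefix"  'ShortPrefix-'
    New-OmaSetting 'LAPS - Randomize account name'         "${base}AutomaticAccountManagementRandomizeName" $true
    New-OmaSetting 'LAPS - Target (1 = new custom account)' "${base}AutomaticAccountManagementTarget"       1   # Int, not Bool
)

$body = @{
    '@odata.type' = '#microsoft.graph.windows10CustomConfiguration'
    displayName   = 'Windows LAPS - Automatic account creation'
    description   = 'Custom CSP settings for LAPS automatic account management'
    omaSettings   = $omaSettings
}

# Create the profile (the custom-configuration object lives under deviceConfigurations).
$newProfile = Invoke-MgGraphRequest -Method POST `
    -Uri 'https://graph.microsoft.com/beta/deviceManagement/deviceConfigurations' `
    -Body ($body | ConvertTo-Json -Depth 10) -ContentType 'application/json'

# Assign it to the device group; swap the target for allDevicesAssignmentTarget if you want every device.
$assignment = @{
    assignments = @(
        @{ target = @{ '@odata.type' = '#microsoft.graph.groupAssignmentTarget'; groupId = $GroupId } }
    )
}
Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/beta/deviceManagement/deviceConfigurations/$($newProfile.id)/assign" `
    -Body ($assignment | ConvertTo-Json -Depth 10) -ContentType 'application/json'

"Created profile $($newProfile.id) and assigned it to group $GroupId"
```

The value types matter: Intune validates each OMA-URI against the CSP, and AutomaticAccountManagementTarget posted as a boolean is exactly the mistake raised in the comments below. Keeping the type selection in one helper means the list above is the only place a value can be got wrong.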

Impact on the end device

When the device next syncs to Intune, the CSP settings apply and the corresponding values appear under HKLM\SOFTWARE\Microsoft\Policies\LAPS in the registry. This does NOT require a reboot; the change is seamless.

Windows LAPS registry settings

The account is created immediately, enabled for use and added to the local Administrators group, with the description: This account is currently being automatically managed by your corporate administrator.
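If you want to confirm the result on the endpoint rather than trust the portal, the script below is an added example (not code from the original post) to run elevated on the device. It reads the LAPS policy values from the registry path above and then finds any local user carrying the LAPS-managed description, reporting whether it is enabled and actually a member of Administrators. The function names are mine; the registry path and the description string are the ones quoted in this section.

```powershell
# Added example: verify the LAPS automatic-account policy and the managed account on the endpoint.
# Run in an elevated PowerShell session on the target device.
$PolicyKey   = 'HKLM:\SOFTWARE\Microsoft\Policies\LAPS'
$ManagedDesc = 'This account is currently being automatically managed by your corporate administrator.'

function Get-LapsAutoAccountPolicy {
    # Returns the automatic-account values the CSP wrote, or $null if no LAPS policy has arrived yet.
    if (-not (Test-Path $PolicyKey)) { return $null }
    Get-ItemProperty -Path $PolicyKey |
        Select-Object AutomaticAccountManagementEnabled,
                      AutomaticAccountManagementEnableAccount,
                      AutomaticAccountManagementNameOrPrefix,
                      AutomaticAccountManagementRandomizeName,
                      AutomaticAccountManagementTarget
}

function Get-LapsManagedAccount {
    # Locate the managed account by its description (the name is randomised, so do not search by name),
    # then check it against the SIDs that are really in the local Administrators group.
    $adminSids = Get-LocalGroupMember -Group 'Administrators' |
                 Where-Object ObjectClass -eq 'User' |
                 ForEach-Object { $_.SID.Value }
    Get-LocalUser | Where-Object Description -eq $ManagedDesc | ForEach-Object {
        [pscustomobject]@{
            Name            = $_.Name
            SID             = $_.SID.Value
            Enabled         = $_.Enabled
            IsLocalAdmin    = $adminSids -contains $_.SID.Value
            PasswordLastSet = $_.PasswordLastSet
        }
    }
}

$policy = Get-LapsAutoAccountPolicy
if (-not $policy) {
    Write-Warning "No LAPS policy found under $PolicyKey - the device has not received the CSP settings yet."
} else {
    $policy | Format-List
}

$account = Get-LapsManagedAccount
if (-not $account) {
    Write-Warning 'No local account carrying the LAPS-managed description was found.'
} else {
    $account | Format-Table -AutoSize
}
```

Matching on the SID rather than the name is deliberate: the name changes on every reset once randomisation is on, and a check that greps the Administrators group for "ShortPrefix-" will silently pass if an attacker creates their own account with that prefix.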

Obtain the Windows LAPS username and password from Intune

To obtain the username and password from Microsoft Intune, you use the Intune portal exactly as you would for a pre-existing LAPS-managed account.

1. Log in to https://intune.microsoft.com/

2. Select Devices > All Devices, then click on your device.

3. Under Monitor, select Local admin password, then Show local administrator password and Show.

Show local admin password

What happens when you reset the automatic LAPS account?

When you reset the LAPS password for a device from Intune (or otherwise), both the LAPS account USERNAME and PASSWORD are changed, because a new random suffix is generated along with the new password. However, the SID of the account remains the same: the existing account is renamed, not deleted and recreated, so its group memberships and profile are preserved.

Before resetting the LAPS password

Before reset

After resetting the LAPS password

After reset
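The rename-not-recreate behaviour described above, and the credential lookup in the previous section, can both be checked from Microsoft Graph instead of the portal. The script below is an added example (not code from the original post or from Microsoft): it reads the backed-up credential history for one device from the deviceLocalCredentials endpoint, lists the account name, SID and backup time of each entry, and checks that every entry shares a single SID. It assumes the Microsoft.Graph module is installed, that the caller holds DeviceLocalCredential.Read.All plus a role allowed to read LAPS passwords, and that you replace $DeviceId with the device's Entra (Azure AD) device ID, which is not the same as its Intune device ID.

```powershell
# Added example: pull the LAPS credential history for a device from Microsoft Graph and
# confirm that resets rename the managed account rather than recreate it (same SID throughout).
Connect-MgGraph -Scopes 'DeviceLocalCredential.Read.All'

$DeviceId = '00000000-0000-0000-0000-000000000000'   # placeholder: Entra device ID (not the Intune device ID)

function Get-LapsCredentialHistory {
    param([Parameter(Mandatory)][string]$DeviceId)
    # $select=credentials is what makes Graph return the credential list (with passwords);
    # without it only the metadata comes back. Passwords arrive base64-encoded.
    $uri  = "https://graph.microsoft.com/v1.0/directory/deviceLocalCredentials/$DeviceId" + '?$select=credentials'
    $resp = Invoke-MgGraphRequest -Method GET -Uri $uri
    foreach ($c in $resp.credentials) {
        [pscustomobject]@{
            AccountName = $c.accountName
            AccountSid  = $c.accountSid
            BackupTime  = [datetime]$c.backupDateTime
            Password    = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($c.passwordBase64))
        }
    }
}

function Test-SidStableAcrossRenames {
    param([Parameter(Mandatory)][object[]]$History)
    # True when every backed-up credential belongs to one SID, i.e. the account was renamed on
    # reset rather than deleted and recreated.
    ($History.AccountSid | Sort-Object -Unique).Count -eq 1
}

$history = Get-LapsCredentialHistory -DeviceId $DeviceId | Sort-Object BackupTime -Descending

# Show the name/SID/time columns only; the password is deliberately left out of the console output.
$history | Select-Object BackupTime, AccountName, AccountSid | Format-Table -AutoSize

if (Test-SidStableAcrossRenames $history) {
    "Account was renamed across $($history.Count) backup(s); SID $($history[0].AccountSid) is unchanged."
} else {
    Write-Warning 'More than one SID appears in the history: the managed account was recreated, not just renamed.'
}
```

Reading passwords through Graph is audited in the same way as the portal's Show button, so run this only where you would be comfortable clicking that button, and avoid writing the Password property to logs or transcripts.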

Daniel Bradley

My name is Daniel Bradley and I work with Microsoft 365 and Azure as an Engineer and Consultant. I enjoy writing technical content for you and engaging with the community. All opinions are my own.

This Post Has 5 Comments

  1. janne

    and what admin account name you configure to LAPS policy, just “ShortPrefix-” ?

    1. Daniel Bradley

      Yes, just configure a short prefix and let the rest be created automatically!

  2. Chris

    I would like to emphasize the fact that it's currently only available in the Windows 11 Insider Preview Build. Hopefully it's coming for the Production Builds soon.

  3. Graham

    In the list you have this as Integer, but in the screenshot it is Boolean, which should it be?
    Have tried applying these settings but they are failing to apply to my device, however it's not on an Insider Preview build, is that why, or is it because I have this setting as an Integer?

    ./Device/Vendor/MSFT/LAPS/Policies/AutomaticAccountManagementTarget
    Type: Int

    1. Daniel Bradley

      Hi Graham,

      I had to correct this, the right answer is Int!

      It will only apply for the insider preview build currently.

      Kind regards
      Dan
