Automatic account creation with Windows LAPS is finally here! Announced in the Windows 11 Insider Preview Build 26040 (Canary Channel) release notes, admins can now configure LAPS policies to automatically create and manage a local admin account without needing it to exist on the workstation beforehand!
This post will show you how to enable automatic account creation for Windows LAPS using Microsoft Intune.
Windows LAPS automatic account creation
The ability to automatically create an account directly within the Windows LAPS configuration settings has been a long-needed feature since LAPS was released. It has been a constant struggle for administrators to create local admin accounts securely and consistently. Where previously we resorted to our RMM, MDM and PowerShell scripts to create users, Microsoft now provides this feature out of the box!
Prerequisites
If you haven’t already, you must have Windows LAPS deployed in your environment. If you haven’t got that far yet, check out my post: How to Setup Windows LAPS Step by Step.
Alternatively, if you want to quickly deploy the required settings without having to go clicking through the Admin portal, see my post: Configure LAPS in Intune using Microsoft Graph PowerShell for a single script to do it all for you!
Create Windows LAPS configuration profile for automatic account creation
The new LAPS configuration settings are currently only available as custom OMA-URI settings in a Custom configuration profile; they are not yet available in the Settings Catalogue or the built-in templates. Follow the steps below to configure automatic account creation:
1. From the Intune admin portal, select Devices > Configuration profiles > Create > New policy.
2. Choose the platform as Windows 10 and later, set the profile type as Templates, then select Custom and click Create.
3. Add the following OMA-URI settings:
- ./Device/Vendor/MSFT/LAPS/Policies/AutomaticAccountManagementEnableAccount
- Type: Bool
- Value: True
- Description: Use this setting to enable or disable the automatically managed account. If it is False (the default), the account is created but left disabled.
- ./Device/Vendor/MSFT/LAPS/Policies/AutomaticAccountManagementEnabled
- Type: Bool
- Value: True
- Description: Use this setting to enable automatic account management. This is the master switch; the other AutomaticAccountManagement* settings have no effect without it.
- ./Device/Vendor/MSFT/LAPS/Policies/AutomaticAccountManagementNameOrPrefix
- Type: String
- Value: ShortPrefix-
- Description: Use this setting to specify the name or the name prefix of the automatically managed account. With name randomization enabled this value is used as a prefix and a random suffix is appended, so keep it short: Windows local account names are limited to 20 characters.
- ./Device/Vendor/MSFT/LAPS/Policies/AutomaticAccountManagementRandomizeName
- Type: Bool
- Value: True
- Description: Use this setting to enable randomization of the name of the automatically managed account. A new random name is generated each time the password is rotated.
- ./Device/Vendor/MSFT/LAPS/Policies/AutomaticAccountManagementTarget
- Type: Int
- Value: 1
- Description: Use this setting to specify whether the built-in Administrator account is automatically managed (0), or a new custom account (1). This post uses 1 so that a fresh account is created with the prefix above.
- ./Device/Vendor/MSFT/LAPS/Policies/PasswordComplexity
- Type: Int
- Value: 4 (a single integer; values 1 to 4 select the character classes required, with 4, the default, meaning upper-case, lower-case, numbers and special characters; values of 5 and above generate a passphrase instead)
- Description: Use this setting to configure the required password complexity of the managed local administrator account, or to specify that a passphrase is created. See the reference for the full list of allowed values.
- Reference: https://learn.microsoft.com/en-us/windows-server/identity/laps/laps-management-policy-settings#passwordcomplexity
4. Continue through the configuration profile wizard and assign the policy to your device groups (or all devices).
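The same six OMA-URI settings can be created and assigned without the portal. The following PowerShell is an added example written for this post, not code from the original article or from Microsoft: it builds the Custom configuration profile with the Microsoft Graph PowerShell SDK (beta endpoint, `windows10CustomConfiguration` with `omaSetting*` entries) and assigns it to one device group. It assumes the `Microsoft.Graph.Authentication` module is installed; `$GroupId`, `$Prefix` and the profile display name are placeholders to replace with your own values.

```powershell
# Added example (not from the original post): create the Windows LAPS automatic
# account management profile and assign it with Microsoft Graph PowerShell.
Import-Module Microsoft.Graph.Authentication
Connect-MgGraph -Scopes 'DeviceManagementConfiguration.ReadWrite.All' -NoWelcome

$GroupId = '00000000-0000-0000-0000-000000000000'   # placeholder: object ID of the target device group
$Prefix  = 'ShortPrefix-'                           # placeholder: name prefix for the managed account
$LapsUri = './Device/Vendor/MSFT/LAPS/Policies/'

# Local account names are capped at 20 characters and the random suffix needs room.
if ($Prefix.Length -ge 20) { throw "Prefix '$Prefix' leaves no room for the random suffix" }

# Each OMA-URI must be wrapped in the omaSetting type that matches its value type,
# otherwise Graph rejects the request.
function New-OmaSetting {
    param([string]$Name, $Value)
    $type = switch ($Value.GetType().Name) {
        'Boolean' { '#microsoft.graph.omaSettingBoolean' }
        'Int32'   { '#microsoft.graph.omaSettingInteger' }
        default   { '#microsoft.graph.omaSettingString' }
    }
    @{ '@odata.type' = $type; displayName = $Name; omaUri = "$LapsUri$Name"; value = $Value }
}

$policy = @{
    '@odata.type' = '#microsoft.graph.windows10CustomConfiguration'
    displayName   = 'Windows LAPS - automatic account management'      # placeholder
    description   = 'Creates and manages a randomized local admin account via Windows LAPS'
    omaSettings   = @(
        (New-OmaSetting 'AutomaticAccountManagementEnabled'       $true)
        (New-OmaSetting 'AutomaticAccountManagementTarget'        1)       # 1 = new custom account, 0 = built-in Administrator
        (New-OmaSetting 'AutomaticAccountManagementNameOrPrefix'  $Prefix)
        (New-OmaSetting 'AutomaticAccountManagementRandomizeName' $true)
        (New-OmaSetting 'AutomaticAccountManagementEnableAccount' $true)   # False would leave the account disabled
        (New-OmaSetting 'PasswordComplexity'                      4)       # upper, lower, digits, special (the default)
    )
}

$created = Invoke-MgGraphRequest -Method POST `
    -Uri 'https://graph.microsoft.com/beta/deviceManagement/deviceConfigurations' `
    -Body ($policy | ConvertTo-Json -Depth 10) -ContentType 'application/json'
"Created profile $($created.displayName) ($($created.id))"

# Assign it to the device group (the equivalent of the wizard's Assignments page).
$assignment = @{
    assignments = @(
        @{ target = @{ '@odata.type' = '#microsoft.graph.groupAssignmentTarget'; groupId = $GroupId } }
    )
}
Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/beta/deviceManagement/deviceConfigurations/$($created.id)/assign" `
    -Body ($assignment | ConvertTo-Json -Depth 10) -ContentType 'application/json'
```

Running it twice creates a second profile with the same name, so check for an existing one (GET on the same endpoint with a `$filter` on `displayName`) before re-running in a shared tenant. The length guard on the prefix is deliberate: a prefix that consumes the whole 20-character account name leaves nothing for the random suffix.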
Impact to the end device
When the device next syncs with Intune, the CSP settings are applied and the corresponding registry values are written. This does NOT require a reboot; it is seamless.
The account is then created, enabled for use (because AutomaticAccountManagementEnableAccount is True) and added to the local Administrators group, with the description: This account is currently being automatically managed by your corporate administrator.
Obtain the Windows LAPS username and password from Intune
To obtain the username and password from Microsoft Intune, use the Intune portal the same way as before:
1. Select Devices > All devices, then click on your device.
2. Under Monitor, select Local admin password, then Show local administrator password and Show.
Because the account name is randomized, take the username from this page as well as the password; the name shown is the one currently on the device.
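The portal steps above have a command-line equivalent in the Windows LAPS PowerShell module, which reads the same credential that Intune displays. The following is an added example for this post, not code from the original article or from Microsoft. It assumes the `Microsoft.Graph.Authentication` module is installed and that the built-in `LAPS` module is available; `$DeviceName` and `$Prefix` are placeholders for your device and the prefix configured in the policy.

```powershell
# Added example (not from the original post): retrieve the managed account's current
# name and password from Entra ID and sanity-check them against the policy.
Import-Module LAPS
Import-Module Microsoft.Graph.Authentication
Connect-MgGraph -Scopes 'Device.Read.All', 'DeviceLocalCredential.Read.All' -NoWelcome

$DeviceName = 'DESKTOP-LAB01'   # placeholder: Entra device name
$Prefix     = 'ShortPrefix-'    # placeholder: must match AutomaticAccountManagementNameOrPrefix

# -IncludePasswords requires DeviceLocalCredential.Read.All; without that scope only
# the account name and timestamps come back. The read is logged in the Entra audit log.
$cred = Get-LapsAADPassword -DeviceIds $DeviceName -IncludePasswords -AsPlainText

if (-not $cred) { throw "No LAPS credential stored for $DeviceName; has the device synced since the policy was assigned?" }

# The randomized name must still start with the configured prefix; anything else means
# the device is on an older policy or managing a different account.
if (-not $cred.Account.StartsWith($Prefix)) {
    Write-Warning "Account '$($cred.Account)' does not carry the expected prefix '$Prefix'"
}
if ($cred.PasswordExpirationTime -lt (Get-Date)) {
    Write-Warning 'Stored password is past its expiration; LAPS will rotate it on the next policy cycle.'
}

[pscustomobject]@{
    Device   = $cred.DeviceName
    Account  = $cred.Account
    Updated  = $cred.PasswordUpdateTime
    Expires  = $cred.PasswordExpirationTime
    Password = $cred.Password
}
```

Drop `-AsPlainText` if you are scripting around the value rather than reading it yourself; the `Password` property is then returned as a SecureString instead of a string that ends up in transcripts and history.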
What happens when you reset the automatic LAPS account?
When you reset the LAPS password for a device from Intune (or otherwise), both the LAPS account USERNAME and PASSWORD are changed, because name randomization is enabled in this policy. The SID of the account stays the same: the existing account is renamed, not deleted and recreated, so group memberships and ACL entries referencing the SID remain valid.
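The device-side behaviour described in the two sections above can be verified directly on the workstation. The following is an added example for this post, not code from the original article or from Microsoft: run in an elevated PowerShell on a device that has received the profile, it checks that the policy values reached the registry, forces a LAPS policy cycle, finds the managed account and confirms it is in Administrators, then resets the password to show the name changing while the SID stays the same. The registry path and the description text used to find the account are assumptions taken from this post and the Windows LAPS policy layout; `Reset-LapsPassword` rotates the real password, so read the new one back from Intune afterwards.

```powershell
# Added example (not from the original post): verify the LAPS automatic account on the
# device and demonstrate that a reset rotates the name but preserves the SID.
Import-Module LAPS

$policyKey = 'HKLM:\SOFTWARE\Microsoft\Policies\LAPS'   # assumption: where CSP/GPO LAPS policy values land
$expected  = @{
    AutomaticAccountManagementEnabled       = 1
    AutomaticAccountManagementTarget        = 1
    AutomaticAccountManagementRandomizeName = 1
    AutomaticAccountManagementEnableAccount = 1
}
$actual = Get-ItemProperty -Path $policyKey -ErrorAction Stop
foreach ($name in $expected.Keys) {
    if ($actual.$name -ne $expected[$name]) {
        Write-Warning "$name is '$($actual.$name)', expected $($expected[$name])"
    }
}
"Prefix: $($actual.AutomaticAccountManagementNameOrPrefix)  Complexity: $($actual.PasswordComplexity)"

Invoke-LapsPolicyProcessing   # apply now rather than waiting for the background cycle

function Get-LapsManagedAccount {
    # Assumption: the managed account is identified by the description Windows LAPS stamps on it.
    Get-LocalUser | Where-Object { $_.Description -like '*automatically managed by your corporate administrator*' }
}

$before = Get-LapsManagedAccount
if (-not $before) { throw 'No LAPS-managed account found; check Microsoft-Windows-LAPS/Operational for errors.' }
if (-not $before.Enabled) { Write-Warning "$($before.Name) exists but is disabled; is AutomaticAccountManagementEnableAccount set?" }

$adminSids = Get-LocalGroupMember -Group 'Administrators' | ForEach-Object { $_.SID.Value }
if ($adminSids -notcontains $before.SID.Value) { throw "$($before.Name) is not a member of Administrators" }
'Before reset: {0,-20} SID={1} Enabled={2}' -f $before.Name, $before.SID.Value, $before.Enabled

# Rotate now. This changes the real password; the new value is read back from Intune/Entra.
Reset-LapsPassword

# Look the account up by SID, not by name: with RandomizeName on, the name has just changed.
$after = Get-LocalUser | Where-Object { $_.SID.Value -eq $before.SID.Value }
'After reset:  {0,-20} SID={1}' -f $after.Name, $after.SID.Value
if ($after.Name -ne $before.Name) { 'Name rotated with the password (RandomizeName=True); SID unchanged.' }
else { 'Name unchanged: RandomizeName is off or the rename has not been applied yet.' }

# The last few LAPS events show whether policy processing and the password write succeeded.
Get-WinEvent -LogName 'Microsoft-Windows-LAPS/Operational' -MaxEvents 10 |
    Select-Object TimeCreated, Id, LevelDisplayName, Message | Format-Table -AutoSize -Wrap
```

Searching by SID in the second lookup is the point of the exercise: any automation that stores the managed account's name (a scheduled task, a script that adds it to a share ACL) breaks on the next rotation, whereas anything keyed on the SID keeps working.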
And what admin account name do you configure in the LAPS policy, just “ShortPrefix-”?
Yes, just configure a short prefix and let the rest be created automatically!
I would like to emphasize the fact that it's currently only available in the Windows 11 Insider Preview build. Hopefully it's coming for the production builds soon.
In the list you have this as Integer, but in the screenshot it is Boolean, which should it be?
Have tried applying these settings but they are failing to apply to my device; however, it's not on an Insider Preview build. Is that why, or is it because I have this setting as an Integer?
./Device/Vendor/MSFT/LAPS/Policies/AutomaticAccountManagementTarget
Type: Int
Hi Graham,
I had to correct this, the right answer is Int!
It will only apply for the insider preview build currently.
Kind regards
Dan