Topics covered in this article include:

- The role-based access control (RBAC) permissions your account needs to manage LAPS policy.
- Frequently asked questions that provide insight into configuring and using Intune LAPS policy.

Intune supports configuring Windows LAPS on devices through the Local admin password solution (Windows LAPS) (preview) profile, available under endpoint security policies for account protection. Intune policies manage LAPS by using the Windows LAPS configuration service provider (CSP). Windows LAPS CSP configurations take precedence over, and overwrite, any existing configurations from other LAPS sources, such as GPOs or the legacy Microsoft LAPS tool.

Windows LAPS manages a single local administrator account per device. Intune policy specifies which local admin account it applies to through the policy setting Administrator Account Name. If the account name specified in the policy isn't present on the device, no account is managed. When Administrator Account Name is left blank, the policy defaults to the device's built-in local admin account, which is identified by its well-known relative identifier (RID) rather than by its name.

Ensure the prerequisites for Intune to support Windows LAPS in your tenant are met before creating policies. Intune's LAPS policies do not create new accounts or passwords; they manage an account that already exists on the device.

Configure and assign LAPS policies carefully. The Windows LAPS CSP supports a single configuration for each LAPS setting on a device. Devices that receive multiple Intune policies with conflicting settings can fail to process policy, and conflicts can also prevent the backup of the managed local admin account and password to your tenant's directory. To reduce potential conflicts, assign a single LAPS policy to each device through device groups, not user groups. While LAPS policy supports user group assignments, they can cause the LAPS configuration to change each time a different user signs in to a device. Frequently changing policies can introduce conflicts, cause a lack of device compliance with requirements, and create confusion about which local admin account on a device is currently being managed.

Create a LAPS policy

Ensure that you have enabled LAPS in Azure AD, as covered in the Enabling Windows LAPS with Azure AD documentation.

To create or manage LAPS policy, your account must have the applicable rights from the Security baseline category. By default, these permissions are included in the built-in role Endpoint Security Manager. To use custom roles, ensure the custom role includes the rights from the Security baselines category. See Role based access controls for LAPS.

Before you create a policy, you can review details about the available settings in the Windows LAPS CSP documentation.

1. Sign in to the Microsoft Intune admin center and go to Endpoint security > Account protection, and then select Create Policy.
2. Set Platform to Windows 10 and later, set Profile to Local admin password solution (Windows LAPS) (preview), and then select Create.
3. On Basics, enter the following properties:
   - Name: Enter a descriptive name for the profile. Name profiles so you can easily identify them later.
   - Description: Enter a description for the profile.
4. On Configuration settings, configure a choice for Backup Directory to define the type of directory used to back up the local admin account. This setting is optional but recommended.
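The following PowerShell script is an added example, not code from the Microsoft Learn page or from Intune. Run it elevated on a managed device to see how the policy described above will resolve: which account is managed when Administrator Account Name is blank (resolved by RID 500, as the page notes) or when it names an account that does not exist (nothing is managed), and which policy source the device currently holds. The registry paths for each source and the BackupDirectory value meanings (0 = disabled, 1 = Azure AD, 2 = Windows Server AD) are assumptions taken from the Windows LAPS policy and CSP reference, not from this page; verify them against your build before relying on the output.

```powershell
# Added example (not from the page or from Intune). Shows how a device resolves
# the LAPS policy settings discussed above. Run elevated on the target device.
#
# Assumptions not stated on the page:
#  - registry paths for each policy source follow the Windows LAPS policy reference;
#  - BackupDirectory: 0 = Disabled, 1 = Azure AD, 2 = Windows Server AD (per the CSP docs);
#  - Windows LAPS uses the first source found in the order below and ignores the rest.
param(
    # Leave empty to mirror a policy whose Administrator Account Name is blank.
    [string]$AdministratorAccountName = ''
)

# 1. Resolve the built-in administrator the way the policy does when the name is
#    blank: by well-known RID 500, because the account may have been renamed.
$builtIn = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
if (-not $builtIn) { throw 'No local account with RID 500 found (domain controller?).' }

# 2. Determine which account the policy would manage and whether it exists.
if ([string]::IsNullOrWhiteSpace($AdministratorAccountName)) {
    $target = $builtIn
    $how    = 'name blank -> built-in account by RID 500'
} else {
    $target = Get-LocalUser -Name $AdministratorAccountName -ErrorAction SilentlyContinue
    $how    = "policy names '$AdministratorAccountName'"
}

if ($null -eq $target) {
    # This is the failure mode the page warns about: a name that is not present
    # on the device means Windows LAPS manages no account at all.
    Write-Warning "No local account named '$AdministratorAccountName'; LAPS will manage nothing on this device."
} else {
    'Managed account: {0} (SID {1}); enabled={2} [{3}]' -f $target.Name, $target.SID.Value, $target.Enabled, $how
}

# 3. List the policy sources in precedence order. CSP (Intune) first, so a
#    lingering GPO or legacy LAPS setting is overridden, not merged.
$sources = [ordered]@{
    'CSP (Intune)' = 'HKLM:\SOFTWARE\Microsoft\Policies\LAPS'
    'Group Policy' = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\LAPS'
    'Local config' = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\LAPS\Config'
    'Legacy LAPS'  = 'HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd'
}
$backupDirNames = @{ 0 = 'Disabled'; 1 = 'Azure AD'; 2 = 'Windows Server AD' }

$effective = $null
foreach ($entry in $sources.GetEnumerator()) {
    if (-not (Test-Path $entry.Value)) { continue }
    $props = Get-ItemProperty -Path $entry.Value
    $dir   = $props.BackupDirectory
    $label = if ($null -ne $dir -and $backupDirNames.ContainsKey([int]$dir)) { $backupDirNames[[int]$dir] } else { '(not set)' }
    '{0,-12} present: BackupDirectory={1}; AdministratorAccountName=''{2}''' -f $entry.Key, $label, $props.AdministratorAccountName
    if (-not $effective) { $effective = $entry.Key }
}
if ($effective) { "Effective policy source: $effective" } else { 'No Windows LAPS policy found on this device.' }
```

If the CSP key is present alongside an older GPO key, only the CSP values apply; removing the Intune assignment does not restore the GPO settings automatically, which is one reason the page recommends a single device-group assignment per device.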