This repository contains PowerShell scripts to create local administrator accounts on Windows devices managed through Microsoft Intune. I've used them for Local Administrator Password Solution (LAPS) with Azure Active Directory (now Microsoft Entra ID).
The Local Administrator Password Solution (LAPS) provides centralized storage and automatic management of local administrator passwords on Windows devices. When integrated with Microsoft Entra ID and Microsoft Intune, LAPS ensures that passwords are strong, unique, and periodically changed, adhering to organizational policies and compliance requirements.
- Fix_AdminAccountSetup.ps1: Script creates a local administrator account on a Windows device. It is intended to be used as a remediation script within Intune to ensure compliance with organizational policies.
- Detect_AdminAccountSetup.ps1: Script checks for the existence of the local administrator account and verifies its membership in the Administrators group. It is used to detect the current state of the device and report compliance.
- Devices must be Azure AD-joined and managed by Microsoft Intune.
- Appropriate permissions in Azure AD and Intune to create and assign policies.
To enable LAPS in Azure AD, follow these steps:
- Navigate to Azure Active Directory > Devices > Device settings.
- Under Local administrator settings (preview), select Yes for "Enable Azure AD Local Administrator Password Solution (LAPS)".
- Click Save.
For more detailed instructions, refer to the official documentation.
Intune supports the management of Windows LAPS through a configuration service provider (CSP). To set up LAPS policies in Intune:
- Create a configuration profile with the Windows LAPS CSP settings.
- Define password requirements such as complexity, length, and rotation schedule.
For a comprehensive guide, visit Implement LAPS with Intune - A Comprehensive Guide.
- In the Microsoft Endpoint Manager admin center, navigate to the "Devices" section.
- Under "Devices," go to "Remediations" (previously known as Proactive Remediations).
- Click on "Create script package" to start the process.
- For the detection script, upload Detect_AdminAccountSetup.ps1. It verifies that the custom admin account exists and is a member of the Administrators group.
- For the remediation script, upload Fix_AdminAccountSetup.ps1. It creates the user and adds it to the Administrators group.
- Assign the script package to the relevant group of devices.
- Schedule the detection and remediation scripts to run at the desired frequency. The detection script should be scheduled to run before the remediation script.
- Monitor the script execution and results in the "Remediations" section to ensure the custom admin account is set up correctly.
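As an added example (not one of the repository's scripts), this is a detection script of the kind described above. It assumes the managed account is named LocalAdmin (a placeholder) and relies on the Remediations convention that exit code 0 means compliant and exit code 1 makes Intune run the remediation script.

```powershell
# Added example detection script, not the repository's Detect_AdminAccountSetup.ps1.
# Assumption: the account name below is a placeholder; replace it with your own.
$AccountName = 'LocalAdmin'

try {
    # -ErrorAction Stop turns "user not found" into a catchable error instead of a warning.
    $user = Get-LocalUser -Name $AccountName -ErrorAction Stop
}
catch {
    Write-Output "Account '$AccountName' does not exist"
    exit 1   # non-compliant: Intune runs the remediation script
}

if (-not $user.Enabled) {
    Write-Output "Account '$AccountName' exists but is disabled"
    exit 1
}

# Resolve the Administrators group by its well-known SID (S-1-5-32-544) so the
# check works on devices with a localised group name.
$adminsGroup = Get-LocalGroup -SID 'S-1-5-32-544'

# Get-LocalGroupMember can fail on orphaned SIDs in the group; do not let that abort the check.
$members = Get-LocalGroupMember -Group $adminsGroup -ErrorAction SilentlyContinue

# Compare SIDs rather than display names, which Get-LocalGroupMember prefixes with the computer name.
$isMember = $members | Where-Object { $_.SID -eq $user.SID }

if (-not $isMember) {
    Write-Output "Account '$AccountName' exists but is not a member of $($adminsGroup.Name)"
    exit 1
}

Write-Output "Account '$AccountName' exists, is enabled and is a member of $($adminsGroup.Name)"
exit 0   # compliant: no remediation needed
```

The Write-Output text is what appears in the Remediations report as the pre-remediation detection output, so keep it specific enough to tell the three failure cases apart.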
For more detailed guidance, you can refer to the following resources:
- Remediations | Microsoft Learn
- Proactive Remediations 101 - Intune's hidden secret!
- How to Configure Proactive Remediations in Microsoft Intune
NOTE: The steps above are a general guide and may vary slightly based on the current Intune interface and features. Always refer to the latest documentation for the most accurate and up-to-date information.
Feedback and contributions are welcome. Please submit issues and pull requests to the repository as needed.
- Original concept and code snippets adapted from Nicolonsky Tech.
- LAPS documentation and guidance provided by Microsoft.