Hello everyone! In this post, let's learn how to install LAPS using Intune. This Intune application deployment guide covers deploying Microsoft LAPS by uploading an MSI in the Intune admin center.
From the April Patch Tuesday, Microsoft LAPS is part of the Windows operating system, and you no longer have to install the LAPS MSI. Local Administrator Password Solution (LAPS) provides management of local administrator account passwords for domain-joined computers. Passwords are randomized and stored in Active Directory (AD), protected by ACLs, so only eligible users can read them or request a reset.
LAPS simplifies password management and provides recommendations for preventing cyberattacks. Specifically, the solution reduces the risk of lateral escalation when customers use the same administrative local account and password on multiple computers.
Microsoft LAPS can be deployed using various methods. The solution is built on Active Directory infrastructure and does not require other supporting technologies. Domain administrators using the solution can determine which users, such as helpdesk administrators, are authorized to read passwords.
Microsoft is going to natively move LAPS into the operating system in future releases, so there will no longer be a need to install a separate MSI package. Moving into the operating system has a lot of advantages: it normalizes the patching capability through the Windows Update channel.
Assignment of LAPS Using Intune
Follow the steps below to upload the MSI file for deploying LAPS using Intune. To start with the Intune line-of-business app package creation, keep the downloaded LAPS.x64.msi setup installation file in the appropriate location.
One can easily download the 64-bit application directly from LAPS. There are multiple files available for this download. Once you click the “Download” button, you will be prompted to select the files you need and choose the MSI setup for the Windows 64-bit architecture.
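Before the MSI is uploaded as a line-of-business app, it is worth confirming that the downloaded file is the genuine Microsoft-signed installer and recording its hash for later comparison. The following PowerShell is an added example, not part of the original guide; the function name `Test-LapsInstaller` and the download path in the usage line are assumptions.

```powershell
# Added example: verify LAPS.x64.msi before uploading it to Intune.
# Test-LapsInstaller is a hypothetical helper name, not a built-in cmdlet.
function Test-LapsInstaller {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$Path
    )

    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        throw "Installer not found: $Path"
    }

    # Authenticode check: 'Valid' means the signature is intact and the
    # certificate chains to a root trusted by this machine.
    $sig  = Get-AuthenticodeSignature -LiteralPath $Path
    # SHA-256 of the exact file being uploaded, for change tracking.
    $hash = Get-FileHash -LiteralPath $Path -Algorithm SHA256

    $signer = ''
    if ($sig.SignerCertificate) {
        $signer = $sig.SignerCertificate.Subject
    }

    # Require both a valid signature and a Microsoft signer; a valid
    # signature from some other publisher is not acceptable here.
    $isMicrosoft = $signer -match 'O=Microsoft Corporation'
    $ok = ($sig.Status -eq 'Valid') -and $isMicrosoft

    [pscustomobject]@{
        Path            = (Resolve-Path -LiteralPath $Path).Path
        SHA256          = $hash.Hash
        SignatureStatus = $sig.Status
        Signer          = $signer
        OkToUpload      = $ok
    }
}

# Usage (assumed download location):
# Test-LapsInstaller -Path "$env:USERPROFILE\Downloads\LAPS.x64.msi"
```

Upload the file only when `OkToUpload` is `True`, and keep the reported SHA256 with the change record so the package stored in Intune can be matched to the file that was checked.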
- Sign in to the Microsoft Intune admin center https://endpoint.microsoft.com/
- Here you have two options to jump into the Application creation. Select Apps > All apps > Add, or you can navigate to Apps > Windows > Windows Apps.
In the Select app type pane, under the Other app types, select Line-of-business app and click Select.
Now, in the Add app pane, click Select app package file. Select the browse button, then select the downloaded application MSI file. Once you select the app file, the app details appear with Name, Platform, Size, and context. When you're finished, select OK on the App package file pane.
Enter the Name of the app (for example, LAPS) and a description of the app. Enter the Publisher name (Microsoft). Under Command-line arguments, optionally enter any command-line arguments you want to apply to the .msi file when it runs.
- App install context – Select App install context as Device. This specifies the install context to be associated with this app. For dual-mode apps, select the desired context for this app. For all other apps, this is pre-selected based on the package and cannot be modified.
- Ignore app version – Select Yes for apps that are automatically updated by the app developer (such as Google Chrome, Zoom).
Also, upload an icon for the app. When users browse the Company Portal, this icon is displayed with the app. In this section, you can provide additional information about the application and click Next.
Scope tags are filtering options provided in Intune to ease the admin jobs. In the scope tag section, you will get an option to configure scope tags for the application. Click on Next.
Under Assignments, in Included groups, click Add groups and then choose Select groups to include one or more groups to which you want to deploy LAPS. Click Next to continue.
During the application creation process, you will see the details you provided. You can add the app to Intune by reviewing your settings and selecting Create.
You will see the status "Uploading is in progress". How long it takes to complete depends on the speed of the internet connection and the size of the application.
We recommend waiting a while for the upload process to complete. You can check the progress by clicking on the Notifications icon. You will receive the status "Upload finished" once the package has been uploaded.
Monitor LAPS Deployment from Intune Portal
Where does Intune download applications before it installs them on a Windows device? To find out the Intune cache folder location, check more details in Cache Folder Windows 10 MDM Agent LOB Applications.
During the installation of an application, select the application, then select Monitor, where you can check the device and user check-in status. You can view additional details by clicking on the Device install status or User install status links.
End User Experience
Now, to check whether the application was assigned to the targeted device successfully, we need to log in to that machine, open the Company Portal, and check. As you can see in the image below, the application is shown there.
So the above picture clearly depicts that the LAPS application creation and assignment using Intune is successful. Also, LAPS is successfully installed on the machine to which we assigned it.
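The Company Portal shows assignment, but an administrator can also confirm on the endpoint itself whether the MSI-based LAPS client is present and whether the LAPS that ships with Windows is already available. The following PowerShell is an added example, not part of the original guide; the function name `Get-LapsInstallState` is hypothetical, and the product display name and file paths are assumed default install locations.

```powershell
# Added example: report which LAPS components exist on this device.
# Get-LapsInstallState is a hypothetical helper name, not a built-in cmdlet.
function Get-LapsInstallState {
    [CmdletBinding()]
    param()

    # MSI installs register under the Uninstall key; the display name
    # pattern below is an assumption about how the LAPS MSI registers.
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    $legacy = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like '*Local Administrator Password Solution*' } |
        Select-Object -First 1

    # Assumed default path of the client-side extension installed by the MSI.
    $csePath = Join-Path $env:ProgramFiles 'LAPS\CSE\AdmPwd.dll'
    # Assumed path of the LAPS component that ships with updated Windows builds.
    $builtInPath = Join-Path $env:windir 'System32\laps.dll'

    $legacyVersion = $null
    if ($legacy) {
        $legacyVersion = $legacy.DisplayVersion
    }

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        LegacyMsiInstalled = [bool]$legacy
        LegacyMsiVersion   = $legacyVersion
        LegacyCsePresent   = Test-Path -LiteralPath $csePath
        BuiltInLapsPresent = Test-Path -LiteralPath $builtInPath
    }
}

# Usage: run in an elevated or standard PowerShell session on the device.
# Get-LapsInstallState
```

A device that reports `BuiltInLapsPresent` as `True` already has LAPS in the operating system, which is the case the introduction describes where the separate MSI is no longer required.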
Abhinav Rana is working as an SCCM Admin. He loves to help the community by sharing his knowledge. He is a B.Tech graduate in Information Technology.