Sastu Insights

Create a custom LAPS user with an Intune Win32 App

21 Sep 2023

I was recently part of a discussion about creating a custom user to manage with Windows LAPS through Microsoft Intune without using Remediations, due to licensing constraints (Business Premium). The solution I came up with is what I want to show you here.

Problem

Windows LAPS is an easy way to manage the password of a single local Windows account, but it cannot create that account if it does not exist.

Remediations in Microsoft Intune are the perfect tool to create a user account if it does not exist, because they repeatedly check a device for a desired state and remediate it if that state is not present. I use them myself and published an Intune version of the script I used in Configuration Manager with Configuration Baselines to the EndpointAnalyticsRemediationScripts GitHub repo.

But the use of Remediations is limited to Enterprise customers, so how can non-Enterprise customers handle this?

Solution

The solution I came up with was to package new-LAPSUser.ps1 as a Win32 app and use detect-LAPSUser.ps1 as its detection method.

Sounds simple? Yes, but there are some caveats, such as the Intune Management Extension running scripts in the 32-bit PowerShell host.

What the scripts are doing

Both scripts check whether an AdministratorAccountName is set via the CSP, whether a Backup Directory is configured, and whether Windows LAPS is present on the system.

detect-LAPSUser.ps1 additionally checks whether a local account with the configured AdministratorAccountName is present.

new-LAPSUser.ps1 creates a local account named AdministratorAccountName with a random password.
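The checks just described, as an added example rather than the author's scripts: one file that runs the detection logic with -Mode Detect and the creation logic with -Mode Create (the -Mode switch and the precondition checks are my own choices, and the assumed registry value names and LAPS module are listed in the header comment).

```powershell
<#
  Added example, not the author's scripts. Assumptions: the LAPS CSP stores its policy
  under the key used by the requirement rule, HKLM\SOFTWARE\Microsoft\Policies\LAPS, in
  the values AdministratorAccountName and BackupDirectory (0 = backup disabled); the
  built-in 'LAPS' PowerShell module is taken as the sign that Windows LAPS is present.
#>
param([ValidateSet('Detect', 'Create')][string]$Mode = 'Detect')

$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Policies\LAPS'

function Get-LapsPolicy {
    # Returns the policy object only if every precondition both scripts need is met.
    if (-not (Test-Path -Path $PolicyKey)) { return $null }
    $policy = Get-ItemProperty -Path $PolicyKey
    if ([string]::IsNullOrWhiteSpace($policy.AdministratorAccountName)) { return $null }
    if (-not $policy.BackupDirectory) { return $null }      # missing or 0: no backup target
    if (-not (Get-Module -ListAvailable -Name LAPS)) { return $null }
    return $policy
}

function New-RandomPassword {
    param([int]$Length = 32)
    # 64-character alphabet so 'byte -band 63' is uniform (no modulo bias); CSPRNG-backed.
    # The password is never stored: LAPS rotates it as soon as it manages the account.
    $chars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@'
    $bytes = New-Object byte[] $Length
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $plain = -join ($bytes | ForEach-Object { $chars[$_ -band 63] })
    return (ConvertTo-SecureString -String $plain -AsPlainText -Force)
}

$policy = Get-LapsPolicy
if ($null -eq $policy) { exit 1 }        # prerequisites missing: neither detect nor create
$name   = $policy.AdministratorAccountName
$exists = [bool](Get-LocalUser -Name $name -ErrorAction SilentlyContinue)

if ($Mode -eq 'Detect') {
    # Intune Win32 detection: output on STDOUT plus exit code 0 means "installed".
    if ($exists) { Write-Output "LAPS account '$name' present"; exit 0 }
    exit 1
}

if (-not $exists) {
    # Creation path: LAPS takes over the password once the account exists.
    New-LocalUser -Name $name -Password (New-RandomPassword) -Description 'Managed by Windows LAPS' `
        -PasswordNeverExpires -AccountNeverExpires | Out-Null
}
exit 0
```

Run it through the sysnative path shown in the install command so the 64-bit host is used; group membership of the new account is not set here because the post does not cover it.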

Package the script

  1. Put the new-LAPSUser.ps1 script in an empty folder.
  2. Download and run the Microsoft Win32 Content Prep Tool.
  3. Use the folder from step 1 as the source folder.
  4. The setup file is new-LAPSUser.ps1.
  5. Choose the path where the .intunewin file will be saved.

Create the application

  1. In Intune open Apps - Windows - Create new application and choose Windows app (Win32).
  2. Upload the .intunewin file created in the last step.
  3. Fill out at least Name, Description and Publisher and press Next.
  4. The install command uses the sysnative folder to run the script in the 64-bit PowerShell: c:\Windows\sysnative\WindowsPowerShell\v1.0\powershell.exe -noprofile -executionpolicy bypass -file .\new-LAPSUser.ps1
  5. Uninstall command: cmd /c exit 0 (an uninstall is currently not included).
  6. Allow available uninstall: No
  7. Install behavior: System
  8. Device restart behavior: No specific action
  9. Next
  10. OS architecture: 64-bit
  11. Minimum OS: Windows 10 20H2 (the oldest version supported by Windows LAPS)
  12. Add an additional requirement rule.
  13. Type: Registry
  14. Key path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Policies\LAPS
  15. Value name: AdministratorAccountName
  16. Registry key requirement: Value exists, then OK
  17. Next
  18. Choose Detection script and upload detect-LAPSUser.ps1 (a line with Write-Output was added to signal a successful detection).

Bring it all together

Now you only have to assign the application and a LAPS configuration containing an AdministratorAccountName to the devices, and a user with the configured name should be created for LAPS to take over.

The Flow

  1. The device checks in with Intune and recognizes the app deployment.
  2. The Intune Management Extension runs the detection script to check whether the application is installed. It therefore checks whether a user account is necessary and whether it is already present.
  3. If the user is configured but does not exist, the requirement rule (AdministratorAccountName is configured by the Intune LAPS profile) is checked. If the requirements are met, the installation starts and creates the account.
  4. The detection script runs again, discovers the user, and therefore reports the application as installed.
  5. If the AdministratorAccountName is changed, the application re-evaluation detects the app as not installed, retries the installation, and thereby creates a new local account with the new name.