The Local Administrator Password Solution (LAPS) is a Microsoft tool for managing local account passwords on Windows servers and clients. For more information please read our LAPS series.
When working with LAPS, it is important to know whether it is actually working and applying the password changes. Note that LAPS only logs failures to the local event log.
Things we need to monitor:
- Installation of the LAPS client-side extension .MSI
- Applying the Group Policy settings
- Changing the local account's password within the timeframe configured
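
The three checks above can also be expressed as one PowerShell discovery script for a compliance setting. This is an added example, not the script from this article. It assumes the default LAPS install path, the legacy LAPS policy registry key, a 30-day maximum age when the policy does not set one, and a one-day grace period; the variable names and messages are illustrative.

```powershell
# Added example: LAPS health discovery script (returns 'Compliant' or the failed checks).
# Assumptions: default install path, legacy LAPS policy key, 30-day default age, 1-day grace.
$failures = @()

# 1. Client-side extension: the MSI places AdmPwd.dll under Program Files by default.
$cseDll = Join-Path $env:ProgramFiles 'LAPS\CSE\AdmPwd.dll'
if (-not (Test-Path -LiteralPath $cseDll)) { $failures += 'CSE not installed' }

# 2. Group Policy: the GPO writes its settings to this key.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd'
$policy = Get-ItemProperty -LiteralPath $policyKey -ErrorAction SilentlyContinue
if ($null -eq $policy -or $policy.AdmPwdEnabled -ne 1) {
    $failures += 'LAPS policy not applied or not enabled'
}

# 3. Password age: compare the last change with the configured maximum age.
$maxAgeDays = 30   # assumed default when PasswordAgeDays is not configured
$graceDays  = 1    # assumed allowance; the change happens at a policy refresh
if ($policy -and $policy.PasswordAgeDays) { $maxAgeDays = [int]$policy.PasswordAgeDays }

if ($policy -and $policy.AdminAccountName) {
    # The GPO names a custom managed account.
    $account = Get-LocalUser -Name $policy.AdminAccountName -ErrorAction SilentlyContinue
} else {
    # Otherwise LAPS manages the built-in Administrator (RID 500).
    $account = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
}

if ($null -eq $account) {
    $failures += 'Managed account not found'
} elseif ($null -eq $account.PasswordLastSet) {
    $failures += 'Password has never been set'
} else {
    $ageDays = (New-TimeSpan -Start $account.PasswordLastSet -End (Get-Date)).TotalDays
    if ($ageDays -gt ($maxAgeDays + $graceDays)) {
        $failures += ('Password is {0:N0} days old (maximum {1})' -f $ageDays, $maxAgeDays)
    }
}

# Configuration Manager evaluates the single string written to the pipeline.
if ($failures.Count -eq 0) { 'Compliant' } else { $failures -join '; ' }
```

A compliance rule for this setting would compare the returned string with `Compliant`; any other value names the checks that failed.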
Creating a configuration item to check LAPS health
We start with creating a new configuration item in the Configuration Manager console and call it "LAPS Health." You also have to select the options highlighted below.
In the next dialog, we choose how to detect whether LAPS is in fact installed. Browse to the .MSI file and import the product code. (I only have x64 OSes in my environment. If your network has 32-bit Windows systems, you need one of the other two options. This is because the Windows Installer product code is not the same for the x86 and x64 clients.)
Now that we know the application is installed, we can add the settings we want to evaluate. We will work with a registry check and a PowerShell script. First, we will evaluate the existence of the registry keys that the Group Policy Object (GPO) wrote. In the dialog window, click New.
Give the setting a name, and then select Browse. You don't need to fill in any more information, as the tool will add it when you browse to a computer with the Group Policy applied.