This post explains how to verify whether LAPS is installed and working properly using configuration items and baselines in Configuration Manager. If LAPS cannot change the password, or if it is uninstalled, alerts will appear in the Configuration Manager console.

The Local Administrator Password Solution (LAPS) is a Microsoft tool for managing local account passwords on Windows servers and clients. For more information, please read our LAPS series.

When working with LAPS, it is important to know whether it is actually working and really applying the password changes. Note that LAPS only logs failures to the local event log.

Things we need to monitor:

  • Installation of the LAPS client-side extension .MSI
  • Applying the Group Policy settings
  • Changing the local account's password within the timeframe configured
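The three checks in the list above, as an added example (not from the original post) that can be run by hand on a single client. It assumes the legacy LAPS client's policy key and value names (`AdmPwdEnabled`, `PasswordAgeDays`, `AdminAccountName`), its MSI display name, a 30-day default password age, and `Get-LocalUser` from Windows PowerShell 5.1; `Test-LapsHealth` and `$GraceDays` are hypothetical names.

```powershell
# Added example: local health check for the legacy LAPS client (AdmPwd CSE).
# Assumptions: registry paths, value names and the MSI display name below are
# those of the legacy Microsoft LAPS client; the 1-day grace period is arbitrary.
function Test-LapsHealth {
    param([int]$GraceDays = 1)

    $findings = @()

    # 1. Is the client-side extension MSI installed? Read the Uninstall key
    #    instead of Win32_Product, which triggers an MSI consistency check.
    $uninstall = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
    $installed = Get-ItemProperty -Path $uninstall -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like '*Local Administrator Password Solution*' }
    if (-not $installed) { $findings += 'LAPS MSI not installed' }

    # 2. Has the GPO written its settings to the policy key?
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd'
    $policy = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
    if (-not $policy -or $policy.AdmPwdEnabled -ne 1) {
        $findings += 'LAPS policy missing or not enabled'
    }

    # 3. Was the managed account's password changed within the configured age?
    $maxAge = 30   # assumed default when PasswordAgeDays is not configured
    if ($policy -and $policy.PasswordAgeDays) { $maxAge = [int]$policy.PasswordAgeDays }
    if ($policy -and $policy.AdminAccountName) {
        $account = Get-LocalUser -Name $policy.AdminAccountName -ErrorAction SilentlyContinue
    } else {
        # No custom account configured: fall back to the built-in Administrator (RID 500).
        $account = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
    }
    if (-not $account) {
        $findings += 'Managed local account not found'
    } elseif (-not $account.PasswordLastSet -or
              $account.PasswordLastSet -lt (Get-Date).AddDays(-($maxAge + $GraceDays))) {
        $findings += "Password older than $maxAge days"
    }

    # A single string result is easy to compare in a compliance rule.
    if ($findings.Count -eq 0) { 'Compliant' } else { 'NonCompliant: ' + ($findings -join '; ') }
}

Test-LapsHealth
```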

Creating a configuration item to check LAPS health

We start with creating a new configuration item in the Configuration Manager console and call it "LAPS Health." You also have to select the options highlighted below.

New configuration item

In the next dialog, we choose how to detect whether LAPS is in fact installed. Browse to the .MSI file and import the product code. (I only have x64 OSes in my environment. If your network has 32-bit Windows systems, you need one of the other two options. This is because the Windows Installer product code is not the same for the x86 and x64 clients.)

LAPS detection

Now that we know the application is installed, we can add the settings we want to evaluate. We will work with a registry check and a PowerShell script. First, we will evaluate the existence of the registry keys that the Group Policy Object (GPO) wrote. In the dialog window, click New.

Checking if GPO settings are present

Give the setting a name, and then select Browse. You don't need to fill in any more information, as the tool will add it when you browse to a computer with the Group Policy applied.