Windows LAPS user via Remediations

This blog is about creating the Windows LAPS user via (Proactive) Remediations. The user that you want to manage via Windows LAPS is not created automatically: the LAPS policy only manages the password of an account that already exists on the device. This blog and the accompanying scripts help you create that account.

Prerequisites

You have already configured the Windows LAPS policy. This is an example by Joost Gelijsteen.

Proper licensing

The scripts

The remediation consists of two scripts: the detection script and the remediation script. I assume that you are familiar with the Remediations concept. If you aren't, please check this blog I wrote:

The detection script checks whether the Windows LAPS user is already present, and the remediation script creates the user and adds it to the local Administrators group.

This is the detect script:

Start-Transcript -Path "$env:ProgramData\Microsoft\IntuneManagementExtension\Logs\LAPSLocalAdmin_Detect.log" -Append

# Name of the local account that the Windows LAPS policy manages (AdministratorAccountName)
$LAPSAdmin = "Username"

# Enumerate local accounts only; querying domain accounts as well is slow on domain-joined devices
$Query = Get-WmiObject -Class Win32_UserAccount -Filter "LocalAccount=True"

If ($Query.Name -notcontains $LAPSAdmin) {
    Write-Output "User: $LAPSAdmin does not exist on the device"
    Stop-Transcript
    # Exit code 1 = issue detected, Intune runs the remediation script
    Exit 1
}
Else {
    Write-Output "User $LAPSAdmin exists on the device"
    Stop-Transcript
    # Exit code 0 = compliant, no remediation needed
    Exit 0
}

This is the remediation script:

Start-Transcript -Path "$env:ProgramData\Microsoft\IntuneManagementExtension\Logs\LAPSLocalAdmin_Remediate.log" -Append

# Name of the local account that the Windows LAPS policy manages (AdministratorAccountName)
$LAPSAdmin = "Username"

$Query = Get-WmiObject -Class Win32_UserAccount -Filter "LocalAccount=True"

If ($Query.Name -notcontains $LAPSAdmin) {

    Write-Output "User: $LAPSAdmin does not exist on the device, creating user"

    try {
        # Define the length of the password
        $length = 14

        # Define the characters to be used in the password
        $characters = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*()_+=-"

        # Create a random initial password. It is never stored or logged;
        # Windows LAPS rotates it as soon as it starts managing the account.
        $password = ""
        for ($i = 1; $i -le $length; $i++) {
            $randomIndex = Get-Random -Minimum 0 -Maximum $characters.Length
            $password += $characters[$randomIndex]
        }

        # net.exe does not throw on failure, so check its exit code explicitly
        net user $LAPSAdmin $password /add
        if ($LASTEXITCODE -ne 0) { throw "net user returned exit code $LASTEXITCODE" }
        Write-Output "Added Local User $LAPSAdmin"

        # Resolve the built-in Administrators group by its well-known SID,
        # so the script also works on non-English systems
        $Group = Get-WmiObject -Query "Select * From Win32_Group Where LocalAccount = TRUE And SID = 'S-1-5-32-544'"
        $GroupName = $Group.Name

        net localgroup $GroupName $LAPSAdmin /add
        if ($LASTEXITCODE -ne 0) { throw "net localgroup returned exit code $LASTEXITCODE" }
        Write-Output "Added Local User $LAPSAdmin to Administrators"
        Stop-Transcript
        Exit 0
    }
    catch {
        Write-Error "Couldn't create user: $_"
        Stop-Transcript
        Exit 1
    }

}
Else {
    Write-Output "User $LAPSAdmin exists on the device"
    Stop-Transcript
    Exit 0
}

I used the net.exe commands to create the user and add it to the local Administrators group because the LocalAccounts module wasn't available in the system context when running it via Remediations.
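The detection script above only checks that the account exists. As an added example (not part of the original post or its GitHub scripts), this extended detection script also verifies that the account is enabled, is a member of the built-in Administrators group (resolved by SID, so it is language-independent), and matches the account name in the Windows LAPS policy. It assumes the Intune-delivered LAPS policy is stored under HKLM\SOFTWARE\Microsoft\Policies\LAPS; "Username" is a placeholder.

```powershell
# Added example, not from the original post. Exit 1 (non-compliant) when the
# LAPS account is missing, disabled, not a local admin, or not the policy's account.
Start-Transcript -Path "$env:ProgramData\Microsoft\IntuneManagementExtension\Logs\LAPSLocalAdmin_DetectExtended.log" -Append

$LAPSAdmin = "Username"   # placeholder: must match AdministratorAccountName in the LAPS policy

function Get-LapsPolicyAccountName {
    # Assumption: the Windows LAPS CSP policy from Intune lands under this registry key
    $key = "HKLM:\SOFTWARE\Microsoft\Policies\LAPS"
    if (Test-Path $key) {
        return (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).AdministratorAccountName
    }
    return $null
}

function Test-LapsAccountState {
    param([string]$Name)
    # Local account only; WQL filter avoids enumerating domain accounts
    $account = Get-WmiObject -Class Win32_UserAccount -Filter "LocalAccount=True AND Name='$Name'"
    # Resolve Administrators by its well-known SID so localized group names do not matter
    $adminGroup = Get-WmiObject -Query "Select * From Win32_Group Where LocalAccount = TRUE And SID = 'S-1-5-32-544'"
    # ADSI works in the SYSTEM context where the LocalAccounts module may not be available
    $members = @(([ADSI]"WinNT://./$($adminGroup.Name),group").Invoke("Members") |
        ForEach-Object { $_.GetType().InvokeMember("Name", "GetProperty", $null, $_, $null) })
    $policyName = Get-LapsPolicyAccountName
    [pscustomobject]@{
        Exists        = [bool]$account
        Enabled       = ($null -ne $account) -and (-not $account.Disabled)
        IsLocalAdmin  = $members -contains $Name
        # If the policy has not arrived yet there is nothing to compare against, so do not block on it
        MatchesPolicy = ($null -eq $policyName) -or ($policyName -eq $Name)
    }
}

$state = Test-LapsAccountState -Name $LAPSAdmin
Write-Output ($state | Format-List | Out-String)
Stop-Transcript

if ($state.Exists -and $state.Enabled -and $state.IsLocalAdmin -and $state.MatchesPolicy) {
    Exit 0
}
Exit 1
```

Pairing this with the remediation script from the post means a user that exists but was removed from Administrators is reported as an issue, although that remediation script only handles the missing-user case.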

Furthermore, both scripts are also available on GitHub. This is the link for the detection script and this is the link for the remediation script.

Creating the Remediation

Log on to the Intune portal and go to Devices. After that, go to Remediations:

Click on Create script package > enter a name > select the detection and the remediation scripts > assign the configuration and deploy the policy.

After that, this is the result of the remediation:

The "Issue fixed" status appears when the user was not present and has been created by the remediation script. The "Without issues" status means that the user was already present.

Furthermore, log files are also created on the device. You find these in the folder: C:\ProgramData\Microsoft\IntuneManagementExtension\Logs\

(The screenshot contains the logs from collect diagnostics)

The logs contain the following:

And that’s how you create the Windows LAPS user via Remediations.

2 thoughts on “Windows LAPS user via Remediations”

  1. Hey Niels,
    thanks for your HowTo.
    I have found that this will only work on an English system. For internationalization I would add the following to the Remediation Script.
    $Group = Get-WmiObject -Query "Select * From Win32_Group Where LocalAccount = TRUE And SID = 'S-1-5-32-544'"
    $GroupName = $Group.Name
    In this case we use the SID of the local admin group instead of the identifier.
    The next change will be here:
    net localgroup $GroupName $LAPSAdmin /add
    Write-Output "Added Local User $LAPSAdmin to Administrators"
    Exit 0

    • Hi Timo,

      Thanks for your comment. I indeed only tested this on an English machine. Thanks, I will update the script.

      KR,
      Niels
