
Using automatic account management mode of Windows LAPS


This week is sort of a follow-up on a post of about a year ago about getting started with Windows LAPS. That post was focused on the basics of managing the password of the specified local administrator account. This time it’s all about recently introduced features that take that management to another level. An important part of those new features is the account management mode, which can be used for creating, configuring and managing the target account. Besides that, those new features also include an improved readability password dictionary, a new passphrase feature and a new image rollback detection feature. All of those features are focused on even better protecting those local administrator accounts. This post will focus on probably the most anticipated feature, the account management mode. It starts with the different account management modes and the corresponding configuration options, and ends with the steps to configure the account management of Windows LAPS and the experience with that configuration.

Important: At the moment of writing, account management is in Windows 11 Insider Preview Build 26040 and later.

Understanding the account management modes of Windows LAPS

With these latest updates to Windows LAPS, the IT administrator gets the options to choose between the different account management modes for configuring and managing the target account. Those management modes are:

  • Manual account management: The manual mode is the default mode. Within the manual mode, the IT administrator is responsible for all the configuration aspects of the targeted account. The IT administrator can choose between targeting the built-in Administrator account, or a custom account. When targeting a custom account, the IT administrator is responsible for creating that account before enabling Windows LAPS. In this mode, only the password of the targeted account is protected against tampering and all other configuration changes are allowed.
  • Automatic account management: The automatic mode is an optional mode. Within the automatic mode, Windows LAPS is responsible for all configuration aspects of the targeted account. That includes the creation and deletion of that account. In automatic mode the IT administrator can also choose between targeting the built-in Administrator account, or a custom account. When targeting a custom account, the IT administrator can specify basics around the name of that account and whether to enable or disable that account. That account will be automatically created as a member of the local Administrators group, will not require a password change at next logon, will have a password that eventually expires, and contains an account description. Besides that, it integrates directly with other local account management policies for local groups, to make sure that the account and its permissions cannot be changed. On top of that, all configurations of the targeted account are protected against tampering.

Configuring automatic account management of Windows LAPS

After being familiar with the different account management options for Windows LAPS, it becomes important to be familiar with the newly introduced configuration options related to the automatic account management. These new settings are available within the LAPS CSP in Windows 11 (currently Windows 11 Insider Preview Build 26040 and later). As manual account management is the default behavior, all of the new LAPS CSP settings relate to the automatic account management. The overview below lists those new settings and the required configuration values.

  • AutomaticAccountManagementEnableAccount – This setting can be used to configure whether the automatically managed account is enabled or disabled. The value is a boolean (e.g. True).
  • AutomaticAccountManagementEnabled – This setting can be used to specify whether automatic account management is enabled and is a prerequisite for using the other automatic account management settings. The value is a boolean (e.g. True).
  • AutomaticAccountManagementNameOrPrefix – This setting can be used to configure the name or prefix of the managed local administrator account. The value is a string (e.g. PT).
  • AutomaticAccountManagementRandomizeName – This setting can be used to configure whether the name of the automatically managed account uses a random numeric suffix each time the password is rotated. The value is a boolean (e.g. True).
  • AutomaticAccountManagementTarget – This setting can be used to configure which account is automatically managed. The value is an integer and the available values are 0 and 1 (0 equals the built-in Administrator account and 1 equals creation of a new account).

After being familiar with the available configuration options for the automatic account management of Windows LAPS, it’s time for using that within a configuration profile in Microsoft Intune. As the configuration is not yet directly available in Microsoft Intune, it’s possible to use a custom configuration profile. The following nine steps walk through applying the automatic account management mode configuration by using the configuration node of the LAPS CSP.

  1. Open the Microsoft Intune admin center and navigate to Devices > Windows > Configuration profiles
  2. On the Windows | Configuration profiles blade, click Create > New policy to open the Create a profile page
  3. On the Create a profile page, provide the following information and click Create
     • Platform: Select Windows 10 and later as value
     • Profile type: Select Templates as value
     • Template name: Select Custom as value
  4. On the Basics page, provide a unique Name to distinguish the profile from other custom profiles and click Next
  5. On the Configuration settings page, as shown below in Figure 1, click Add to add rows for the following custom settings and click Next
     • OMA-URI setting (1) – This setting is used to enable automatic account management mode
       • Name: Provide a name for the OMA-URI setting to distinguish it from other similar settings
       • Description: (Optional) Provide a description for the OMA-URI setting to further differentiate settings
       • OMA-URI: Specify ./Device/Vendor/MSFT/LAPS/Policies/AutomaticAccountManagementEnabled
       • Data type: Select Boolean as value
       • Value: Select True as value
     • OMA-URI setting (2) – This setting is used to enable the automatically managed account
       • Name: Provide a name for the OMA-URI setting to distinguish it from other similar settings
       • Description: (Optional) Provide a description for the OMA-URI setting to further differentiate settings
       • OMA-URI: Specify ./Device/Vendor/MSFT/LAPS/Policies/AutomaticAccountManagementEnableAccount
       • Data type: Select Boolean as value
       • Value: Select True as value
     • OMA-URI setting (3) – This setting is used to configure a prefix for the automatically managed account
       • Name: Provide a name for the OMA-URI setting to distinguish it from other similar settings
       • Description: (Optional) Provide a description for the OMA-URI setting to further differentiate settings
       • OMA-URI: Specify ./Device/Vendor/MSFT/LAPS/Policies/AutomaticAccountManagementNameOrPrefix
       • Data type: Select String as value
       • Value: Specify the required prefix as value
     • OMA-URI setting (4) – This setting is used to enable a randomized name for the automatically managed account
       • Name: Provide a name for the OMA-URI setting to distinguish it from other similar settings
       • Description: (Optional) Provide a description for the OMA-URI setting to further differentiate settings
       • OMA-URI: Specify ./Device/Vendor/MSFT/LAPS/Policies/AutomaticAccountManagementRandomizeName
       • Data type: Select Boolean as value
       • Value: Select True as value
     • OMA-URI setting (5) – This setting is used to select the target of automatic account management mode
       • Name: Provide a name for the OMA-URI setting to distinguish it from other similar settings
       • Description: (Optional) Provide a description for the OMA-URI setting to further differentiate settings
       • OMA-URI: Specify ./Device/Vendor/MSFT/LAPS/Policies/AutomaticAccountManagementTarget
       • Data type: Select Integer as value
       • Value: Specify the required target as value
  6. On the Scope tags page, configure the applicable scopes and click Next
  7. On the Assignments page, configure the assignment and click Next
  8. On the Applicability rules page, configure the applicability rules and click Next
  9. On the Review + create page, verify the configuration and click Create

Note: At some point in time these settings will become directly available in Microsoft Intune.

Experiencing automatic account management of Windows LAPS

After applying the automatic account management mode for Windows LAPS, it’s interesting to see what the behavior is on Windows 11 devices. The best place to first verify the applied configuration is Event ID 10022 in the Microsoft-Windows-LAPS/Operational log in the Event Viewer. That event provides an overview of the applied configuration details. Next, look at Local Users and Groups in Computer Management and verify that the automatically managed account is available and conforms to the specified configuration. Figure 2 below is a clear example. A custom admin account is targeted. That account is created with a randomized name with a specific prefix, and is enabled. Besides that, a password change is not required at next logon, the password will eventually expire, and the account contains an account description. Even better, every change to that managed account will be prevented. When a user does try to make changes to that account, the following message is shown: “The account is controlled by external policy and cannot be modified”.
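The same three checks (received policy, Event ID 10022, and the resulting local account) can be scripted for a fleet rather than clicked through per device. This is an added verification script, not code from the original post; it assumes the prefix deployed via AutomaticAccountManagementNameOrPrefix was PT, and it assumes that CSP-applied Windows LAPS policy values land under HKLM:\SOFTWARE\Microsoft\Policies\LAPS.

```powershell
# Added example: verify automatic account management on a device after the Intune profile applied.
# Run in an elevated PowerShell session on the Windows 11 device.
param([string]$Prefix = 'PT')  # assumed value of AutomaticAccountManagementNameOrPrefix

# 1. Policy values as received by the LAPS CSP (assumed registry location for CSP-applied policy).
$policyKey = 'HKLM:\SOFTWARE\Microsoft\Policies\LAPS'
$settings  = 'AutomaticAccountManagementEnabled', 'AutomaticAccountManagementEnableAccount',
             'AutomaticAccountManagementNameOrPrefix', 'AutomaticAccountManagementRandomizeName',
             'AutomaticAccountManagementTarget'
if (Test-Path $policyKey) {
    $policy = Get-ItemProperty -Path $policyKey
    foreach ($name in $settings) {
        $value = $policy.PSObject.Properties[$name].Value
        '{0,-42} {1}' -f $name, $(if ($null -eq $value) { '<not set>' } else { $value })
    }
} else {
    "Policy key $policyKey not present; the profile has not applied yet."
}

# 2. Event ID 10022 in Microsoft-Windows-LAPS/Operational summarises the applied configuration.
$applied = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-LAPS/Operational'; Id = 10022 } `
                        -MaxEvents 1 -ErrorAction SilentlyContinue
if ($applied) { "Last Event ID 10022 at $($applied.TimeCreated):`n$($applied.Message)" }
else          { 'No Event ID 10022 logged yet; LAPS policy processing has not run.' }

# 3. The managed account: a local user in Administrators whose name is the prefix plus an optional
#    numeric suffix (randomized name), enabled, with a password that expires and a description set.
$pattern    = "^$([regex]::Escape($Prefix))\d*$"
$candidates = Get-LocalGroupMember -Group 'Administrators' |
              Where-Object { $_.ObjectClass -eq 'User' -and (($_.Name -split '\\')[-1]) -match $pattern }
foreach ($member in $candidates) {
    $user = Get-LocalUser -Name (($member.Name -split '\\')[-1])
    [pscustomobject]@{
        Name            = $user.Name
        Enabled         = $user.Enabled
        PasswordExpires = $user.PasswordExpires   # $null would mean the password never expires
        PasswordLastSet = $user.PasswordLastSet
        Description     = $user.Description
    }
}
if (-not $candidates) { "No member of local Administrators matches prefix '$Prefix'." }
```

A PasswordExpires of $null, a disabled account or a missing description indicates the account was not created by automatic account management and should be investigated.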

More information

For more information about Windows LAPS and the account management options, refer to the following docs.