Controlling local admin with LAPS and Intune

I recently suggested that Compliance policies were the place to start with Intune device management.

Start with Intune policies

From there, I would suggest that configuring the Local Administrator Password Solution (LAPS) policy is a good follow-on option. This will automatically rotate the password for the Windows local device administrator account.

image

In the Intune console select Endpoint Security and then Account protection. Create a new policy for Windows 10 and later and select Local admin password solution (Windows LAPS) as shown above.

Give the policy a meaningful name and description.

image

Make the appropriate settings as shown above. You want to ensure that the Backup directory is set to Backup the password to Azure AD only.

Assign the policy and save it.

image

Once the policy has been assigned to the device, a random password meeting the specifications set in the policy will be applied, and a copy will be saved into the device details in the location shown above within Intune.

In general it is best practice to have no other local admin accounts on devices except the default one provided by Windows that cannot be removed. Per the FAQs, LAPS supports only one account on a device. You can specify that account but it is best practice to not specify a name on the policy configuration and allow Intune to manage the default built-in administrator account.

image

Once the LAPS policy has been applied you will see the following for the Windows devices as shown above.

image

Selecting the Show local administrator password hyperlink will display a blade with the above information. Selecting the Show button here will display the current password and allow you to take a copy.

Best practice is to take control of the default local admin account using the LAPS policy deployed via Intune as shown. The next step would then be to eliminate any other local admin accounts from the devices, so the only one left is the default, which has its password rotated regularly thanks to LAPS.
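To confirm from the device side that the policy above has landed, here is an added PowerShell check that is not part of the original post. It reads the LAPS policy values the Intune CSP writes to the device, checks the Azure AD backup setting and the built-in administrator account, lists any other enabled local accounts, and shows recent LAPS events; it assumes Windows LAPS is present (Windows 10/11 with the April 2023 update or later) and an elevated session.

```powershell
# Added example, not from the original post: verify on a Windows device that the Intune
# LAPS policy has applied, that the password is backed up to Azure AD only, and that no
# other local accounts remain. Assumes Windows LAPS is present and an elevated session.

$policyKey = 'HKLM:\SOFTWARE\Microsoft\Policies\LAPS'   # where CSP/GPO LAPS policy lands on the device

if (-not (Test-Path $policyKey)) {
    Write-Warning "No LAPS policy at $policyKey - the Intune policy has not applied to this device yet."
    return
}
$policy = Get-ItemProperty -Path $policyKey

# BackupDirectory: 0 = disabled, 1 = Azure AD, 2 = Active Directory. The post wants 1.
switch ($policy.BackupDirectory) {
    1       { 'BackupDirectory = 1 (Azure AD only): matches the recommended setting.' }
    2       { Write-Warning 'BackupDirectory = 2 (Active Directory): the post recommends Azure AD only.' }
    default { Write-Warning "BackupDirectory = $($policy.BackupDirectory): password backup is disabled." }
}

# Remaining rotation settings, for the record
$policy | Select-Object PasswordAgeDays, PasswordLength, PasswordComplexity, AdministratorAccountName |
    Format-List

# An unset AdministratorAccountName means LAPS manages the built-in administrator (RID 500),
# which is what the post recommends.
if ([string]::IsNullOrEmpty($policy.AdministratorAccountName)) {
    'AdministratorAccountName is not set: LAPS manages the built-in Administrator account.'
}

# Local accounts other than the built-in administrator; per the post these should be
# removed so the LAPS-managed account is the only one left.
$builtin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
"Built-in administrator: $($builtin.Name) (Enabled: $($builtin.Enabled), password last set: $($builtin.PasswordLastSet))"
$others = Get-LocalUser | Where-Object { $_.Enabled -and $_.SID.Value -ne $builtin.SID.Value }
if ($others) {
    Write-Warning "Other enabled local accounts to review: $($others.Name -join ', ')"
} else {
    'No other enabled local accounts.'
}

# Recent LAPS operational events show policy processing, rotation and the Azure AD backup result.
Get-WinEvent -LogName 'Microsoft-Windows-LAPS/Operational' -MaxEvents 10 |
    Select-Object TimeCreated, Id, LevelDisplayName, Message |
    Format-Table -Wrap
```

The PasswordLastSet value on the built-in account should move forward each time LAPS rotates the password, which is a quick way to confirm rotation is actually happening.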

Further information on LAPS with Intune can be found here:

Microsoft Intune support for Windows LAPS


Start with Intune Compliance policies

I see many people struggle to get started with Intune and Device Management in Microsoft 365. My recommendation is always to start with configuring Compliance policies. Doing so will give you:

1. A device inventory

2. A list of devices that fail to meet the minimum standards set for connection to corporate data

However, the major benefit is that, by default, Intune Compliance Policies make no changes to any of the devices and do not impact users' productivity. In effect, Compliance Policies simply READ the status of a device and make NO changes.

image

You’ll find Compliance Policies under Devices in the Intune portal as shown above.

Typically, you’ll create at least one Compliance Policy for each different operating system you have in your environment (i.e. for Windows, iOS, Android, etc). You can, of course, have as many different Compliance Policies as you desire, potentially targeted at different users and/or devices. However, the more policies you have, the more maintenance and troubleshooting will be required. It is therefore recommended to stick with a single Compliance Policy for each operating system.

image

During the policy creation you’ll see a screen as shown above in which you can set actions for devices that fail compliance. You will note that, by default, the only action taken is simply to mark the device as non-compliant. You can add more actions if you want, but importantly, by default, marking the device as non-compliant is the only action taken.

Once you have created and assigned the Compliance Policy, the machines covered by that policy will be evaluated and the results reported back to Intune.

image

If devices are found that are not compliant, then you can take action to make them compliant before allowing them to access corporate data.

Above all, using compliance policies is a great way to get an inventory of all the devices in your environment and report their configuration. Of course, these Compliance Policies will continue to be evaluated regularly in case anything changes on the device.
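The inventory and the non-compliant list that these policies produce can be pulled out of Intune with the Microsoft Graph PowerShell SDK. The following is an added example, not part of the original post; it assumes the Microsoft.Graph.DeviceManagement module is installed and that the signed-in account can consent to the read-only scope, and it changes nothing on any device.

```powershell
# Added example, not from the original post: report the device inventory and compliance
# state that Intune Compliance Policies produce, read-only, via Microsoft Graph.
# Assumes the Microsoft.Graph.DeviceManagement module is installed.

Connect-MgGraph -Scopes 'DeviceManagementManagedDevices.Read.All' -NoWelcome

# One row per enrolled device: this is the "device inventory" the post refers to.
$devices = Get-MgDeviceManagementManagedDevice -All |
    Select-Object DeviceName, UserPrincipalName, OperatingSystem, OSVersion,
                  ComplianceState, LastSyncDateTime

# Summary per operating system, matching the one-policy-per-OS approach in the post.
$devices | Group-Object OperatingSystem | ForEach-Object {
    [pscustomobject]@{
        OperatingSystem = $_.Name
        Devices         = $_.Count
        NonCompliant    = @($_.Group | Where-Object ComplianceState -eq 'noncompliant').Count
        InGracePeriod   = @($_.Group | Where-Object ComplianceState -eq 'inGracePeriod').Count
        Unknown         = @($_.Group | Where-Object ComplianceState -eq 'unknown').Count
    }
} | Format-Table -AutoSize

# Devices that fail the minimum standard, flagged when they have not checked in for a week,
# since a stale device may be reporting an old compliance result.
$devices | Where-Object ComplianceState -ne 'compliant' |
    Select-Object DeviceName, UserPrincipalName, OperatingSystem, OSVersion, ComplianceState,
                  LastSyncDateTime,
                  @{ Name = 'StaleCheckIn'; Expression = { $_.LastSyncDateTime -lt (Get-Date).AddDays(-7) } } |
    Sort-Object ComplianceState, LastSyncDateTime |
    Format-Table -AutoSize
```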

The recommendation then is to start with Compliance Policies to take an inventory of your device fleet before proceeding further with Device management. If you want to read more about Modern Device Management then read my series of blog posts starting here:

https://blog.ciaops.com/2020/09/26/modern-device-management-with-microsoft-365-business-premium-part-1/

Need to Know podcast–Episode 309

All the latest news and updates from the Microsoft Cloud with a focus on SMB. Inside this episode are also some thoughts around incident response and why you should have one and why you should be reviewing and updating it regularly.

You can listen directly to this episode at:

https://ciaops.podbean.com/e/episode-309-incident-response/

Subscribe via iTunes at:

https://itunes.apple.com/au/podcast/ciaops-need-to-know-podcasts/id406891445?mt=2

Don’t forget to give the show a rating as well as send me any feedback or suggestions you may have for the show.

This episode was recorded using Microsoft Teams and produced with Camtasia 2023.

Brought to you by www.ciaopspatron.com

Resources

@directorcia

@directorcia@twit.social

Join my shared channel

CIAOPS merch store

Become a CIAOPS Patron

CIAOPS Blog

Copilot in Teams: August 2023 Updates

Microsoft announces 2023 Surface event taking place next month in New York

Microsoft Defender data can now be hosted locally in Australia

Frontline updates in Microsoft Teams, Windows 365, Copilot & Dynamics 365 Field Service

Remote Help for Android coming soon to public preview

Day zero support for Android 14 with Microsoft Intune

SharePoint Roadmap Pitstop: July 2023

View and edit shape data in Visio for the web

Conditional Access for Protected Actions is Now Generally Available!

Intro to AI, AI for SMBs

Incident response overview

CIAOPS M365 Incident response online training course

Need to Know podcast–Episode 307

All the news and announcements from Microsoft Inspire plus Azure AD getting renamed to Entra as well as some recent security news you should be across. Lots in this episode so listen along and let me know what you think.

You can listen directly to this episode at:

https://ciaops.podbean.com/e/episode-307-news-from-inspire/

Subscribe via iTunes at:

https://itunes.apple.com/au/podcast/ciaops-need-to-know-podcasts/id406891445?mt=2

The podcast is also available on Stitcher at:

http://www.stitcher.com/podcast/ciaops/need-to-know-podcast?refid=stpr

Don’t forget to give the show a rating as well as send me any feedback or suggestions you may have for the show.

This episode was recorded using Microsoft Teams and produced with Camtasia 2023.

Brought to you by www.ciaopspatron.com

Resources

@directorcia

@directorcia@twit.social

Join my shared channel

CIAOPS merch store

Become a CIAOPS Patron

CIAOPS Blog

Microsoft inspire

Furthering our AI ambitions – Announcing Bing Chat Enterprise and Microsoft 365 Copilot pricing – The Official Microsoft Blog

Welcome to Microsoft Inspire 2023: Introducing Microsoft 365 Backup and Microsoft 365 Archive – Microsoft Community Hub

Microsoft Inspire: Accelerating AI transformation through partnership – The Official Microsoft Blog

Microsoft Inspire: Prepare for the future of security with AI | Microsoft Security Blog

Microsoft Sales Copilot, Dynamics 365 Customer Insights, and cloud migration reshape the future of business – Microsoft Dynamics 365 Blog

SMB security New innovations from Microsoft Inspire 2023

Introducing a new SharePoint Web UI kit! – Microsoft Community Hub

Security Copilot – How it works

Azure AD is Becoming Microsoft Entra ID – Microsoft Community Hub

Microsoft Entra Expands into Security Service Edge with Two New Offerings – Microsoft Community Hub

Get started with Global Secure Access (preview) | Microsoft Learn

How Microsoft is expanding cloud logging to give customers deeper security visibility | Microsoft Security Blog

Analysis of Storm-0558 techniques for unauthorized email access | Microsoft Security Blog

Compromised Microsoft Key: More Impactful Than We Thought | Wiz Blog

Basic event capture in Microsoft 365

If you want to be able to find out what has happened in Microsoft 365 you’ll need to ensure that you have enabled the appropriate logs as well as being able to view the information there when needed. This video shows you the basic locations for logs in Microsoft 365 as well as the different services that can be used to query and report on these. It is important to have all your logging enabled well in advance of when you’ll need it. This video should get you started.

Video link – https://www.youtube.com/watch?v=-YSHlo4Cvgo

Need to Know podcast–Episode 305

Join me for an update of the Microsoft Cloud news as well as some thoughts around the importance and approach to managing logs in Microsoft Cloud Services.

Join me for the latest news and updates from the Microsoft Cloud and then a look at Application Control and how you might consider implementing it.

This episode was recorded using Microsoft Teams and produced with Camtasia 2023.

You can listen directly to this episode at:

https://ciaops.podbean.com/e/episode-305-logs/

Subscribe via iTunes at:

https://itunes.apple.com/au/podcast/ciaops-need-to-know-podcasts/id406891445?mt=2

The podcast is also available on Stitcher at:

http://www.stitcher.com/podcast/ciaops/need-to-know-podcast?refid=stpr

Don’t forget to give the show a rating as well as send me any feedback or suggestions you may have for the show.

Brought to you by www.ciaopspatron.com

Resources

@directorcia

@directorcia@twit.social

Join my shared channel

CIAOPS merch store

Become a CIAOPS Patron

CIAOPS Blog

New CIAOPS Power Automate course

PowerShell connection to M365 Compliance center no longer uses WinRM

Basic Windows Application Control using Intune policies

Change in the share to specific users process in SharePoint Online and OneDrive for Business

Microsoft Inspire – July 18-19

Microsoft Confirms Recent Cloud Outages Caused By Storm-1359 DDoS Attacks

MAM for Microsoft Edge for Business on Windows

New home experience in OneNote on iPhone

Forrester names Microsoft a Leader in the 2023 Enterprise Email Security Wave

Defender Application control in Endpoint Security

Unified Audit logs

Email logs

PowerShell connection to M365 Compliance center no longer uses WinRM

image

For the longest time, if you needed to connect to the Microsoft 365 Security and Compliance center with PowerShell you needed to allow WinRM to use basic authentication.

If you therefore ran my connection script:

https://github.com/directorcia/Office365/blob/master/o365-connect-sac.ps1

you’d see the above error if you didn’t have WinRM enabled for basic authentication.

Having WinRM enabled with basic authentication is not a best practice for security, and I’m happy to report that if you update your ExchangeOnlineManagement PowerShell module to version 3.2.0 you’ll now no longer need WinRM at all!

image

My connection script will auto update your environment for you when it runs.

I’m glad to see this update as it means I can again connect to the Microsoft Security and Compliance center in my locked down environment.
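As an added example, separate from the author’s connection script, the following PowerShell checks that the ExchangeOnlineManagement module is at 3.2.0 or later, confirms whether a policy still allows WinRM client Basic authentication (which the newer module no longer needs), and then connects to the Security and Compliance center. The UPN is a placeholder and the connection is interactive.

```powershell
# Added example, not the author's script: confirm the ExchangeOnlineManagement module is
# 3.2.0 or later, check whether WinRM client Basic auth is still allowed by policy, and
# connect to the Security and Compliance center without WinRM.

$minimum = [version]'3.2.0'
$module  = Get-InstalledModule -Name ExchangeOnlineManagement -ErrorAction SilentlyContinue

if (-not $module) {
    Install-Module -Name ExchangeOnlineManagement -Scope CurrentUser -Force
} elseif ([version]$module.Version -lt $minimum) {
    Update-Module -Name ExchangeOnlineManagement -Force   # older builds still rely on WinRM Basic auth
}
Import-Module ExchangeOnlineManagement
$loaded = (Get-Module ExchangeOnlineManagement).Version
"ExchangeOnlineManagement $loaded loaded (minimum for a WinRM-free connection: $minimum)"

# WinRM client Basic auth as set by Group Policy / Intune:
#   1 = a policy explicitly allows Basic, 0 = a policy explicitly blocks it,
#   absent = not configured by policy (the WinRM default still permits Basic).
# With the 3.2.0+ module there is no longer a reason to leave it allowed.
$winrmPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client'
$allowBasic  = (Get-ItemProperty -Path $winrmPolicy -Name AllowBasic -ErrorAction SilentlyContinue).AllowBasic
switch ($allowBasic) {
    1       { Write-Warning 'Policy allows WinRM client Basic auth; it is no longer needed for this connection.' }
    0       { 'Policy blocks WinRM client Basic auth: matches the locked-down environment in the post.' }
    default { Write-Warning 'WinRM client Basic auth is not set by policy; consider setting AllowBasic = 0.' }
}

# Connect to the Security and Compliance center (REST-based in 3.2.0+; no WinRM needed)
Connect-IPPSSession -UserPrincipalName 'admin@contoso.example'   # placeholder UPN

# Quick sanity check that the session works
Get-RetentionCompliancePolicy | Select-Object Name, Enabled, Mode | Format-Table -AutoSize
```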

Basic Windows Application Control using Intune policies

Application control is a great way to make your Windows devices more secure. However, it can be challenging to create and roll out policies. The good news is that you can apply Application Control using Intune policies. I made this video:

https://www.youtube.com/watch?v=gh0wRZGjnd4

in which I run through the whole process from end to end. I also cover off some of the challenges of using this approach as well as some handy troubleshooting tips, especially how to successfully remove the Application Control settings if needed.

Follow along for an easy way to deploy Application Control across your Windows devices using Intune.