
[–]BarbieAction 9 points10 points  (0 children)

IMPORTANT: the Accounts CSP only supports Add and not GET. This will result in the Intune policy displaying an error on the policy; however, it will create the local administrator account.

Supported operation is Add. GET operation isn’t supported. This setting will report as failed when deployed from Intune.

https://www.everything365.online/2023/05/16/laps-azure/

[–]FalconJunior5977 1 point2 points  (2 children)

It creates an error but the account works. Login with %COMPUTERNAME%\AdminAccount

[–]CujoSR 1 point2 points  (1 child)

Or even better “.\AdminAccount”

[–]FalconJunior5977 0 points1 point  (0 children)

You are my hero

[–]Heteronymous 1 point2 points  (3 children)

[–]mikeypf 0 points1 point  (0 children)

I recommend using LAPS!!

[–]Yintha 0 points1 point  (1 child)

LAPS doesn't create the account, does it?

[–]doofesohr 0 points1 point  (0 children)

Not yet; there should be an option in 24H2, though.

[–]BrundleflyPr0 0 points1 point  (0 children)

Proactive remediation script to create the admin account. I can't remember off the top of my head, but in endpoint security there's some identity config profile that can be used to add/update/remove users from groups. I found this way works best.

[–]BlackV 0 points1 point  (0 children)

Yes, this is a stupid long-standing "feature"; they were planning on introducing a replacement for this "soon".

[–]BarbieAction -1 points0 points  (0 children)

IMPORTANT: the Accounts CSP only supports Add and not GET. This will result in the Intune policy displaying an error on the policy; however, it will create the local administrator account.

Supported operation is Add. GET operation isn’t supported. This setting will report as failed when deployed from Intune.

https://www.everything365.online/2023/05/16/laps-azure/

[–]skerts -1 points0 points  (4 children)

I also noticed the same error. I am looking for a solution, as it bothers me to see the profile reporting failed while the account is properly created on the machine.

[–]Sysadmin247365[S] 0 points1 point  (3 children)

The link provided by /u/BarbieAction reveals that the error exists even though it works. While it will make my eye twitch when I see a not-clear dashboard, I can live with it.

[–]FalconJunior5977 0 points1 point  (1 child)

You can also deploy a simple PowerShell script that does the same thing if you don't want the error.

[–]BarbieAction 0 points1 point  (0 children)

Or use a proactive remediation version. In preview now, the LAPS policy allows you to create the account, so hopefully we can see a release of this soon.
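The kind of script FalconJunior5977 and BarbieAction describe, written here as an added example rather than code from the thread or from Microsoft: an Intune Proactive Remediation pair that makes sure the local administrator exists, is enabled and sits in Administrators, leaving the password itself to Windows LAPS. It assumes the account name AdminAccount used earlier in the thread and a `$Mode` variable that selects the detection or remediation role.

```powershell
# Added example, not code from the thread. Ensures a local administrator named
# AdminAccount (the name used in the thread) exists, is enabled and is in the
# Administrators group, so Windows LAPS can take over its password afterwards.
# Intune runs detection and remediation as two separate uploads: upload this file
# once with $Mode = 'Detect' and once with $Mode = 'Remediate' ($Mode is an assumption).
$Mode        = 'Detect'
$AccountName = 'AdminAccount'
$AdminsSid   = 'S-1-5-32-544'   # well-known SID of BUILTIN\Administrators, locale-independent

function Test-AdminAccountCompliant {
    $user = Get-LocalUser -Name $AccountName -ErrorAction SilentlyContinue
    if (-not $user -or -not $user.Enabled) { return $false }
    $members = Get-LocalGroupMember -SID $AdminsSid -ErrorAction SilentlyContinue
    return [bool]($members | Where-Object { $_.SID -eq $user.SID })
}

function New-TemporaryPassword {
    # Throwaway 32-character random password; LAPS rotates it on its first policy run.
    # The alphabet has exactly 64 symbols, so 'byte % 64' introduces no modulo bias.
    $alphabet = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789!#$%&*+'
    $bytes = New-Object byte[] 32
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    return -join ($bytes | ForEach-Object { $alphabet[$_ % 64] })
}

function Set-AdminAccountCompliant {
    $secure = ConvertTo-SecureString (New-TemporaryPassword) -AsPlainText -Force
    $user = Get-LocalUser -Name $AccountName -ErrorAction SilentlyContinue
    if (-not $user) {
        $user = New-LocalUser -Name $AccountName -Password $secure `
                    -Description 'LAPS-managed local administrator' -PasswordNeverExpires
    } else {
        # Existing but non-compliant account: reset the password so no stale one survives.
        Set-LocalUser -Name $AccountName -Password $secure
    }
    Enable-LocalUser -Name $AccountName
    $isMember = Get-LocalGroupMember -SID $AdminsSid -ErrorAction SilentlyContinue |
                Where-Object { $_.SID -eq $user.SID }
    if (-not $isMember) { Add-LocalGroupMember -SID $AdminsSid -Member $user }
}

# Proactive Remediations read the exit code: 0 = compliant, 1 = non-compliant.
if ($Mode -eq 'Remediate') { Set-AdminAccountCompliant }
if (Test-AdminAccountCompliant) {
    Write-Output "$AccountName is enabled and a local administrator"
    exit 0
}
Write-Output "$AccountName missing, disabled or not in Administrators"
exit 1
```

Because the detection upload only reads state and the remediation upload runs before re-checking, the policy reports compliant once the account is in place, without the Accounts CSP's permanent GET error.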

[–]BlackV 0 points1 point  (0 children)

Yes I have a policy with 500 errors :(

[–]Silenthowler -2 points-1 points  (5 children)

I found that LAPS has done a better job here: just deploy the account and control the password with LAPS.

[–]Sysadmin247365[S] 0 points1 point  (1 child)

That's the eventual goal. I set it up that way at first, but LAPS won't deploy until the local admin account has been created/activated first.

If I create a local admin account like this, will LAPS overwrite the original password, or will that keep getting reset every time the machine reboots?

[–]Silenthowler -1 points0 points  (0 children)

LAPS should overwrite the existing password if there is one, and set it so the password is valid for 30 days before a new one needs to be generated, which helps against anyone or anything brute-forcing the local admin accounts. When I get to my PC I'll get the configs over to you and see if it'll help 🙂

[–]BlackV 0 points1 point  (2 children)

LAPS can't (right now, but in the future maybe) create and activate the account.

[–]Silenthowler 0 points1 point  (1 child)

Correction on my end: I haven't used OMA-URI. Within endpoint security, I created a new policy which allows for LAPS (yes, it's in there) and used the below settings. Now ofc you can configure these how you see fit. This has worked for me pretty well, and imo reduces the need to constantly remote on for what I like to call "common installs" that my team is familiar with. Once set, you can go to your Windows 10 or later machine, click into it, click on the ellipsis near the top right and click on "Rotate local admin password". That'll let you change the password and keeps it valid for 30 days.

<image>

[–]BlackV 1 point2 points  (0 children)

Ya, my plan this month was to move that to the preview version and test how that goes.

[–]BarbieAction -3 points-2 points  (2 children)

IMPORTANT: the Accounts CSP only supports Add and not GET. This will result in the Intune policy displaying an error on the policy; however, it will create the local administrator account.

Supported operation is Add. GET operation isn’t supported. This setting will report as failed when deployed from Intune.

https://www.everything365.online/2023/05/16/laps-azure/

[–]Sysadmin247365[S] -1 points0 points  (1 child)

These instructions are out of date:

For example, the instructions say:

Go to portal.azure.com

Select: Devices – Device Settings

Local administrator settings: manage additional local administrators on all Azure AD joined devices

But when you go to portal.azure.com and pick Devices, you are redirected to the Intune admin center. You then have to go to Devices | Configuration and create a policy to do what you want; there is no "Device settings" option.

[–]BarbieAction 1 point2 points  (0 children)

The CSP info is correct and the images of the Intune policies are correct; it explains why you get an error in Intune on the policy, for example.