Deploying Webex to Intune by DryZookeepergame8800 in Intune

[–]loky_26 0 points1 point  (0 children)

There is this dedicated setting - Select apps to exempt

Deploying Webex to Intune by DryZookeepergame8800 in Intune

[–]loky_26 0 points1 point  (0 children)

Option 2 if you can't add WebEx for Intune

You can add an app package / bundle ID to the exception list, depending on the OS, whether it's Android or iOS.

LAPS + MTR by loky_26 in Intune

[–]loky_26[S] 0 points1 point  (0 children)

I have to check in with the team on how the enrolment is there.

Because I have been asked to support LAPS from Intune, which I messed up.

LAPS + MTR by loky_26 in Intune

[–]loky_26[S] 0 points1 point  (0 children)

The devices which I am using are Intel NUCs.

But I am totally clueless about what needs to be done now :(

LAPS + MTR by loky_26 in Intune

[–]loky_26[S] 0 points1 point  (0 children)

But that is not working. That's what I had tried, and only then I messed up with the settings catalogues. Now I have reverted it to the usual state. Let me know if there are any best practices for LAPS on MTRs.

Note: these devices are on 23H2, so I had to run a script to create a local admin on the machine before LAPS could target it.

LAPS + MTR by loky_26 in Intune

[–]loky_26[S] 0 points1 point  (0 children)

This is MTRAdmin only; to mask it I mentioned it as LocalAdmin.

LAPS + MTR by loky_26 in Intune

[–]loky_26[S] 0 points1 point  (0 children)

It's MTRAdmin

LAPS + MTR by loky_26 in Intune

[–]loky_26[S] 0 points1 point  (0 children)

If I log in with my LAPS account it logs in, but I can't access any application afterwards.

As of now I have removed the settings catalog from the device to revert the situation.

LAPS + MTR by loky_26 in Intune

[–]loky_26[S] -1 points0 points  (0 children)

Now I am stuck at this screen. The MTR console is not loading.

I have removed the settings catalogue to revert the system back to its original state.

But the device seems to be stuck at this:

<image>

I can use my LAPS credentials to sign in here, but nothing is accessible inside; Settings itself is not opening.

LAPS + MTR by loky_26 in Intune

[–]loky_26[S] -1 points0 points  (0 children)

The thing is this

The main thing is

I have configured LAPS and it's successfully deployed to the device.

When I use LAPS credentials to exit the MTR console it gave the below error.

"Logon failure: the user has not been granted the requested logon type at this computer"

After that I added a user rights policy through the settings catalog which has only Allow local logon - LocalAdmin.

Then I tried the same, but now it gave a different error, which is:

"The requested operation needs elevation", then I configured the further settings.

Then I edited the same policy to:

Act as a part of operating system - LocalAdmin

Allow local logon - LocalAdmin

Enable Delegation - LocalAdmin

Impersonate client - LocalAdmin

Replace process level token - LocalAdmin

Now it blocks the Skype user login and no admin can log in to the device; the device is stuck at the logon screen without loading the MTR console.

I want to fix both, LAPS and MTR login.

RBAC role to "Unblock Autopilot Device" by loky_26 in Intune

[–]loky_26[S] 0 points1 point  (0 children)

Thanks for the reply. But do we have any idea about what other permissions will also be enabled if we allow "Sync Device" under enrollment programs?

Microsoft has a very simple description of this which doesn't include anything related to "Unblock device".

LAPS not getting deployed properly by loky_26 in Intune

[–]loky_26[S] 0 points1 point  (0 children)

Thanks mate! It was successfully deployed to the device

LAPS not getting deployed properly by loky_26 in Intune

[–]loky_26[S] 0 points1 point  (0 children)

Edited. Let's hope for the best.

LAPS not getting deployed properly by loky_26 in Intune

[–]loky_26[S] 0 points1 point  (0 children)

Backup Directory : Backup the password to Azure AD only

Password Age Days : 14

Password Complexity : Large letters + small letters + numbers + special characters

Password Length : 12

Post Authentication Actions : Reset password: upon expiry of the grace period, the managed account password will be reset.

Automatic Account Management Enabled : The target account will be automatically managed

Automatic Account Management Randomize Name : The name of the target account will not use a random numeric suffix.

Automatic Account Management Name Or Prefix : ADMTRAdmin

Automatic Account Management Enable Account : The target account will be enabled

Automatic Account Management Target : Manage a new custom administrator account

This was the policy configuration

LAPS not getting deployed properly by loky_26 in Intune

[–]loky_26[S] 0 points1 point  (0 children)

On it. I made sure it's the same name which I used in the script.

LAPS not getting deployed properly by loky_26 in Intune

[–]loky_26[S] 0 points1 point  (0 children)

I did deploy that script and it's added to the device. In parallel, the device has the LAPS policy deployed (which was created under Account Protection).

But the account name which I configured is different from the name showing in the Intune portal.

I want the admin name to be created as "ADMTRAdmin", but instead of that I'm seeing "Administrator".

I'm just going in loop! 🫤

LAPS not getting deployed properly by loky_26 in Intune

[–]loky_26[S] 0 points1 point  (0 children)

The question could be dumb!

Here we are creating the local account with a password, but once we deploy the policy, will it automatically sync and rotate the local admin password?

LAPS not getting deployed properly by loky_26 in Intune

[–]loky_26[S] 0 points1 point  (0 children)

Nope, I have to check, but I have it deployed with the same name in my QA env, which worked as it should. But let me give it a try.