Look, I know what you’re thinking: “Oh great, another LAPS post…” But hang tight! This one’s got a twist that might just save you from crafting yet another PowerShell band-aid. I’m here to share something that often flies under the radar but totally shouldn’t.

Before we dive in, let me just say: configuring LAPS through Intune is a dream compared to the old-school on-prem version. If you’ve wrestled with that beast before, you’ll understand the relief here.

A Hidden Gem in the Latest LAPS Settings

Alright, onto the good stuff.

There’s a newer setting in Intune’s LAPS arsenal that deserves a bit more love. Actually, there are two settings that work hand-in-hand, and they revolve around something called Post Authentication Reset Delay. That’s just a fancy way of saying: “How long should we wait after someone uses the LAPS password before we take action?”

Previously on LAPS…

Previously, you had a few straightforward choices once that LAPS password got used:

  • Reset the password.
  • Reset it and log the account out.
  • Reset it, log out, and restart the PC.

All good if someone actually signed in using the LAPS account. But…

The Sneaky PowerShell Problem

These worked perfectly if someone signed into the device interactively using the LAPS account. There is a but, and it’s a big but: what if the account was never actually signed in? What if, instead, someone just launched an elevated PowerShell window (or any other process) using the LAPS credentials? In that case, your carefully configured actions did… absolutely nothing. And that PowerShell session? Still up, still admin, still a risk.

I used to tackle this with a custom Intune remediation script. It basically hunted down any processes running under the LAPS account and shut them down. It wasn’t glamorous, but it worked (mostly).
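For anyone still on the scripted approach, here is an added example of that kind of detection/remediation script (not the author’s original script). It assumes the managed account name is readable from the Windows LAPS policy registry key and falls back to the built-in RID-500 account; it is written to run as an Intune detection script, with the `-Remediate` switch turning the same file into the remediation half.

```powershell
# Added example: find (and optionally stop) processes running under the
# LAPS-managed local admin account, the idea behind the remediation script above.
# Assumption: Intune-delivered LAPS policy lives under the key below and exposes
# AdministratorAccountName; if absent, the built-in Administrator (RID 500) is used.
param(
    [switch]$Remediate   # omit when used as the Intune detection script
)

$policy = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Policies\LAPS' -ErrorAction SilentlyContinue
$managedAccount = if ($policy -and $policy.AdministratorAccountName) {
    $policy.AdministratorAccountName
} else {
    (Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }).Name
}

# Win32_Process exposes the owning user and domain through its GetOwner() method.
# Only local accounts count, so the owner domain must match the computer name.
$owned = foreach ($proc in Get-CimInstance -ClassName Win32_Process) {
    $owner = Invoke-CimMethod -InputObject $proc -MethodName GetOwner -ErrorAction SilentlyContinue
    if ($owner -and $owner.ReturnValue -eq 0 -and
        $owner.User -ieq $managedAccount -and
        $owner.Domain -ieq $env:COMPUTERNAME) {
        $proc
    }
}

if (-not $owned) {
    Write-Output "No processes running as $managedAccount"
    exit 0   # Intune detection: compliant, nothing to remediate
}

foreach ($p in $owned) {
    Write-Output ("{0} (PID {1}) running as {2}" -f $p.Name, $p.ProcessId, $managedAccount)
}

if ($Remediate) {
    # Remediation half: terminate every leftover process owned by the managed account
    foreach ($p in $owned) {
        Stop-Process -Id $p.ProcessId -Force -ErrorAction SilentlyContinue
    }
    exit 0
}

exit 1   # Intune detection: non-compliant, trigger the remediation script
```

Unlike the built-in post-authentication action, this only handles processes; interactive logon sessions and SMB sessions opened with the managed account are not touched.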

The Fix We’ve Been Waiting For

Now here comes the upgrade I’m excited about: a new Post Authentication Action that handles all of this automatically. Once triggered, it ends any active sign-in sessions for the managed account, cuts off its SMB sessions, and terminates any leftover processes, yes, even that sneaky PowerShell one.

No more duct tape scripting. Just set it and forget it.

One Little Warning…

Heads-up, though: this setting can cause data loss. Microsoft gives users a non-negotiable two-minute warning to save their work before getting booted. So definitely weigh the pros and cons before flipping the switch.

Even Better? No 24H2 Required!

Unlike many of the new LAPS features that depend on Windows 11 24H2, this one does not. That means you can roll it out to your fleet today, with no waiting on a feature update.

Go Check Your Settings!

If you’re already using LAPS in Intune, now’s the perfect time to review your settings. This little gem could significantly reduce your attack surface with very little effort.

Give it a try. Your future self (and your security posture) will thank you.