Hello,

I first set up a LAPS policy within Intune to use a custom account, which another policy created. We then also had another local security group policy to make members of the IT team local admins on all computers. This policy was set to add (update). We then unfortunately gave this LAPS password out to anyone any time they needed to install software or needed a password, as we don't have any EPM software. We do have the Company Portal set up with all our company apps, but any time a user wants anything it gets approved, so using a company app store is not a complete solution, but we don't have the budget for EPM software.

Anyway, people started using the LAPS password to make their normal accounts local admins, bypassing our security. I then set the local security group policy to add (remove) from the add (update) it was set on, not thinking about how it would remove the custom LAPS password we had. Now when I use our LAPS password (with the custom account; I also tried using the built-in admin account and the managed LAPS account option) it will not allow the password to run an installer .exe within the user's Downloads folder. The LAPS password does work and it can be logged into, but the only way to run an .exe from another user's profile is to drag the file to the C: drive and run it from there, or to log out and back into Windows under the LAPS account. Neither of which is great if we are told we don't need EPM software and to just give the user the LAPS password, since some users will not know how to drag files into their C: drive or switch user accounts.

Any idea what policy would have conflicted or changed, or the best way to go about fixing this? I would rather not push a PowerShell script changing the permissions of the user profile folder unless that is the only way.

3 Spice ups
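A defender-side check for the situation described in the post, added here as an example that is not code from the original thread: it audits the local Administrators group against an approved list (so normal user accounts added with a shared LAPS password show up) and confirms the custom LAPS-managed account is still a member after the Intune local group policy change. The account name and approved-member names are assumptions for illustration.

```powershell
# Added example, not from the original thread. Requires the built-in
# Microsoft.PowerShell.LocalAccounts module (Windows PowerShell 5.1 / PS 7 on Windows).
function Get-UnauthorizedLocalAdmins {
    param(
        [string[]]$ApprovedMembers,   # short names, DOMAIN\name, or SIDs you expect
        [string]$LapsAccountName      # the custom LAPS-managed local account
    )
    $members = Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop

    $result = foreach ($m in $members) {
        # Entra-joined devices list cloud groups/roles as SIDs, so match on
        # the short name, the full name, or the SID string.
        $short    = ($m.Name -split '\\')[-1]
        $approved = ($ApprovedMembers -contains $short) -or
                    ($ApprovedMembers -contains $m.Name) -or
                    ($ApprovedMembers -contains $m.SID.Value)
        [pscustomobject]@{
            Name     = $m.Name
            Source   = $m.PrincipalSource   # Local, ActiveDirectory, AzureAD, ...
            Type     = $m.ObjectClass       # User or Group
            Approved = $approved
        }
    }

    # The add (remove) action described in the post can strip the LAPS account
    # itself; report that explicitly rather than burying it in the list.
    $lapsPresent = $members.Name -match ("\\" + [regex]::Escape($LapsAccountName) + '$')
    [pscustomobject]@{
        LapsAccountPresent = [bool]$lapsPresent
        Unauthorized       = @($result | Where-Object { -not $_.Approved })
        All                = $result
    }
}

# Assumed names: 'LocalLapsAdmin' is the custom LAPS account and the IT team's
# Entra group SID is a placeholder to replace with your own.
$lapsAccount = 'LocalLapsAdmin'
$audit = Get-UnauthorizedLocalAdmins `
    -ApprovedMembers @('Administrator', $lapsAccount, 'S-1-12-1-PLACEHOLDER-IT-GROUP') `
    -LapsAccountName $lapsAccount

if (-not $audit.LapsAccountPresent) {
    Write-Warning "LAPS account '$lapsAccount' is missing from Administrators; check the Intune local group policy action."
}
$audit.Unauthorized | Format-Table Name, Source, Type
```

Run it as a scheduled Intune remediation or remote script to spot accounts that were added outside policy before changing the group action from add (update) to add (remove).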

That’s…not how LAPS is supposed to work…the password is supposed to rotate based on use, time, or command. If it’s not, then there is no point. I would suggest you change the LAPS username from whatever admin account you’ve been using to something else first, then redeploy with password rotation based on use.

1 Spice up

Yep, it rotates, but when we get another request we give them the latest password so the company does not have to spend any money on EPM software. Not my choice. I wish we could get something like Admin By Request. I did try changing the username and redeploying, but somehow something changed with the user profile and permissions after updating the local security group policy within Intune to remove the unauthorized accounts listed in the admin group.

2 Spice ups

Adding IT staff to the local admin of each device is NOT LAPS.

LAPS uses unique, rotating passwords that remain in AD or Entra; no one knows the password unless they specifically obtain it from the console.

If the password is not rotating quickly enough and you give the password out, that’s on you (the company) for giving out the password in the first place. Users shouldn’t need to elevate; why are IT not installing things for users or giving them a way to do this directly? If you already use Intune, have you looked at ‘Company Portal’?

If the company doesn’t want to spend money or at least sort out their policies and UAPs, then they can’t also complain when someone abuses use of that password.

Get a UAP in place, and if users abuse the password, then it’s a sackable offence. Not everything has to be handled by IT; sometimes it’s a policy.

I’m not sure what you mean by EPM, do you mean RMM?

Either way, Windows has a built-in screen-sharing tool called Quick Assist: a user initiates help, an admin remotely connects and does what is needed - no cost.

This is for security: you should not be executing files from the Downloads folder. If you want to run something, move it to a location you know is safe and run it. Blocking .exe files from running in the Downloads folder is there to protect you.

4 Spice ups

So, you lock this back down and stop handing out the password(s), secure the ‘new’ admin profile, remove all the others, then use a remote login platform of your choice to log into the machine and install one-off software. Users shouldn’t be doing any of those things anyway!

1 Spice up

Yes, we have two policies. One conflicted with the other. We had LAPS create a LAPS password, and then we had another policy add IT staff to the local admin group. The problem was users then used the LAPS password to make themselves admins. I then stupidly changed the local security group policy within Intune to add (remove) from add (update), which removed all unauthorized users from the local admin group, but it also removed our custom-named LAPS password. I then added it back, but now the account does not have permissions to run .exe installers from the Downloads folder, only the C: drive.

2 Spice ups

Our policy rotates the LAPS password every 7 days.

2 Spice ups

It does not install, as IT is just me and our employees work between 4am and 2am.

2 Spice ups

Like I said earlier, we use Company Portal, but VPs will approve anyone getting anything they want, so I don’t have time to do 3 things and at the same time create custom packages to upload to the company store for every piece of software someone wants.

2 Spice ups

By EPM I mean endpoint privilege management software like Admin By Request.

2 Spice ups

You can easily deploy any software as an .MSI from Intune without problems, and almost everything comes with a pre-built .MSI these days…how often does someone actively request a new software package? You make it seem like you’re handling dozens of installs per day?

1 Spice up

The goal is to block malware and drive-by downloads but allow users to download what they need. Unfortunately, management does not make great decisions.

2 Spice ups

Users rarely do either, they tell you what they need and you source it…

1 Spice up

We have users that want to download every latest video editing software or whatever they want. Users then complain they cannot work at 11pm, and then my boss says just give full admin rights, make it a one-off thing. Then that person tells other people how to game the system, and before you know it 50% of the company has the policy removed, which is just a stupid waste of time.

2 Spice ups

OK, well, the company is almost 24/7 like I said, and my vice president said we are not doing that, so I don’t really have an option as I have to listen to our CIO.

2 Spice ups

This was a Windows folder permission question. I withdraw the question as this is a waste of time.

2 Spice ups

Well, I guess I’m glad you figured it out in the end, however, you’re really going to want to reconsider what you’re doing there, or it won’t be long before you’re back asking us a much more serious question…

1 Spice up

I’m not talking about technical admin policies, I’m talking about a UAP - a user acceptance policy that defines what a user should do and not do, such as sharing the Wi-Fi, misusing the internet or abusing their privilege.

I’m confused why they would need a LAPS password if they can get what they need via the company portal.

But they don’t need to execute files from the Downloads folder; otherwise this could negate your malware policy.

Ignoring costs or licenses?

Most free tools are not free for business or commercial use.

So they don’t have the right tools to start with, just because they say they can’t work? If the company has supplied the tools to use and they want more, they should be packaged and put in the Company Portal, and licensed accordingly.

If you adopt the same ‘give up’ attitude as your management, it’s no wonder the company is in this situation.

You are perhaps missing the point of why this is being shared with you.

If it’s a conscious decision that the user wants to install or run whatever they downloaded, it should not be done from the downloads folder, to prevent possible ransomware, this is the goal from what you said.

If they knowingly want to run something, move it first, then run it.

The fact you are seemingly giving up because you’re not getting an answer you want to hear isn’t great.

While you may not see this as what it is, we are trying to assist you, but without undoing what some of the tools you have in place are doing by design.

I will wish you good luck and leave you to it.

2 Spice ups