LAPS Integration with PDQ Inventory and PDQ Deploy

This article aims to provide some general guidance on using the Local Administrator Password Solution.

 

As of April 2023, Microsoft has released a new version of LAPS distributed via the monthly Windows Cumulative Updates. This new version of LAPS is only supported in PDQ Inventory version 19.3.440.0 and higher, but the instructions below apply to both.

Considerations

  • In order to use LAPS with PDQ Deploy, Enterprise mode is required for both PDQ Deploy and PDQ Inventory. PDQ Inventory must be installed on the same machine as PDQ Deploy (see This Article for Central Server interoperability guidance).
  • Because LAPS is an Active Directory (AD) schema extension, local accounts (for example, .\PDQUser) will not work as part of LAPS. An AD domain is required.
  • The administration and troubleshooting of LAPS is beyond the scope of support. Substantial documentation is available from Microsoft and third-party sites regarding the administration and troubleshooting of LAPS. 
  • Windows LAPS is unsupported on Windows Server 2016.  Hosting PDQ Deploy and Inventory on Windows Server 2016 is currently supported, however attempting to integrate with Windows LAPS will fail with the "The user name or password is incorrect" error when attempting to Scan or Deploy.   For more information about this, please refer to Microsoft's documentation. Windows LAPS supported platforms and Azure AD LAPS preview status 
  • Remote UAC will need to be disabled on your target computers, prior to using a LAPS account with PDQ Deploy & Inventory. Disable Remote UAC for Local Admin/LAPS Accounts

Using LAPS with PDQ Deploy when PDQ Deploy is in Pull Copy Mode (Options > Preferences > Performance, Copy Mode) will result in the error (or similar), "The user name or password is incorrect".

Getting Started

If not already completed, set up LAPS in your environment.

After having successfully configured and tested LAPS in your environment, you can use LAPS with PDQ Inventory and PDQ Deploy.

Using LAPS with PDQ Inventory

In order to use LAPS with PDQ Inventory, the LAPS user credentials must be configured.

  1.  Go to Options > Credentials and click the Add LAPS button.
    00.png
  2.  In the "Add LAPS Credentials" window, enter the appropriate information:
    01.png
     

    The domain credentials (e.g. User Name) in the above example must have read permissions for the LAPS password, which is set during LAPS configuration in the domain.

    A default setup of LAPS uses the local Administrator account. We recommend you create a different account as bad side-effects can occur if using a LAPS account with the same name as an existing Domain Account (i.e. Administrator).

  3. Test the credentials using the Test Credentials button and, when successful, click OK.
  4. Select the LAPS account, if not already selected, and click the Set Default button to make the LAPS credentials the default scan user (optional, but highly recommended):
    02.png

Using LAPS with PDQ Deploy (requires PDQ Inventory):

While no native support for LAPS exists within PDQ Deploy, LAPS can be used for deployments in conjunction with PDQ Inventory.

Prerequisites:

  • In order to use LAPS with PDQ Deploy, LAPS must be configured for PDQ Inventory following the instructions above.
  • PDQ Inventory and PDQ Deploy must be using the same background service user OR the background service for PDQ Deploy must be a Console User in PDQ Inventory and vice-versa. For additional information, please see this article.
  • The Scan User for any target computer you wish to deploy to must be configured to use LAPS credentials.
  • PDQ Inventory must be installed on the same machine as PDQ Deploy and operate in the same Central Server mode.

You can use LAPS during a deployment with either a schedule or Deploy Once. To use with a schedule, select Use PDQ Inventory Scan User credentials first, when available.
03.png

And in the Deploy Once window
04.png

In both cases, where the LAPS user is set as the Scan User, PDQ Deploy will attempt to use the LAPS credentials as defined in PDQ Inventory before the credentials defined in PDQ Deploy.

See Also

Scan for AD Info When Using a Local Account (LAPS)
Using Scan User credentials (video):
Managing Domain and Non-Domain Machines Within PDQ
Configuring LAPS and PDQ, a webcast:

LAPS (external sites):
Microsoft's Official Download & Documentation: Local Administrator Password Solution (LAPS)
TechNet: Local Administrator Password Solution

Still have a question or want to share what you have learned? Visit our Community to get help and collaborate with others.