LAPS Integration with PDQ Inventory and PDQ Deploy

Purpose:
General guidance on using the Local Administrator Password Solution (LAPS) with PDQ Inventory version 14+ and PDQ Deploy (Enterprise mode required for both products).

IMPORTANT:

  • Using LAPS with PDQ Deploy when PDQ Deploy is in Pull Copy Mode (Options > Preferences > Performance, Copy Mode) will result in the error (or similar), "The user name or password is incorrect".
  • In order to use LAPS with PDQ Deploy, Enterprise mode is required for both PDQ Deploy and PDQ Inventory. PDQ Inventory version 14+ must be installed on the same machine as PDQ Deploy (see This Article for Central Server interoperability guidance).
  • Because LAPS is an Active Directory (AD) schema extension, local accounts (for example, .\PDQUser) will not work as part of LAPS. An AD domain is required.
  • While the setup and configuration of LAPS is covered here, the administration and troubleshooting of LAPS is beyond the scope of support. Substantial documentation is available from Microsoft and third-party sites regarding the administration and troubleshooting of LAPS.

Resolution:
If not already completed, set up LAPS in your environment. Detailed instructions are available in this article, Configuring LAPS In Your Environment.

After having successfully configured and tested LAPS in your environment, you can use LAPS with PDQ Inventory and PDQ Deploy.

Using LAPS with PDQ Inventory:
In order to use LAPS with PDQ Inventory, the LAPS user credentials must be configured.

1. Go to Options > Credentials and click the Add LAPS button.

2. In the "Add LAPS Credentials" window, enter the appropriate information:
IMPORTANT: The domain credentials (e.g. User Name) in the above example must have read permissions for the LAPS password, which is set during LAPS configuration in the domain.

3. Test the credentials using the Test Credentials button and, when successful, click OK.

4. Select the LAPS account, if not already selected, and click the Set Default button to make the LAPS credentials the default scan user (optional, but highly recommended). A default setup of LAPS uses the local Administrator account; we recommend you create a different account as detailed here.
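
To confirm the read permission mentioned in step 2 before relying on Test Credentials, the following added example (not part of the original article or of PDQ's tooling) audits who holds LAPS password read rights on an OU and checks that the current account can read a managed computer's password without displaying it. It assumes the legacy Microsoft LAPS management module (AdmPwd.PS) is installed and that the script runs in a session of the domain account entered in the "Add LAPS Credentials" window; the OU, computer name and allow-list are placeholders.

```powershell
# Added example. All names below are placeholders, not values from the article.
Import-Module AdmPwd.PS -ErrorAction Stop

$TargetOU        = 'OU=Workstations,DC=example,DC=com'   # placeholder: OU managed by LAPS
$TestComputer    = 'WS-001'                              # placeholder: a LAPS-managed computer
$ExpectedReaders = @(                                    # placeholder allow-list of password readers
    'NT AUTHORITY\SYSTEM',
    'EXAMPLE\Domain Admins',
    'EXAMPLE\LAPS-Readers'
)

# 1. Audit: list every principal with extended rights (password read) on the OU
#    and flag any that are not on the allow-list.
$rights = Find-AdmPwdExtendedRights -Identity $TargetOU
$unexpected = foreach ($entry in $rights) {
    foreach ($holder in $entry.ExtendedRightHolders) {
        if ($ExpectedReaders -notcontains $holder) {
            [pscustomobject]@{ ObjectDN = $entry.ObjectDN; Holder = $holder }
        }
    }
}
if ($unexpected) {
    Write-Warning 'Principals outside the allow-list can read LAPS passwords:'
    $unexpected | Format-Table -AutoSize
} else {
    Write-Output "Only allow-listed principals hold read rights on $TargetOU."
}

# 2. Verify: can the current account read the password for the test computer?
#    An account without read permission gets an empty Password value rather
#    than an error, so test for emptiness. The password itself is never printed.
$result  = Get-AdmPwdPassword -ComputerName $TestComputer
$canRead = -not [string]::IsNullOrEmpty($result.Password)

[pscustomobject]@{
    Account         = "$env:USERDOMAIN\$env:USERNAME"
    Computer        = $result.ComputerName
    CanReadPassword = $canRead
    PasswordExpires = $result.ExpirationTimestamp
}

if (-not $canRead) {
    Write-Warning 'This account cannot read the LAPS password; Test Credentials in PDQ Inventory is expected to fail.'
}
```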

Using LAPS with PDQ Deploy (requires PDQ Inventory):
While no native support for LAPS exists within PDQ Deploy, LAPS can be used for deployments in conjunction with PDQ Inventory.

Prerequisites:

  • In order to use LAPS with PDQ Deploy, LAPS must be configured for PDQ Inventory following the instructions above.
  • PDQ Inventory and PDQ Deploy must be using the same background service user OR the background service for PDQ Deploy must be a Console User in PDQ Inventory and vice-versa. For additional information, please see this article.
  • The Scan User for any target computer you wish to deploy to must be configured to use LAPS credentials.
  • PDQ Inventory must be installed on the same machine as PDQ Deploy and operate in the same Central Server mode.

You can use LAPS during a deployment with either a schedule or Deploy Once. To use LAPS with a schedule, select the option "Use PDQ Inventory Scan User credentials first, when available".

The same option is available in the Deploy Once window.

In both cases, where the LAPS user is set as the Scan User, PDQ Deploy will attempt to use the LAPS credentials as defined in PDQ Inventory before the credentials defined in PDQ Deploy.

See Also:
Configuring LAPS In Your Environment
Scan for AD Info When Using a Local Account (LAPS)
Using Scan User credentials (video):
Managing Domain and Non-Domain Machines Within PDQ
Configuring LAPS and PDQ, a webcast:

LAPS (external sites):
Microsoft's Official Download & Documentation: Local Administrator Password Solution (LAPS)
TechNet: Local Administrator Password Solution
TechNet Blog: Local Administrator Password Solution (LAPS) Implementation Hints and Security Nerd Commentary
