LAPS Integration with PDQ Inventory and PDQ Deploy

This article aims to provide some general guidance on using the Local Administrator Password Solution.

Considerations

• In order to use LAPS with PDQ Deploy, Enterprise mode is required for both PDQ Deploy and PDQ Inventory. PDQ Inventory must be installed on the same machine as PDQ Deploy (see This Article for Central Server interoperability guidance).
• Because LAPS is an Active Directory (AD) schema extension, local accounts (for example, .\PDQUser) will not work as part of LAPS. An AD domain is required.
• The administration and troubleshooting of LAPS is beyond the scope of support. Substantial documentation is available from Microsoft and third-party sites regarding the administration and troubleshooting of LAPS.
• Windows LAPS is unsupported on Windows Server 2016.  Hosting PDQ Deploy and Inventory on Windows Server 2016 is currently supported, however attempting to integrate with Windows LAPS will fail with the "The user name or password is incorrect" error when attempting to Scan or Deploy.   For more information about this, please refer to Microsoft's documentation. Windows LAPS supported platforms and Azure AD LAPS preview status 

Getting Started

If not already completed, set up LAPS in your environment.

After having successfully configured and tested LAPS in your environment, you can use LAPS with PDQ Inventory and PDQ Deploy.

Using LAPS with PDQ Inventory

In order to use LAPS with PDQ Inventory, the LAPS user credentials must be configured.

1.  Go to Options > Credentials and click the Add LAPS button.
   
   
2.  In the "Add LAPS Credentials" window, enter the appropriate information:
   
   IMPORTANT: The domain credentials (e.g. User Name) in the above example must have read permissions for the LAPS password, which is set during LAPS configuration in the domain.
3.  Test the credentials using the Test Credentials button and, when successful, click OK.
4. Select the LAPS account [a default setup of LAPS uses the local Administrator account. We recommend you create a different account as detailed here], if not already selected, and click the Set Default button to make the LAPS credentials the default scan user (optional, but highly recommended):
   

Using LAPS with PDQ Deploy (requires PDQ Inventory):

While no native support for LAPS exists within PDQ Deploy, LAPS can be used for deployments in conjunction with PDQ Inventory.

Prerequisites:

• In order to use LAPS with PDQ Deploy, LAPS must be configured for PDQ Inventory following the instructions above.
• PDQ Inventory and PDQ Deploy must be using the same background service user OR the background service for PDQ Deploy must be a Console User in PDQ Inventory and vice-versa. For additional information, please see this article.
• The Scan User for any target computer you wish to deploy to must be configured to use LAPS credentials.
• PDQ Inventory must be installed on the same machine as PDQ Deploy and operate in the same Central Server mode.

You can use LAPS during a deployment with either a schedule or Deploy Once. To use with a schedule, select Use PDQ Inventory Scan User credentials first, when available.

And in the Deploy Once window

In both cases, where the LAPS user is set as the Scan User, PDQ Deploy will attempt to use the LAPS credentials as defined in PDQ Inventory before the credentials defined in PDQ Deploy.

See Also

Scan for AD Info When Using a Local Account (LAPS)
Using Scan User credentials (video): Managing Domain and Non-Domain Machines Within PDQ
Configuring LAPS and PDQ, a webcast:

LAPS (external sites):
Microsoft's Official Download & Documentation: Local Administrator Password Solution (LAPS)
TechNet: Local Administrator Password Solution