Important Notice: On February 29th, this community was put into read-only mode. All existing posts will remain but customers are unable to add new posts or comment on existing. Please feel to join our Community Discord for any questions and discussions.

Defining an Extra User to Perform Push Copy & SCManager Steps when Using LAPS; Possible?

When deploying using a LAPS managed account, it would sometimes seem to be desirable that the user account which pushes files to the targets' file shares and installs/starts/removes the PDQRunner service be an account other than the LAPS managed local account. (Specifically, a domain account which can use its password to get Kerberos tickets for these services)

Are there any options for defining such an 'extra' user account which will perform only these steps, leaving just the PDQRunner service (and the processes which it creates) to run under the LAPS managed local account?

The use case for this would be deploying software/scanning within LAPS-enabled domain environments where any of the following are true:

NTLM authentication has been disabled on the targets

The Remote UAC LocalAccountTokenFilterPolicy is enabled on the targets

UNC hardening has been enabled with the 'RequireMutualAuthentication' option set for a file share needed by the deployment on the computer where PDQ Deploy/Inventory is installed