Looking for a way to run a simple PS script post Microsoft Autopilot deployment
Looking for some advice as I'm experimenting in my org with Autopilot for the first time. Basically due to the pandemic, we have a remote workforce, so we've decided on a user driven hybrid AD join which will give us access to on-prem infrastructure and group policy, while still letting us enjoy the benefits of Intune.
To accomplish that, we have a VPN client that's configured to connect and handles the domain bind after the user authenticates at the enrollment status page.
One of the various LOB software installs we have included as a device install is the Microsoft local admin password solution. That seems to install as expected and as soon as the device talks to a domain controller, the default local administrator password is changed and stored in AD. There's one catch here, it doesn't actually enable the account. So I added a one-liner script to MEM->Devices->Scripts that is targeted to our Autopilot workstation group in Azure AD (dynamic): Get-LocalUser -Name 'Administrator' | Enable-LocalUser
This works and the account is enabled, however there is a short period of time before the domain bind when the device receives the new default admin password via LAPS where anyone can log in with .\administrator. That is obviously concerning.
Any thoughts/suggestions on how to maybe delay that same script from running? Or running it as a post install task? I'm much more of a break/fix guy but I'm in unfamiliar territory here.
How about not enabling the Administrator account on join, but having an ongoing Task/Compliance Item (not sure if Autopilot has these things?). You could have a PowerShell check for your domain; if there is a domain, then obviously it has joined and you can enable the account. This is presuming LAPS will still set/change a disabled local Administrator account?
Other thoughts: I think it has to be done in separate steps however you do it. As you say, you will always have that lag after joining.
Oh, you could enable the Admin account and change the password at the same time (to something you set). This would stop a local login. And eventually after domain join, your password will be changed via LAPS. You do have a small vector of attack still in that period though, if they manage to extract the password somehow.
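The two suggestions above (only enable the account once a domain is present, and make sure the image default password is never usable in the meantime) can be combined in one script. The following is an added example, not code from this thread or from the LAPS product; it assumes Windows PowerShell 5.1 or later running as SYSTEM from a device script or scheduled task that re-runs the script whenever it exits non-zero, and the function names are made up for the example. Before the domain join it leaves the built-in Administrator disabled and resets its password to a random value; after the join it only enables the account and leaves the password alone, since LAPS owns it from that point.

```powershell
# Added example (not from the thread): enable the built-in Administrator only once
# the device is domain joined, so LAPS rather than the image default owns the password.
# Assumes Windows PowerShell 5.1+ running as SYSTEM, re-run by a wrapper (scheduled
# task or script retry) until it exits 0.

function Get-BuiltinAdministrator {
    # Match on RID 500 so a renamed Administrator account is still found.
    Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' } | Select-Object -First 1
}

function Test-DomainJoined {
    # PartOfDomain is only true once the machine account exists and the join completed.
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    return [bool]$cs.PartOfDomain
}

function New-RandomPassword {
    param([int]$Length = 24)
    # 64-character alphabet so byte % 64 is unbiased; the value is deliberately not
    # recorded anywhere because LAPS replaces it after the join.
    $alphabet = 'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789!@#$%^&'
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $bytes = New-Object byte[] $Length
    $rng.GetBytes($bytes)
    $chars = foreach ($b in $bytes) { $alphabet[$b % $alphabet.Length] }
    return (-join $chars)
}

$admin = Get-BuiltinAdministrator
if (-not $admin) {
    Write-Output 'Built-in Administrator (RID 500) not found'
    exit 1
}

if (-not (Test-DomainJoined)) {
    # Not joined yet: burn the image default password and keep the account disabled,
    # then exit non-zero so the wrapper tries again later.
    $secure = ConvertTo-SecureString -String (New-RandomPassword) -AsPlainText -Force
    Set-LocalUser -Name $admin.Name -Password $secure
    if ($admin.Enabled) { Disable-LocalUser -Name $admin.Name }
    Write-Output "Not domain joined; $($admin.Name) left disabled"
    exit 1
}

# Joined: LAPS manages the password from here on, so only flip the enabled flag.
Enable-LocalUser -Name $admin.Name
Write-Output "Domain joined; enabled $($admin.Name)"
exit 0
```

The script checks join state, not whether LAPS has already rotated the password, so there can still be a window between the join and the first LAPS rotation in which the random password (known to nobody) is the only credential; that is the intended state. Whether your particular wrapper re-runs on a non-zero exit code is something to verify in your tenant rather than assume.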