LAPS Error: Access is Denied

4/26/2018

Purpose:
You receive an "Access is denied" error when attempting to use LAPS credentials in PDQ Inventory, most often with Windows 10 build 1607 and higher.

NOTE: In most cases of the "Access is Denied" error, LAPS works outside of PDQ, meaning you can pull the LAPS admin password and access the Windows 10 1607+ machine as expected.

Resolution:
To use LAPS with Windows 10 build 1607 and higher, you may need to disable Remote UAC (User Account Control), either as described in the article "Can't Access ADMIN$ Share Using A Local User Account" or by following the abbreviated (and efficient) instructions below.

NOTES:

  • Disabling Remote UAC does not impact native/local GUI-based UAC in any way. Both are iterations of the same concept, but they are independent of each other.
  • If you deploy the registry change below, you will not be able to use LAPS credentials to do so. For the deploy credentials, use an existing account that has local admin access on all targets.

Disable Remote UAC
To disable Remote UAC, perform the following for all Windows 10, build 1607 and higher target machines:

1. Create a .reg file containing all of the following:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"LocalAccountTokenFilterPolicy"=dword:00000001

2. Save the .reg file to a place accessible to PDQ Deploy (or the targets if using Pull Copy Mode).

3. Open PDQ Deploy and click New Package (Ctrl+N) on the menu ribbon.

4. Name the package something meaningful in Properties.

5. Click on New Step > Install.

6. Name the step, if desired.

7. On the Details tab, Install File, use the file picker [...] to select the .reg file created in steps 1 and 2 above.

8. Click on the Conditions tab, select Windows 10 for the O/S Version, and (optionally) add a Registry condition.

NOTE: Even though the O/S Version is selected as Windows 10, this will still deploy to builds 1507 and 1511. If those exist in your environment, and you have PDQ Inventory Enterprise, you can create a collection to target Windows 10 1607+ computers exclusively, though there is no technical issue deploying the .reg file to builds 1507 and 1511.

9. Save the package.

10. Deploy to your Windows 10 machines.
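
To confirm the change on a target after deployment, a check such as the following can be run in an elevated PowerShell session or as a PowerShell step. This is an added example, not part of the original article or of PDQ's tooling; the function name Get-RemoteUacState is hypothetical, and it assumes Windows PowerShell 5.1 (for Get-LocalGroupMember) on the target.

```powershell
# Added example: verify the registry change from step 1 on a target machine.
$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$ValueName = 'LocalAccountTokenFilterPolicy'
$MinBuild  = 14393   # OS build number of Windows 10 version 1607

function Get-RemoteUacState {   # hypothetical helper name
    [CmdletBinding()]
    param()

    # CurrentBuildNumber is stored as a string, e.g. "14393".
    $cv    = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $build = [int]$cv.CurrentBuildNumber

    # Read the value and its type; both stay $null when the value is absent.
    $key  = Get-Item -Path $PolicyKey
    $data = $key.GetValue($ValueName, $null)
    $kind = if ($null -ne $data) { $key.GetValueKind($ValueName) } else { $null }

    # Local accounts in BUILTIN\Administrators (SID S-1-5-32-544): with the value
    # set to 1, remote logons by these accounts are no longer token-filtered.
    $localAdmins = @(Get-LocalGroupMember -SID 'S-1-5-32-544' -ErrorAction SilentlyContinue |
        Where-Object { $_.PrincipalSource -eq 'Local' } |
        ForEach-Object { $_.Name })

    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        OSBuild        = $build
        Is1607OrLater  = $build -ge $MinBuild
        ValuePresent   = $null -ne $data
        ValueKind      = $kind
        ValueData      = $data
        MatchesRegFile = ($kind -eq 'DWord') -and ($data -eq 1)
        LocalAdmins    = $localAdmins -join ', '
    }
}

Get-RemoteUacState | Format-List
```

MatchesRegFile is True only when the value exists as a DWORD with data 1, exactly as written in the .reg file. The LocalAdmins field lists the local accounts whose remote connections are affected by the setting.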

Special thanks to Tony I. and Domenic C. for their troubleshooting and testing of this issue.