Exam SC-100 topic 1 question 22 discussion

A is the answer. https://learn.microsoft.com/en-us/windows-server/identity/laps/laps-overview Windows Local Administrator Password Solution (Windows LAPS) is a Windows feature that automatically manages and backs up the password of a local administrator account on your Azure Active Directory-joined or Windows Server Active Directory-joined devices. You also can use Windows LAPS to automatically manage and back up the Directory Services Restore Mode (DSRM) account password on your Windows Server Active Directory domain controllers. An authorized administrator can retrieve the DSRM password and use it.

LAPS - https://learn.microsoft.com/en-us/security/compass/incident-response-playbook-dart-ransomware-approach

Implement LAPS to securely manage and randomize local administrator passwords. This ensures administrative access is provided securely and minimizes the risk of lateral movement in the event of an account compromise.

I configured that with pim too. We decided against laps, because we wanted personalized accounts in central audit with justification. Ites confusing me

You add an empty domain group to the local admins group. You use Azure PIM to provide JITA membership to that group. https://techcommunity.microsoft.com/t5/intune-customer-success/configuring-microsoft-intune-just-in-time-admin-access-with/ba-p/3843972

I'm confused, Why not "C"? PIM will allow us to apply the same, and we can give also "Just in time" Access. And it will eliminate Lateral movement

PAWs are specifically designed to minimize the risk of lateral movement by segregating administrative tasks to dedicated workstations. Admins use these workstations solely for privileged activities, reducing the chances of exposing credentials in less secure environments. This strategy helps to contain and limit the impact of compromised administrator accounts on regular workstations.

The more I read about LAPS the more confusing it is. https://learn.microsoft.com/en-us/windows-server/identity/laps/laps-scenarios-azure-active-directory

LAPS is the answer, in exam Nov 23

What about D. To provide users with administrative access to the Windows computers only when access is required, you can use Privileged Access Workstations (PAWs). PAWs are dedicated operating systems for sensitive tasks that are protected from Internet attacks and threat vectors. They separate these sensitive tasks and accounts from the daily use workstations and devices, providing strong protection from phishing attacks, application and OS vulnerabilities, various impersonation attacks, and credential theft attacks such as keystroke logging, Pass-the-Hash, and Pass-The-Ticket 1. PAWs can be used to minimize the lateral movement of ransomware attacks if an administrator account on a computer is compromised. PAWs provide a secure environment for administrative tasks that require elevated privileges. They are designed to protect against advanced persistent threats (APTs) and other sophisticated attacks.

for those check discussions don't be fool by most rated answers .

was on exam 15/06/23

On exam 5/25/2023

Agree with A, as Yarvis pointed out in the link. For endpoint administrative management, use the local administrative password solution (LAPS).

A, but only because the others don't make sense. If you ever need to remove admins from PCs in real life, do not use LAPS. Use Microsoft Intune Endpoint Privilege Management instead. It lets you decide precisely for which action users may receive an elevation, whereas LAPS will give users full local admin access until the password changes - which can take days or even weeks in reality...

Granting users access to their PC is not the typical use case for LAPS- admins use it for troubleshooting/as a break glass account. But PIM is explicitly not meant to do it. see https://www.reddit.com/r/Intune/comments/yqdiyf/azure_ad_joined_device_local_admin_via_pim/ PAW and Identity protection are not relevant so will reluctantly go with A.

Agree with A, check this link for reason - https://techcommunity.microsoft.com/t5/itops-talk-blog/step-by-step-guide-how-to-configure-microsoft-local/ba-p/2806185