LAPS changing Local Administrator Account password after Domain Join during MDT Deployment

Matthew Mattern 5 Reputation points
2023-04-26T18:04:06.0066667+00:00

When running an MDT deployment, after the system joins the domain and restarts, it gets stuck at the auto login. It states that the account or password is incorrect. We have LAPS installed in our environment and it is pushed by GPO. If I then use LAPS to get the password for the system, I can enter the password from LAPS with .\administrator and the system logs in, continues the task sequence and completes. I do get the error "FAILURE (Err): 70: CreateObject(Microsoft.BDD.Utility) - Permission denied" but the system works fine.

  1. The join domain step was removed from Unattend.xml a year or more ago; Recover From Domain is used at the end of the Task Sequence. The only thing after it is Apply Local GPO Package. The issue is that upon restart GPO applies and breaks the autologin.
  2. We are aware of the practice of placing the system in a Staging OU that does not apply GPO, but this would require a different IT Department to set up. I want to see if there are any other options before going this route.

I have 2 ideas I can think of, but I can't seem to find any info on whether they are possible.

  1. A command or setting so Recover From Domain will not restart the system. The technician always restarts the system after deployment is finished.
  2. A setting in the LAPS GPO to not change the Administrator password for a certain time period or after a certain number of restarts.

I would appreciate any help or suggestions of any ideas I have not thought of.

Microsoft Deployment Toolkit

1 answer

  1. AllenLiu-MSFT 43,061 Reputation points Microsoft Vendor
    2023-04-27T06:02:09.5433333+00:00

    Hi, @Matthew Mattern

    Thank you for posting in Microsoft Q&A forum.

    You may check this article to use MDT with LAPS:

    https://misartg.github.io/2022/02/08/Our-approach-to-LAPS-and-MDT.html

    A similar thread:

    https://learn.microsoft.com/en-us/answers/questions/1229655/mdt-and-laps


    If the answer is the right solution, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Add comment".