Windows LAPS is a tool developed by Microsoft to manage local administrator passwords in Windows environments. It allows administrators to create and manage random and unique passwords for local administrator accounts on Windows computers. In addition to managing local administrator passwords, Windows LAPS also offers the option of securely storing the generated passwords in Entra ID (former Azure Active Directory aka Azure AD).
In this article I will show you how to configure Entra ID and the required policies for Windows LAPS in Intune.
Table of Contents
- Initial setup (German only)
- Configuration in Entra ID
- Activate and rename local administrator
- Windows LAPS Policy in Intune
- Show LAPS passwords
- Manually rotate password
- Summary
Initial setup (German only)
Configuration in Entra ID
In Entra you only have to activate the feature with one click.
You do this under:
Entra / Azure AD
Devices > Device settings:
"Enable Azure AD Local Administrator Password Solution (LAPS)" > yes
In the device overview in Azure AD / Entra ID and Intune you will see the menu item "Local administrator password recovery" before activation. However, it will remain empty and will not be filled when you create a policy.
Activate and rename local administrator
In order not to depend on the administrator's default name, we'll rename it. In the same turn we also activate it. However, we do not set a password, as this is then taken over by LAPS.
To do this, we create a new profile based on the "Settings Catalog:
Intune > Devices > Windows > Configuration profiles
+ Create profiles
From the settings we add the following two:
- Accounts Rename Administrator Account
- Accounts Enable Administrator Account Status
The quickest way to find this is with the category "Local Policies Security Options"
Here we activate the account and assign the desired name.
When assigning, it makes sense to do this on a test group first. But you are free here, it is simply important that these settings are distributed to all devices that will receive the LAPS policy in the next step.
Windows LAPS Policy in Intune
Now that you've enabled Windows LAPS in Entra ID and customized the on-premises admin, create a policy in the Microsoft Intune admin center. With this guideline you define, among other things, the complexity and cycle of the passwords.
It is created in Intune under:
Endpoint security > Account protection
+ Create Policy (Windows 10 and later, Local admin password solution (Windows LAPS))
In the settings you can now select the behavior of the account and the storage location of the password:
Show LAPS passwords
The passwords generated by Windows LAPS, which are stored in Entra ID / Azure AD, can be viewed in various ways. Below I will go into the ways via Intune and Entra.
It is also possible to read the passwords via PowerShell Graph API. You can find a post about this on Microsoft Learn: Get started with Windows LAPS and Azure Active Directory | Microsoft Learn
LAPS passwords in Intune
In Intune you can copy/view the passwords on any Windows object for which LAPS is configured.
- Devices > Windows > Select a device
> Local admin password
LAPS passwords in Entra / Azure AD
In Entra and in Azure AD you have a nice overview of all devices / passwords.
You can find these at:
- Devices > Local administrator password recovery
Manually rotate password
If you don't want to wait until a password expires and rotate it beforehand, you can do this either via Intune or PowerShell.
In Intune it works on any device, simply via "Device Action".
To do this, select the device in the overview and click on "Rotate local admin password" and then on "Yes".
Summary
Having Windows LAPS now work cloud-native in Entra ID / Azure AD and with Intune is great. I've waited a long time for this. The first experiences are very good and I am sure that many organizations will adapt this functionality. The fact that the local administrator has to be configured separately is a bit ugly, but fortunately easy to handle.
