Windows LAPS (Local Administrator Password Solution) is a Windows feature from Microsoft for managing the password of a local administrator account. It generates a random, unique password per device for that account and rotates it on a schedule. In addition to managing the local administrator password, Windows LAPS can securely store the generated passwords in Entra ID (formerly Azure Active Directory, aka Azure AD), so a cloud-only setup without on-premises Active Directory is possible.
In this article I will show you how to configure Entra ID and the required policies for Windows LAPS in Intune.
Table of Contents
- Initial setup (German only)
- Configuration in Entra ID
- Create your own LAPS account (preferred)
- Activate and rename local administrator
- Windows LAPS Policy in Intune
- Show LAPS passwords
- Manually rotate password
- Summary
Initial setup (German only)
Configuration in Entra ID
In Entra you only have to activate the feature with one click.
You do this under:
Entra / Azure AD
Devices > Device settings:
"Enable Azure AD Local Administrator Password Solution (LAPS)" > Yes (in the Microsoft Entra admin center the switch is now labelled "Enable Microsoft Entra Local Administrator Password Solution (LAPS)")
In the device overview in Azure AD / Entra ID and in Intune you will already see the menu item "Local administrator password recovery" before activation. It stays empty, though, and is not filled by merely creating a policy: as long as this tenant setting is off, devices cannot back up their passwords to Entra ID, and a LAPS policy whose backup directory is set to Azure AD fails on the client until the setting is switched on.
Create your own LAPS account (preferred)
LAPS increases security by frequently rotating the password of a local administrator account. By default, however, Windows LAPS manages the built-in Administrator account, which it finds by its well-known SID (relative ID 500) regardless of what the account is called. That works, but creating a separate local administrator account specifically for LAPS has advantages:
- Reduced attack surface: the built-in Administrator account is a prime target for attackers, and because its SID is well known, renaming it does not hide it. Keeping it disabled and using a dedicated LAPS account instead takes that target away.
- Improved privilege management: the dedicated account exists only for administrative tasks whose password LAPS controls, so every use of it is tied to a password that was checked out from Entra ID and can be rotated afterwards via the post-authentication actions.
- Clear separation of duties: a separate account reinforces least privilege by separating LAPS-managed break-glass use from any other use of the built-in Administrator account.
- Flexibility in account management: you can manage, rename or disable the dedicated LAPS account as needed without touching the built-in Administrator account, which cannot be deleted.
Creating a dedicated local administrator account for LAPS is simple and can be done with a small PowerShell script deployed through Intune (as a platform script or as a remediation). The account must exist on the device before the LAPS policy applies, and its name must match the "Administrator account name" configured in that policy. This small investment noticeably improves your overall security posture.
Here is the template for the platform script:
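The author's template is not reproduced on this page, so the following is my own example of such a platform or remediation script, not the article's template. It assumes the account is to be called lapsadmin (a placeholder; use whatever you enter as "Administrator account name" in the LAPS policy) and that it runs as SYSTEM, as Intune platform and remediation scripts do.

```powershell
# Added example, not the article's template: create the dedicated local
# administrator account that Windows LAPS will manage. Idempotent, so it can
# run as an Intune platform script or as the remediation half of a
# detection/remediation pair. Runs as SYSTEM under Intune.

# Placeholder name; it must match "Administrator account name" in the LAPS policy.
$AccountName = 'lapsadmin'
# Opt in to disabling the built-in Administrator (RID 500). Only do this when
# the LAPS policy manages the dedicated account, never when it manages the
# built-in one.
$DisableBuiltInAdmin = $false

# Resolve the local Administrators group by its well-known SID instead of its
# name, so the script also works on localized Windows installations.
$adminsGroup = Get-LocalGroup -SID 'S-1-5-32-544'

$user = Get-LocalUser -Name $AccountName -ErrorAction SilentlyContinue
if (-not $user) {
    # New-LocalUser needs an initial password. Generate 32 random bytes, use
    # them once and never write them anywhere; LAPS replaces the password on
    # its next policy cycle and only the LAPS-backed value is ever retrievable.
    $bytes = New-Object byte[] 32
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $initial = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
    $user = New-LocalUser -Name $AccountName -Password $initial `
        -PasswordNeverExpires -AccountNeverExpires `
        -Description 'Local administrator managed by Windows LAPS'
    Write-Output "Created local account '$AccountName'"
}
else {
    # Account already present: make sure it is usable and that local password
    # expiry does not interfere with the LAPS rotation schedule.
    if (-not $user.Enabled) { Enable-LocalUser -Name $AccountName }
    Set-LocalUser -Name $AccountName -PasswordNeverExpires $true
}

# Get-LocalGroupMember throws when the member is missing, hence SilentlyContinue.
$isMember = Get-LocalGroupMember -Group $adminsGroup -Member $AccountName -ErrorAction SilentlyContinue
if (-not $isMember) {
    Add-LocalGroupMember -Group $adminsGroup -Member $AccountName
    Write-Output "Added '$AccountName' to the local Administrators group"
}

if ($DisableBuiltInAdmin) {
    # The built-in Administrator always carries RID 500 in the machine SID,
    # whatever it has been renamed to.
    Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' } | Disable-LocalUser
}

# As a remediation this exits 0 after enforcing the state; a matching detection
# script would exit 1 when the account or its group membership is missing.
exit 0
```

The account is deliberately created with a throw-away password that is never logged or stored: until LAPS has rotated it and backed the new value up to Entra ID, nobody can use the account, which is the intended state.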
Activate and rename local administrator
If you want LAPS to manage the built-in Administrator account rather than a dedicated one, prepare it first. To avoid depending on the administrator's default name we rename it, and in the same step we enable it, since on Windows clients the built-in Administrator is disabled by default and a managed account that nobody can log on with is of no use. We do not set a password; LAPS takes that over. Note that LAPS identifies this account by its well-known SID, so you can leave the "Administrator account name" in the LAPS policy empty after renaming, and keep in mind that the rename does not hide the account from an attacker who looks it up by SID.
To do this, we create a new profile based on the "Settings Catalog":
Intune > Devices > Windows > Configuration profiles
+ Create profiles
From the settings we add the following two:
- Accounts Rename Administrator Account
- Accounts Enable Administrator Account Status
The quickest way to find them is via the category "Local Policies Security Options".
Here we enable the account and assign the desired name.
When assigning, it makes sense to start with a test group. Beyond that you are free, it is just important that these settings reach every device that will receive the LAPS policy in the next step; otherwise LAPS has no enabled account to manage there.
Windows LAPS Policy in Intune
Now that LAPS is enabled in Entra ID and the local administrator account is prepared, create the policy in the Microsoft Intune admin center. This policy defines, among other things, the complexity and rotation cycle of the passwords.
It is created in Intune under:
Endpoint security > Account protection
+ Create Policy (Windows 10 and later, Local admin password solution (Windows LAPS))
In the settings you now choose where the password is backed up and how the managed account behaves. The settings that matter for this setup:
- Backup directory: "Azure AD only" for the cloud-native setup described here; without a backup directory LAPS does nothing.
- Administrator account name: the name of the dedicated account created above. Leave it empty only if LAPS is to manage the built-in Administrator (found by its well-known SID, whatever it is called).
- Password age days, password length and password complexity: the rotation cycle and the strength of the generated passwords.
- Post authentication actions and post authentication reset delay: what LAPS does after someone has logged on with the managed account, e.g. reset the password and log off that account after the delay, so a checked-out password does not stay valid indefinitely.
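To confirm on a client that the policy arrived with the intended values, here is an added check of my own (not from the article). It reads the registry key where Windows LAPS stores CSP-delivered policy, compares it with values assumed for this example (account lapsadmin, 30-day age, 20 characters, full complexity, reset and log off after use), confirms the managed account exists and is enabled, forces a policy cycle, and then looks at the LAPS operational event log for errors, which is where a still-disabled tenant setting shows up.

```powershell
# Added example, not the article's code: verify the Windows LAPS policy on a
# device. Windows LAPS keeps CSP (Intune) policy under
# HKLM\SOFTWARE\Microsoft\Policies\LAPS. Run in an elevated PowerShell on the client.

# Expected values are assumptions for this example and must mirror the Intune
# policy. Numeric encodings follow the Windows LAPS CSP:
#   BackupDirectory 1 = Azure AD / Entra ID, 2 = Active Directory
#   PasswordComplexity 4 = upper, lower, digits and special characters
#   PostAuthenticationActions 3 = reset the password and log off the account
$Expected = @{
    BackupDirectory              = 1
    AdministratorAccountName     = 'lapsadmin'
    PasswordAgeDays              = 30
    PasswordLength               = 20
    PasswordComplexity           = 4
    PostAuthenticationResetDelay = 24
    PostAuthenticationActions    = 3
}

function Test-LapsPolicy {
    param(
        [hashtable]$Expected,
        [string]$Path = 'HKLM:\SOFTWARE\Microsoft\Policies\LAPS'
    )
    if (-not (Test-Path $Path)) {
        Write-Warning "No LAPS CSP policy found at $Path; the Intune policy has not applied yet"
        return $false
    }
    $actual = Get-ItemProperty -Path $Path
    $ok = $true
    foreach ($name in $Expected.Keys) {
        $value = $actual.$name
        if ($null -eq $value) {
            Write-Warning "$name is not set (LAPS will use its default)"
            $ok = $false
        }
        elseif ("$value" -ne "$($Expected[$name])") {
            Write-Warning "$name is '$value', expected '$($Expected[$name])'"
            $ok = $false
        }
    }
    return $ok
}

function Test-LapsManagedAccount {
    param([string]$Name)
    # An empty AdministratorAccountName means LAPS manages the RID-500 account.
    $account = if ($Name) { Get-LocalUser -Name $Name -ErrorAction SilentlyContinue }
               else { Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' } }
    if (-not $account) { Write-Warning "Managed account '$Name' does not exist"; return $false }
    if (-not $account.Enabled) { Write-Warning "Managed account '$($account.Name)' is disabled"; return $false }
    return $true
}

$policyOk  = Test-LapsPolicy -Expected $Expected
$accountOk = Test-LapsManagedAccount -Name $Expected.AdministratorAccountName

# Force a policy cycle now instead of waiting, then look for problems. A backup
# that fails because the tenant setting in Entra is still off lands here as an error.
Invoke-LapsPolicyProcessing
$problems = Get-WinEvent -LogName 'Microsoft-Windows-LAPS/Operational' -MaxEvents 50 -ErrorAction SilentlyContinue |
    Where-Object { $_.Level -le 3 }   # 1 = critical, 2 = error, 3 = warning
$problems | Select-Object TimeCreated, Id, LevelDisplayName, Message | Format-List

if ($policyOk -and $accountOk -and -not $problems) {
    Write-Output 'LAPS policy applied, managed account present, no errors logged'
}
```

The registry comparison is the quick way to catch the classic mistake of a policy whose "Administrator account name" does not match the account the script created: LAPS then logs an error on every cycle and never backs up a password.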
Show LAPS passwords
The passwords generated by Windows LAPS and stored in Entra ID / Azure AD can be viewed in several ways. Below I cover the ways via Intune and Entra.
It is also possible to read the passwords via Microsoft Graph, for example from PowerShell. You can find a post about this on Microsoft Learn: Get started with Windows LAPS and Azure Active Directory | Microsoft Learn. Whichever way you use, a password read requires a role that is allowed to recover LAPS passwords (for instance Cloud Device Administrator or Intune Administrator, or a custom role with the permission microsoft.directory/deviceLocalCredentials/password/read) and is recorded in the Entra audit log, so reads can be reviewed afterwards.
LAPS passwords in Intune
In Intune you can view and copy the password on any Windows device that has a LAPS policy applied:
- Devices > Windows > Select a device
> Local admin password
LAPS passwords in Entra / Azure AD
In Entra and in Azure AD you have a nice overview of all devices / passwords.
You can find these at:
- Devices > Local administrator password recovery
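As an added example of the Graph route (my code, not the article's and not Microsoft's sample), the following uses the Microsoft Graph PowerShell SDK. It assumes the Microsoft.Graph.Authentication module is installed, that the signed-in user holds a role allowed to read LAPS passwords, and a placeholder device name PC-0001. Besides reading one device's password it lists devices whose last backup is older than the assumed 30-day password age, which is how you spot clients that have stopped rotating.

```powershell
# Added example, not the article's code: read Windows LAPS passwords from
# Entra ID via Microsoft Graph. Requires the Microsoft.Graph.Authentication
# module. Every password read is recorded in the Entra audit log.
Connect-MgGraph -Scopes 'Device.Read.All', 'DeviceLocalCredential.Read.All' -NoWelcome

function Get-EntraLapsPassword {
    param([Parameter(Mandatory)][string]$DeviceName)

    # Resolve the Entra device object. The LAPS credential resource is keyed by
    # the device's deviceId, not by the directory object id.
    $filter = [uri]::EscapeDataString("displayName eq '$($DeviceName.Replace("'", "''"))'")
    $uri = "https://graph.microsoft.com/v1.0/devices?`$filter=$filter&`$select=deviceId,displayName"
    $device = (Invoke-MgGraphRequest -Method GET -Uri $uri).value | Select-Object -First 1
    if (-not $device) { throw "Device '$DeviceName' not found in Entra ID" }

    # The password is only returned when 'credentials' is explicitly selected;
    # the default response carries metadata only.
    $uri = "https://graph.microsoft.com/v1.0/directory/deviceLocalCredentials/$($device.deviceId)?`$select=credentials"
    $info = Invoke-MgGraphRequest -Method GET -Uri $uri
    foreach ($c in $info.credentials) {
        [pscustomobject]@{
            Device         = $device.displayName
            AccountName    = $c.accountName
            AccountSid     = $c.accountSid
            BackupDateTime = [datetime]$c.backupDateTime
            Password       = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($c.passwordBase64))
        }
    }
}

function Get-StaleLapsBackups {
    # Devices whose last LAPS backup is older than the policy's password age.
    # The list endpoint returns metadata without passwords, so it is safe to
    # run as a routine report.
    param([int]$PasswordAgeDays = 30)   # assumed to match the Intune policy
    $cutoff = (Get-Date).AddDays(-$PasswordAgeDays)
    $uri = 'https://graph.microsoft.com/v1.0/directory/deviceLocalCredentials?$select=id,deviceName,lastBackupDateTime'
    while ($uri) {
        $page = Invoke-MgGraphRequest -Method GET -Uri $uri
        foreach ($d in $page.value) {
            if ([datetime]$d.lastBackupDateTime -lt $cutoff) {
                [pscustomobject]@{ DeviceName = $d.deviceName; LastBackup = [datetime]$d.lastBackupDateTime }
            }
        }
        $uri = $page.'@odata.nextLink'   # follow paging until exhausted
    }
}

# Usage with the placeholder device name. The Password column is plain text:
# treat the console and any transcript as sensitive and do not pipe it to a file.
Get-EntraLapsPassword -DeviceName 'PC-0001' | Format-List
Get-StaleLapsBackups -PasswordAgeDays 30 | Sort-Object LastBackup | Format-Table
```

On Windows builds that ship the LAPS PowerShell module, Get-LapsAADPassword -DeviceIds 'PC-0001' -IncludePasswords -AsPlainText does the same single-device lookup after Connect-MgGraph; the raw Graph calls above work from any machine with the SDK installed.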
Manually rotate password
If you don't want to wait until a password expires, you can rotate it early either via Intune or via PowerShell. Note that the post-authentication actions from the policy do this automatically as well: once the managed account has been used to log on, LAPS rotates the password after the configured delay, so a checked-out password only stays valid for that window.
In Intune this works on any device, simply via a device action.
To do this, select the device in the overview, click "Rotate local admin password" and confirm with "Yes". Intune only flags the device; the actual rotation happens when the device next checks in and processes its LAPS policy, and the new password appears in Entra ID once the client has backed it up.
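Two added examples for the PowerShell side (mine, not the article's): an immediate local rotation with the Reset-LapsPassword cmdlet from the built-in LAPS module, run on the device itself, and the equivalent of the Intune device action through Graph. For the latter I assume the rotateLocalAdminPassword action on the managedDevice resource of the beta endpoint and the placeholder device name PC-0001; verify against the current Graph reference before relying on it.

```powershell
# Added example, not the article's code.

# (1) On the device, as an administrator: rotate immediately. Windows LAPS
# commits the new password to the backup directory (Entra ID here) before it
# changes the local account, so a failed backup never leaves a password that
# cannot be read back.
Reset-LapsPassword

# Confirm the result in the LAPS operational log (most recent entries).
Get-WinEvent -LogName 'Microsoft-Windows-LAPS/Operational' -MaxEvents 5 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, LevelDisplayName, Message | Format-List

# (2) From an admin workstation: the equivalent of the Intune "Rotate local
# admin password" device action. Requires the Microsoft.Graph.Authentication
# module. The managedDevice action and the beta endpoint are assumptions for
# this example.
Connect-MgGraph -Scopes 'DeviceManagementManagedDevices.PrivilegedOperations.All', 'DeviceManagementManagedDevices.Read.All' -NoWelcome

function Invoke-IntuneLapsRotation {
    param([Parameter(Mandatory)][string]$DeviceName)
    $filter = [uri]::EscapeDataString("deviceName eq '$($DeviceName.Replace("'", "''"))'")
    $uri = "https://graph.microsoft.com/beta/deviceManagement/managedDevices?`$filter=$filter&`$select=id,deviceName"
    $device = (Invoke-MgGraphRequest -Method GET -Uri $uri).value | Select-Object -First 1
    if (-not $device) { throw "Managed device '$DeviceName' not found in Intune" }
    # Intune only flags the device; the rotation runs when the client next
    # checks in and processes LAPS policy, so the new password shows up in
    # Entra ID with a delay.
    Invoke-MgGraphRequest -Method POST -Uri "https://graph.microsoft.com/beta/deviceManagement/managedDevices/$($device.id)/rotateLocalAdminPassword"
    Write-Output "Rotation requested for '$($device.deviceName)'"
}

Invoke-IntuneLapsRotation -DeviceName 'PC-0001'
```

Use the local Reset-LapsPassword when you are already on the box (for example after handing a password to a technician) and the Intune route when the device is remote; in both cases verify the new backup afterwards rather than assuming it worked.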
Summary
Having Windows LAPS now work cloud-natively in Entra ID / Azure AD and with Intune is great. I've waited a long time for this. The first experiences are very good and I am sure that many organizations will adopt this functionality. The fact that the local administrator has to be configured separately is a bit ugly, but fortunately easy to handle.