Intune

How to Set Up Windows LAPS with Microsoft Intune 

Topics: Intune

Have you ever made a mistake on a device and needed to get into the local administrator account to recover it? Or have you encountered an environment where all the local administrator accounts shared the same credentials? Well, look no further: Windows Local Administrator Password Solution (LAPS) has arrived to help improve those scenarios to better secure and manage those local administrator accounts. Let us dive in and learn more about Windows LAPS and how to manage it with Microsoft Intune. 

What is Windows Local Administrator Password Solution? 

Windows Local Administrator Password Solution (LAPS) is a feature in Windows that helps manage and back up the password of a local administrator account on your Microsoft Entra ID joined devices or Windows Server Active Directory-joined devices. 

Read our introduction to Windows LAPS here. You can also find our Microsoft LAPS overview here, the original LAPS solution.

Benefits of Windows Local Administrator Password Solution? 

  • Helps protect against pass-the-hash, as well as lateral traversal strikes. 
  • Helps keep your local administrator credentials unique. 
  • Allows you to sign in and recover devices that might not be accessible (network issue, etc.) 

Prerequisites 

Okay, so what do I have to buy for this to work? In this scenario, we are going to use Intune as our MDM solution to push the policy to the devices, so we will at least need to have a basic Intune subscription

Licenses Required 

  • Intune subscription – Microsoft Intune Plan 1 at a minimum (You will need this license to deploy a policy to the machine) 
  • Active Directory subscription – Azure Active Directory is free, and you can use all the features of LAPS with Microsoft Entra ID free. 

Tip: To see if your current plan includes the basic Intune subscription, take a look at https://m365maps.com/ created by Aaron Dinnage to help with any of your licensing questions. 

Where is Windows LAPS available? 

Windows LAPS is available on the following OS platforms: 

  • Windows 11 22H2 – April 11, 2023, Update and later (Pro, EDU and Enterprise) 
  • Windows 11 21H2 – April 11, 2023, Update and later (Pro, EDU and Enterprise) 
  • Windows 10 – April 11, 2023, Update and later (Pro, EDU and Enterprise) 
  • Windows Server 2022 and Windows Server Core 2022 – April 11, 2023, Update and later 
  • Windows Server 2019 – April 11, 2023, Update and later 

Enable LAPS in Microsoft Entra ID Device Settings 

First, you want to make sure you enable Microsoft Entra ID Local Administrator Password Solution (LAPS) (Preview) inside of Microsoft Entra admin center with at least the Cloud Device Administrator role. 

Go to **Microsoft Entra admin center** > Browse to Identity on the left-hand panel> click on the Devices tab and then All devices > click on Device settings > Under Local administrator settings, select Yes to Enable Microsoft Entra ID Local Administrator Password Solution (LAPS) (Preview). 

enable azure ad

Enable the Local Administrator Account 

I was running into trouble when I first tried this, I noticed my local administrator account was disabled as you can see on the event viewer. Which I learned that the local administrator account is disabled by default. So, let’s go enable it, using a Configuration Profile policy in the Intune portal. 

local event viewer

Enable Local Administrator account using Configuration profiles. 

Go to Microsoft Intune admin center > Devices > Configuration profiles > + Create Profiles > select Windows 10 and later for Platform and Settings catalog for Profile type and then click Create.

How to set up Windows LAPS with Microsoft Intune - enable LAPS csp

Add a Name and Description to your Configuration Profile policy and click Next. 

create CSP name

Click on +Add settings. 

add CSP

Search for the Local Policies Security Options category > Select Accounts Enabled Administrator Account Status and then Enable it.

settings picker CSP
How to set up Windows LAPS with Intune - edit profile

Assign to the Included groups you want. In my case I will + Add all devices. > Click Next and create to deploy policy. 

As a wise man once told me, trust but verify. Confirmed the Administrator account is Enabled

enabled local account

How to Manage Windows LAPS with Intune 

Cool! I have all the boxes check-marked. Now how do I manage Windows LAPS with Intune? 

First, you want to make sure you at least have the Intune Administrator role to apply these changes inside of your Intune environment. Once you have that set up, let’s get this show on the road. 

Let’s create a LAPS Policy inside of Intune 

  • Go to Microsoft Intune admin center > head to Endpoint Security > Account Protection > Click on + Create Policy > Set Windows 10 and later for the platform, then select Local admin password solution (Windows LAPS) (preview) for the Profile > Click Create.
  • On the Create Profile page on Basics, you can add a name for the profile. You can also add a description to the profile to give a brief summary and purpose for the policy. 
  • On Configuration settings, we will configure the settings we will apply to our Intune managed devices. 
configuration settings

Before we start pushing buttons and configuring our settings, let’s learn a little bit about what this all means on this page. 

Backup Directory – Here, we are going to tell the machine where to store the password. In my case, I want to back up the password to Microsoft Entra ID only. 

💡 You can only pick one choice where to store the password. 

Windows LAPS - backup directory

Password Age Days – In this section, we will set the password age of the local administrator before we rotate the password and store the new one in Microsoft Entra ID. In this case, the local administrator password will rotate after 30 days. 

Windows LAPS - password age days

Administrator Account Name – This setting allows you to specify the name of the managed local administrator account. If no name is specified it will use the built-in local administrator account located well-known SID. 

Windows LAPS admin account

Password Complexity – This setting will allow us to control the complexity of the managed local administrator account. In my scenario we want to make it harder for our attackers, so we will set our complexity to use Large letters + small letters + numbers + special characters. 

Windows LAPS - password complexity

Password Length – This setting will allow us to set the length for the managed local administrator account. Here by default when configured the password length is 14. 

Windows LAPS - password length

Post Authentications Actions – This setting will be used to configure what happens to the password after someone has authenticated using the local administrator account. This means after the managed local administrator password is used, run the post actions. Here I told the Post Authentication Actions to Reset the password and logoff the managed account; upon expiry of the grace period (24 hours later), the managed account password will be reset. 

Windows LAPS - authentication actions

Post Authentication Reset Delay – This setting is used to specify how long to wait after running the Post authentications actions. In my case I gave it a 24-hour grace period, after 24 hours it’s going to run the post authentication action. 

post authentication delay

Final Configuration Setting for Windows LAPS Policy 

configuration settings

We won’t make any changes on the Scope tags page > Click Next.

scope tags

In the Assignments sections, you can assign this policy to a group, All users or All devices. I will select to apply this policy to All devices. 

LAPS assignments

In the Review + create section, double check your policy to make sure it fulfills your need before creating. If it looks good go ahead and click on Create

review and create

Let’s again trust but verify that our device has received these configurations. Let’s go into our Account Protection policy and check the report. I have an Intune managed device that is called CPC-01 and it looks like it has succeeded. 

Windows LAPS report

Let’s go a little deeper and go to that device to verify locally that it has received those configurations. We can go to the registry editor and add this path to view what’s been written in the registry. 

HKLM\Software\Microsoft\Policies\LAPS 

Here we can see information such as our Password Age Days where we set it to 30, Password length where we set it to 14 and our BackupDirectory value of 1 which is Microsoft Entra ID etc. 

LAPS registry editor

How to View a Device’s Local Administrator Password 

We will try to access the managed Local Administrator password two ways with Microsoft Entra ID and the Microsoft Intune Portal. Make sure to at least have one of the following built-in roles (Global Administrator, Cloud Administrator or Intune Administrator) to access that information. 

Microsoft Entra admin center 

Go to Microsoft Entra admin center > Identity > Devices > All devices > 

Click on Local Administrator password recovery (Preview) > 

entra ID local password

Click Show local administrator password on the device you want to retrieve the local administrator password for > Click on show to view Local administrator password. 

entra ID show password

Microsoft Intune admin center 

Go to Microsoft Intune admin center > Devices > Windows

Intune LAPS password

Click on your Windows device you want to retrieve the local administrator password for > select Local admin password. 

Intune LAPS

Click on Show local administrator password > click on Show to view Local administrator password.

Intune LAPS show local admin password

Let’s put this Local Administrator Password to work on an actual device! 

Let’s run PowerShell as an administrator. 

PowerShell Run as Administrator

You’ll then view the UAC Prompt asking for administrator credentials > add .Administrator to run with the local administrator account and add the local administrator password retrieved from either Intune or Entra.

PowerShell admin login
powershell in LAPS

Completed: How to Set Up Windows LAPS with Microsoft Intune

Boom! There we go the king of jungle the administrator! 

PowerShell WHOAMI

Bonus Tip: Change Windows LAPS password on demand. 

Go to Microsoft Intune admin center > Devices > All devices > Click on your device you want to change the LAPS password > go to the 3 dots > Rotate local admin password. 

changing Windows LAPS password

Read the prompt and select Yes (At your own risk) .

rotate local admin password

Success!

rotate local admin password success

Additional Windows LAPS Posts

Back to Top