Windows Local Administrator Password Solution (Windows LAPS) is a free tool from Microsoft that manages and rotates local administrator passwords on Windows devices, and Microsoft Intune can be used to manage and rotate those passwords through Windows LAPS. By default, local administrator passwords on Windows devices are the same across all devices, which is a security risk: a single disclosed password opens every device that shares it. Windows LAPS is now built into the following OS versions once the April 2023 updates are installed.
- Windows 11 22H2
- Windows 11 21H2
- Windows 10
- Windows Server 2022
- Windows Server 2019
Windows LAPS does not require the legacy Microsoft LAPS to be installed; every feature is available without installing or referring to legacy LAPS. In this blog post, we look at how to use Microsoft Intune and Windows LAPS to manage and rotate the local admin password on Windows devices.
- How to Manage Windows LAPS policies with Microsoft Intune
- Role based access control for Windows LAPS
- Enable Windows LAPS in Azure AD
- Create Windows LAPS policy in Microsoft Intune
- Review policy assignments from Intune console
- Retrieve Local Admin Password for a Device
- Review Windows LAPS policy assignment status on a device
- Manually rotate device local admin password from Intune console
How to Manage Windows LAPS policies with Microsoft Intune
You can use Microsoft Intune Endpoint security policies for account protection to manage LAPS on devices that have enrolled with Intune.
Windows LAPS with Microsoft Intune support is available in public preview since April 2023.
Intune policies can:
- Enforce password requirements for local admin accounts
- Back up the local admin account password from the device to your Active Directory or Azure AD
- Schedule rotation of those account passwords to help keep them safe
You can also view details about the managed local admin accounts in the Intune Admin center, and manually rotate their account passwords outside of a scheduled rotation.
Role based access control for Windows LAPS
The following permissions are required to manage LAPS policy.
Create and access LAPS policy: By default, the Endpoint Security Manager built-in role includes the permissions needed to manage LAPS policy. For a custom role, your account must be assigned sufficient permissions from the Security baseline category of Intune RBAC.
Rotate local Administrator password: To use the Intune admin center to view or rotate a device's local admin account password, your account must be assigned the following Intune permissions:
- Manage Device: Read
- Organization: Read
- Remote tasks: Rotate Local Admin Password
Retrieve local Administrator password: To view password details, your account must have one of the following Azure Active Directory permissions:
- microsoft.directory/deviceLocalCredentials/password/read
- microsoft.directory/deviceLocalCredentials/standard/read
Related Post: How to Create Custom RBAC Role in Intune for LAPS Password Administrator
Enable Windows LAPS in Azure AD
Before you start managing local administrator passwords with Intune, the LAPS setting must be enabled in Azure Active Directory. To enable it, go to Azure Active Directory > Devices > Device settings and turn on “Enable Azure AD Local Administrator Password Solution (LAPS) (Preview)”.
Video Tutorial – Manage Local Admin Password with Intune & Windows LAPS
Create Windows LAPS policy in Microsoft Intune
Step 1: To create a policy in Microsoft Intune, navigate to Endpoint security > Account protection, click Create policy and select the following:
Platform: Windows 10 and later
Profile: Local admin password solution (Windows LAPS)
Step 2: On the Create Profile page, enter a policy name and click on Next.
Step 3: On the Configuration Settings page, configure the settings for LAPS.
- Backup Directory: Select Backup the password to Azure AD only. The following options are available:
  - Not Configured
  - Disabled (password will not be backed up)
  - Backup the password to Azure AD only
  - Backup the password to Active Directory only
- Password Age Days: Enter the number of days after which the Windows local admin password is rotated. The default value is 30 days.
- Administrator Account Name: Enable the setting and enter the name of the local admin account you want LAPS to manage. If you do not configure this setting, the built-in local Administrator account is managed by LAPS.
- Password complexity: Define the password complexity you want to enforce on Intune-managed devices. The following options are available:
  - Not configured
  - Large letters
  - Large letters + small letters
  - Large letters + small letters + numbers + special characters
- Password length: Define the password length you want to enforce on managed devices.
- Post Authentication Action: Configure the action LAPS takes after the managed account is used to authenticate, once the grace period expires:
  - Reset password: upon expiry of the grace period, the managed account password is reset.
  - Reset the password and logoff the managed account: upon expiry of the grace period, the managed account password is reset and any interactive logon session using the managed account is terminated.
  - Reset the password and reboot: upon expiry of the grace period, the managed account password is reset and the managed device is immediately rebooted.
Step 4: On the Assignments page, assign the policy to All Devices or to an Azure AD group as required. You can also use assignment filters to further narrow the deployment scope of the policy.
Step 5: On the Review + create page, review the details and click Create to proceed with policy creation.
Review policy assignments from Intune console
You can review the policy assignment status from Endpoint security / Account protection blade. To see the policy assignment status, simply navigate to Endpoint security / Account protection and select the policy you created for LAPS and click on View report to see the compliance status.
You can also check the Device assignment status and Per Setting Status.
Retrieve Local Admin Password for a Device
The local admin account password for managed devices is backed up in Azure Active Directory. You can view the password for a device from the Microsoft Intune console using the steps below.
- In the Intune console, navigate to Devices / All Devices and select the device whose local admin password you need to retrieve
- Select Local Admin Password from the left pane
- Click the Show local administrator password link
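The same password can be read from Azure AD with the Windows LAPS PowerShell module instead of the Intune console. This is an added example, not code from the original post; it assumes the Microsoft.Graph module is installed, that the signed-in account holds the deviceLocalCredentials/password/read permission listed above, and the device ID is a placeholder you replace with your own.

```powershell
# Added example (not from the original post): read a device's Azure AD-backed-up
# local admin password with the Windows LAPS module. Assumes the Microsoft.Graph
# module is installed and the caller is allowed to read device local credentials.
Import-Module LAPS
Import-Module Microsoft.Graph.Authentication

# Delegated Graph scopes required by Get-LapsAADPassword.
Connect-MgGraph -Scopes 'Device.Read.All', 'DeviceLocalCredential.Read.All'

# Placeholder: replace with the Azure AD device ID (or device name) to look up.
$deviceId = '<AZURE-AD-DEVICE-ID>'

# Without -IncludePasswords only metadata (account name, update/expiry times) is
# returned, which is enough to verify that backup and rotation are working
# without exposing the secret. Add -IncludePasswords -AsPlainText only when the
# password itself is needed.
$info = Get-LapsAADPassword -DeviceIds $deviceId

$info | Select-Object DeviceName, Account, PasswordUpdateTime, PasswordExpirationTime |
    Format-List

# Warn if the backed-up password is older than the policy's rotation window,
# which usually means the device has not processed policy or the backup failed.
$maxAgeDays = 30   # matches the default Password Age Days value described above
if ($info.PasswordUpdateTime -lt (Get-Date).AddDays(-$maxAgeDays)) {
    Write-Warning "Backed-up password for $($info.DeviceName) is older than $maxAgeDays days."
}
```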
Review Windows LAPS policy assignment status on a device
Windows LAPS processes the currently active policy on a periodic basis (every hour). To avoid waiting after you apply the policy, you can run the Invoke-LapsPolicyProcessing PowerShell cmdlet. This is useful for testing or troubleshooting, since it forces the policy to run immediately.
The Windows LAPS event logs can be found in Event Viewer under Event Viewer > Application and Services Logs > Microsoft > Windows > LAPS.
The below event log shows that LAPS successfully updated the local admin account with the new password.
The below event log shows that LAPS successfully updated Azure Active Directory with the new password.
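To check the two outcomes described above without opening Event Viewer, the policy run and the log check can be scripted on the device. This is an added example, not code from the original post; it assumes an elevated PowerShell session on a device that has the April 2023 (or later) updates, and the message-text matches are taken from the event descriptions quoted above.

```powershell
# Added example (not from the original post): force a Windows LAPS policy run
# and then read back the resulting events from the LAPS operational log.
Import-Module LAPS

# Trigger processing of the active policy now instead of waiting for the hourly cycle.
Invoke-LapsPolicyProcessing

# Pull events written in the last 15 minutes from the channel shown in Event Viewer
# under Microsoft > Windows > LAPS.
$since  = (Get-Date).AddMinutes(-15)
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-LAPS/Operational'
    StartTime = $since
} -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Warning 'No LAPS events in the last 15 minutes; confirm the Intune policy has reached this device.'
    return
}

$events | Sort-Object TimeCreated |
    Select-Object TimeCreated, Id, LevelDisplayName, Message |
    Format-Table -Wrap

# Flag the two success conditions (local account updated, Azure AD updated) and
# any error-level events, so rotation and backup can be verified at a glance.
# Message patterns are assumed from the event descriptions on this page.
$localOk = $events | Where-Object { $_.Message -like '*successfully updated the local admin account*' }
$cloudOk = $events | Where-Object { $_.Message -like '*successfully updated Azure Active Directory*' }
$errors  = $events | Where-Object { $_.Level -le 2 }   # 1 = Critical, 2 = Error

"Local account password updated : $([bool]$localOk)"
"Azure AD backup succeeded      : $([bool]$cloudOk)"
if ($errors) {
    Write-Warning 'LAPS reported errors:'
    $errors | Select-Object TimeCreated, Id, Message | Format-List
}
```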
Manually rotate device local admin password from Intune console
There may be an ad hoc requirement to rotate or reset the local admin password for a device, for example after the password has been disclosed to unauthorized users, after a security breach, or for other reasons. You can follow the steps below to rotate the password for an Intune-managed device.
- Navigate to Devices > Windows > Windows Devices and select the Windows device for which you want to rotate the password
- Click on three dots icon at right side and select Rotate local admin password
- Click on Yes on confirmation dialog box.