Unlocking Windows LAPS: Modern Management with Microsoft Intune
By information technology
Comprehensive Guide to Windows LAPS Configuration and Deployment Using Microsoft Intune
Managing local administrator passwords across hundreds or thousands of Windows devices can be a nightmare for IT teams. The old approach of using the same password on every machine creates serious security risks, while manually managing unique passwords is impossible at scale.
Windows Local Administrator Password Solution (LAPS) resolves the issue by automatically generating, storing, and rotating a unique password for the local administrator account on each device. LAPS changes these passwords on a schedule you control - weekly, monthly, or whatever fits your security policies. When you manage LAPS with Microsoft Intune, you get a cloud-based management system that fits modern, cloud-managed organisations.
Why Use Windows LAPS in an Enterprise or Large Environment?
Shared Passwords Across Devices
Manual Password Management
Security Vulnerabilities
Compliance Requirements
Benefits of Windows LAPS
Implementing Windows LAPS in an enterprise environment offers several key benefits:
Enhanced Security
Automated Password Management
Secure Storage
Scalability
Audit and Compliance
Remote Accessibility
Device Recovery
No Additional Licensing Costs
Prerequisites for Windows LAPS with Intune
Before configuring and deploying Windows LAPS, ensure the following prerequisites are met:
Supported Operating Systems:
Microsoft Intune Subscription: A minimum of Microsoft Intune Plan 1 is required to deploy LAPS policies.
Microsoft Entra ID
Role-Based Access Control (RBAC) Permissions
Local Administrator Account
Device Enrollment
Legacy LAPS Removal
How to Configure Windows LAPS in Microsoft Intune
Configuring Windows LAPS involves enabling the feature in Microsoft Entra ID and creating a policy in Intune. Follow these steps:
Select Platform: Windows 10 and later, and Profile: Local admin password solution (Windows LAPS).
Click Create.
Basics: Enter a Name (e.g., "Windows LAPS Policy") and Description (optional but recommended). Click Next.
Configuration Settings
Backup Directory: You can choose Azure Active Directory (now Microsoft Entra ID) or Active Directory based on your company environment. For cloud-based management, select Entra ID.
Password Age Days: Set the frequency of password rotation (for example, 30 or 90 days). The default is 30 days.
Administrator Account Name: Specify the account to manage (for example, "lapsadmin"), or leave it blank to manage the built-in Administrator account (identified by its well-known SID).
Password Complexity: Choose a complexity level (for example, uppercase letters, lowercase letters, numbers, and special characters).
Password Length: Set the password length (minimum 8, default 14), making sure it is compatible with the device's local password policy.
Post-Authentication Actions: Define actions to take after password use (Example: reset the password, log off, or power down). Set the grace period (Example: 24 hours).
Automatic Account Management (Windows 11 24H2 and later): These settings let LAPS create the managed account, enable or disable it, and randomise its name. Use the parameters below to control whether automatic account management is active. When it is enabled, the target account is managed automatically; when it is disabled, the target account is left untouched. The default is False.
Automatic Account Management Enable: Determines whether automatic account management is active. When enabled, the target account is managed; when disabled, it is not. If this setting is not configured, the default is False.
Automatic Account Management Randomize Name: Specifies whether a random numeric suffix is appended to the name of the automatically managed account each time the password is rotated. If enabled, the suffix is added; if disabled, the account name is left as-is. If not configured, the default is False.
Automatic Account Management Target: Defines which account is automatically managed. Acceptable values: 0 = the built-in Administrator account is used; 1 = a new account is created and managed by Windows LAPS. If not configured, the default is 1.
Automatic Account Management Name Or Prefix: Sets the name or name prefix of the managed local administrator account. If provided, the value is used as the account's name or name prefix. If not configured, "lapsadmin" is used by default.
Click Next.
Scope Tags: Add scope tags if applicable, then click Next.
Assignments: Assign the policy to an Entra ID security group containing devices or users, or use All Devices under Include if needed. Click Next.
Review + Create: Review the settings and click Create to deploy the policy.
How to Check LAPS Passwords in the Intune Admin Center
Sign in to intune.microsoft.com
Go to Devices > All Devices.
Select the target device.
Under Monitor, click Local admin password.
Click Show local administrator password to view or copy the password. The pane displays: Account name, Security ID, Password, Last password rotation, and Next password rotation.
To manually rotate the password, click the ellipsis (...) in the same section and select Rotate local admin password. The device must be online, and the rotation completes after a reboot.
Using Microsoft Entra Admin Center
Sign in to entra.microsoft.com.
Navigate to Devices > All Devices > Local administrator password recovery.
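The same lookup can be scripted, which is useful for spotting devices whose Next password rotation date has already passed. This is an added example, not code from the original post; it assumes the LAPS and Microsoft.Graph.Authentication PowerShell modules are installed, the signed-in account is permitted to read local credentials, and the device names are placeholders. Every retrieval is recorded in the Entra audit log, so request the plaintext password only when you need it.

```powershell
# Added example (not from the original post). Assumes the LAPS and
# Microsoft.Graph.Authentication modules are installed.
Import-Module LAPS
Import-Module Microsoft.Graph.Authentication

# Scopes needed to read device objects and their backed-up local credentials.
Connect-MgGraph -Scopes 'Device.Read.All', 'DeviceLocalCredential.Read.All'

# Hypothetical helper name: builds the same report the admin center pane shows
# (account, last/next rotation) and flags entries that are already overdue.
function Get-LapsPasswordReport {
    param(
        [Parameter(Mandatory)] [string[]] $DeviceNames,
        [switch] $RevealPassword   # only request plaintext when it is actually needed
    )
    foreach ($name in $DeviceNames) {
        # -DeviceIds accepts either the Entra device display name or its object ID.
        $entry = if ($RevealPassword) {
            Get-LapsAADPassword -DeviceIds $name -IncludePasswords -AsPlainText
        } else {
            Get-LapsAADPassword -DeviceIds $name -IncludePasswords   # Password stays a SecureString
        }
        [pscustomobject]@{
            Device       = $entry.DeviceName
            Account      = $entry.Account
            Password     = if ($RevealPassword) { $entry.Password } else { '<secure string>' }
            LastRotation = $entry.PasswordUpdateTime
            NextRotation = $entry.PasswordExpirationTime
            Overdue      = $entry.PasswordExpirationTime -lt (Get-Date)
        }
    }
}

# Placeholder device names; replace with real Entra device display names.
Get-LapsPasswordReport -DeviceNames 'CONTOSO-PC01', 'CONTOSO-PC02' | Format-Table -AutoSize
```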
How to Monitor Windows LAPS on the Client Side
Monitoring LAPS deployment ensures policies are applied correctly and passwords are managed as expected.
Event Log Monitoring
LAPS events are logged in the Windows Event Viewer under:
Path: Applications and Services Logs > Microsoft > Windows > LAPS > Operational
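To check a single client without opening Event Viewer, the following added script (not from the original post) reads the policy that Intune delivered through the LAPS CSP, looks at when the managed account's password was last set, and pulls recent warnings and errors from the Operational log named above. The helper name is hypothetical; the registry path is the standard location for CSP-delivered LAPS policy, and the script must run in an elevated PowerShell session.

```powershell
# Added example (not from the original post). Run elevated on an Intune-enrolled client.
function Get-LapsClientStatus {
    param([int] $Hours = 24)   # how far back to look in the Operational log

    # 1. Effective policy pushed by Intune through the LAPS CSP.
    $policy = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Policies\LAPS' -ErrorAction SilentlyContinue

    # 2. The managed account: the configured name, or the built-in Administrator
    #    (RID 500) when Administrator Account Name was left blank in the policy.
    $account = if ($policy.AdministratorAccountName) {
        Get-LocalUser -Name $policy.AdministratorAccountName -ErrorAction SilentlyContinue
    } else {
        Get-LocalUser | Where-Object { $_.SID.Value.EndsWith('-500') }
    }

    # 3. Warnings/errors from the LAPS Operational log. Level 1-3 = critical/error/warning.
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-LAPS/Operational'
        Level     = 1, 2, 3
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue

    [pscustomobject]@{
        PolicyPresent      = $null -ne $policy
        BackupDirectory    = $policy.BackupDirectory      # 1 = Entra ID, 2 = Active Directory
        PasswordAgeDays    = $policy.PasswordAgeDays
        ManagedAccount     = $account.Name
        PasswordLastSet    = $account.PasswordLastSet
        RecentProblemCount = @($events).Count
        RecentProblems     = @($events | Select-Object -First 5 -ExpandProperty Message)
    }
}

$status = Get-LapsClientStatus
$status | Format-List

# Policy arrived but the password has never been rotated: trigger a processing
# cycle now instead of waiting for the next scheduled run, then re-check the log.
if ($status.PolicyPresent -and -not $status.PasswordLastSet) {
    Invoke-LapsPolicyProcessing
}
```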