Windows LAPS (Local Administrator Password Solution) provides centralized, simple and secure management of local administrator passwords in Microsoft Intune. Each device receives its own temporary administrator password. Windows LAPS automatically manages the administrator passwords in terms of expiration and rotation. Local administrator passwords are stored in either Azure Active Directory or local Active Directory.
Windows LAPS thus offers, for example, higher protection against pass-the-hash and lateral traversal attacks.
This guide configures Windows LAPS in Microsoft Intune with local administrator passwords in Azure Active Directory.
Prerequisites and Licensing
Windows LAPS in Microsoft Intune has the following requirements:
Microsoft Intune Service Level April 2023 (2304) or newer
The following operating systems are supported for Windows LAPS:
- Windows 11 22H2 – April 11 2023 Update
- Windows 11 21H2 – April 11 2023 Update
- Windows 10 – April 11 2023 Update
- Windows Server 2022 – April 11 2023 Update
- Windows Server 2019 – April 11 2023 Update
Licensing
- Azure AD Free or higher
(when using administrative units Azure AD Premium 1 or higher) - Microsoft Intune Plan 1 or higher
An overview of Microsoft 365 license packages with their features can be found at https://m365maps.com/.
Roles
A role with the microsoft.directory/deviceLocalCredentials/password/read permission is required to retrieve the local administrator password. This permission is part of the following roles:
- Global Administrator
- Intune Administrator
- Cloud Device Administrator
Enable Windows LAPS
Windows LAPS is enabled in the Azure Portal (https://portal.azure.com).
Open Azure Active Directory > Devices > Device Settings and enable the feature Enable Azure AD Local Administrator Password Solution (LAPS)
Configure Windows LAPS
Create Intune policy
The policy for Windows LAPS is created in the Microsoft Intune admin center(https://endpoint.microsoft.com).
Open Endpoint Security > Account protection and create a new policy with Create Policy
Choose Platform Windows 10 and later and Profile Local admin password solution (Windows LAPS) then click Create
Set a name for the new policy.
Set configuration settings:
- Backup location of local administrator password
- set maximum password age before the password is rotated
– if not specified, the password will be rotated every 30 days
– for backup location Azure AD, the minimum allowed value is 1 day
– for backup location AD, the minimum allowed value is 7 day
– maximum value is 365 days - Choose account name for administrator
– if not specified, administrator is used - Select password complexity
– if not specified, large and small letters, numbers and special characters are used - Password length (recommendation: > 24 characters)
– if not specified, 8 characters are used - Select post authentication action
– if not specified, the password will be rotated and the account will be logged out - Delay until the selected action from “Post Authentication Action” (6) is executed
– if not specified, delay is set to 24 hours
– allowed values are between 0 (disabled) and 24 hours
Tags can be added according to your own specifications.
The assignment to devices can be customized here.
The selected settings are shown again for review. By clicking Create, the policy for Windows LAPS will be created.
The new policy for Windows LAPS is created immediately.
Enable Built-in Administrator Account
The local administrator account is disabled by default on every Windows device. For successful use of Windows LAPS, a configuration profile ensures that the local administrator account is enabled on the device. The configuration profile is created in the Microsoft Intune admin center (https://endpoint.microsoft.com).
Open Devices > Configuration profiles and create a new profile by clicking Create profile
Choose Platform Windows 10 and later and Profile type Templates.
Select Custom as template.
Set a name for the new profile.
The following settings enable the local administrator account:
Name: frei wählbar
OMA-URI: ./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/Accounts_EnableAdministratorAccountStatus
Data type: Integer
Value: 1
The assignment to devices can be customized here.
If needed, the applicability rules can be defined.
The selected settings are shown again for review. The profile will be created by clicking Create.
The new configuration profile is created immediately.
Retrieve Windows LAPS password
There are several ways to retrieve the local administrator password of a device. The procedure for Microsoft Entra, Microsoft Azure Portal, and Microsoft Intune is described below.
Microsoft Entra
Sign in to Microsoft Entra admin center (https://entra.microsoft.com/).
Open Devices > All devices and select the device from which the local administrator password is to be displayed.
Under Local admin password > Show local administrator password the account name for the local administrator and the password are shown.
Microsoft Azure Portal
Sign in to Microsoft Azure Portal (https://portal.azure.com).
Open Azure Active Directory > Devices > All devices and select the device from which the local administrator password is to be displayed.
Under Local admin password > Show local administrator password the account name for the local administrator and the password are shown.
Microsoft Intune
Sign in to Microsoft Intune admin center (https://endpoint.microsoft.com).
Open Devices > Windows
Select the device from which the password for the local administrator is to be shown.
Under Local admin password > Show local administrator password the account name for the local administrator and the password are shown.
Who retrieved the local administrator password?
The audit logs in Microsoft Entra show which user principal name retrieved the local administrator password.
Open Microsoft Entra > Monitoring & health > Audit logs
Set filter:
- Service = Device Registration Service
- Activity = Recover device local administrator password
Open log entry of the device
The detailed audit log shows the account that displayed the local administrator password under User Principal Name in the entry Successfully recovered local credential by device id.
Retrieve Windows LAPS password restricted to a group of devices
Administrative units can be used to granularly control access to Windows LAPS passwords. The Users with the role Cloud Device Administrator get access only to this administrative unit. This ensures that the user with Windows LAPS is only allowed to retrieve the passwords of devices that are assigned to this administrative unit. The use of administrative units requires an Azure AD Premium 1 license.
Create administrative unit
The administrative unit is created in Microsoft Entra or the Azure Portal. This guide uses Microsoft Entra.
Create the administrative unit with Roles & admins > Admin units > Add.
Enter a name for the administrative unit.
Assign all users to the Cloud Device Administrator role who are allowed to retrieve the Windows LAPS passwords of the devices of this administrative unit.
Click on Create to create the administrative unit.
Assign devices to a administrative unit
Open the administrative unit in Microsoft Entra > Roles & admins > Admin units.
Click on Devices > Add devices and assign the devices.
Users with the Cloud Device Administrator role on this administrative unit are allowed to retrieve the Windows LAPS passwords of all listed devices.
Local administrator password recovery is shown for authorized devices.
Local administrator password recovery is not shown for unauthorized devices.
Retrieve Windows LAPS password history
PowerShell allows to read the password history of the local administrator account. This can be useful if a device is restored to a previous restore point and thus the current local administrator password is not valid. With PowerShell, a maximum of the last three local administrator passwords are displayed.
To be able to retrieve the Windows LAPS password history, the PowerShell cmdlet Microsoft.Graph is required.
1 | Install-Module microsoft.graph -Scope AllUsers |
Connect to Microsoft Graph and set the two permissions Device.Read.All and DeviceLocalCredential.Read.All.
1 | Connect-MgGraph -Scope "Device.Read.All","DeviceLocalCredential.Read.All" |
The Get-LapsAADPassword cmdlet displays the last three local administrator passwords.
Replace parameter -DeviceIDs with the device name.
1 | Get-LapsAADPassword -DeviceIds OMUVWSWX001 -IncludePasswords -AsPlainText -IncludeHistory |
The output shows the last three local administrator passwords (1-3) in plain text with the respective expiration date.
Rotate Windows LAPS password
Windows LAPS automatically rotates the password according to settings in the policies. If the password needs to be rotated before the maximum password age is reached, this must be done manually in the Microsoft Intune admin center (https://endpoint.microsoft.com).
Open Devices > Windows
Select the device on which the password for the local administrator is to be rotated.
In the Overview, click on the three dots and select Rotate local admin password.
Confirm the message with Yes. At the next restart Windows LAPS rotates the password on this device.
Troubleshooting
Windows LAPS stores the activities in the following logs.
Audit logs in Microsoft Intune
Microsoft Intune admin center (https://endpoint.microsoft.com) audit logs store all Windows LAPS activity.
Open Tenant administration > Audit logs > Filter
Set the filter Category to Device
Select the activity for details.
Event viewer on device
Windows LAPS activities are stored in the Event Viewer of the device.
Open Event Viewer > Application and Services Logs > Microsoft > Windows > LAPS to track the activities.
Follow me on LinkedIn and get informed about my latest posts.