Windows LAPS (Local Administrator Password Solution) provides centralized, simple, and secure management of local administrator passwords through Microsoft Intune. Each device receives its own, time-limited local administrator password. Windows LAPS independently manages the administrator passwords in terms of expiration and rotation. The passwords are stored either in Microsoft Entra ID (formerly Azure Active Directory) or in the local Active Directory.
The centralized management of all local administrator passwords simplifies control and monitoring. The time-controlled rotation of passwords significantly reduces their exposure duration. In addition, access to the stored passwords is strictly controlled, which makes unauthorized access more difficult and overall increases the security of the network environment.
This guide demonstrates how to configure Windows LAPS in Microsoft Intune to store local administrator passwords in Microsoft Entra ID.
Prerequisites and Licensing
Operating Systems
The following fully patched operating systems support Windows LAPS:
- Windows 11: Current supported version (recommended: Version 24H2, as it offers support for automatic administrator account management)
- Windows 10: Current supported version
- Windows Server 2022
- Windows Server 2019
Licensing
- Microsoft Entra ID Free or higher (Microsoft Entra ID P1 or higher when using administrative units)
- Microsoft Intune Plan 1 or higher
An overview of Microsoft 365 license packages with their features can be found at https://m365maps.com/.
Roles
A role with the microsoft.directory/deviceLocalCredentials/password/read permission is required to retrieve the local administrator password. This permission is part of the following roles:
- Global Administrator
- Intune Administrator
- Cloud Device Administrator
Enable Windows LAPS
Windows LAPS is enabled in the Microsoft Entra admin center (https://portal.azure.com).
Open Identity > Devices > All devices > Device Settings and enable the feature Enable Microsoft Entra Local Administrator Password Solution (LAPS).

Configure Windows LAPS
Create Intune policy
The policy for Windows LAPS is created in the Microsoft Intune admin center (https://intune.microsoft.com).
This guide leverages the features for automatic administrator account management and requires Windows 11 24H2.
Open Endpoint Security > Manage > Account protection and create a new policy with Create Policy

Select Platform Windows (1) and Profile Local admin password solution (Windows LAPS) (2), then create the profile with Create (3).

Name the profile (e.g., WCP_LAPS) and click Next.

Configuring Windows LAPS:
The following Windows LAPS configuration serves as a suggestion and can be customized and extended as needed.
| Setting | Value |
|---|---|
| Backup Directory | Backup the password to Azure AD only |
| Password Age Days | 30 |
| Administrator Account Name | Not Configured |
| Password Complexity | Passphrase (short words with unique prefixes) |
| Passphrase Length | 6 |
| Password Length | Not Configured |
| Post Authentication Actions | Reset the password, logoff the managed account, and terminate any remaining processes… |
| Post Authentication Reset Delay | 24 |
| Automatic Account Management Enabled | The target account will be automatically managed |
| Automatic Account Management Enable Account | The target account will be enabled |
| Automatic Account Management Randomize Name | The name of the target account will use a random numeric suffix |
| Automatic Account Management Target | Manage a new custom administrator account |
| Automatic Account Management Name Or Prefix | ccladm |

Create custom scope tags based on individual requirements.

Assignment to devices can be customized according to specific requirements.

Review the profile settings and complete the creation by clicking Save.

After a short time, the new profile for Windows LAPS is created.

Retrieve Windows LAPS password
There are several ways to retrieve the local administrator password of a device. The procedure for Microsoft Entra admin center, Microsoft Azure Portal, and Microsoft Intune is described below.
Microsoft Entra
Sign in to Microsoft Entra admin center (https://entra.microsoft.com/).
Open Identity > Devices > All devices and select the device from which the local administrator password is to be displayed.

Under Local administrator password recovery > Show local administrator password the account name for the local administrator and the password are shown.

Microsoft Azure Portal
Sign in to Microsoft Azure Portal (https://portal.azure.com).
Open Microsoft Entra ID > Manage > Devices > All devices and select the device from which the local administrator password is to be displayed.

Under Local administrator password recovery > Show local administrator password the account name for the local administrator and the password are shown.

Microsoft Intune
Sign in to Microsoft Intune admin center (https://intune.microsoft.com).
Open Devices > By platform > Windows

Select the device from which the password for the local administrator is to be shown.

Under Local admin password > Show local administrator password the account name for the local administrator and the password are shown.

Who retrieved the local administrator password?
The Microsoft Entra audit logs show exactly which user principal name retrieved the local administrator password.
Open Microsoft Entra Admin Center (https://entra.microsoft.com) > Identity > Monitoring & health > Audit logs
Set filter:
- Service (1) = Device Registration Service
- Activity (2) = Recover device local administrator password
- Target (3) = corresponds to the hostname of the device. If the filter is not visible, it can be added through the Add filter option

Open log entry of the device

In the detailed audit log, the account that viewed the local administrator password is listed under the User Principal Name section.
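The same audit query can be run from Microsoft Graph PowerShell, which is handy for recurring reviews of who recovered which device's password. This is an added example, not code from the original post; it assumes the Microsoft.Graph module is installed and that the signed-in account is allowed to read directory audit logs. The activity name is the one shown in the Activity filter above.

```powershell
# Added example: list LAPS password recoveries (who, which device, when) from the
# Microsoft Entra audit log via Microsoft Graph PowerShell.
function Get-LapsPasswordRecoveryEvents {
    param(
        [int]$Days = 7,          # look-back window
        [string]$DeviceName      # optional: restrict to one device (hostname, as in the Target filter)
    )
    # Graph permission scopes for reading directory audit logs.
    Connect-MgGraph -Scopes "AuditLog.Read.All","Directory.Read.All"

    $since  = (Get-Date).AddDays(-$Days).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")
    # Same activity name the Entra admin center shows in its Activity filter.
    $filter = "activityDisplayName eq 'Recover device local administrator password' " +
              "and activityDateTime ge $since"

    Get-MgAuditLogDirectoryAudit -Filter $filter -All | ForEach-Object {
        [pscustomobject]@{
            Time   = $_.ActivityDateTime
            Actor  = $_.InitiatedBy.User.UserPrincipalName   # who viewed the password
            Device = ($_.TargetResources | Select-Object -First 1).DisplayName
            Result = $_.Result                               # success / failure
        }
    } | Where-Object { -not $DeviceName -or $_.Device -eq $DeviceName } |
        Sort-Object Time -Descending
}

# Usage: all recoveries in the last 30 days, newest first.
Get-LapsPasswordRecoveryEvents -Days 30 | Format-Table -AutoSize
```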

Retrieve Windows LAPS password restricted to a group of devices
Administrative units can be used to control access to Windows LAPS passwords at a finer granularity. Users holding the Cloud Device Administrator role scoped to an administrative unit get access only to that unit, so they can retrieve the Windows LAPS passwords only of devices assigned to it. The use of administrative units requires a Microsoft Entra ID P1 license.
Create administrative unit
The administrative unit is created in Microsoft Entra admin center or the Azure Portal. This guide uses the Microsoft Entra admin center (https://entra.microsoft.com).
Create the administrative unit with Identity > Roles & admins > Admin units > Add.

Enter a name for the administrative unit.

Assign all users to the Cloud Device Administrator role who are allowed to retrieve the Windows LAPS passwords of the devices of this administrative unit.

Click on Create to create the administrative unit.

The administrative unit has been created.

Assign devices to an administrative unit
Open the administrative unit in Microsoft Entra Admin Center (https://entra.microsoft.com) > Identity > Roles & admins > Admin units

Click on Devices > Add devices

Assign devices to the administrative unit.

Users with the Cloud Device Administrator role on this administrative unit are allowed to retrieve the Windows LAPS passwords of all listed devices.

Local administrator password recovery is shown for authorized devices.

Local administrator password recovery is not shown for unauthorized devices.

Retrieve Windows LAPS password history
PowerShell can read the password history of the local administrator account. This is useful if a device is restored to a previous restore point, so that the current local administrator password is no longer valid. PowerShell returns at most the last three local administrator passwords.
To retrieve the Windows LAPS password history, the Microsoft.Graph PowerShell module is required.
Install-Module Microsoft.Graph -Scope AllUsers
Connect to Microsoft Graph and request the two permission scopes Device.Read.All and DeviceLocalCredential.Read.All.
Connect-MgGraph -Scopes "Device.Read.All","DeviceLocalCredential.Read.All"
The Get-LapsAADPassword cmdlet displays the last three local administrator passwords.
Replace the value of the -DeviceIds parameter with the device name.
Get-LapsAADPassword -DeviceIds OMUVWSWX001 -IncludePasswords -AsPlainText -IncludeHistory
The output shows the last three local administrator passwords (1-3) in plain text with the respective expiration date.
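The same cmdlet can also be used without revealing any passwords: a periodic check that flags devices whose stored password has passed its expiration time catches devices where rotation has stalled. This is an added example and not part of the original post; it assumes the LAPS PowerShell module (built into Windows 11) and Microsoft.Graph are installed, and that Get-LapsAADPassword without -IncludePasswords returns only metadata such as PasswordExpirationTime.

```powershell
# Added example: report devices whose LAPS password in Entra ID is already past its
# expiration time, reading only metadata (no password is retrieved).
function Get-LapsExpiredDevices {
    param([Parameter(Mandatory)][string[]]$DeviceNames)

    # Same scopes as for the history query above.
    Connect-MgGraph -Scopes "Device.Read.All","DeviceLocalCredential.Read.All"
    $now = Get-Date

    foreach ($name in $DeviceNames) {
        try {
            # Without -IncludePasswords the cmdlet returns device and expiration info only.
            $entry = Get-LapsAADPassword -DeviceIds $name
            [pscustomobject]@{
                Device  = $name
                Expires = $entry.PasswordExpirationTime
                Expired = ($entry.PasswordExpirationTime -lt $now)
                Error   = $null
            }
        } catch {
            # Typically: no password backed up yet, or the caller lacks rights for this device
            # (for example, the device is outside the caller's administrative unit).
            [pscustomobject]@{
                Device  = $name
                Expires = $null
                Expired = $null
                Error   = $_.Exception.Message
            }
        }
    }
}

# Usage with constructed device names; list only the devices that need attention.
Get-LapsExpiredDevices -DeviceNames "OMUVWSWX001","OMUVWSWX002" |
    Where-Object { $_.Expired -or $_.Error } | Format-Table -AutoSize
```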

Rotate Windows LAPS password
Windows LAPS rotates the password automatically according to the policy settings. If the password needs to be rotated before the maximum password age is reached, this must be done manually in the Microsoft Intune admin center (https://intune.microsoft.com).
Open Devices > By platform > Windows

Select the device on which the password for the local administrator is to be rotated.

In the Overview, click on the three dots and select Rotate local admin password.

Confirm the message with Yes. At the next restart Windows LAPS rotates the password on this device.

Troubleshooting
Windows LAPS records its activities in the following logs.
Audit logs in Microsoft Intune
All activities of Windows LAPS are stored in the audit logs of the Microsoft Intune admin center (https://intune.microsoft.com).
Open Tenant administration > Audit logs

Set the filter Category (1) to Device and select the date range (2).

Select the activity for details.

Event viewer on device
Windows LAPS activities are stored in the Event Viewer of the device.
Open Event Viewer > Application and Services Logs > Microsoft > Windows > LAPS to track the activities.
