Windows LAPS (Local Administrator Password Solution) provides centralized, simple, and secure management of local administrator passwords through Microsoft Intune. Each device receives its own, time-limited local administrator password. Windows LAPS handles expiration and rotation of these passwords on its own, without any manual intervention. The passwords are backed up either to Microsoft Entra ID (formerly Azure Active Directory) or to the on-premises Active Directory.
Central management of all local administrator passwords simplifies control and monitoring. Because every device has a unique password, a password recovered from one device cannot be reused for lateral movement to others, and the scheduled rotation keeps the exposure window of any single password short. In addition, access to the stored passwords is strictly controlled and every retrieval is audited, which makes unauthorized access more difficult and raises the overall security of the environment.
This guide demonstrates how to configure Windows LAPS in Microsoft Intune to store local administrator passwords in Microsoft Entra ID.
Prerequisites and Licensing
Windows LAPS in Microsoft Intune has the following requirements:
Microsoft Intune Service Level April 2023 (2304) or newer
The following operating systems are supported for Windows LAPS:
- Windows 11 23H2
- Windows 11 22H2 – April 11 2023 Update
- Windows 11 21H2 – April 11 2023 Update
- Windows 10 – April 11 2023 Update
- Windows Server 2022 – April 11 2023 Update
- Windows Server 2019 – April 11 2023 Update
Licensing
- Microsoft Entra ID Free or higher (Microsoft Entra ID P1 or higher when using administrative units)
- Microsoft Intune Plan 1 or higher
An overview of Microsoft 365 license packages with their features can be found at https://m365maps.com/.
Roles
A role with the microsoft.directory/deviceLocalCredentials/password/read permission is required to retrieve the local administrator password. This permission is part of the following built-in roles:
- Global Administrator
- Intune Administrator
- Cloud Device Administrator
For day-to-day password retrieval, use Cloud Device Administrator (optionally scoped to an administrative unit, see below) rather than Global Administrator, so that the ability to read local administrator passwords is not bundled with tenant-wide privileges.
Enable Windows LAPS
Windows LAPS is enabled in the Microsoft Entra admin center (https://entra.microsoft.com); the same setting is reachable in the Azure Portal (https://portal.azure.com) under Microsoft Entra ID > Devices.
Open Identity > Devices > All devices > Device settings and enable the feature Enable Microsoft Entra Local Administrator Password Solution (LAPS).
Configure Windows LAPS
Create Intune policy
The policy for Windows LAPS is created in the Microsoft Intune admin center (https://intune.microsoft.com).
Open Endpoint Security > Manage > Account protection and create a new policy with Create Policy
Choose Platform Windows 10 and later and Profile Local admin password solution (Windows LAPS) then click Create
Set a name for the new policy.
Set the configuration settings:
- Backup location of local administrator password
– Microsoft Entra ID in this guide
- Maximum password age before the password is rotated
– if not specified, the password is rotated every 30 days
– for backup location Microsoft Entra ID, the minimum allowed value is 1 day
– for backup location Active Directory, the minimum allowed value is 7 days
– the maximum value is 365 days
- Administrator account name
– if not specified, the built-in Administrator account is managed; it is identified by its well-known RID 500, so it is managed even if it has been renamed
- Password complexity
– if not specified, uppercase and lowercase letters, numbers, and special characters are used
- Password length (recommendation: more than 24 characters)
– if not specified, 14 characters are used; allowed values are 8 to 64 characters
- Post authentication action
– if not specified, the password is rotated and the managed account is logged off
– the action runs after someone signs in with the managed account, so a password that was handed out is invalidated shortly after use
- Post authentication reset delay (delay until the selected post authentication action is executed)
– if not specified, the delay is 24 hours
– allowed values are between 0 (disabled) and 24 hours
Tags can be added according to your own specifications.
The assignment to devices can be customized here.
The selected settings are shown again for review. By clicking Create, the policy for Windows LAPS will be created.
The new policy for Windows LAPS is created immediately.
Enable Built-in Administrator Account
The built-in local administrator account is disabled by default on Windows client editions. Windows LAPS rotates and backs up the password of the managed account but does not enable the account itself, so if it stays disabled, the retrieved password cannot be used to sign in. A configuration profile therefore ensures that the local administrator account is enabled on the device. Assign this profile to the same devices as the Windows LAPS policy; an enabled built-in administrator without a managed password is exactly the situation LAPS is meant to avoid. The configuration profile is created in the Microsoft Intune admin center (https://intune.microsoft.com).
Open Devices > Manage devices > Configuration > Policies and create a new profile by clicking Create > New Policy
Choose Platform Windows 10 and later and Profile type Templates.
Select Custom as template.
Set a name for the new profile.
The following settings enable the local administrator account:
Name: freely selectable
OMA-URI: ./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/Accounts_EnableAdministratorAccountStatus
Data type: Integer
Value: 1
The assignment to devices can be customized here.
If needed, the applicability rules can be defined.
The selected settings are shown again for review. The profile will be created by clicking Create.
The new configuration profile is created immediately.
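To verify on a device that both the configuration profile and the Windows LAPS policy have actually applied, the following script can be run in an elevated PowerShell. It is an added example and not part of the original guide or of Microsoft's tooling. It looks the built-in account up by its well-known RID 500 rather than by name, reads the policy values that Windows LAPS received through the CSP channel (the registry path is an assumption taken from the documented CSP policy location; adjust it if it differs on your build), and triggers an immediate policy run with the built-in LAPS module.

```powershell
# Added example (not part of the original guide): run in an elevated PowerShell on an
# enrolled device to confirm that the built-in Administrator is enabled and that the
# Windows LAPS policy delivered by Intune has arrived.

# The built-in Administrator is identified by its well-known RID 500, not by its name,
# so look it up by SID; this still works if the account has been renamed.
$builtinAdmin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
if (-not $builtinAdmin) { throw 'Built-in Administrator account not found.' }

[pscustomobject]@{
    Name    = $builtinAdmin.Name
    SID     = $builtinAdmin.SID.Value
    Enabled = $builtinAdmin.Enabled   # must be True once the configuration profile has applied
}

# Windows LAPS stores policy received via MDM/CSP under this key
# (assumption: path as documented for the CSP policy source).
$cspPolicyKey = 'HKLM:\SOFTWARE\Microsoft\Policies\LAPS'
if (Test-Path $cspPolicyKey) {
    Get-ItemProperty -Path $cspPolicyKey |
        Select-Object BackupDirectory, PasswordAgeDays, PasswordLength, PasswordComplexity,
                      AdministratorAccountName, PostAuthenticationActions, PostAuthenticationResetDelay
} else {
    Write-Warning "No Windows LAPS CSP policy found under $cspPolicyKey; the Intune policy has not applied yet."
}

# Process the LAPS policy now instead of waiting for the next scheduled run.
# Cmdlet is part of the LAPS module built into Windows (April 2023 update or later).
Invoke-LapsPolicyProcessing
```

If the account shows Enabled = True but no policy key exists, the device has the enabled administrator without a managed password; in that case sync the device from Intune before handing it out.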
Retrieve Windows LAPS password
There are several ways to retrieve the local administrator password of a device. The procedure for Microsoft Entra admin center, Microsoft Azure Portal, and Microsoft Intune is described below.
Microsoft Entra
Sign in to the Microsoft Entra admin center (https://entra.microsoft.com/).
Open Identity > Devices > All devices and select the device whose local administrator password is to be displayed.
Under Local administrator password recovery > Show local administrator password the account name of the local administrator and the password are shown.
Microsoft Azure Portal
Sign in to the Microsoft Azure Portal (https://portal.azure.com).
Open Microsoft Entra ID > Manage > Devices > All devices and select the device whose local administrator password is to be displayed.
Under Local administrator password recovery > Show local administrator password the account name of the local administrator and the password are shown.
Microsoft Intune
Sign in to the Microsoft Intune admin center (https://intune.microsoft.com).
Open Devices > By platform > Windows.
Select the device whose local administrator password is to be shown.
Under Local admin password > Show local administrator password the account name of the local administrator and the password are shown.
Who retrieved the local administrator password?
Every display of a local administrator password is recorded in the Microsoft Entra audit logs, regardless of which portal was used. From these logs it can be traced exactly which user (by User Principal Name) retrieved the password of which device.
Open Microsoft Entra admin center (https://entra.microsoft.com) > Identity > Monitoring & health > Audit logs
Set the filter:
- Service = Device Registration Service
- Activity = Recover device local administrator password
- Target = the hostname of the device. If the filter is not visible, it can be added through the Add filter option
Open the log entry of the device.
In the detailed audit log, the account that viewed the local administrator password is listed under the User Principal Name section.
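The same audit trail can be pulled programmatically, which is what you want when reviewing password retrievals across the whole tenant instead of one device at a time. The following script is an added example, not part of the original guide, and uses the Microsoft Graph PowerShell SDK. It assumes the Microsoft.Graph.Reports module is installed, that the audit activity display name matches the portal filter value quoted above, and that the approved reader UPNs are placeholders to be replaced with the accounts that are actually allowed to read passwords in your tenant.

```powershell
# Added example (not part of the original guide): list every Windows LAPS password retrieval
# recorded in the Microsoft Entra audit log and flag readers that are not on an approved list.
# Assumptions: Microsoft.Graph.Reports is installed; the activity display name below matches
# the portal filter; the approved UPNs are placeholders.
Install-Module Microsoft.Graph.Reports -Scope CurrentUser   # skip if already installed

# AuditLog.Read.All is required to read audit entries.
Connect-MgGraph -Scopes 'AuditLog.Read.All', 'Directory.Read.All'

$activity = 'Recover device local administrator password'
$since    = (Get-Date).AddDays(-30).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')

# Server-side filter: only LAPS retrievals from the last 30 days.
$events = Get-MgAuditLogDirectoryAudit -All `
    -Filter "activityDisplayName eq '$activity' and activityDateTime ge $since"

$rows = foreach ($e in $events) {
    [pscustomobject]@{
        When    = $e.ActivityDateTime
        Result  = $e.Result
        ReadBy  = $e.InitiatedBy.User.UserPrincipalName
        Device  = ($e.TargetResources | Select-Object -First 1).DisplayName
        Service = $e.LoggedByService
    }
}
$rows | Sort-Object When -Descending | Format-Table -AutoSize

# Review check: anyone outside the approved reader list is worth a closer look.
$approvedReaders = @('helpdesk1@contoso.com', 'helpdesk2@contoso.com')   # placeholders
$rows | Where-Object { $_.ReadBy -and $_.ReadBy -notin $approvedReaders } | ForEach-Object {
    Write-Warning "Unexpected LAPS password read by $($_.ReadBy) for $($_.Device) at $($_.When)"
}
```

Running this on a schedule and forwarding the warnings to your ticketing or SIEM pipeline turns the audit log from a forensic resource into a detection: a Global Administrator reading local administrator passwords outside a change window is the kind of event that should be questioned.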
Retrieve Windows LAPS password restricted to a group of devices
Administrative units can be used to control access to Windows LAPS passwords at a granular level. Users who are assigned the Cloud Device Administrator role scoped to an administrative unit can retrieve the local administrator passwords only of the devices that are members of that administrative unit, not of any other device in the tenant. The use of administrative units requires a Microsoft Entra ID P1 license.
Create administrative unit
The administrative unit is created in Microsoft Entra admin center or the Azure Portal. This guide uses the Microsoft Entra admin center (https://entra.microsoft.com).
Create the administrative unit with Identity > Roles & admins > Admin units > Add.
Enter a name for the administrative unit.
Assign the Cloud Device Administrator role, scoped to this administrative unit, to all users who are allowed to retrieve the Windows LAPS passwords of the devices in this administrative unit.
Click on Create to create the administrative unit.
The administrative unit has been created.
Assign devices to an administrative unit
Open the administrative unit in Microsoft Entra Admin Center (https://entra.microsoft.com) > Identity > Roles & admins > Admin units
Click on Devices > Add devices
Assign devices to the administrative unit.
Users with the Cloud Device Administrator role on this administrative unit are allowed to retrieve the Windows LAPS passwords of all listed devices.
Local administrator password recovery is shown for authorized devices.
Local administrator password recovery is not shown for unauthorized devices.
Retrieve Windows LAPS password history
PowerShell allows reading the password history of the local administrator account. This is useful when a device has been restored to an earlier restore point and the password currently stored in Microsoft Entra ID is therefore no longer valid on the device. With PowerShell, a maximum of the last three local administrator passwords are displayed.
The history is retrieved with the Get-LapsAADPassword cmdlet from the LAPS PowerShell module, which is built into Windows with the April 11 2023 update. It authenticates through the Microsoft Graph PowerShell SDK, so the Microsoft.Graph module (at least Microsoft.Graph.Authentication) must be installed:
Install-Module Microsoft.Graph -Scope AllUsers
Connect to Microsoft Graph and request the two permissions Device.Read.All and DeviceLocalCredential.Read.All:
Connect-MgGraph -Scopes "Device.Read.All","DeviceLocalCredential.Read.All"
The Get-LapsAADPassword cmdlet with -IncludeHistory displays the last three local administrator passwords. Pass the device name (or the Microsoft Entra device ID) to the -DeviceIds parameter:
Get-LapsAADPassword -DeviceIds OMUVWSWX001 -IncludePasswords -AsPlainText -IncludeHistory
The output shows the last three local administrator passwords in plain text with their respective update and expiration dates. Note that -AsPlainText writes the passwords to the console and to any PowerShell transcript; without it, the Password property is returned as a SecureString.
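The following script is an added example, not part of the original guide, showing how to work with the same data without ever printing a password: it retrieves the current password as a SecureString, warns if the stored expiration time has already passed (a hint that the device is offline or was rolled back, which is the restore-point case described above), lists the history as metadata only, and wraps the current password in a PSCredential for tools that accept one. It assumes the built-in LAPS module and Microsoft.Graph.Authentication are available and that the device name is a placeholder.

```powershell
# Added example (not part of the original guide): retrieve the current Windows LAPS password
# for a device without plaintext output, check its validity window and expose it as a
# PSCredential. Assumptions: LAPS module (April 2023 update or later) and
# Microsoft.Graph.Authentication installed; the device name is a placeholder.
Connect-MgGraph -Scopes 'Device.Read.All', 'DeviceLocalCredential.Read.All'

$deviceName = 'OMUVWSWX001'   # placeholder

# Without -AsPlainText the Password property is a SecureString.
$entries = Get-LapsAADPassword -DeviceIds $deviceName -IncludePasswords -IncludeHistory
if (-not $entries) { throw "No Windows LAPS password stored for $deviceName." }

# The most recently updated entry is the password the device should currently have.
$current = $entries | Sort-Object PasswordUpdateTime -Descending | Select-Object -First 1

if ($current.PasswordExpirationTime -lt (Get-Date)) {
    Write-Warning ("Stored password for {0} expired on {1}; the device may be offline or restored " +
                   "from an earlier state, so an older history entry may be the valid one.") `
                   -f $deviceName, $current.PasswordExpirationTime
}

# History as metadata only; the password values stay SecureStrings.
$entries |
    Select-Object DeviceName, Account, PasswordUpdateTime, PasswordExpirationTime |
    Sort-Object PasswordUpdateTime -Descending |
    Format-Table -AutoSize

# Local account, so qualify it with the host name. The SecureString is passed through unchanged.
$cred = [pscredential]::new("$deviceName\$($current.Account)", $current.Password)

# Example use (requires WinRM reachable and local-account remoting allowed on the device):
# Enter-PSSession -ComputerName $deviceName -Credential $cred
```

Handing the credential object directly to Enter-PSSession or Invoke-Command means the password never appears on screen or in a transcript, and the retrieval is still recorded in the Microsoft Entra audit log exactly as a portal lookup would be.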
Rotate Windows LAPS password
Windows LAPS automatically rotates the password according to the settings in the policy. If the password needs to be rotated before the maximum password age is reached, for example after it was handed out to a technician and the post authentication action is disabled, this can be triggered manually in the Microsoft Intune admin center (https://intune.microsoft.com).
Open Devices > By platform > Windows
Select the device on which the password for the local administrator is to be rotated.
In the Overview, click on the three dots and select Rotate local admin password.
Confirm the message with Yes. The rotation is carried out the next time the device checks in with Intune and processes its policy; it does not require a restart.
Troubleshooting
Windows LAPS stores the activities in the following logs.
Audit logs in Microsoft Intune
All activities of Windows LAPS are stored in the audit logs of the Microsoft Intune admin center (https://intune.microsoft.com).
Open Tenant administration > Audit logs > Filter
Set the filter Category to Device and select the date range.
Select the activity for details.
Event viewer on device
Windows LAPS activities on the device are written to a dedicated event log.
Open Event Viewer > Applications and Services Logs > Microsoft > Windows > LAPS > Operational to track the activities, including policy processing, password rotation, and the result of the backup to Microsoft Entra ID.
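The following script is an added example, not part of the original guide, that covers the device side of both the manual rotation in the previous section and the troubleshooting steps here. Run it in an elevated PowerShell on the managed device; it uses the LAPS module built into Windows with the April 2023 update, reads the same LAPS Operational log that Event Viewer shows, and collects a diagnostics bundle if errors were logged. The output folder is a placeholder, and the -OutputFolder parameter name of Get-LapsDiagnostics is taken from the cmdlet's documentation.

```powershell
# Added example (not part of the original guide): force a Windows LAPS rotation on the device,
# then check the LAPS Operational log and collect diagnostics if anything failed.
# Run elevated on the managed device. The diagnostics folder path is a placeholder.

$logName = 'Microsoft-Windows-LAPS/Operational'   # Event Viewer: ... > Microsoft > Windows > LAPS > Operational
$start   = Get-Date

# 1. Process the current policy now. This also picks up a pending "Rotate local admin password"
#    request from Intune without waiting for the next scheduled run.
Invoke-LapsPolicyProcessing

# 2. Rotate immediately: generates a new password, sets it on the managed account and backs it
#    up to the configured directory (Microsoft Entra ID in this guide).
Reset-LapsPassword

# 3. Show what LAPS logged during this run, errors and warnings first.
$events = Get-WinEvent -FilterHashtable @{ LogName = $logName; StartTime = $start } -ErrorAction SilentlyContinue
$events |
    Sort-Object Level, TimeCreated |
    Select-Object TimeCreated, Id, LevelDisplayName,
                  @{ n = 'Message'; e = { ($_.Message -split "`n")[0] } } |
    Format-Table -AutoSize

# 4. Level 2 = Error. If the rotation or the backup to Microsoft Entra ID failed, collect the
#    full diagnostics bundle for further analysis or a support case.
$errors = @($events | Where-Object Level -eq 2)
if ($errors.Count -gt 0) {
    $outDir = 'C:\Temp\LapsDiag'   # placeholder
    New-Item -ItemType Directory -Path $outDir -Force | Out-Null
    Get-LapsDiagnostics -OutputFolder $outDir
    Write-Warning "$($errors.Count) Windows LAPS error(s) logged; diagnostics written to $outDir"
} else {
    Write-Host 'Windows LAPS rotation and backup completed without errors.'
}
```

A successful run is confirmed from the directory side with Get-LapsAADPassword as in the history section: the PasswordUpdateTime of the device moves to the time of the rotation. If the device-side log reports success but the directory still shows the old timestamp, the problem lies in the backup path (network, proxy, or device registration), not in the rotation itself.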