Windows LAPS (Local Administrator Password Solution) provides centralized, simple and secure management of local administrator passwords from Microsoft Intune. Each device receives its own unique local administrator password, and Windows LAPS handles expiration and rotation automatically. The passwords are backed up to either Azure Active Directory or on-premises Active Directory.

Because every device has a different local administrator password, a password or hash captured on one compromised device cannot be reused on the others. Windows LAPS thus raises the bar against pass-the-hash and lateral movement attacks.

This guide configures Windows LAPS in Microsoft Intune with local administrator passwords in Azure Active Directory.

Prerequisites and Licensing

Windows LAPS in Microsoft Intune has the following requirements:

Microsoft Intune Service Level April 2023 (2304) or newer

The following operating systems are supported for Windows LAPS:

  • Windows 11 22H2 – April 11 2023 Update
  • Windows 11 21H2 – April 11 2023 Update
  • Windows 10 – April 11 2023 Update
  • Windows Server 2022 – April 11 2023 Update
  • Windows Server 2019 – April 11 2023 Update

Licensing

  • Azure AD Free or higher
    (Azure AD Premium P1 or higher when using administrative units)
  • Microsoft Intune Plan 1 or higher

An overview of Microsoft 365 license packages with their features can be found at https://m365maps.com/.

Roles

A role that includes the permission microsoft.directory/deviceLocalCredentials/password/read is required to read local administrator passwords. The following built-in roles contain it and grant it tenant-wide unless the role is scoped to an administrative unit (see below):

  • Global Administrator
  • Intune Administrator
  • Cloud Device Administrator

Enable Windows LAPS

Windows LAPS is enabled in the Azure Portal (https://portal.azure.com).

Open Azure Active Directory > Devices > Device Settings and enable the feature Enable Azure AD Local Administrator Password Solution (LAPS)

Configure Windows LAPS

Create Intune policy

The policy for Windows LAPS is created in the Microsoft Intune admin center (https://endpoint.microsoft.com).

Open Endpoint Security > Account protection and create a new policy with Create Policy

Choose Platform Windows 10 and later and Profile Local admin password solution (Windows LAPS) then click Create

Set a name for the new policy.

Set configuration settings:

  1. Backup directory for the local administrator password (Azure AD or Active Directory)
  2. Maximum password age in days before the password is rotated
    – if not specified, the password is rotated every 30 days
    – for backup directory Azure AD, the minimum allowed value is 1 day
    – for backup directory AD, the minimum allowed value is 7 days
    – the maximum value is 365 days
  3. Account name of the managed local administrator
    – if not specified, the built-in administrator account is managed; it is located by its well-known SID, so it is found even if it has been renamed
  4. Password complexity
    – if not specified, upper and lower case letters, numbers and special characters are used
  5. Password length (recommendation: more than 24 characters)
    – if not specified, 14 characters are used; allowed values are 8 to 64 characters
  6. Post authentication action, executed after someone logs on with the managed account
    – if not specified, the password is rotated and the managed account is logged off
  7. Delay in hours until the selected post authentication action (6) is executed
    – if not specified, the delay is 24 hours
    – allowed values are between 0 (disabled) and 24 hours
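To see what a device actually ended up with, the following script reads the effective Windows LAPS policy from the registry and flags settings weaker than the recommendations above. It is an added example and not part of the original guide. The defaults in the script are the documented Windows LAPS defaults for unspecified settings; the registry paths and their precedence are taken from the Windows LAPS CSP documentation and the thresholds (24 characters, 30 days) are the recommendations of this guide.

```powershell
# Added example, not part of the original guide: check the effective Windows LAPS policy on
# a device and flag settings weaker than the recommendations in the list above.
# Run in an elevated PowerShell on a device that has received the Intune policy.

# Documented Windows LAPS defaults, used when a setting is not specified in the policy.
$Defaults = [ordered]@{
    BackupDirectory              = 0   # 0 = disabled, 1 = Azure AD, 2 = Windows Server AD
    PasswordAgeDays              = 30
    AdministratorAccountName     = ''  # empty = built-in administrator (found by well-known SID)
    PasswordComplexity           = 4   # 4 = upper case, lower case, numbers, special characters
    PasswordLength               = 14
    PostAuthenticationActions    = 3   # 3 = reset password and log off the managed account
    PostAuthenticationResetDelay = 24  # hours; 0 disables the post-authentication action
}

# Registry locations where Windows LAPS reads its policy, in documented precedence order
# (CSP/Intune over Group Policy over local configuration); only the first source found is used.
$Sources = @(
    'HKLM:\SOFTWARE\Microsoft\Policies\LAPS'                          # Intune / CSP
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\LAPS'   # Group Policy
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\LAPS\Config'     # local configuration
)

function Get-EffectiveLapsPolicy {
    $source = $Sources | Where-Object { Test-Path -Path $_ } | Select-Object -First 1
    $values = if ($source) { Get-ItemProperty -Path $source } else { $null }

    $policy = [ordered]@{ Source = if ($source) { $source } else { '(none found, built-in defaults)' } }
    foreach ($name in $Defaults.Keys) {
        # Fall back to the documented default for every value the policy does not set.
        $policy[$name] = if ($values -and $null -ne $values.$name) { $values.$name } else { $Defaults[$name] }
    }
    [pscustomobject]$policy
}

function Test-LapsPolicy {
    param([pscustomobject]$Policy)
    $findings = New-Object System.Collections.Generic.List[string]

    if ($Policy.BackupDirectory -eq 0) {
        $findings.Add('BackupDirectory is disabled: the password is never backed up, so LAPS is effectively off.')
    }
    if ($Policy.PasswordLength -lt 24) {
        $findings.Add("PasswordLength is $($Policy.PasswordLength); recommendation is more than 24 (allowed 8-64).")
    }
    if ($Policy.PasswordComplexity -lt 4) {
        $findings.Add("PasswordComplexity is $($Policy.PasswordComplexity); 4 (all character classes) is recommended.")
    }
    if ($Policy.PasswordAgeDays -gt 30) {
        $findings.Add("PasswordAgeDays is $($Policy.PasswordAgeDays); a leaked password stays valid for that long.")
    }
    if ($Policy.PostAuthenticationResetDelay -eq 0) {
        $findings.Add('PostAuthenticationResetDelay is 0: the post-authentication action is disabled.')
    } elseif ($Policy.PostAuthenticationActions -lt 3) {
        $findings.Add('PostAuthenticationActions only resets the password; the session stays logged on.')
    }
    return $findings
}

$policy   = Get-EffectiveLapsPolicy
$policy | Format-List
$findings = Test-LapsPolicy -Policy $policy
if ($findings.Count -eq 0) { 'No weak settings found.' } else { $findings | ForEach-Object { "WARNING: $_" } }
```

The Source line tells you which policy channel won; if it shows the Group Policy or local path on an Intune-managed device, the Intune policy has not arrived yet or is not assigned to the device.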

Tags can be added according to your own specifications.

The assignment to devices can be customized here.

The selected settings are shown again for review. By clicking Create, the policy for Windows LAPS will be created.

The new policy for Windows LAPS is created immediately.

Enable Built-in Administrator Account

The built-in local administrator account is disabled by default on Windows client devices. Windows LAPS manages the password of that account but not its enabled state, so for the password to be usable a configuration profile enables the local administrator account on the device. The configuration profile is created in the Microsoft Intune admin center (https://endpoint.microsoft.com).

Open Devices > Configuration profiles and create a new profile by clicking Create profile

Choose Platform Windows 10 and later and Profile type Templates.
Select Custom as template.

Set a name for the new profile.

The following settings enable the local administrator account:

Name: any name of your choice
OMA-URI: ./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/Accounts_EnableAdministratorAccountStatus
Data type: Integer
Value: 1

The assignment to devices can be customized here.

If needed, the applicability rules can be defined.

The selected settings are shown again for review. The profile will be created by clicking Create.

The new configuration profile is created immediately.

Retrieve Windows LAPS password

There are several ways to retrieve the local administrator password of a device. The procedure for Microsoft Entra, Microsoft Azure Portal, and Microsoft Intune is described below.

Microsoft Entra

Sign in to Microsoft Entra admin center (https://entra.microsoft.com/).

Open Devices > All devices and select the device from which the local administrator password is to be displayed.

Under Local admin password > Show local administrator password the account name for the local administrator and the password are shown.

Microsoft Azure Portal

Sign in to Microsoft Azure Portal (https://portal.azure.com).

Open Azure Active Directory > Devices > All devices and select the device from which the local administrator password is to be displayed.

Under Local admin password > Show local administrator password the account name for the local administrator and the password are shown.

Microsoft Intune

Sign in to Microsoft Intune admin center (https://endpoint.microsoft.com).

Open Devices > Windows

Select the device from which the password for the local administrator is to be shown.

Under Local admin password > Show local administrator password the account name for the local administrator and the password are shown.

Who retrieved the local administrator password?

The audit logs in Microsoft Entra show which user principal name retrieved the local administrator password.

Open Microsoft Entra > Monitoring & health > Audit logs
Set filter:

  • Service = Device Registration Service
  • Activity = Recover device local administrator password

Open log entry of the device

The detailed audit log shows the account that displayed the local administrator password under User Principal Name in the entry Successfully recovered local credential by device id.
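The same audit events can be pulled with the Microsoft.Graph PowerShell module (Microsoft.Graph.Reports), which makes regular review or forwarding to a SIEM easier than the portal. This is an added example, not part of the original guide; the 30-day window and the threshold of 5 retrievals per user are assumed values.

```powershell
# Added example, not part of the original guide: list who retrieved Windows LAPS passwords,
# from the Microsoft Entra audit log via Microsoft Graph (module Microsoft.Graph.Reports).
Connect-MgGraph -Scopes 'AuditLog.Read.All', 'Directory.Read.All' | Out-Null

# Same filter as in the portal: service and activity name, limited to the last 30 days (assumed window).
$since  = (Get-Date).ToUniversalTime().AddDays(-30).ToString('yyyy-MM-ddTHH:mm:ssZ')
$filter = "loggedByService eq 'Device Registration Service' " +
          "and activityDisplayName eq 'Recover device local administrator password' " +
          "and activityDateTime ge $since"

$retrievals = Get-MgAuditLogDirectoryAudit -Filter $filter -All | ForEach-Object {
    $device = $_.TargetResources | Select-Object -First 1   # the device whose password was read
    [pscustomobject]@{
        Time     = $_.ActivityDateTime
        Result   = $_.Result                                  # success or failure
        User     = $_.InitiatedBy.User.UserPrincipalName
        SourceIp = $_.InitiatedBy.User.IpAddress
        Device   = $device.DisplayName
        DeviceId = $device.Id
    }
}

# All retrievals, newest first
$retrievals | Sort-Object Time -Descending | Format-Table -AutoSize

# Simple detection baseline: users who read unusually many passwords in the window.
# The threshold of 5 is an assumed value; tune it to the size of the helpdesk.
$retrievals | Where-Object Result -eq 'success' |
    Group-Object User | Where-Object Count -gt 5 |
    Select-Object @{ n = 'User'; e = { $_.Name } }, Count | Format-Table -AutoSize
```

Reading the password is the one LAPS operation an attacker with a compromised admin account would repeat at scale, so a per-user count over a short window is a cheap first alert.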

Retrieve Windows LAPS password restricted to a group of devices

Administrative units can be used to granularly control access to Windows LAPS passwords. Users are given the Cloud Device Administrator role scoped to the administrative unit only, not tenant-wide. This ensures that they can only retrieve the Windows LAPS passwords of devices that are assigned to this administrative unit. The use of administrative units requires an Azure AD Premium P1 license.

Create administrative unit

The administrative unit is created in Microsoft Entra or the Azure Portal. This guide uses Microsoft Entra.

Create the administrative unit with Roles & admins > Admin units > Add.

Enter a name for the administrative unit.

Assign all users to the Cloud Device Administrator role who are allowed to retrieve the Windows LAPS passwords of the devices of this administrative unit.

Click on Create to create the administrative unit.

Assign devices to an administrative unit

Open the administrative unit in Microsoft Entra > Roles & admins > Admin units.

Click on Devices > Add devices and assign the devices.

Users with the Cloud Device Administrator role on this administrative unit are allowed to retrieve the Windows LAPS passwords of all listed devices.

Local administrator password recovery is shown for authorized devices.

Local administrator password recovery is not shown for unauthorized devices.

Retrieve Windows LAPS password history

PowerShell can read the password history of the local administrator account. This is useful if a device has been restored from a backup or snapshot taken before the last rotation: the device then still uses an older password, and the current one stored in Azure AD is no longer valid. Azure AD returns a maximum of the last three local administrator passwords.

Retrieving the history requires the Microsoft.Graph PowerShell module (Microsoft.Graph.Authentication is sufficient) in addition to the LAPS PowerShell module that is built into Windows with the April 2023 update.

Connect to Microsoft Graph with Connect-MgGraph and request the two permissions Device.Read.All and DeviceLocalCredential.Read.All.

Get-LapsAADPassword with -IncludePasswords and -IncludeHistory returns the last three local administrator passwords.
Pass the device name (or the Azure AD device ID) to the -DeviceIds parameter.

The output shows the last three local administrator passwords (1-3) with their expiration dates. With -AsPlainText the passwords are displayed in plain text; without it they are returned as SecureString objects.
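The steps above as one script, added here as an example and not part of the original guide. It assumes the built-in LAPS module and Microsoft.Graph.Authentication are installed; the device name LAPTOP-001 and the -RevealPasswords switch are placeholders of this example. By default it shows only metadata, so the plain-text passwords do not end up in a console transcript unless you ask for them.

```powershell
# Added example, not part of the original guide: retrieve the current and previous
# Windows LAPS passwords of one device from Azure AD. Needs the LAPS module built into Windows
# (April 2023 update or later) and the Microsoft.Graph.Authentication module.
param(
    [string] $DeviceName = 'LAPTOP-001',   # placeholder; device name or Azure AD device ID
    [switch] $RevealPasswords              # without it, only metadata is shown
)

# Get-LapsAADPassword uses the Graph session opened here.
# Device.Read.All resolves the device, DeviceLocalCredential.Read.All reads the passwords.
Connect-MgGraph -Scopes 'Device.Read.All', 'DeviceLocalCredential.Read.All' | Out-Null

$params = @{
    DeviceIds        = $DeviceName
    IncludePasswords = $true
    IncludeHistory   = $true     # previous passwords come back as additional objects
}
if ($RevealPasswords) { $params.AsPlainText = $true }

$history = Get-LapsAADPassword @params | Sort-Object PasswordUpdateTime -Descending
if (-not $history) {
    throw "No LAPS password found for '$DeviceName'. Check the device name and the backup directory setting."
}

# Entry 1 is the current password; the older entries are what a device restored
# from an earlier snapshot still uses.
$i = 0
$history | ForEach-Object {
    $i++
    [pscustomobject]@{
        '#'      = $i
        Device   = $_.DeviceName
        Account  = $_.Account
        Updated  = $_.PasswordUpdateTime
        Expires  = $_.PasswordExpirationTime
        Password = if ($RevealPasswords) { $_.Password } else { '(SecureString; use -RevealPasswords)' }
    }
} | Format-Table -AutoSize
```

Every call with -IncludePasswords is written to the Entra audit log as "Recover device local administrator password", exactly like a retrieval in the portal, so the history lookup is attributable to the user who ran it.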

Rotate Windows LAPS password

Windows LAPS automatically rotates the password according to the settings in the policy. If the password needs to be rotated before the maximum password age is reached, for example after it has been handed out for a support case, this is triggered manually in the Microsoft Intune admin center (https://endpoint.microsoft.com).

Open Devices > Windows

Select the device on which the password for the local administrator is to be rotated.

In the Overview, click on the three dots and select Rotate local admin password.

Confirm the message with Yes. Windows LAPS rotates the password the next time the device checks in with Intune; a restart is not required. On the device itself, Reset-LapsPassword from the built-in LAPS PowerShell module (run elevated) rotates the password immediately.

Troubleshooting

Windows LAPS stores the activities in the following logs.

Audit logs in Microsoft Intune

The audit logs of the Microsoft Intune admin center (https://endpoint.microsoft.com) record the Intune-side Windows LAPS activity, such as policy changes and manual rotation requests.

Open Tenant administration > Audit logs > Filter

Set the filter Category to Device

Windows LAPS in Microsoft Intune - Audit Logs Filter Settings

Select the activity for details.

Event viewer on device

Windows LAPS activities are stored in the Event Viewer of the device.

Open Event Viewer > Applications and Services Logs > Microsoft > Windows > LAPS > Operational to track the activities on the device.
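When a device does not show a password in the portal, the quickest check is to force a policy processing cycle and read what the LAPS operational log says about it. The following script is an added example and not part of the original guide; it relies only on the LAPS PowerShell module built into Windows and the standard Get-WinEvent cmdlet.

```powershell
# Added example, not part of the original guide: force a LAPS policy processing cycle on the
# device and read the events it writes to the LAPS operational log. Run elevated.
$start = Get-Date

# Invoke-LapsPolicyProcessing is part of the LAPS module built into Windows; it applies the
# current policy and, if the password has expired, rotates and backs it up.
Invoke-LapsPolicyProcessing
Start-Sleep -Seconds 5

$log = 'Microsoft-Windows-LAPS/Operational'
$firstLine = @{ n = 'Message'; e = { ($_.Message -split "`r?`n")[0] } }

$new = Get-WinEvent -FilterHashtable @{ LogName = $log; StartTime = $start } -ErrorAction SilentlyContinue
if (-not $new) {
    Write-Warning "No LAPS events since $start. Check that the device received the Intune policy (HKLM:\SOFTWARE\Microsoft\Policies\LAPS) and is Azure AD joined."
}
$new | Sort-Object TimeCreated |
    Select-Object TimeCreated, Id, LevelDisplayName, $firstLine |
    Format-Table -AutoSize -Wrap

# Errors and warnings of the last 7 days (Level 1-3 = critical, error, warning).
Get-WinEvent -FilterHashtable @{ LogName = $log; Level = 1, 2, 3; StartTime = (Get-Date).AddDays(-7) } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, LevelDisplayName, $firstLine |
    Format-Table -AutoSize -Wrap
```

For a support case, Get-LapsDiagnostics from the same module collects the operational log together with the policy state into a folder that can be attached to the ticket.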
