Set up Windows LAPS with Intune: A Step-by-Step Guide

In this article, we will show you how to implement LAPS with Intune and explore the benefits it can bring to your organization. We will cover step-by-step instructions for setting up LAPS with Intune and managing local administrator passwords across your Windows devices.

If you are looking to enhance the security of your Windows devices, implementing LAPS (Local Administrator Password Solution) with Intune may be the solution you need. LAPS is a free Microsoft tool that helps organizations manage local administrator passwords on Windows devices, helping to prevent unauthorized access.

Intune, on the other hand, is a cloud-based service that simplifies the management of devices and applications in an organization. By combining LAPS with Intune, you can effectively strengthen your overall Windows security strategy.

What is LAPS (Local Administrator Password Solution)?

LAPS, which stands for Local Administrator Password Solution, is a free tool that Microsoft offers to assist organizations in managing the local administrator passwords on their Windows devices. It addresses the common security vulnerability of having the same local administrator password across multiple devices, making it easier for attackers to gain unauthorized access.

LAPS works by automatically generating unique passwords for each device and storing them securely in Active Directory (cloud and on-premises). These passwords are then periodically changed, ensuring that even if one device is compromised, the impact is limited. With LAPS, organizations can have greater control over their Windows security by enforcing strong and unique passwords for their devices’ local administrators.

Implementing Windows LAPS with Intune allows for centralized management of local administrator passwords across all devices, making it easier to maintain a secure environment and reduce the risk of unauthorized access.

Benefits of Implementing LAPS with Intune

Integrating LAPS with Intune brings several benefits to organizations looking to enhance their Windows security strategy. Here are some key advantages:

1. Improved Security: By implementing LAPS, organizations can ensure that each device has a unique, complex local administrator password. This reduces the risk of attackers gaining unauthorized access and helps maintain a more secure environment.

2. Centralized Management: Microsoft Intune provides a centralized platform for managing devices and applications in an organization. By integrating LAPS with Intune, administrators can easily manage local administrator passwords across all Windows devices, simplifying the overall management process.

3. Increased Efficiency: With LAPS and Intune working together, administrators can automate the process of changing local administrator passwords. This saves time and resources that would otherwise be spent manually changing passwords on each device.

4. Compliance and Auditing: LAPS provides a detailed audit trail of password changes, ensuring compliance with security policies and regulations. Integration with Intune allows for easy monitoring and reporting on local administrator password changes, helping organizations meet their compliance requirements.

5. No LAPS Client Required: If you are going to configure LAPS with Intune, there is no need to deploy the LAPS agent as it is included with the latest version of Windows OS.

Implementing LAPS with Intune can have a significant impact on the security and efficiency of your Windows devices. Let’s dive into the details of how to set it up.

Prerequisites

If you are setting up the LAPS for your Intune tenant for the first time, you should be aware that it is a one-time process with certain requirements. The following are the requirements for Intune to support Windows LAPS in your tenant:

1. Licensing requirements

• Intune subscription: Microsoft Intune Plan 1, which is the basic Intune subscription. You can also use Windows LAPS with a free trial subscription for Intune.
• Microsoft Entra ID: Microsoft Entra ID Free, which is the free version of Microsoft Entra ID that’s included when you subscribe to Intune. With Microsoft Entra ID Free, you can use all the features of LAPS.

2. Active Directory Support

Intune policy for Windows LAPS can configure a device to back up a local administrator account and password to one of the following directory types:

• Cloud: Cloud supports backup to your Microsoft Entra ID for the following scenarios: Microsoft Entra hybrid join and Microsoft Entra join.
• On-Premises: On-premises supports backing up to Windows Server Active Directory (on-premises Active Directory).

3. Operating system updates

The following Windows OS platforms with the specified update or later installed are supported for implementing Windows LAPS.

• Windows 11 22H2 – April 11 2023 Update
• Windows 11 21H2 – April 11 2023 Update
• Windows 10 20H2, 21H2 and 22H2 – April 11 2023 Update
• Windows Server 2022 – April 11 2023 Update
• Windows Server 2019 – April 11 2023 Update

High-level steps to set up Windows LAPS with Intune

The following high-level steps are involved when you set up Windows LAPS with Microsoft Intune:

1. Enable LAPS in Microsoft Entra
2. Enable the built-in Administrator Account
3. Create an Intune LAPS policy
4. Assign the LAPS policy to Windows devices
5. Explore various methods to retrieve local admin password

Enable LAPS in Microsoft Entra

Perform the following steps to enable the LAPS in Microsoft Entra:

• Sign in to the Microsoft Entra admin center as a Cloud Device Administrator.
• Browse to Identity > Devices > Overview > Device Settings.
• Select Yes for the Enable Local Administrator Password Solution (LAPS) setting and select Save.

Enable the Local Administrator Account

On new Windows installations, the built-in administrator account is disabled. That is because the administrator account has complete control over the computer and can bypass all user access control (UAC) safeguards.

When you create an LAPS policy in Intune to manage the password of a local administrator account, the built-in administrator account must first be enabled. Otherwise, the LAPS policy has no effect on your devices. You can have the choice to enable the built-in administrator account using Intune or Group Policy.

Although you can manually enable the built-in administrator account on Windows devices, Intune can do it for you on multiple devices, which saves the time of your IT team. Here is a comprehensive guide on enabling the built-in administrator account with Intune policy.

Manage Windows LAPS with Intune

Microsoft Intune provides support to configure Windows LAPS on devices through the local admin password solution (Windows LAPS) profile, available through endpoint security policies for account protection.

Intune policies manage LAPS by using the Windows LAPS configuration service provider (CSP). Windows LAPS CSP configurations take precedence over, and overwrite, any existing configurations from other LAPS sources, like GPOs or the Legacy Microsoft LAPS tool.

You’ll need to sign in with an Intune administrator account to create and manage the LAPS policy.

Step 1: Create a LAPS Policy in Intune

Here is how you can create a Windows LAPS policy in Intune:

Sign in to the Microsoft Intune admin center and go to Endpoint security > Account protection, and then select Create Policy. Set the platform to Windows 10 and later, profile to Local admin password solution (Windows LAPS), and then select Create.

In the Basics tab, enter the following details:

• Name: Enter a descriptive name for the profile that can be easily identified later. In the below example, we have set the profile name to “Windows LAPS Policy.”
• Description: Enter a brief description of the profile. For example, you can specify the description as “A policy to back up the password of a local administrator account on your Microsoft Entra ID joined devices or Windows Server Active Directory-joined devices.”

Click Next.

Step 2: Configure LAPS Policy Settings in Intune

The Configuration Settings tab lets you configure some important settings for your LAPS policy. Although you can modify these policy settings later, it is important to understand what each one does.

1. Backup Directory: Use this setting to configure which directory the local admin account password is backed up to. You can also choose not to back up an account and password. The type of directory also determines which additional settings are available under this policy.

The backup directory has the following options to choose from:

• Disabled (password will not be backed up)
• Backup the password to Azure AD only
• Backup the password to the Active directory only
• Not Configured

In the below example, we have configured the backup directory to back up the password to Azure AD only.

2. Password Age Days: Use this policy to configure the maximum password age of the managed local administrator account. If not specified, this setting will default to 30 days. This setting has a minimum allowed value of 1 day when backing the password to on-premises Active Directory and 7 days when backing the password to Azure AD. This setting has a maximum allowed value of 365 days.

In the below example, we have configured the password age days to 30 days.

3. Administrator Account Name: Use this setting to configure the name of the managed local administrator account. If not specified, the default built-in local administrator account will be located at a well-known SID (even if renamed).

Intune allows you to rename the built-in Administrator account through a configuration policy. If you haven’t done that, you can use the LAPS policy to configure the name of the administrator account.

Note: It is not mandatory to rename the administrator account. You can let the name of the administrator account stay as it is. Change it only if there is a business requirement for that.

In the below example, we haven’t configured the administrator account name.

4. Password Complexity: The Intune LAPS policy allows you to configure the password complexity of the managed local administrator account. The following options are available for setting the password complexity of the local administrator account:

• Large letters
• Large letters + small letters
• Large letters + small letters + numbers
• Large letters + small letters + numbers + special characters
• Large letters + small letters + numbers + special characters (improved readability)
• Not configured

In the below example, we have set the password complexity to Large letters + small letters + numbers + special characters (improved readability).

5. Password Length: Use this setting to configure the length of the password of the managed local administrator account. If not specified, this setting will default to 14 characters. This setting has a minimum allowed value of 8 characters. This setting has a maximum allowed value of 64 characters.

In the below example, our Intune LAPS policy has a password length of 14 characters. This is a good password length for the administrator account.

6. Post Authentication Actions: Use this setting to specify the actions to take upon expiration of the configured grace period. If not specified, this setting will default to 3 (reset the password and log off the managed account).

You have the following options to choose from:

• Reset password
• Reset the password and logoff the managed account
• Reset the password and reboot
• Not configured

In the below example, we have configured the post authentication actions to reset the password.

7. Post Authentication Reset Delay: Use this setting to specify the amount of time (in hours) to wait after an authentication before executing the specified post-authentication actions. If not specified, this setting will default to 24 hours. This setting has a minimum allowed value of 0 hours (this disables all post-authentication actions). This setting has a maximum allowed value of 24 hours.

For our Intune LAPS policy, we have enabled the post authentication reset delay, and the value specified is 24 hours.

Step 3: Assign the Intune LAPS Policy to Windows Devices

Once you’ve configured the LAPS settings, it’s time to assign the policy to Windows devices. We recommend assigning the policy to a few test groups first and then expanding it to more groups if the testing is successful.

On the Scope Tags page, select any desired scope tags to apply, then select Next.

In the Assignments tab, select the groups to receive this policy. We recommend assigning LAPS policy to device groups. When the user of a device changes, a new policy might apply to the device and introduce inconsistent behavior, including which account the device backs up or when the managed account password is next rotated.

Click Next.

On the Review + Create page, review all the settings that you have configured for configuring the LAPS via Intune and select Create.

After you create the LAPS policy in Intune, a notification appears: “Windows LAPS policy created successfully.” This confirms that the policy has been created and is being applied to the groups we chose. The profile that we created appears in Intune’s list of configuration profiles.

Initiate the Intune Policy Sync for Windows Devices

Once you have assigned the LAPS policy to your devices, you must wait for the policy to be applied to the targeted groups, and the devices will receive the settings once they check in with the Microsoft Intune service. To receive policies from Intune, the devices must be online. You can also force sync Intune policies using different methods, such as PowerShell, on your computers to get the latest policies and settings from Intune.

Here is a quick method to initiate a sync for a Windows device. In the Intune admin center, go to Devices > Windows. Select a Windows device and choose the option “Sync.” Click Yes for Intune to check in with this device.

Monitoring the Windows LAPS policy in Intune

Once you have configured the LAPS policy in Intune and assigned it to Windows devices, you can monitor the assignment status in the Intune admin center. To monitor the LAPS policy in Intune that you applied to Windows devices, select the policy and review the device and user check-in status.

Under the device and user check-in status, you get to see the total number of Windows devices that succeeded in receiving the LAPS policy. In some cases, the policy may fail to apply to certain devices. To resolve the issues, you will need to troubleshoot the issue by reviewing Intune logs on computers.

The screenshot below shows that our device group has successfully received the Windows LAPS policy that Intune assigned. Click on View Report to view all the Windows devices that have received the LAPS policy settings.

Validating the LAPS Policy deployment

In this section, we’ll learn how to validate the LAPS policy deployment on Windows devices using different methods. Once the Windows devices have received the LAPS settings applied via Intune, you can use the below methods to verify them.

Windows Registry

You can locate the LAPS configuration settings on Windows devices by opening the registry editor and navigating to the below path:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Policies\LAPS

From the screenshot below, we see the following registry entries created by Intune LAPS policy on Windows device. These values match with settings that we configured in the LAPS policy.

• BackupDirectory: 1
• PasswordAgeDays: 30
• PasswordComplexity: 5
• PasswordLength: 14
• PostAuthenticationActions: 1
• PostAuthenticationResetDelay: 24

Windows Event Viewer

When you assign a policy to Windows devices via Intune, typically you review the event viewer IDs 813 and 814 to confirm if the settings are applied. However, with the Intune LAPS policy, you cannot use the Intune MDM event logs because the LAPS events are stored in a separate folder or section in the event viewer.

Launch the event viewer on the Windows device by running the shortcut command eventvwr. Next, browse the following path in the event viewer to view LAPS related events.

Application and Services Logs: Microsoft-Windows-LAPS/Operational

The ‘Operational‘ section within the LAPS folder logs events related to LAPS. Since you’ll find plenty of events here, you can use the option to filter the current log with event ID 10022 to find out the LAPS settings applied via Intune.

The event ID 10022 shows the LAPS policy settings that we applied via Intune to the current Windows device.

The current LAPS policy is configured as follows:
 
 Policy source: CSP
 Backup directory: Azure Active Directory
 Local administrator account name: 
 Password age in days: 30
 Password complexity: 4
 Password length: 14
 Post authentication grace period (hours): 24
 Post authentication actions: 0x1

How to View a Local Administrator Password

In this section, we will explore the three best methods using which you can retrieve the LAPS managed local admin password on Windows devices.

1. Intune admin center
2. Entra Admin center
3. PowerShell

Make sure to at least have one of the following built-in roles (Global Administrator, Cloud Administrator or Intune Administrator) to access that Administrator account password.

Find local administrator account password from Intune admin center

Use the following steps to retrieve the managed local administrator password from the Microsoft Intune admin center.

• Sign in to the Microsoft Intune admin center.
• Go to Devices > Windows.
• Click on your Windows device you want to retrieve the local administrator password for and select Local admin password.
• Click Show local administrator password.

By default, the password is masked for security reasons. On the Local administrator password pane, to view the password for the admin account, click Show. The password is now shown in a plain text. The copy button allows you to copy the password without having to reveal it.

Retrieve local administrator account password from Entra Admin Center

From the Entra Admin Center, you can access the built-in administrator account password with the following steps:

• Sign in to Microsoft Entra admin center.
• Navigate to Identity > Devices > All devices.
• Click on Local Administrator password recovery.
• Click “Show local administrator password” for the Windows device to retrieve the local administrator password for.

By default, the password is masked for security reasons. On the Local administrator password pane, to view the password for the admin account, click Show. The password is now shown in a plain text. The copy button allows you to copy the password without having to reveal it.

Using PowerShell to find Administrator account password

The Get-LapsAADPassword cmdlet allows administrators to retrieve LAPS passwords and password history for a Microsoft Entra joined device. This is implemented by sending queries to Microsoft Graph over the deviceLocalCredentials collection.

To query the LAPS local administrator password via PowerShell, your account will need DeviceLocalCredential.ReadBasic.All and DeviceLocalCredential.Read.All permissions.

Run the below PowerShell command to query basic LAPS password metadata information for the target device that is specified by device name.

Connect-MgGraph -TenantId tenantID -ClientId clientID
Get-LapsAADPassword -DeviceIds LAPSAAD

We will publish a separate guide on managing LAPS with PowerShell and explain how to retrieve the LAPS managed admin password on a Windows device using PowerShell cmdlets.

Best Practices for using Windows LAPS with Intune

To make the most of LAPS and Intune, it’s essential to follow some best practices:

1. Regularly Rotate Passwords: Set a schedule to change local administrator passwords at regular intervals using LAPS and Intune. This ensures that compromised passwords are quickly invalidated. We will publish a separate guide on how to rotate admin passwords in Intune.

2. Enforce Strong Password Policies: Configure LAPS and Intune policies to enforce strong password requirements for local administrators, such as minimum length and complexity rules.

3. Monitor Password Expiry: Use Intune to monitor the password expiry status of local administrators and take action promptly if a password is nearing expiration.

4. Educate IT Users: Educate IT users about the importance of local administrator password security and the role they play in maintaining a secure environment.

By following these best practices, you can maximize the effectiveness of LAPS and Intune in securing your Windows devices.

Conclusion and Final Thoughts

Implementing LAPS with Intune is a powerful combination that can significantly enhance the security of your Windows devices. By leveraging LAPS to manage local administrator passwords and Intune to enforce policies and centralize management, organizations can reduce the risk of unauthorized access and strengthen their overall security posture.

In this article, we explored what is LAPS solution, the prerequisites and benefits of setting it up with Intune, and the steps to implement LAPS with Intune. We also discussed best practices, and methods to retrieve the LAPS managed local administrator password on Windows devices. We hope this guide helps all the Intune administrators in implementing the LAPS for your organization.

If you have any questions, please let us know in the comments section below.