Zehadi Alam
Introduction
Local Administrator Password Solution (LAPS) is a Microsoft solution designed to enhance the security of local administrator accounts on Windows operating systems. It provides a mechanism for automatically managing and resetting the passwords of these accounts, ensuring they remain secure and unique across all Windows systems in an organization's network.
In April 2023, LAPS became available for use in Intune, providing organizations with the opportunity to centralize password storage in Entra ID. The following section demonstrates the process of configuring and deploying a LAPS policy within the Intune environment.
Note: The prerequisites for configuring LAPS with Intune are the following:
- Windows 10, version 22H2 (19045.2846 or later) with KB5025221
- Windows 10, version 21H2 (19044.2846 or later) with KB5025221
- Windows 10, version 20H2 (19042.2846 or later) with KB5025221
- Windows 11, version 22H2 (22621.1555 or later) with KB5025239
- Windows 11, version 21H2 (22000.1817 or later) with KB5025224
Implementation
Navigate to Endpoint security > Account protection
Select Create Policy
Tip: Although LAPS can also be configured from the configuration profiles section, it is recommended to utilize the Endpoint security blade for configuring LAPS. This approach not only enhances administrative compartmentalization of policies but also consolidates all modern LAPS settings into one convenient template.

Select Windows 10 and later for Platform and Local admin password solution for Profile. Click Create at the bottom.

The following is an example of an implementation that is aligned with good security practices. Customize the specific details to best suit your unique environment and requirements.
- Backup Directory - Backup the password to Azure AD only
- Password Age Days - 14
- Administrator Account Name - adminaccount
- Password Complexity - Large letters + small letters + numbers + special characters
- Password Length - 16
- Post Authentication Actions - Reset the password and logoff the managed account: upon expiry of the grace period, the managed account password will be reset and any interactive logon sessions using the managed account will be terminated
- Post Authentication Reset Delay - 1
Tip: Microsoft recommends configuring the password complexity as shown above as a standard practice, while reserving lower complexity settings solely for the purpose of backward compatibility with Legacy LAPS: https://learn.microsoft.com/en-us/windows-server/identity/laps/laps-management-policy-settings
Once the configurations have been established, proceed through the remaining steps and assign the policy to the appropriate device groups. Carefully review the policy settings before finalizing its creation.
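To confirm that the assigned profile actually landed on a device before relying on it, the following added example (not code from the original post) audits the CSP-delivered Windows LAPS policy against the values recommended above. It assumes the policy is written to HKLM\SOFTWARE\Microsoft\Policies\LAPS (the location Windows LAPS uses for CSP policy), that the numeric encodings follow the LAPS policy documentation (BackupDirectory 1 = Azure AD, PasswordComplexity 4 = large + small + numbers + special, PostAuthenticationActions 3 = reset and log off), and that "adminaccount" is the account name you chose; run it in an elevated PowerShell session on a targeted device.

```powershell
# Added example, not part of the original post: audit the LAPS policy Intune applied
# to this device against the recommended baseline and flag any drift.

# CSP-delivered Windows LAPS policy is stored under this key (assumption per the LAPS docs).
$policyKey = 'HKLM:\SOFTWARE\Microsoft\Policies\LAPS'

# Expected values mirror the profile configured above; adjust AdministratorAccountName
# to the name used in your environment.
$expected = @{
    BackupDirectory              = 1              # 1 = back up to Azure AD (Entra ID) only
    PasswordAgeDays              = 14
    AdministratorAccountName     = 'adminaccount'
    PasswordComplexity           = 4              # 4 = large + small + numbers + special
    PasswordLength               = 16
    PostAuthenticationActions    = 3              # 3 = reset password and log off
    PostAuthenticationResetDelay = 1
}

function Test-LapsPolicyCompliance {
    param(
        [string]$Path = $policyKey,
        [hashtable]$Expected = $expected
    )

    if (-not (Test-Path $Path)) {
        Write-Warning "No LAPS policy at $Path - the profile has not applied yet, or the device is not targeted."
        return $false
    }

    $actual = Get-ItemProperty -Path $Path
    $compliant = $true
    foreach ($name in $Expected.Keys) {
        $value = $actual.$name
        if ($null -eq $value) {
            Write-Warning "$name is not set; the CSP default will apply."
            $compliant = $false
        }
        elseif ("$value" -ne "$($Expected[$name])") {
            Write-Warning "$name is '$value', expected '$($Expected[$name])'."
            $compliant = $false
        }
        else {
            Write-Host "$name = $value (ok)"
        }
    }
    return $compliant
}

if (Test-LapsPolicyCompliance) {
    Write-Host 'LAPS policy matches the recommended baseline.'
    # Force an immediate policy processing cycle so a freshly assigned profile takes
    # effect now instead of waiting for the next scheduled run.
    Invoke-LapsPolicyProcessing
}
```

A warning for a missing value is worth chasing: an unset setting silently falls back to the CSP default (for example a shorter password length), which is exactly the kind of gap that only shows up when the password is needed.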

After the policy has been successfully applied to the targeted devices, navigate to the Local admin password blade by selecting one of the computers. Within this interface, an entry for the local administrator password will be displayed. Clicking on Show local administrator password will allow for the secure retrieval of the password. This process can also be carried out on a mobile device for convenience.

In the event of a compromised password, it is possible to manually rotate the local admin password by initiating a remote action on a device.
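The retrieval and rotation steps above can also be scripted. The following added example (not from the original post) uses the Windows LAPS PowerShell module shipped with the April 2023 update together with the Microsoft.Graph module: the first function is the scripted counterpart of "Show local administrator password", the second is the on-device counterpart of the rotate remote action. The device display name, the Graph scopes and the choice to filter by display name are assumptions for this example.

```powershell
# Added example, not part of the original post: read the managed password from Entra ID
# and rotate it locally with the Windows LAPS module.

function Get-ManagedLocalAdminPassword {
    param([Parameter(Mandatory)][string]$DeviceName)

    # Reading device credentials needs these delegated Graph permissions (assumed scopes).
    Connect-MgGraph -Scopes 'Device.Read.All', 'DeviceLocalCredential.Read.All' | Out-Null

    # Get-LapsAADPassword takes the Entra device ID, so resolve the display name first.
    $device = Get-MgDevice -Filter "displayName eq '$DeviceName'" | Select-Object -First 1
    if (-not $device) { throw "Device '$DeviceName' was not found in Entra ID." }

    # Without -AsPlainText the Password property comes back as a SecureString, which is
    # the safer default when the value is only being passed on to another tool.
    Get-LapsAADPassword -DeviceIds $device.DeviceId -IncludePasswords -AsPlainText |
        Select-Object DeviceName, Account, PasswordExpirationTime, Password
}

function Reset-ManagedLocalAdminPassword {
    # Must run elevated on the managed device. Resets the managed account's password
    # immediately and backs the new value up to the directory selected by policy,
    # which is what the Intune remote action triggers from the portal side.
    Reset-LapsPassword -ResetImmediately

    # Confirm the rotation in the LAPS operational log rather than trusting the cmdlet
    # alone; failures to back up to Entra ID surface here as well.
    Get-WinEvent -LogName 'Microsoft-Windows-LAPS/Operational' -MaxEvents 5 |
        Select-Object TimeCreated, Id, LevelDisplayName, Message
}

# Example usage (device name is a placeholder for this example):
# Get-ManagedLocalAdminPassword -DeviceName 'DESKTOP-EXAMPLE'
# Reset-ManagedLocalAdminPassword
```

Treat every call to the first function as a privileged credential read: the DeviceLocalCredential.Read.All permission should be limited to the roles that genuinely need it, and password reads are recorded in the Entra ID audit log, which is the place to review who retrieved which device's password and when.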
