4 ways to Rotate Local Admin Password using Intune

Rotating or changing the password of local user account password is an important security practice to protect your organization’s devices from unauthorized access. Specially if the local user is also an Administrator of the device. One option for rotating local user passwords is using Windows LAPS.

There are other ways to rotate password of local user account. We will explore it in more details in the following sections of this blog post.

1. Rotate Local Admin Password using Windows LAPS Policy

You can manage the password of local administrator user account on Windows devices using Windows LAPS solution. While configuring Windows LAPS policy on Intune admin center, you can enable and configure Password Age Days setting.

The value in Password Age Days signifies the duration the password is valid for. For example, If you provided a value of 10, it means password of the given local admin account will be changed after 10 days.

  • Sign in to the Intune admin center > Endpoint Security > Account Protection.
  • Click on + Create Policy.
  • Select Platform as Windows 10 and Later.
  • Select Profile as Local admin password solution (Windows LAPS).
  • Click on Create.

For more details, please refer to the guide: Implement LAPS With Intune: A Comprehensive Guide.

Rotate local admin password using Windows LAPS

2. Rotate Local Admin Password using Intune admin center

You can also rotate local admin account password manually via Intune admin center. This approach is useful when you suspect that the device’s local admin password has been compromised and you need to change it promptly without any delay.

To rotate the local admin password using Intune admin center, follow the below steps:

  • Sign in to the Intune admin center > Devices > All devices > Click on the device.
  • Click on three dots on the top menu of options and then select Rotate local admin password.
Rotate local admin password using Intune admin center
  • Click on Yes when prompted to change the local admin password.
Rotate local admin password using Intune admin center

3. OMA-URI setting to Rotate Local Admin Password

Another method for rotating the local admin password is to use the OMA-URI setting Actions/ResetPassword. This approach lets you immediately change the managed local admin account’s password without waiting for the Password age days value to expire.

./Device/Vendor/MSFT/LAPS/Actions/ResetPassword

4. Reset the Local admin Password using Powershell

You can utilize the LAPS PowerShell module to execute commands on the device, enabling you to retrieve the local admin password or reset it as needed. For a comprehensive list of available cmdlets, refer to LAPS Powershell cmdlets.

The specific cmdlet required for this task is Reset-LapsPassword. You can find more details about this cmdlet by visiting this link: Reset-LapsPassword.

For a step-by-step guide on connecting to Windows LAPS using PowerShell and managing it, including retrieving the local admin password for any device using PowerShell, you can follow the detailed instructions in the following guide: Manage Windows LAPS Using PowerShell.

Verify If the Local Administrator Password is Rotated

After you initiate the Rotate local admin password action, it may take a few minutes to a few hours for the password change to complete. Restarting the device can expedite this process. Once the password reset is finalized for the device and synchronized to Entra ID, you can verify the new password using the following steps:

  • Sign in to the Intune admin center > Devices > All devices > Click on the device.
  • Click on Local admin password under Monitor.
  • Then click on Show local administrator password.
  • Click on Show link to reveal the new password and to confirm if its updated.
How to verify if local administrator password is rotated.

Permissions Required to Rotate Local admin password

If you’re unable to access the Local Admin Password option for a device on the Intune admin center because it’s grayed, you have two options:

  1. You can grant a user permission to Rotate Local Admin Password from the Intune admin center.
  2. Create a custom Entra ID role that allows you to view and retrieve Local Admin Passwords for devices.

Let’s check both the options below:

Option 1 – Rotate local Admin password Permission

To assign Rotate local Admin password permission to any user, Please follow the below steps:

  • Sign in to the Intune admin centerTenant Administration Roles.
  • Click on + Create to create a new custom Intune role.
  • Provide the custom role’s name and description. For example, Name: Rotate local Administrator password, and Description: This role will be able to rotate the local admin password.

In the Permissions tab, set up the following permissions:

  • Managed Devices: Read
  • Organization: Read
  • Rotate Local admin password: Yes
Rotate local Administrator password Intune permission
Rotate local Administrator password Intune permission
  • After creating this role, you can locate it under All roles. Click on it to open, and then select Assignments under Manage. Click on + Assign to assign this role to users or administrators.
Rotate local Administrator password Intune permission assignment
Rotate local Administrator password Intune permission assignment

Option 2 – Create a Custom Entra ID role

The built-in Entra ID roles, including Cloud Device AdministratorIntune Administrator, and Global Administrator, automatically grant the device.LocalCredentials.Read.All permission. If a user is a member of any of these built-in roles, they will be able to manage the local administrator password for any device.

If a user isn’t a member of any of these built-in roles but still needs to view the local admin password of devices, you must create a Custom Entra ID role and assign the following permissions to this role.

  • microsoft.directory/deviceLocalCredentials/password/read
  • microsoft.directory/deviceLocalCredentials/standard/read

Step to Create a Custom Entra ID role

  • Sign in to the Entra admin centerRoles & admins > All roles.
  • Click on + New custom role.
  • Provide a Name and Description and Keep Baseline permissions as Start from scratch.
  • Under the Permissions tab, select two permissions below:
  • microsoft.directory/deviceLocalCredentials/password/read
  • microsoft.directory/deviceLocalCredentials/standard/read
Step to Create a Custom Azure AD role
Step to Create a Custom Entra ID role
  • Next, create a Custom Entra role. Click on the Custom role, and then add either Eligible assignments or Active assignments to grant users access to retrieve the local admin password of Intune-managed devices.

Conclusion

This blog post has seen different ways to rotate local admin account passwords on Windows 10/11 devices. You should rotate/change your local admin password regularly and keep a complex password with at least 14 characters, including special characters.

Leave a Comment