4 ways to rotate Local Admin Password using Intune

Rotating the Local Administrator account password is an essential security practice to protect your organization’s devices from unauthorized access. One option for rotating local user passwords is using Windows LAPS.

We will look into all the different ways to rotate a local user password in the following sections of this blog post.

1. Rotate the local admin password using Windows LAPS Policy

Enabling the Password Age Days setting and specifying a value in Windows LAPS causes the managed local administrator password to be rotated automatically once that age is reached. The new password is then backed up to Entra ID and stored with the device object.

You can create a Windows LAPS policy using the steps below. The policy includes a setting called Password Age Days.

In the example below, the managed local administrator account password, cloudinfra77, will be rotated every 10 days.

  • Sign in to the Intune admin center.
  • Go to Endpoint Security > Account Protection.
  • Click on + Create Policy.
  • Select Platform as Windows 10 and Later.
  • Select Profile as Local admin password solution (Windows LAPS).
  • Click on Create.

2. Rotate the local admin password using Intune admin center

You also have the option to manually rotate the managed local administrator password using the Intune admin center. In this scenario, you would locate the specific device on the portal and initiate the local admin password rotation.

This approach is useful when you suspect that the device’s local admin password has been compromised and you need to change it promptly without any delay.

To rotate the local admin password using Intune admin center, follow the below steps:

  • Sign in to the Intune admin center.
  • Go to Devices > All devices > Click on the device.
  • Click on the three dots (...) in the top menu of options and then select Rotate local admin password.
  • Click on Yes when prompted to change the local admin password.

3. OMA-URI setting to Rotate Local Admin Password

Another method for rotating the local admin password is to use the OMA-URI setting Actions/ResetPassword. This approach lets you immediately change the managed local admin account’s password without waiting for the Password Age Days value to expire.

./Device/Vendor/MSFT/LAPS/Actions/ResetPassword

4. How to Reset the Local admin Password using PowerShell

You can utilize the LAPS PowerShell module to execute commands on the device, enabling you to retrieve the local admin password or reset it as needed. For a comprehensive list of available cmdlets, refer to LAPS PowerShell cmdlets.

The specific cmdlet required for this task is Reset-LapsPassword. You can find more details about this cmdlet by visiting this link: Reset-LapsPassword.

For a step-by-step guide on connecting to Windows LAPS using PowerShell and managing it, including retrieving the local admin password for any device using PowerShell, you can follow the detailed instructions in the following guide: Manage Windows LAPS Using PowerShell.

How do you Verify if the local administrator password is Rotated?

After you initiate the Rotate local admin password action, it may take a few minutes to a few hours for the password change to complete. Restarting the device can expedite this process. Once the password reset is finalized for the device and synchronized to Entra ID, you can verify the new password using the following steps:

  • Sign in to the Intune admin center.
  • Go to Devices > All devices > Click on the device.
  • Click on Local admin password under Monitor
  • Then click on Show local administrator password
  • Click on the Show link to reveal the new password and confirm that it has been updated.
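The following script is an added example, not code from the original post, covering both the PowerShell reset in section 4 and the verification steps above: it rotates the managed password on the device with Reset-LapsPassword, then checks from an admin workstation that Entra ID has received the new secret by comparing PasswordUpdateTime with the time the rotation was triggered. It assumes Windows LAPS is enabled on the device, the Microsoft.Graph module is installed on the admin workstation, and $DeviceId holds the Entra device object ID (placeholder).

```powershell
# Added example (not from the original post). Assumptions: Windows LAPS is
# enabled on the device, Microsoft.Graph is installed on the admin workstation,
# and $DeviceId is the Entra device object ID of the device being checked.

# --- Part 1: run on the managed device, in an elevated session ---
Import-Module LAPS
# Rotate the managed account's password now and back it up to Entra ID,
# without waiting for Password Age Days to expire.
Reset-LapsPassword

# --- Part 2: run from an admin workstation ---
Import-Module Microsoft.Graph.Authentication
Import-Module LAPS
# Device.Read.All lets the cmdlet resolve the device object;
# DeviceLocalCredential.Read.All is required to read the password itself.
Connect-MgGraph -Scopes "Device.Read.All", "DeviceLocalCredential.Read.All"

$DeviceId = "<entra-device-object-id>"   # placeholder, replace with a real ID

function Test-LapsRotated {
    param([string]$DeviceId, [datetime]$RotationStartedUtc)
    # Metadata only; add -IncludePasswords -AsPlainText only when the secret
    # itself is needed, so the password is not pulled on every poll.
    $cred = Get-LapsAADPassword -DeviceIds $DeviceId
    if (-not $cred) { return $false }
    # PasswordUpdateTime is when Entra ID stored the current password.
    return ($cred.PasswordUpdateTime.ToUniversalTime() -ge $RotationStartedUtc)
}

# Record this timestamp before triggering the rotation (Part 1, the portal
# action, or the OMA-URI), so a stale backup is not mistaken for the new one.
$started  = (Get-Date).ToUniversalTime()
$deadline = $started.AddMinutes(30)   # the post notes this can take minutes to hours
do {
    if (Test-LapsRotated -DeviceId $DeviceId -RotationStartedUtc $started) {
        Write-Host "Password rotated and synced to Entra ID."
        Get-LapsAADPassword -DeviceIds $DeviceId |
            Select-Object DeviceName, Account, PasswordUpdateTime, PasswordExpirationTime
        break
    }
    Start-Sleep -Seconds 60
} while ((Get-Date).ToUniversalTime() -lt $deadline)
```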

What Permissions are Required to Rotate Local admin password?

If you’re unable to access the Local Admin Password option for a device in the Intune admin center because it is grayed out, you have two options:

  1. You can grant a user permission to Rotate Local Admin Password from the Intune admin center.
  2. Create a custom Entra ID role that allows you to view and retrieve Local Admin Passwords for devices.

Let’s check both the options below:

Option 1 – Rotate local Admin password Permission

To assign the Rotate local Admin password permission to a user, follow the steps below:

  • Sign in to the Intune admin center.
  • Go to Tenant administration > Roles.
  • Click on + Create to create a new custom Intune role.
  • Provide the custom role’s name and description. For example, Name: Rotate local Administrator password, and Description: This role will be able to rotate the local admin password.

In the Permissions tab, set up the following permissions:

  • Managed Devices: Read
  • Organization: Read
  • Rotate Local admin password: Yes
  • After creating this role, you can locate it under All roles. Click on it to open, and then select Assignments under Manage. Click on + Assign to assign this role to users or administrators.

Option 2 – Create a Custom Entra ID role

The built-in Entra ID roles Cloud Device Administrator, Intune Administrator, and Global Administrator automatically include the device.LocalCredentials.Read.All permission. If a user is a member of any of these built-in roles, they will be able to manage the local administrator password for any device.

If a user isn’t a member of any of these built-in roles but still needs to view the local admin password of devices, you must create a Custom Entra ID role and assign the following permissions to this role.

  • microsoft.directory/deviceLocalCredentials/password/read
  • microsoft.directory/deviceLocalCredentials/standard/read

Steps to Create a Custom Entra ID role

  • Sign in to the Entra admin center.
  • Go to Roles & admins > All roles.
  • Click on + New custom role.
  • Provide a Name and Description and Keep Baseline permissions as Start from scratch.
  • Under the Permissions tab, select the two permissions below:

microsoft.directory/deviceLocalCredentials/password/read

microsoft.directory/deviceLocalCredentials/standard/read

  • Once the custom role is created, open it and add either Eligible assignments or Active assignments to grant users access to retrieve the local admin password of Intune-managed devices.
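As an added example (not part of the original post), the same custom Entra ID role can be created and assigned with Microsoft Graph PowerShell instead of the admin center. It assumes the Microsoft.Graph module is installed, the signed-in admin can manage directory roles, and $UserObjectId holds the object ID of the user who needs to read LAPS passwords (placeholder); the role name is a made-up example.

```powershell
# Added example (not from the original post). Assumptions: Microsoft.Graph is
# installed, the signed-in admin may manage directory roles, and $UserObjectId
# is the object ID of the user who should be able to read LAPS passwords.
Import-Module Microsoft.Graph.Identity.Governance
Connect-MgGraph -Scopes "RoleManagement.ReadWrite.Directory"

$UserObjectId = "<user-object-id>"   # placeholder, replace with a real ID

# Only the two deviceLocalCredentials read actions from the post, nothing more,
# so the role cannot do anything beyond viewing LAPS passwords.
$roleParams = @{
    DisplayName     = "LAPS Password Reader"   # example name
    Description     = "Can view and retrieve local admin passwords of Intune-managed devices"
    IsEnabled       = $true
    RolePermissions = @(
        @{
            AllowedResourceActions = @(
                "microsoft.directory/deviceLocalCredentials/password/read",
                "microsoft.directory/deviceLocalCredentials/standard/read"
            )
        }
    )
}
$role = New-MgRoleManagementDirectoryRoleDefinition -BodyParameter $roleParams

# Active assignment at tenant scope ("/"). For an eligible (PIM) assignment,
# use New-MgRoleManagementDirectoryRoleEligibilityScheduleRequest instead.
$assignment = New-MgRoleManagementDirectoryRoleAssignment -BodyParameter @{
    PrincipalId      = $UserObjectId
    RoleDefinitionId = $role.Id
    DirectoryScopeId = "/"
}

# Verify: the role carries exactly the two read actions, and the user is assigned.
(Get-MgRoleManagementDirectoryRoleDefinition -UnifiedRoleDefinitionId $role.Id).RolePermissions.AllowedResourceActions
Get-MgRoleManagementDirectoryRoleAssignment -Filter "roleDefinitionId eq '$($role.Id)'" |
    Select-Object PrincipalId, DirectoryScopeId
```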

Conclusion

This blog post has covered the different ways to rotate local admin account passwords on Windows 10/11 devices. You should rotate your local admin password regularly and use a complex password of at least 14 characters, including special characters.
