Rotating the Local Administrator account password is an essential security practice to protect your organization’s devices from unauthorized access. One of the options for rotating local user passwords is by using Windows LAPS.
We will look into all the different ways to rotate a local user password in the following sections of this blog post.
1. Rotate the local admin password using the Windows LAPS
Enabling the “Password Age Days” setting and specifying a value in Windows LAPS allows for the automatic update of the managed local administrator password. This updated password is then synchronized to Azure AD and stored with the device object.
In the example provided below, the password for the managed local administrator account, “cloudinfra77,” will be rotated every 10 days.
To create a Windows LAPS policy, follow the steps below:
- Sign in to the Microsoft Intune admin center
- Go to Endpoint Security > Account Protection
- Click on + Create Policy
- Select Platform as Windows 10 and Later
- Select Profile as Local admin password solution (Windows LAPS)
- Click on Create
2. Rotate the local admin password using the Intune admin center
You also have the option to manually rotate the managed local administrator password using the Intune admin center. In this scenario, you would locate the specific device on the portal and initiate the local admin password rotation from there.
This approach is useful when you suspect that the device’s local admin password has been compromised, and you need to change it promptly without any delay.
To rotate the local admin password using the Intune admin center, follow the steps below:
- Sign in to the Microsoft Intune admin center
- Go to Devices > All devices > Click on the device
- Click on the three dots in the top menu of options and then select “Rotate local admin password”
- Click on Yes when prompted to change local admin password.
3. How to verify that the local administrator password was rotated
After you initiate the “Rotate local admin password” action, it may take a few minutes to a few hours for the password change to complete. Restarting the device can expedite this process. Once the password reset is finalized on the device and synchronized to Azure AD, you can verify the new password using the following steps:
- Sign in to the Microsoft Intune admin center
- Go to Devices > All devices > Click on the device
- Click on Local admin password under Monitor
- Then click on Show local administrator password
- Click on the Show link to reveal the new password and confirm that it has been updated
4. OMA-URI setting to Rotate Local Admin Password
Another method for rotating the local admin password is by using the OMA-URI setting “Actions/ResetPassword.” This approach allows you to immediately change the password of the managed local admin account without having to wait for the “Password age days” value to expire.
./Device/Vendor/MSFT/LAPS/Actions/ResetPassword
5. How to Reset the Local admin Password using PowerShell
You can utilize the LAPS PowerShell module to execute commands on the device, enabling you to retrieve the local admin password or reset it as needed. For a comprehensive list of available cmdlets, you can refer to this link: LAPS PowerShell cmdlets.
The specific cmdlet required for this task is “Reset-LapsPassword”. You can find more details about this cmdlet by visiting this link: Reset-LapsPassword.
For a step-by-step guide on how to connect to Windows LAPS using PowerShell and manage it, including how to retrieve the local admin password for any device using PowerShell, you can follow the detailed instructions provided in the following guide: Manage Windows LAPS Using PowerShell.
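An added example (not from the original post) that ties the verification in section 3 to the PowerShell method in this section: one function reads the password metadata that Azure AD holds for a device and reports whether a rotation has landed since you requested it, and another forces a rotation on the device itself with Reset-LapsPassword. It assumes the built-in LAPS module (Windows 11, or Windows 10 with the April 2023 update) and the Microsoft.Graph module; the device object id and the timestamp in the usage lines are placeholders.

```powershell
# Added example, not code from the original post.
# Assumes: LAPS PowerShell module on the machine, Microsoft.Graph module installed.

# Run on the management workstation. Only metadata is fetched (no -IncludePasswords),
# so the secret itself never lands in the console transcript while you check timing.
function Get-LapsRotationStatus {
    param(
        [Parameter(Mandatory)][string]$DeviceId,      # Azure AD device object id
        [Parameter(Mandatory)][datetime]$RequestedAt  # when the rotation was requested
    )
    # DeviceLocalCredential.Read.All is the Graph permission LAPS retrieval needs,
    # the same right the built-in roles in section 6 carry.
    Connect-MgGraph -Scopes 'DeviceLocalCredential.Read.All', 'Device.Read.All' -NoWelcome

    $entry = Get-LapsAADPassword -DeviceIds $DeviceId

    [pscustomobject]@{
        DeviceName = $entry.DeviceName
        Account    = $entry.Account
        UpdatedAt  = $entry.PasswordUpdateTime
        ExpiresAt  = $entry.PasswordExpirationTime
        # True once the stored password is newer than the moment you asked for rotation
        Rotated    = ($entry.PasswordUpdateTime -gt $RequestedAt)
    }
}

# Run elevated on the managed device. Rotates immediately rather than waiting for
# "Password age days" to lapse; the new password is then pushed to Azure AD by the client.
function Invoke-LapsImmediateRotation {
    Reset-LapsPassword
    # Kick policy processing so the upload does not wait for the next scheduled run.
    Invoke-LapsPolicyProcessing
}

# Usage (placeholders): check whether a rotation requested 30 minutes ago has synced.
$status = Get-LapsRotationStatus -DeviceId '<device-object-id>' -RequestedAt (Get-Date).AddMinutes(-30)
if ($status.Rotated) {
    "Rotated for $($status.Account) on $($status.DeviceName) at $($status.UpdatedAt)"
} else {
    Write-Warning "Not synced yet (last update $($status.UpdatedAt)). Restart the device or run Invoke-LapsImmediateRotation on it."
}
```

Invoke-LapsImmediateRotation must run on the device, not on the workstation; the Graph-side check is what confirms the new password actually reached Azure AD.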
6. What permissions are required to rotate the local admin password
If you’re unable to access the Local admin password option for a device in the Intune admin center because it is grayed out, you have two options:
- Grant a user the ‘Rotate local admin password’ permission from the Intune admin center.
- Create a custom Azure AD role that allows you to view and retrieve local admin passwords for devices.
Let’s look at both options below:
1. “Rotate local admin password” permission
To assign the “Rotate local admin password” permission to a user, please follow the steps below:
- Sign in to the Microsoft Intune admin center
- Click on Tenant Administration > Roles
- Click on + Create to create a new custom Intune role
- Provide a Name and Description for the custom role. For example, Name: Rotate local Administrator password; Description: This role will be able to rotate the local admin password.
In the Permissions tab, set up the following permissions:
- Managed Devices: Read
- Organization: Read
- Rotate Local admin password: Yes
- After creating this role, you can locate it under ‘All roles’. Click on it to open it, and then select ‘Assignments’ under ‘Manage’. Click on ‘+ Assign’ to assign this role to users or administrators.
2. Create a Custom Azure AD role
The built-in Azure AD roles, including Cloud Device Administrator, Intune Administrator, and Global Administrator, are automatically granted the ‘device.LocalCredentials.Read.All’ permission. If a user is a member of any of these built-in roles, they will have the ability to manage the local administrator password for any device.
If a user isn’t a member of any of these built-in roles but still needs to view the local admin password of devices, you must create a Custom Azure AD role and assign the following permissions to this role.
- microsoft.directory/deviceLocalCredentials/password/read
- microsoft.directory/deviceLocalCredentials/standard/read
Steps to create a Custom Azure AD role
- Sign in to the Microsoft Azure Portal
- Go to Azure Active Directory > Roles and administrators
- Click on + New custom role
- Provide a Name and Description and keep Baseline permissions as “Start from scratch”
- Under the Permissions tab, select the following two permissions:
microsoft.directory/deviceLocalCredentials/password/read
microsoft.directory/deviceLocalCredentials/standard/read
- Next, finish creating the custom Azure AD role. Click on the custom role, and then add either Eligible assignments or Active assignments to grant users access to retrieve the local admin password of Intune-managed devices.
Conclusion
In this blog post, we have seen different ways to reset local admin account passwords on Windows 10 / 11 devices. You should rotate/change your local admin password regularly and keep a complex password with at least 14 characters which includes special characters as well.