Rotating the local administrator account password is an essential security practice to protect your organization's devices from unauthorized access. Managing a local administrator account and its password is easier with Windows LAPS, which can be configured using Microsoft Intune.
Windows 10 / 11 provides a built-in local administrator account called Administrator, which is disabled by default. You can enable this account and manage it using Windows LAPS, or you can create a custom local administrator account and manage it using Windows LAPS.
Whichever is the case, it's important to change the password of the local administrator account regularly to prevent unauthorized access or to comply with security policies. By rotating the local admin account password, you make it more difficult to gain access to your device(s).
There are different ways to rotate the local administrator password, and we should choose a method that is easy to administer and requires less admin effort. What's the best and easiest way to rotate the local administrator account password?
You can always log in on the device, go to Computer Management > Local Users and Groups, and right-click the user to change the password manually. It is easier, however, to change the password when the device is managed via Intune, either automatically or remotely from the Intune admin center.
We will look into all the different ways to rotate a local admin password in the next sections of this blog post. Let’s check it out.
Rotate local admin password using Windows LAPS policy
As I discussed earlier, Windows LAPS for Intune makes local admin account management easier. It can also change the password of the account automatically by using a setting called “Password Age Days”. You can set Password Age Days from 7 to 365 days for Azure AD joined devices.
If you have not implemented Windows LAPS, you can follow the step-by-step guide in my other blog post: Implement Windows LAPS On Azure AD Devices Using Intune.
When you enable Password Age Days and provide a value that defines the number of days, Windows LAPS will automatically update the managed local administrator password, sync it to Azure AD and store it with the device object. For example, in the screenshot below, the password of the managed local administrator account cloudinfra77 will be rotated every 10 days.
To create a Windows LAPS policy, follow the steps below:
- Log in to the Microsoft Intune admin center.
- Go to Endpoint Security > Account Protection
- Click on + Create Policy.
- Select Platform as Windows 10 and Later.
- Select Profile as Local admin password solution (Windows LAPS).
- Click on Create.

Rotate local admin password using Intune admin center
You can also rotate the managed local administrator password manually using the Intune admin center. With this method, you find the device in the portal and rotate the local admin password from there.
Choose this option when you find that a device's local admin password has been compromised and you want to change it immediately.
To rotate the local admin password using the Intune admin center, follow the steps below:
- Log in to the Microsoft Intune admin center.
- Go to Devices > All devices > Click on the device.
- Click on the three dots in the top menu of options and then select “Rotate local admin password”.

- Click on Yes when prompted to change local admin password.

How to verify if local administrator password is rotated?
After you click on “Rotate local admin password”, it takes a couple of minutes to a few hours for this change to complete. You could restart the device to speed up the process. Once the password reset is completed for that device and synced to Azure AD, you can verify the new password using the steps below:
- Log in to the Microsoft Intune admin center.
- Go to Devices > All devices > Click on the device.
- Click on Local admin password under Monitor.
- Then click on Show local administrator password.
- Click on the Show link to reveal the new password and confirm that it's updated.

OMA-URI setting to rotate Local Admin Password
You can also rotate the local admin password using the OMA-URI setting Actions/ResetPassword. This way you can immediately change the password of the managed local admin account without having to wait for the Password Age Days value to expire.
You can create a custom device configuration profile and target it to the device(s) using the OMA-URI setting below:
./Device/Vendor/MSFT/LAPS/Actions/ResetPassword
How to reset LAPS password using PowerShell
You can use the LAPS PowerShell module to run commands against the device, either to retrieve the local admin password or to reset it. For the complete list of cmdlets available to you, visit this link: Windows LAPS PowerShell cmdlets.
The specific cmdlet we need for this task is Reset-LapsPassword. You can find more details about this cmdlet by visiting this link: Reset-LapsPassword.
For a step-by-step guide on how to connect to and manage Windows LAPS using PowerShell, and on how to retrieve the local admin password of any device using PowerShell, use the link: Manage Windows LAPS Using Powershell.
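One way to confirm from PowerShell that a rotation has completed without revealing the password, as an added example that is not part of the original post. It assumes the Microsoft.Graph module is installed, the signed-in account is allowed the two Graph scopes shown, and that a completed rotation moves PasswordExpirationTime forward; DESKTOP-EXAMPLE01 and both function names are placeholders.

```powershell
# Added example. Run from an admin workstation that has the Windows LAPS module.
# To rotate right away on the device itself, run this there in an elevated session:
#     Reset-LapsPassword

function Get-LapsExpiration {
    param([Parameter(Mandatory)][string]$DeviceName)
    # Metadata only: -IncludePasswords is omitted, so the password is never returned.
    $entry = Get-LapsAADPassword -DeviceIds $DeviceName -ErrorAction Stop
    return [datetime]$entry.PasswordExpirationTime
}

function Wait-LapsRotation {
    param(
        [Parameter(Mandatory)][string]$DeviceName,
        [Parameter(Mandatory)][datetime]$PreviousExpiration,
        [int]$TimeoutMinutes = 60,
        [int]$PollSeconds = 120
    )
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    $current  = $PreviousExpiration
    while ((Get-Date) -lt $deadline) {
        $current = Get-LapsExpiration -DeviceName $DeviceName
        # Assumption: each rotation pushes the expiration out by Password Age Days.
        if ($current -gt $PreviousExpiration) { break }
        Start-Sleep -Seconds $PollSeconds
    }
    [pscustomobject]@{
        Device        = $DeviceName
        Rotated       = ($current -gt $PreviousExpiration)
        OldExpiration = $PreviousExpiration
        NewExpiration = $current
    }
}

$device = 'DESKTOP-EXAMPLE01'   # placeholder device name

# Read-only scopes are enough for expiration metadata.
Connect-MgGraph -Scopes 'Device.Read.All', 'DeviceLocalCredential.ReadBasic.All'

$before = Get-LapsExpiration -DeviceName $device
Read-Host 'Trigger the rotation (Intune remote action or Reset-LapsPassword), then press Enter'

$result = Wait-LapsRotation -DeviceName $device -PreviousExpiration $before
$result | Format-List
if (-not $result.Rotated) {
    Write-Warning "No new expiration time for $device yet; the device may not have checked in."
}
```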
Conclusion
In this blog post, we have seen different ways to reset the local admin account password on Windows 10 / 11 devices. You should rotate/change the local admin password regularly and keep a complex password with at least 14 characters, which includes special characters as well.