Windows Local Administrator Password Solution (LAPS) is a free tool from Microsoft that lets you manage and rotate local administrator passwords on Windows devices. Without such a tool, the local administrator password is often the same across all devices in an organization, which is a security risk: one compromised password opens every device.
LAPS solves this problem by automatically generating a unique password for each device and storing it securely in Azure Active Directory. There are no specific license requirements for Windows LAPS; it is available to any organization with an Azure AD Free or higher license.
If you want to manage Windows LAPS using PowerShell, check out the step-by-step guide Manage Windows LAPS Using Powershell.
LAPS is the management of local account passwords on Windows devices. LAPS provides a solution to securely manage and retrieve the built-in local admin password. With the cloud version of LAPS, customers can enable storing and rotation of local admin passwords for both Azure AD and Hybrid Azure AD joined devices.
Official Definition of Azure AD Local Administrator Password Solution (LAPS)
Prerequisites
The following operating systems with the April 2023 updates or later are supported for Windows LAPS. No agent or MSI deployment is required: Windows LAPS is built into the Windows versions below once the April 2023 update (or later) is installed.
- Windows 11 22H2 – April 11 2023 Update
- Windows 11 21H2 – April 11 2023 Update
- Windows 10 – April 11 2023 Update
- Windows Server 2022 – April 11 2023 Update
- Windows Server 2019 – April 11 2023 Update
Enable Windows LAPS in Azure Active Directory
The first step is to enable Azure AD LAPS via the Azure Active Directory device settings. Use the steps below to enable LAPS in Azure AD:
- Log in to Azure Active Directory
- Go to Devices > Device Settings
- Toggle Yes on Enable Azure AD Local Administrator Password Solution (LAPS)
- Click on Save to save the changes
Create Windows LAPS Policy for Windows 10
Now that we have enabled Windows LAPS in Azure AD, we will create a policy from the Microsoft Intune admin center. This policy defines all the settings for Windows LAPS and is applied to the targeted devices.
To create a Windows LAPS policy from the Microsoft Intune portal, follow the steps below:
- Log in to the Microsoft Intune admin center
- Go to Endpoint Security > Account Protection
- Click on + Create Policy.
- Select Platform as Windows 10 and Later
- Select Profile as Local admin password solution (Windows LAPS)
- Click on Create
Basics Tab
On the basics tab, provide a Name and Description of the Windows LAPS Profile.
- Name: Cloudinfra Windows LAPS
- Description: This is a Windows LAPS profile for devices which are joined to cloudInfra.net Azure AD Organization and Enrolled into MS Intune
Configuration Tab
This is where you define your LAPS policy settings. We will now go through each setting and its recommended configuration:
- Backup Directory – Backup the password to Azure AD only
- Password Age Days – Enable it and set it to a value between 7 and 365 days. If you do not enable this setting, it defaults to 30 days
- Administrator Account Name – You can manage a custom local admin account that you have already created on all your organization's devices. If you do not specify an administrator account name, the default built-in local Administrator account is located by its well-known SID (even if it has been renamed) and managed by Intune.
If you provide a custom local admin account for Windows LAPS to manage, you must ensure the account already exists. Windows LAPS does not create the account. To create a local admin account using Intune, follow the guide: How To Create A Local Admin Account Using Intune or Create A Local Admin Using Intune And Powershell.
- Password Complexity – Recommended setting is “Large letters + small letters + numbers + special characters“
- Password Length – Configure the length of the password. The minimum value is 8 and the maximum is 64. If you do not enable this setting, the default of 14 characters is used. I have used a length of 19 for my cloudinfra organization.
- Post Authentication Actions – If you want to rotate the local admin password after every use, select one of the options from the dropdown. If you use this option, pair it with Post Authentication Reset Delay so that the helpdesk member has enough time to complete troubleshooting before the configured post-authentication action is taken. If you do not configure this setting, Reset password + log off is selected by default.
- Reset password – Every time someone authenticates using local admin account, its password is reset and new password is backed up to Azure AD.
- Reset password and log off – Every time someone authenticates using local admin account, its password is reset and new password is backed up to Azure AD + log off action will occur to avoid any further misuse of local admin password.
- Reset password and reboot – Every time someone authenticates using local admin account, its password is reset and new password is backed up to Azure AD + reboot device action will occur to avoid any further misuse of local admin password.
- Post Authentication Delay – If you do not configure this option, it is set to 24 hours by default. Use this setting to specify the number of hours to wait before taking the post-authentication action. To disable post-authentication actions, set Post Authentication Delay to 0. The minimum value is 0 and the maximum is 24.
Assignments
Create an Azure AD security group containing the users or devices to which this device configuration profile should be deployed. Note that if you add users to the group, the Cloudinfra Windows LAPS policy is applied to all of those users' devices that are joined to Azure AD and enrolled in Intune. If you want to deploy it to specific devices, add the devices, not the users, to the Azure AD security group.
To deploy it to all end-user devices, click + Add all devices to target every device enrolled in Intune.
Review + Create
On the Review + Create tab, review the profile and click Create. As soon as you click Create, the Cloudinfra Windows LAPS policy is created and assigned to the targeted devices.
Intune Policy Refresh Cycle
The device will sync / check in to start deployment of this profile. It may take some time for the process to start, so if you are testing on a test device you can force an Intune refresh cycle on the device to speed up download and installation. You can also use PowerShell to force an Intune refresh cycle.
Alternatively, restart the device, which also starts the device check-in process. A manual sync is not mandatory on users' devices because check-in happens automatically, but on a test device it can speed up your testing and save some time.
Where to find LAPS settings in Registry
When the profile is successfully deployed to the target devices, it creates a registry key called LAPS under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Policies\ and registry entries are created according to the policy settings.
Useful Information: Windows LAPS uses a background task that starts every hour to check whether the password has expired. If it has expired, the task resets the password and uploads the new password to Azure AD.
You can see that the following registry entries are created by Intune:
- AdministratorAccountName: cloudinfraadmin
- BackupDirectory: 1
- PasswordAgeDays: 7
- PasswordComplexity: 4
- PasswordLength: 19
- PostAuthenticationResetDelay: 0
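As an added example (not code from the original post), the PowerShell below checks on a device that the Intune-delivered policy actually arrived with the values configured above, and that the custom account LAPS is supposed to manage exists and is a local administrator, since LAPS does not create it. The registry path and value names are the ones shown in the post; the expected values are those of the Cloudinfra profile and are assumptions you should replace with your own.

```powershell
# Added example, not from the original post. Verifies the Windows LAPS policy
# registry key written by Intune and the managed local admin account.

$lapsPolicyPath = 'HKLM:\SOFTWARE\Microsoft\Policies\LAPS'

# Expected values for the profile described in the post (assumed; adjust to yours).
# BackupDirectory 1 = Azure AD only; PasswordComplexity 4 = upper + lower + numbers + special.
$expected = @{
    AdministratorAccountName     = 'cloudinfraadmin'
    BackupDirectory              = 1
    PasswordAgeDays              = 7
    PasswordComplexity           = 4
    PasswordLength               = 19
    PostAuthenticationResetDelay = 0
}

function Test-LapsPolicyRegistry {
    param(
        [string]$Path = $lapsPolicyPath,
        [hashtable]$Expected = $expected
    )

    if (-not (Test-Path -Path $Path)) {
        Write-Warning "LAPS policy key '$Path' not found: the Intune profile has not applied yet, or this device is not targeted."
        return $false
    }

    $actual   = Get-ItemProperty -Path $Path
    $allMatch = $true

    foreach ($name in $Expected.Keys) {
        $value = $actual.$name
        if ($null -eq $value) {
            Write-Warning "$name is missing from the policy key."
            $allMatch = $false
        }
        elseif ("$value" -ne "$($Expected[$name])") {
            Write-Warning "$name is '$value', expected '$($Expected[$name])'."
            $allMatch = $false
        }
        else {
            Write-Host ("{0,-30} {1}" -f $name, $value)
        }
    }
    return $allMatch
}

function Test-LapsManagedAccount {
    param([string]$AccountName = $expected.AdministratorAccountName)

    # Windows LAPS only manages the account; if it is absent nothing will be rotated.
    $user = Get-LocalUser -Name $AccountName -ErrorAction SilentlyContinue
    if (-not $user) {
        Write-Warning "Local account '$AccountName' does not exist. Windows LAPS will not create it."
        return $false
    }

    $isAdmin = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -like "*\$AccountName" }
    if (-not $isAdmin) {
        Write-Warning "'$AccountName' exists but is not a member of the local Administrators group."
        return $false
    }
    return $true
}

# Run both checks; each returns $true only when everything is as expected.
$policyOk  = Test-LapsPolicyRegistry
$accountOk = Test-LapsManagedAccount
"Policy applied: $policyOk; managed account ready: $accountOk"
```

Run it in an elevated PowerShell session on a targeted device after forcing an Intune sync; a missing key means the policy has not arrived, while a mismatched value points at a conflicting profile or an older policy still cached on the device.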
How to retrieve the LAPS managed local admin password
Now that we are managing our custom local administrator cloudinfraadmin using Windows LAPS, its password is backed up in Azure AD. The helpdesk or an IT administrator may need this password from time to time for troubleshooting.
But how do you retrieve the password from Azure AD? There are two ways to check the password of the managed custom local administrator. The first and easiest is to retrieve the local admin password from the Azure AD device object.
The second option is to retrieve the password from Azure AD using Microsoft Graph. There is a PowerShell cmdlet, Get-LapsAADPassword, that makes this a bit easier.
1. Retrieve the local admin password from the Intune admin center
To check the password of the local administrator account, go to the Intune admin center, search for the device object, and view the password there. The steps are:
- Log in to the Microsoft Intune admin center
- Go to Devices > All devices
- Click on the device which is targeted by the Windows LAPS policy
- On the left hand side under Monitor find Local admin password option
- Then click on Show local administrator password
You can click on Show to check the password in plain-text.
2. Retrieve the local admin password from the Microsoft Entra admin center
If you do not want to log in to the Intune admin center to retrieve the local admin password, you can use the Microsoft Entra admin center instead. Follow the steps below:
- Log in to the Microsoft Entra admin center
- Go to Devices > All devices
- Click the "Local administrator password recovery (Preview)" option on the left-hand side, or click the specific device and find the "Local administrator password recovery (Preview)" option there to show the password.
3. Retrieve the local admin password using PowerShell
You can also retrieve the password of a local admin account using PowerShell. Use the Get-LapsAADPassword cmdlet after first connecting to Microsoft Graph. You also need an Azure AD app with the necessary permissions granted for retrieving the password.
For a step-by-step guide on connecting to Windows LAPS with PowerShell, managing it, and retrieving the local admin password of any device, see: Manage Windows LAPS Using Powershell.
How to find LAPS events in Event log on devices
All Windows LAPS operations are tracked and the events are stored in the Windows event log. There is a dedicated LAPS folder that provides all related information.
Event log location: Applications and Services Logs > Microsoft > Windows > LAPS > Operational
- Event ID 10003: Background policy processing started (Log: LAPS policy processing is now starting.)
- Event ID 10004: LAPS policy processing succeeded (Log: LAPS policy processing succeeded.)
- Event ID 10005: LAPS policy processing failed. Error code 80070032.
- Event ID 10022: Information about the current LAPS policy.
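As an added example (not from the original post), the PowerShell below reads the LAPS operational log on a device, maps the event IDs listed above to their meaning, and reports the most recent policy-processing outcome, so a failed run (10005) or a device that never logged a result stands out. The channel name 'Microsoft-Windows-LAPS/Operational' is my assumption for the log shown in the Event Viewer path above; the event IDs and their meanings are the ones given in the post.

```powershell
# Added example, not from the original post. Queries the Windows LAPS
# operational log for the policy-processing events listed in the post.

# Assumed channel name for "Applications and Services Logs > Microsoft > Windows > LAPS > Operational".
$lapsLog = 'Microsoft-Windows-LAPS/Operational'

# Event IDs and meanings as described in the post.
$lapsEventMeaning = @{
    10003 = 'Policy processing started'
    10004 = 'Policy processing succeeded'
    10005 = 'Policy processing failed'
    10022 = 'Current LAPS policy (informational)'
}

function Get-LapsPolicyEvents {
    param(
        [int]$MaxEvents = 50,
        [datetime]$Since = (Get-Date).AddDays(-1)
    )

    $filter = @{
        LogName   = $lapsLog
        Id        = @($lapsEventMeaning.Keys)
        StartTime = $Since
    }

    # Get-WinEvent returns newest first; SilentlyContinue avoids an error when no events match.
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Id      = $_.Id
                Meaning = $lapsEventMeaning[$_.Id]
                Message = ($_.Message -split '\r?\n')[0]   # first line of the message only
            }
        }
}

function Get-LapsLastResult {
    param([int]$LookbackDays = 7)

    $events = Get-LapsPolicyEvents -MaxEvents 500 -Since (Get-Date).AddDays(-$LookbackDays)
    $last   = $events |
        Where-Object { $_.Id -in 10004, 10005 } |
        Sort-Object Time -Descending |
        Select-Object -First 1

    if (-not $last) {
        # The background task runs hourly, so a week without a result means the
        # policy never reached the device or the build does not include LAPS.
        Write-Warning "No LAPS policy-processing result in the last $LookbackDays days."
        return $null
    }
    if ($last.Id -eq 10005) {
        Write-Warning "Last LAPS policy run failed at $($last.Time): $($last.Message)"
    }
    return $last
}

# Usage: show recent events, then the latest success/failure.
Get-LapsPolicyEvents | Format-Table -AutoSize
Get-LapsLastResult
```

The 10022 events are worth keeping in the filter: they record the policy the device is actually applying, which is the quickest way to confirm that a changed Intune profile has taken effect without opening the registry.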
How to rotate Local admin password using Windows LAPS
The local admin account has full control of the device, so its password must be strong and rotated regularly to make it harder for an unauthorized user to gain access.
For the different ways to rotate the local admin password, see my blog post: 4 ways to rotate Local Admin Password using Intune.
How to manage Windows LAPS using Powershell
You can also manage Windows LAPS using PowerShell, including checking device information, the password expiry date, and viewing the password of the managed local administrator account in plain text.
If you want to manage Windows LAPS using PowerShell, check out the step-by-step guide Manage Windows LAPS Using Powershell.
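The Get-LapsAADPassword cmdlet introduced in the retrieval section and the expiry check mentioned in this section are covered by one added example below (mine, not the post's or the linked guide's). It connects to Microsoft Graph and reports, for a list of devices, when each LAPS password was last backed up and when it expires, without ever requesting the password itself. Assumptions: the Microsoft.Graph.Authentication module and the LAPS module that provides Get-LapsAADPassword are installed, the signed-in account can read device local credentials, the delegated scopes Device.Read.All and DeviceLocalCredential.ReadBasic.All suffice for metadata, and the returned object exposes DeviceName, Account, PasswordUpdateTime and PasswordExpirationTime. The device names are constructed.

```powershell
# Added example, not from the original post. Audits LAPS password backup and
# expiry state for a set of Azure AD devices via Microsoft Graph.

Import-Module Microsoft.Graph.Authentication
Import-Module LAPS   # assumed: ships with Windows LAPS and provides Get-LapsAADPassword

function Connect-LapsGraph {
    # Assumed delegated scopes: ReadBasic is enough for metadata; reading the
    # password itself would need DeviceLocalCredential.Read.All and -IncludePasswords.
    Connect-MgGraph -Scopes 'Device.Read.All', 'DeviceLocalCredential.ReadBasic.All' | Out-Null
}

function Get-LapsExpiryReport {
    param(
        [Parameter(Mandatory)][string[]]$DeviceNames,
        [int]$WarnWithinDays = 2
    )

    $now = Get-Date
    foreach ($name in $DeviceNames) {
        # Without -IncludePasswords only backup metadata is returned (assumed property names).
        $entry = Get-LapsAADPassword -DeviceIds $name -ErrorAction SilentlyContinue
        if (-not $entry) {
            [pscustomobject]@{
                Device = $name; Account = $null; Updated = $null; Expires = $null
                State  = 'NoBackupFound'   # policy not applied, or device never checked in
            }
            continue
        }

        # An 'Expired' password on a device that is online means the hourly
        # LAPS task has not rotated it; worth investigating in the device's event log.
        $state = if ($entry.PasswordExpirationTime -lt $now) { 'Expired' }
                 elseif ($entry.PasswordExpirationTime -lt $now.AddDays($WarnWithinDays)) { 'ExpiringSoon' }
                 else { 'OK' }

        [pscustomobject]@{
            Device  = $entry.DeviceName
            Account = $entry.Account
            Updated = $entry.PasswordUpdateTime
            Expires = $entry.PasswordExpirationTime
            State   = $state
        }
    }
}

# Usage: connect once, then report on a constructed list of device names.
Connect-LapsGraph
Get-LapsExpiryReport -DeviceNames 'CLOUDINFRA-PC01', 'CLOUDINFRA-PC02' | Format-Table -AutoSize
```

Keeping password retrieval out of routine reporting matters because every read of the clear-text password is an audited, privileged operation; the metadata query gives the helpdesk and security team what they need to spot devices that stopped rotating.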
Local admin password option greyed out on Intune admin center
If you do not have the right permissions to view the local admin password of a device, the Local admin password option is greyed out in the Intune admin center. You need to be assigned either the Rotate local Administrator password Intune permission or a custom Azure AD role for viewing / retrieving the local admin password of any device.
Let's look at both options below:
1. Rotate local Administrator password Intune permission
To assign the Rotate local Administrator password permission to a user, follow the steps below:
- Log in to the Microsoft Intune admin center
- Click on Tenant Administration > Roles
- Click on + Create to create a new custom Intune role
- Provide a Name and Description of the custom role. For example: Name: Rotate local Administrator password and Description: This role will be able to rotate local admin password.
In Permissions Tab, Configure below permissions:
- Managed Devices: Read
- Organization: Read
- Rotate Local admin password: Yes
Once you create this role, you will find it under All roles. Click on it to open and then click on Assignments under Manage. Click on + Assign to assign this role to the users/admins.
2. View local Administrator password permission
The built-in Azure AD roles Cloud Device Administrator, Intune Administrator, and Global Administrator are granted device.LocalCredentials.Read.All. A member of any of these built-in roles can manage the local administrator password of any device.
If a user is not a member of any of these built-in roles and still needs to view the local admin password of devices, you must create a custom Azure AD role and grant it the permissions below.
microsoft.directory/deviceLocalCredentials/password/read
microsoft.directory/deviceLocalCredentials/standard/read
Steps to Create a Custom Azure AD role for View Local admin password permission
- Log in to the Microsoft Azure Portal
- Go to Azure Active Directory > Roles and administrators
- Click on + New custom role
- Provide a Name and Description and keep Baseline permissions as "Start from scratch"
- Under Permissions tab select below two permissions:
microsoft.directory/deviceLocalCredentials/password/read
microsoft.directory/deviceLocalCredentials/standard/read
Proceed to create the custom Azure AD role. Then open the custom role and add either Eligible assignments or Active assignments to grant users access to retrieve the local admin password of Intune-managed devices.
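Because both the built-in roles above and any custom role carrying these two actions can recover clear-text passwords, it is worth being able to enumerate them. The PowerShell below is an added example (mine, not from the post) that lists every directory role definition, built-in or custom, granting the password-read or standard-read action named above. Assumptions: the Microsoft.Graph.Identity.Governance module is installed and the caller can be granted the RoleManagement.Read.Directory scope; the action strings are the two from the post.

```powershell
# Added example, not from the original post. Lists Azure AD directory roles that
# grant the LAPS local-credential read actions referenced in the post.

Import-Module Microsoft.Graph.Identity.Governance

$lapsPasswordRead = 'microsoft.directory/deviceLocalCredentials/password/read'
$lapsStandardRead = 'microsoft.directory/deviceLocalCredentials/standard/read'

function Get-LapsReaderRoles {
    # Assumed delegated scope sufficient to read role definitions.
    Connect-MgGraph -Scopes 'RoleManagement.Read.Directory' | Out-Null

    Get-MgRoleManagementDirectoryRoleDefinition -All | ForEach-Object {
        # Flatten the allowed actions across all permission blocks of the role.
        $actions = @($_.RolePermissions | ForEach-Object { $_.AllowedResourceActions })

        $canReadPassword = $actions -contains $lapsPasswordRead
        $canReadMetadata = $actions -contains $lapsStandardRead

        if ($canReadPassword -or $canReadMetadata) {
            [pscustomobject]@{
                Role         = $_.DisplayName
                IsBuiltIn    = $_.IsBuiltIn
                ReadPassword = $canReadPassword   # can recover the clear-text password
                ReadMetadata = $canReadMetadata   # can see backup/expiry details only
            }
        }
    }
}

# Usage: custom roles are listed first so unexpected grants are easy to spot.
Get-LapsReaderRoles | Sort-Object IsBuiltIn, Role | Format-Table -AutoSize
```

Any custom role that shows ReadPassword = True should have a documented owner and, as the post recommends, be handed out through eligible rather than permanent active assignments where possible.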
Conclusion
In this blog post, we have seen how to implement Windows LAPS on Azure AD devices via Intune. Please note that at the time of writing this blog post, this feature is still in public preview. You can easily store Local admin password to Azure AD and rotate it as per your configuration automatically.
You can also control who can see the password using Azure role based access control. By default, only members of the Global Administrator, Cloud Device Administrator, and Intune Administrator roles can retrieve the clear-text password.
To have a custom local admin account, you point to using OMA-URI in another post.
Wouldn’t the OMA-URI override the password set by LAPS?
Or am I missing something?
@Dave – It may override the password set in OMA-URI. I have not tested that scenario. But if you want to create a local user account without defining any password then you could use PowerShell scripts to create a local user account and add it to the Administrators group. I have written another blog post on this which shows how to create a local user account without setting any password. Here's the blog post link:
https://cloudinfra.net/create-a-local-admin-using-intune-and-powershell/
Hi,
What happens in the background when you 'Enable Azure AD Local Administrator Password Solution' under device settings? I would like to test this for a group before turning it on globally – I'm going to use Intune to push the policy for it. I suspect that enabling this under device settings just turns on the feature in Azure, but if you don't have any policies in Intune, nothing happens with the end users. Is it true?
Thanks.
Hi Erik, I don’t think anything actually happens on the target device until you create LAPS policy and target to the devices. This is just to enable the feature on the tenant level so that you can create the policy in Intune.