A built-in local administrator account exists on every Windows device. This account has full permissions and cannot be deleted. Therefore, it’s important to protect this account.
Windows Local Administrator Password Solution (LAPS) helps to protect built-in and custom Administrator account from pass-the-hash or lateral-traversal attacks by Enforcing password complexity and length requirements, backup of the password to Entra ID, and rotate the passwords automatically.
Not just built-in administrator account, LAPS can also protect a custom local admin account as well. Some organizations may keep the built-in administrator account disabled and create a custom local admin account.
As such, no license cost associated with using Windows LAPS with Intune. However, you will need to meet the licensing requirements for using Intune and Microsoft Entra. Below are the minimum license requirements for using Windows LAPS with Intune:
- Microsoft Intune Plan 1
- Microsoft Entra ID Free
Contents
Prerequisites
Starting from April 2023, updates or later, the following operating systems are supported for implementing Windows LAPS. There’s no need for an agent or MSI deployment of LAPS, as it is built into the Windows OS versions listed below with April updates and later.
- Windows 11 22H2 – April 11, 2023 Update
- Windows 11 21H2 – April 11, 2023 Update
- Windows 10 – April 11, 2023 Update
- Windows Server 2022 – April 11, 2023 Update
- Windows Server 2019 – April 11, 2023 Update
1. Enable Windows LAPS in Entra Admin Center
- Sign in to the Entra admin center > Devices > All devices > Device Settings.
- Toggle Yes on Enable Microsoft Entra Local Administrator Password Solution (LAPS).
- Click on Save to save the changes.
2. Create Windows LAPS Policy
Now that we’ve enabled Windows LAPS in Entra ID, the next step is to create a policy from the Intune admin center. This policy will define all the settings for Windows LAPS and will be applied to the devices.
- Sign in to the Intune admin center > Endpoint Security > Account Protection.
- Click on + Create Policy.
- Select Platform as Windows 10 and Later.
- Select Profile as the Local admin password solution (Windows LAPS).
- Click on Create.
- Basics Tab: Provide a Name and Description of the policy.
Configuration Tab
Let’s review the configuration settings below:
- Backup Directory: You have four options available for this setting.
- Disabled – Password will not be backed up
- Backup the password to Azure AD only
- Backup the password to the Active directory only
- Not Configured
- Password Age Days: Enable this setting and set it to a value between 7 and 365 days. If you do not enable this setting, it will default to 30 days.
- Administrator Account Name: Use this setting to configure the name of the managed local administrator account. If not specified, the default built-in local administrator account will be located by a well-known SID (even if renamed).
To create a local admin account using Intune, You can follow the guide using the link: How To Create A Local Admin Account Using Intune or Create A Local Admin Using Intune And Powershell.
Create local admin accounts
- Password Complexity: Recommended setting is Large letters + small letters + numbers + special characters (improved readability).
- Password Length: Configure the length of the password. The minimum value is 8, and the Maximum value is 64. If you do not enable this setting, the Default value of 14 characters is used.
- Post Authentication Actions: If you want to rotate the local admin password after every use, select one option from the dropdown. If you use this option, make sure you use it along with the Post Authentication Reset delay to provide enough time for Helpdesk members to complete the troubleshooting before any Post-Authentication action is taken as per configuration. If you do not configure this setting, default Reset password + log off is selected.
- Reset password: Every time someone authenticates using the local admin account, its password is reset, and a new password is backed up to Azure AD.
- Reset password and log off: Every time someone authenticates using the local admin account, its password is reset, and a new password is backed up to Azure AD + log off action will occur to avoid any further misuse of the local admin password.
- Reset password and reboot: Every time someone authenticates using the local admin account, its password is reset, and a new password is backed up to Azure AD + reboot device action will occur to avoid any further misuse of the local admin password.
| Post Authentication Actions |
|---|
| Not Configured |
| Reset password: upon expiry of the grace period, the managed account password will be reset. |
| Reset the password and logoff the managed account: upon expiry of the grace period, the managed account password will be reset and any interactive logon sessions using the managed account will be terminated. |
| Reset the password and reboot: upon expiry of the grace period, the managed account password will be reset and the managed device will be immediately rebooted. |
- Post Authentication Delay: If you do not configure this option, it is set to 24 hours by default. Use this setting to specify the time to wait before taking post-authentication actions. If you want to disable them, set the Post Authentication Delay value to 0. The minimum value is 0, and the Maximum value is 24 for this setting.
- Assignments: Click Add groups and select the Entra security group containing Windows 10/11 devices.
- Review + create: Review the deployment and click on Create.
Sync Intune Policies
The device check-in process might not begin immediately. If you’re testing this policy on a test device, you can manually kickstart Intune sync from the device itself or remotely through the Intune admin center.
Alternatively, you can use PowerShell to force the Intune sync on Windows devices. Restarting the device is another way to trigger the Intune device check-in process.
Locating LAPS Settings in the Registry
After Windows LAPS policy is successfully deployed to the target devices, it will create LAPS registry key under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Policies, and the registry entries will align with the policy settings configured in Intune.
Please note Windows LAPS uses a background task that starts every hour to check if the password is expired or not. If its expired, it will then reset the password and update the new password to Azure AD or as per the Backup Directory LAPS configuration.
Note
You’ll find that Intune has created the following registry entries as per the LAPS Configuration.
- AdministratorAccountName: cloudinfraadmin
- BackupDirectory: 1
- PasswordAgeDays: 7
- PasswordComplexity: 4
- PasswordLength: 19
- PostAuthenticationResetDelay: 0
Retrieve Windows LAPS Managed Local Admin Password
Now that we manage our custom local administrator cloudinfraadmin using Windows LAPS, its password is backed up in Entra ID. The helpdesk or any IT administrator may need this password from time to time for troubleshooting purposes
But how can you retrieve the password from Entra ID? There are three methods for retrieving the password of a managed local administrator account.
- Using Intune admin center.
- Using Entra admin center.
- Using Powershell.
Let’s Explore both these methods:
1. Retrieve Managed Local admin password from Intune admin center
To retrieve the managed local admin password from the Intune admin center, follow the below steps:
- Sign in to the Intune admin center > Devices > All devices.
- Click on the device that is targeted by the Windows LAPS policy.
- On the left-hand side, under Monitor, find the Local admin password option.
- Then click on Show local administrator password.
- You can click on Show to check the password in plain text.
2. Retrieve Managed Local admin password from Entra admin center
You can also use the Entra admin center if you prefer not to log in to the Intune admin center to retrieve the local admin password. Please follow the steps below for this:
- Sign in to the Entra admin center > Devices > All devices.
- To show the password, click on the Local administrator password recovery option on the left-hand side, or you can click on the specific device and then find the Local administrator password recovery option there as well.
3. Retrieve Managed Local admin password using Powershell
Another method to retrieve the password of a local admin account is by using PowerShell. You can utilize the Get-LapsAADPassword PowerShell cmdlet by first connecting to Graph. This method also requires an Entra App registration and permission to retrieve passwords.
Refer to this link: Manage Windows LAPS Using PowerShell for a step-by-step guide on connecting and managing Windows LAPS using PowerShell and retrieving local admin passwords for any device.
Find Windows LAPS Events in the Event Viewer
All Windows LAPS operations are monitored, and events are stored in the Windows Event Log. You can find these events in the dedicated LAPS folder containing all the relevant information.
- Event log location: Applications and Services Logs > Microsoft > Windows > LAPS > Operational.
- Event ID 10003: Background policy processing start log (Log: LAPS policy processing is now starting.)
- Event ID 10004: LAPS policy processing success. (Log: LAPS policy processing succeeded.)
- Event ID 10005: Laps policy processing failed. Error code 80070032.
- Event ID 10022: Information about current LAPS policy.
Manage Windows LAPS using Powershell
You can also manage Windows LAPS using PowerShell, which allows you to check device information, view password expiry dates, and even access the password of the managed local administrator account in plain text.
For more information on managing Windows LAPS using PowerShell, please refer to this step-by-step guide: Manage Windows LAPS Using Powershell.
Rotate Local admin password using Windows LAPS
Since the local admin user account has full control over your device, its password must be strong and regularly rotated or changed. This practice adds an extra layer of security, making it more challenging for unauthorized users to access the device.
To rotate the local admin user account password, follow this guide: 4 Ways to Rotate Local Admin Password Using Intune.
Permission Required to Access Local Admin Password in Intune
If you’re unable to access the Local Admin Password option for a device on the Intune admin center because it’s grayed, you have two options:
- You can grant permission to a user to Rotate Local Admin Password from the Intune admin center.
- Create a custom Entra ID role that allows you to view and retrieve Local Admin Passwords for devices.
1. Rotate local Admin password Permission
To assign Rotate local Admin password permission to any user, Please follow the below steps:
- Sign in to the Intune admin center > Tenant Administration > Roles
- Click on + Create to create a new custom Intune role.
- Provide a Name and Description of the custom role. For example:
- Name: Rotate local administrator password.
- Description: This role will enable the rotation of the local admin password.
- In the Permissions tab, set up the following permissions:
- Managed Devices: Read
- Organization: Read
- Rotate Local admin password: Yes
- After creating this role, you can locate it under All roles. Click on it to open, and then select Assignments under Manage. Click on + Assign to assign this role to users or administrators.
2. Create a Custom Entra ID role
The built-in Entra ID roles, including Cloud Device Administrator, Intune Administrator, and Global Administrator, automatically grant the device.LocalCredentials.Read.All permission. If a user is a member of any of these built-in roles, they can manage the local administrator password for any device.
If a user isn’t a member of any of these built-in roles but still needs to view the local admin password of devices, you must create a Custom Entra ID role and assign the following permissions to this role.
- microsoft.directory/deviceLocalCredentials/password/read
- microsoft.directory/deviceLocalCredentials/standard/read
Step to Create a Custom Entra ID role
- Sign in to the Entra admin center >Roles & admins > All roles.
- Click on + New custom role.
- Provide a Name and Description and Keep Baseline permissions as Start from scratch.
- Under the Permissions tab, select two permissions below:
- microsoft.directory/deviceLocalCredentials/password/read
- microsoft.directory/deviceLocalCredentials/standard/read
Next, create a Custom Entra role. Click on the Custom role, and then add either Eligible assignments or Active assignments to grant users access to retrieve the local admin password of Intune-managed devices.
Conclusion
In this blog post, we’ve explored the implementation of Windows LAPS on Entra ID devices via Intune. With it, you can securely store the Local admin password in Entra ID and configure automatic rotation.
Furthermore, you can control who can access the password through Azure role-based access control. Only Global Administrator, Cloud Device Administrator, and Intune Administrator members can retrieve the clear-text password by default.
To have a custom local admin account, you point to using OMA-URI in another post.
Wouldn’t the OMA-URI override the password set by LAPS?
Or am I missing something?
@Dave – It may override the password set in OMA-URI. I have not tested that scenario. But if you want to create a local user account without defining any password then you could use Powershell scripts to create a local user account and add it to Administrators group. I have written another blog post on this which shows how to create a local user account without setting any password. Her’s the blog post link:
https://cloudinfra.net/create-a-local-admin-using-intune-and-powershell/
Hi,
What happens in the background when you ‘Enable Azure AD Local Administrator Password Solution’ under device settings? I would like to test this for a group before turning it on globally – im going to use intune to push policy for it. I suspect that enabling this under device settings just turns on the feature in Azure, but if you don’t have any policies in intune, nothing happens with the end users. is it true?
Thanks.
Hi Erik, I don’t think anything actually happens on the target device until you create LAPS policy and target to the devices. This is just to enable the feature on the tenant level so that you can create the policy in Intune.
Hello! After setting up Windows LAPS in Intune for AADJ devices and creating an accompanying policy to enable the built-in Administrator account, I’m now getting an error where the UAC prompt says “the user’s password must be changed before logging on the first time.” The event log shows no errors and the following is the policy shown in Event 10022, LAPS:
Password age in days: 7
Password complexity: 4
Password length: 14
Post authentication grace period (hours): 24
Post authentication actions: 0x3
Do you have a solution for an Azure AD registered device to modify the password of a local admin account created via an OMA-URI?
Good afternoon, thanks for sharing this guide. It works very well. However, despite the fact that the new local account gets created using Custom OMA-URI settings, the report returns only errors. Does the same happens to you? Many thanks
Yes, That’s a known issue.