Windows Local Administrator Password Solution (LAPS) is a free Windows feature from Microsoft that manages and rotates the password of a local administrator account on Windows devices.
Windows LAPS generates a unique, random password for each device and backs it up to Azure Active Directory (or to on-premises Active Directory; this post covers the Azure AD path). Windows LAPS itself has no licensing requirement and is available to any tenant, including Azure AD Free; managing it through Intune, as shown here, does require the devices to be Intune-licensed.
Prerequisites
Windows LAPS is built into the operating system starting with the April 2023 security updates, so there is no agent or MSI to deploy. The supported versions are:
- Windows 11 22H2 – April 11 2023 Update
- Windows 11 21H2 – April 11 2023 Update
- Windows 10 – April 11 2023 Update
- Windows Server 2022 – April 11 2023 Update
- Windows Server 2019 – April 11 2023 Update
Step 1 – Enable Windows LAPS in Azure Active Directory
To enable Windows LAPS at the tenant level, follow the steps below:
- Sign in to the Azure portal and open Azure Active Directory
- Go to Devices > Device Settings
- Toggle Yes on Enable Azure AD Local Administrator Password Solution (LAPS)
- Click Save to save the changes
Step 2 – Create Windows LAPS Policy
Now that we’ve enabled Windows LAPS in Azure AD, the next step is to create a policy from the Microsoft Intune admin center. This policy will define all the settings for Windows LAPS and will be applied to the devices.
- Sign in to the Microsoft Intune admin center
- Go to Endpoint Security > Account Protection
- Click + Create Policy
- Select Platform: Windows 10 and later
- Select Profile: Local admin password solution (Windows LAPS)
- Click Create
Basics Tab
- Name: Provide a Name of the Policy.
- Description: Provide a useful description.
Configuration Tab
Let’s review the configuration settings below:
- Backup Directory – Four options are available for this setting:
- Disabled – the password is rotated but never backed up, so nobody can retrieve it
- Backup the password to Azure AD only
- Backup the password to Active Directory only
- Not Configured
- Password Age Days – Enable it and set it to a value between 7 and 365 days. If you do not enable this setting, by default it will be set to 30 days.
- Administrator Account Name – Use this setting to configure the name of the managed local administrator account. If not specified, the default built-in local administrator account will be located by a well-known SID (even if renamed).
To create a custom local admin account using Intune, follow one of these guides: How To Create A Local Admin Account Using Intune, or Create A Local Admin Using Intune And PowerShell.
- Password Complexity – Recommended setting is “Large letters + small letters + numbers + special characters“
- Password Length – Configure a length of the password. Minimum value is 8 and Maximum value is 64. If you do not enable this setting, then the Default value of 14 characters is used.
- Post Authentication Actions – Select one of the options from the dropdown to have the local admin password rotated after every use. Pair this with the Post Authentication Reset Delay below so that helpdesk staff have enough time to finish troubleshooting before the action fires. If you do not configure this setting, the default is Reset password and log off.
- Reset password – Every time someone authenticates with the local admin account, its password is reset and the new password is backed up to Azure AD.
- Reset password and log off – As above, plus the managed account is logged off so the retrieved password cannot be reused in that session.
- Reset password and reboot – As above, plus the device is rebooted, which also terminates anything started under the managed account.
- Post Authentication Reset Delay – The number of hours to wait after an authentication before the post-authentication action runs. The range is 0 to 24; the default is 24 hours. Setting it to 0 disables post-authentication actions entirely, so a retrieved password then stays valid until the next scheduled rotation.
Assignments
Click on Add group to add an Azure AD group containing devices. You can also click on Add all devices.
Review + Create
Review the deployment and click on Create to start the deployment process.
Sync Intune Policies
The device check-in process might not begin immediately. If you’re testing this policy on a test device, you can manually kickstart Intune sync either from the device itself or remotely through the Intune admin center.
Alternatively, you can use PowerShell to force the Intune sync on Windows devices. Another way to trigger the Intune device check-in process is by restarting the device.
Locating LAPS Settings in the Registry
After the profile is deployed to the target devices, it creates a LAPS registry key under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Policies, and the registry values there mirror the policy settings.
Please note that Windows LAPS uses a background task that runs every hour to check whether the password has expired. If it has, the task resets the password and backs the new one up to Azure AD (or to Active Directory, as configured in Backup Directory).
You’ll find that Intune has created the following registry entries matching the LAPS configuration used in this post:
- AdministratorAccountName: cloudinfraadmin
- BackupDirectory: 1
- PasswordAgeDays: 7
- PasswordComplexity: 4
- PasswordLength: 19
- PostAuthenticationResetDelay: 0
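To check what actually landed on a device, the following script (added here as an example; it is not part of the original post) reads that key and decodes the numeric values into the names used in the Intune profile, applies the documented Windows LAPS defaults for anything the policy did not set, and flags settings that weaken the deployment. The value-to-name mappings for BackupDirectory, PasswordComplexity and PostAuthenticationActions are the ones documented for the Windows LAPS CSP. The sample hashtable reuses the values shown above so the decoder can be exercised on any machine; `Get-LapsPolicyFromRegistry` does the live read on a managed device.

```powershell
# Added example (not from the original post): decode the Windows LAPS policy that Intune
# writes under HKLM\SOFTWARE\Microsoft\Policies\LAPS and flag weak settings.
$LapsPolicyPath = 'HKLM:\SOFTWARE\Microsoft\Policies\LAPS'

# Numeric values as written by the LAPS CSP, mapped to the names shown in the Intune profile
$BackupDirectoryNames = @{ 0 = 'Disabled (password is not backed up)'; 1 = 'Azure AD'; 2 = 'Active Directory' }
$ComplexityNames      = @{ 1 = 'Large letters'; 2 = 'Large + small letters';
                           3 = 'Large + small + numbers'; 4 = 'Large + small + numbers + special characters' }
$PostAuthActionNames  = @{ 1 = 'Reset password'; 3 = 'Reset password and log off'; 5 = 'Reset password and reboot' }

function Get-LapsPolicyFromRegistry {
    # Live read of the policy key; returns a plain hashtable of value name -> data
    if (-not (Test-Path $LapsPolicyPath)) {
        throw "No LAPS policy at $LapsPolicyPath - the Intune profile has not applied to this device yet."
    }
    $policy = @{}
    foreach ($prop in (Get-ItemProperty -Path $LapsPolicyPath).PSObject.Properties) {
        if ($prop.Name -notlike 'PS*') { $policy[$prop.Name] = $prop.Value }   # skip PSPath, PSParentPath, ...
    }
    return $policy
}

function ConvertFrom-LapsPolicy {
    param([Parameter(Mandatory)][hashtable]$Policy)

    # Values the policy leaves unset fall back to the documented defaults
    function Get-Value([string]$Name, $Default) { if ($Policy.ContainsKey($Name)) { $Policy[$Name] } else { $Default } }

    $backup  = [int](Get-Value 'BackupDirectory' 0)
    $age     = [int](Get-Value 'PasswordAgeDays' 30)
    $length  = [int](Get-Value 'PasswordLength' 14)
    $cplx    = [int](Get-Value 'PasswordComplexity' 4)
    $action  = [int](Get-Value 'PostAuthenticationActions' 3)
    $delay   = [int](Get-Value 'PostAuthenticationResetDelay' 24)
    $account = Get-Value 'AdministratorAccountName' '(built-in Administrator, located by well-known RID 500)'

    $findings = New-Object System.Collections.Generic.List[string]
    if ($backup -eq 0) { $findings.Add('BackupDirectory=0: the password is rotated but never backed up, so nobody can retrieve it.') }
    if ($length -lt 14) { $findings.Add("PasswordLength=$length is below the 14-character default.") }
    if ($cplx -lt 4)   { $findings.Add("PasswordComplexity=$cplx: the recommended value is 4.") }
    if ($delay -eq 0)  { $findings.Add('PostAuthenticationResetDelay=0: post-authentication actions are disabled; a retrieved password stays valid until the next scheduled rotation.') }
    if ($age -gt 30)   { $findings.Add("PasswordAgeDays=$age: a rotation interval above the 30-day default lengthens the exposure of a leaked password.") }

    $backupName = if ($BackupDirectoryNames.ContainsKey($backup)) { $BackupDirectoryNames[$backup] } else { "Unknown ($backup)" }
    $cplxName   = if ($ComplexityNames.ContainsKey($cplx))        { $ComplexityNames[$cplx] }        else { "Unknown ($cplx)" }
    $actionName = if ($PostAuthActionNames.ContainsKey($action))  { $PostAuthActionNames[$action] }  else { "Unknown ($action)" }

    [pscustomobject]@{
        ManagedAccount     = $account
        BackupDirectory    = $backupName
        PasswordAgeDays    = $age
        PasswordLength     = $length
        PasswordComplexity = $cplxName
        PostAuthAction     = $actionName
        PostAuthDelayHours = $delay
        Findings           = $findings.ToArray()
    }
}

# Constructed sample reusing the values shown in the post (not read from a real device)
$sample = @{
    AdministratorAccountName     = 'cloudinfraadmin'
    BackupDirectory              = 1
    PasswordAgeDays              = 7
    PasswordComplexity           = 4
    PasswordLength               = 19
    PostAuthenticationResetDelay = 0
}
ConvertFrom-LapsPolicy -Policy $sample | Format-List

# On a managed device, decode the live policy instead:
# ConvertFrom-LapsPolicy -Policy (Get-LapsPolicyFromRegistry) | Format-List
```

Run on the sample, the decoder reports the Azure AD backup target and the 19-character, full-complexity password, and its one finding is the delay of 0, which is exactly the trade-off the Post Authentication settings above describe. If the key is present but you do not want to wait for the hourly task, the built-in `Invoke-LapsPolicyProcessing` cmdlet applies the policy immediately on the device.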
More Information
How to retrieve the LAPS-managed local admin password?
Now that our custom local administrator ‘cloudinfraadmin’ is managed by Windows LAPS, its password is backed up in Azure AD. The helpdesk or an IT administrator will need this password from time to time for troubleshooting.
So how do you retrieve the password from Azure AD? There are three methods for retrieving the password of a managed local administrator account:
- Using Intune admin center
- Using Entra admin center
- Using Powershell
Let’s explore these three methods:
1. Retrieve the Managed Local admin password from Intune Admin Portal
To retrieve the managed local admin password from the Intune admin center, follow the steps below:
- Sign in to Microsoft Intune admin center
- Go to Devices > All devices
- Click on the device that is targeted by the Windows LAPS policy
- On the left-hand side under Monitor find the Local admin password option
- Then click on Show local administrator password.
- You can click on Show to check the password in plain text.
2. Retrieve Managed Local admin password from the Entra admin center
If you prefer not to use the Intune admin center, you can retrieve the local admin password from the Entra admin center instead. Follow the steps below:
- Sign in to the Microsoft Entra admin center
- Go to Devices > All devices
- Click “Local administrator password recovery (Preview)” in the left-hand menu; alternatively, open the specific device and use the same “Local administrator password recovery (Preview)” option on its page to show the password.
3. Retrieve Managed Local admin password with Powershell
Another way to retrieve the password of a managed local admin account is PowerShell: the Get-LapsAADPassword cmdlet from the built-in LAPS module reads it from Azure AD after you connect with the Microsoft Graph PowerShell SDK using the Device.Read.All and DeviceLocalCredential.Read.All permissions. The linked guide below grants those permissions through an Azure AD app registration.
For a step-by-step guide on how to connect to Windows LAPS using PowerShell and manage it, as well as retrieve local admin passwords for any device, you can refer to the comprehensive guide provided in this link: Manage Windows LAPS Using PowerShell.
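The following function is an added example, not code from the original post or from the linked guide. It wraps Get-LapsAADPassword so that the password stays a SecureString unless the caller explicitly asks for plain text, and it reports when the current password expires. It assumes the Microsoft.Graph module is installed (`Install-Module Microsoft.Graph`) and that the signed-in account holds a role carrying microsoft.directory/deviceLocalCredentials/password/read (see the permissions section later in this post). The device name ‘DESKTOP-TEST01’ in the usage lines is a placeholder.

```powershell
# Added example (not from the original post): retrieve the LAPS-managed password for one device
# from Azure AD. Assumes the Microsoft.Graph module is installed and the signed-in account holds a
# role with microsoft.directory/deviceLocalCredentials/password/read.
function Get-ManagedAdminPassword {
    param(
        [Parameter(Mandatory)][string]$DeviceName,   # Azure AD device display name (Get-LapsAADPassword also accepts device IDs)
        [switch]$AsPlainText,                         # default keeps the password as a SecureString
        [switch]$IncludeHistory                       # also return previous passwords, useful after a suspected leak
    )
    # Delegated scopes documented for Get-LapsAADPassword; re-running Connect-MgGraph with the same scopes is harmless
    Connect-MgGraph -Scopes 'Device.Read.All', 'DeviceLocalCredential.Read.All'

    $splat = @{
        DeviceIds        = $DeviceName
        IncludePasswords = $true
        IncludeHistory   = $IncludeHistory.IsPresent
    }
    if ($AsPlainText) { $splat.AsPlainText = $true }

    $entries = Get-LapsAADPassword @splat
    if (-not $entries) {
        throw "No LAPS password stored in Azure AD for '$DeviceName' (device not targeted by the policy, or not rotated yet)."
    }

    foreach ($e in $entries) {
        $daysLeft = if ($e.PasswordExpirationTime) {
            [math]::Round(($e.PasswordExpirationTime - (Get-Date)).TotalDays, 1)
        } else { $null }
        [pscustomobject]@{
            DeviceName      = $e.DeviceName
            Account         = $e.Account
            Password        = $e.Password              # SecureString unless -AsPlainText was given
            PasswordUpdated = $e.PasswordUpdateTime
            PasswordExpires = $e.PasswordExpirationTime
            DaysUntilExpiry = $daysLeft
        }
    }
}

# Usage (placeholder device name): metadata only, password kept as a SecureString
Get-ManagedAdminPassword -DeviceName 'DESKTOP-TEST01' |
    Select-Object DeviceName, Account, PasswordUpdated, PasswordExpires, DaysUntilExpiry

# Reveal the text only when a person has to type it:
# Get-ManagedAdminPassword -DeviceName 'DESKTOP-TEST01' -AsPlainText | Select-Object Account, Password
```

Every retrieval is recorded in the Azure AD audit log, so this function leaves a trail even when the SecureString is never decoded. Once the helpdesk session is over, rotate the password (the Intune “Rotate local admin password” action, or a Post Authentication Action in the policy) rather than leaving a password that has been shown on a screen in place until its scheduled expiry.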
How to find LAPS events in the Event Log on devices?
All Windows LAPS operations are logged to a dedicated channel in the Windows Event Log, which contains everything needed to troubleshoot policy processing.
Event log location: Applications and Services Logs > Microsoft > Windows > LAPS > Operational
- Event ID 10003: background policy processing has started (message: LAPS policy processing is now starting.)
- Event ID 10004: policy processing succeeded (message: LAPS policy processing succeeded.)
- Event ID 10005: policy processing failed; the message carries the error code (for example Error code 80070032, which is the Win32 ERROR_NOT_SUPPORTED)
- Event ID 10022: information about the currently active LAPS policy
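As an added example (not part of the original post), the script below turns those events into a quick health verdict for a device: it counts runs, successes and failures, extracts the HRESULT from each failure message, and reports STALE if the hourly task has not logged a success recently. The channel name Microsoft-Windows-LAPS/Operational is the log shown above as seen by Get-WinEvent. The sample events are constructed to mirror the messages listed above (a failed run followed by a successful one) so the summariser can run on any machine; `Get-LapsHealthFromLog` reads the real log.

```powershell
# Added example (not from the original post): summarise Windows LAPS policy-processing health
# from the Microsoft-Windows-LAPS/Operational log using the event IDs listed above.
$LapsLog = 'Microsoft-Windows-LAPS/Operational'

# Win32 meaning of HRESULTs seen in 10005 events; only the one shown in the post is mapped here
$KnownErrors = @{ '0x80070032' = 'ERROR_NOT_SUPPORTED' }

function Get-LapsHealth {
    param(
        [object[]]$Events = @(),        # objects with Id, TimeCreated and Message (as returned by Get-WinEvent)
        [int]$MaxHoursSinceSuccess = 2   # the policy task runs hourly, so two silent hours is a warning
    )
    $starts    = @($Events | Where-Object Id -eq 10003)
    $successes = @($Events | Where-Object Id -eq 10004)
    $failures  = @($Events | Where-Object Id -eq 10005)
    $lastOk    = ($successes | Sort-Object TimeCreated -Descending | Select-Object -First 1).TimeCreated
    $lastFail  = ($failures  | Sort-Object TimeCreated -Descending | Select-Object -First 1).TimeCreated

    # Pull the HRESULT out of each failure message and annotate the ones we recognise
    $failureDetails = foreach ($f in $failures) {
        $code = if ($f.Message -match '(?:0x)?(8[0-9A-Fa-f]{7})') { '0x' + $Matches[1].ToUpper() } else { 'unknown' }
        [pscustomobject]@{
            Time    = $f.TimeCreated
            Code    = $code
            Meaning = if ($KnownErrors.ContainsKey($code)) { $KnownErrors[$code] } else { 'not mapped' }
        }
    }

    # FAILING: the most recent run failed; STALE: no success inside the window; otherwise HEALTHY
    $status = if ($lastFail -and ($null -eq $lastOk -or $lastFail -gt $lastOk)) { 'FAILING' }
              elseif ($null -eq $lastOk -or $lastOk -lt (Get-Date).AddHours(-$MaxHoursSinceSuccess)) { 'STALE' }
              else { 'HEALTHY' }

    [pscustomobject]@{
        Status         = $status
        Runs           = $starts.Count
        Successes      = $successes.Count
        Failures       = $failures.Count
        LastSuccess    = $lastOk
        FailureDetails = @($failureDetails)
    }
}

function Get-LapsHealthFromLog {
    param([int]$Hours = 24, [string]$ComputerName = $env:COMPUTERNAME)
    # Get-WinEvent errors when nothing matches, so treat "no events" as an empty set
    $events = Get-WinEvent -ComputerName $ComputerName -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName   = $LapsLog
        Id        = 10003, 10004, 10005
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-LapsHealth -Events @($events)
}

# Constructed sample events mirroring the IDs and messages listed above (not captured from a real device)
$now = Get-Date
$sampleEvents = @(
    [pscustomobject]@{ Id = 10003; TimeCreated = $now.AddMinutes(-70); Message = 'LAPS policy processing is now starting.' }
    [pscustomobject]@{ Id = 10005; TimeCreated = $now.AddMinutes(-69); Message = 'LAPS policy processing failed. Error code 80070032.' }
    [pscustomobject]@{ Id = 10003; TimeCreated = $now.AddMinutes(-10); Message = 'LAPS policy processing is now starting.' }
    [pscustomobject]@{ Id = 10004; TimeCreated = $now.AddMinutes(-9);  Message = 'LAPS policy processing succeeded.' }
)
Get-LapsHealth -Events $sampleEvents | Format-List

# On a managed device: Get-LapsHealthFromLog -Hours 24 | Format-List
```

When a device sits at FAILING with 0x80070032 (ERROR_NOT_SUPPORTED) after the policy has arrived, the first thing to verify is the tenant-level toggle from Step 1, since the device cannot back the password up to Azure AD until that is enabled.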
How to manage Windows LAPS using Powershell?
You can also manage Windows LAPS using PowerShell, which allows you to check device information, view password expiry dates, and even access the password of the managed local administrator account in plain text.
For more information on how to manage Windows LAPS using PowerShell, please refer to this step-by-step guide: Manage Windows LAPS Using Powershell.
How to rotate Local admin password using Windows LAPS?
Since the local admin user account has full control over your device, it’s essential that its password is both strong and regularly rotated or changed. This practice adds an extra layer of security, making it more challenging for unauthorized users to gain access to the device
To rotate the local admin user account password, you can follow a step-by-step guide: 4 Ways to Rotate Local Admin Password Using Intune.
Required permission to show the Local Admin Password in Intune
If the Local admin password option for a device is grayed out in the Intune admin center, you have two options:
- You can grant a user ‘Rotate Local Admin Password‘ permission from the Intune admin center.
- Create a custom Azure AD role that allows you to view and retrieve Local Admin Passwords for devices.
1. “Rotate local Admin password” Permission
To assign “Rotate local Admin password” permission to any user, Please follow the below steps:
- Login on Microsoft Intune admin center
- Click on Tenant Administration > Roles
- Click on + Create to create a new custom Intune role
- Provide a Name and Description of the custom role. For example Name: Rotate local Administrator password and Description: This role will be able to rotate local admin password.
In the Permissions tab, set up the following permissions:
- Managed Devices: Read
- Organization: Read
- Rotate Local admin password: Yes
- After creating this role, you can locate it under ‘All roles.’ Click on it to open, and then select ‘Assignments‘ under ‘Manage.’ Click on ‘+ Assign‘ to assign this role to users or administrators.
2. Create a Custom Azure AD role
The built-in Azure AD roles Cloud Device Administrator, Intune Administrator and Global Administrator already carry the microsoft.directory/deviceLocalCredentials/password/read action. A member of any of these roles can read the local administrator password of any device in the tenant.
If a user is not a member of one of these built-in roles but still needs to view local admin passwords, create a custom Azure AD role that grants only the following two actions:
- microsoft.directory/deviceLocalCredentials/password/read
- microsoft.directory/deviceLocalCredentials/standard/read
Steps to create a custom Azure AD role
- Login on Microsoft Azure Portal
- Go to Azure Active Directory > Roles and administrators
- Click on + New custom role
- Provide a Name and Description and Keep Baseline permissions as “Start from scratch”
- Under Permissions tab select below two permissions:
microsoft.directory/deviceLocalCredentials/password/read
microsoft.directory/deviceLocalCredentials/standard/read
Next, assign the custom role. Open the role you just created and add either Eligible assignments or Active assignments to grant users access to retrieve the local admin password of Intune-managed devices.
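The same role can be created and assigned from PowerShell, which is easier to review and repeat than portal clicks. The script below is an added example, not code from the original post. It uses the Microsoft Graph PowerShell SDK (`Install-Module Microsoft.Graph`) and assumes the signed-in account may manage directory roles; the role name ‘LAPS Password Reader’ and the `$HelpdeskGroupId` placeholder are choices made for this example, and the group it points at must be a role-assignable group (Azure AD roles cannot be assigned to ordinary groups).

```powershell
# Added example (not from the original post): create the custom Azure AD role described above with the
# Microsoft Graph PowerShell SDK and assign it to a role-assignable helpdesk group.
Connect-MgGraph -Scopes 'RoleManagement.ReadWrite.Directory'

$HelpdeskGroupId = '00000000-0000-0000-0000-000000000000'   # placeholder; replace with your group's object ID

# Exactly the two directory actions the post lists; nothing broader, so the role cannot
# read or change any other device attribute.
$lapsReadActions = @(
    'microsoft.directory/deviceLocalCredentials/password/read'
    'microsoft.directory/deviceLocalCredentials/standard/read'
)

# Idempotent: reuse the role if a previous run already created it
$existing = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'LAPS Password Reader'"
$role = if ($existing) { $existing } else {
    New-MgRoleManagementDirectoryRoleDefinition -BodyParameter @{
        displayName     = 'LAPS Password Reader'
        description     = 'Read LAPS-managed local administrator passwords and their metadata'
        isEnabled       = $true
        rolePermissions = @(@{ allowedResourceActions = $lapsReadActions })
    }
}

# Active, tenant-wide assignment ('/' scope). To limit the group to devices in one administrative
# unit, set directoryScopeId to "/administrativeUnits/<unit object ID>" instead.
New-MgRoleManagementDirectoryRoleAssignment -BodyParameter @{
    principalId      = $HelpdeskGroupId
    roleDefinitionId = $role.Id
    directoryScopeId = '/'
}

# Verify what the role actually grants before handing it out
(Get-MgRoleManagementDirectoryRoleDefinition -UnifiedRoleDefinitionId $role.Id).RolePermissions.AllowedResourceActions
```

This creates an active assignment. If you want the eligible assignments the portal steps mention (so helpdesk staff activate the role just-in-time), create them through Privileged Identity Management rather than New-MgRoleManagementDirectoryRoleAssignment.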
Conclusion
In this blog post, we’ve explored the implementation of Windows LAPS on Azure AD devices via Intune. With it, you can securely store the Local admin password in Azure AD and configure automatic rotation.
Furthermore, you control who can read the password through Azure AD role-based access control. By default, only members of the Global Administrator, Cloud Device Administrator and Intune Administrator roles can retrieve the clear-text password.
To have a custom local admin account, you point to using OMA-URI in another post.
Wouldn’t the OMA-URI override the password set by LAPS?
Or am I missing something?
@Dave – It may override the password set in OMA-URI. I have not tested that scenario. But if you want to create a local user account without defining any password then you could use PowerShell scripts to create a local user account and add it to the Administrators group. I have written another blog post on this which shows how to create a local user account without setting any password. Here’s the blog post link:
https://cloudinfra.net/create-a-local-admin-using-intune-and-powershell/
Hi,
What happens in the background when you ‘Enable Azure AD Local Administrator Password Solution’ under device settings? I would like to test this for a group before turning it on globally – I’m going to use Intune to push the policy for it. I suspect that enabling this under device settings just turns on the feature in Azure, but if you don’t have any policies in Intune, nothing happens with the end users. Is that true?
Thanks.
Hi Erik, I don’t think anything actually happens on the target device until you create a LAPS policy and target it to the devices. This just enables the feature at the tenant level so that you can create the policy in Intune.