Implement Windows LAPS on Azure AD devices using Intune

Windows Local Administrator Password Solution (LAPS) is a free tool from Microsoft that manages and rotates local administrator passwords on Windows devices. By default, the local administrator password on Windows devices is the same across all devices, which is a security risk: one compromised password grants access to every device.

LAPS solves this problem by automatically generating a unique password for each device and storing it securely in Azure Active Directory. There are no specific license requirements for using Windows LAPS; it is available to any organization with an Azure AD Free or higher license.

If you want to manage Windows LAPS using PowerShell, see the step-by-step guide Manage Windows LAPS Using PowerShell.

LAPS is the management of local account passwords on Windows devices. LAPS provides a solution to securely manage and retrieve the built-in local admin password. With the cloud version of LAPS, customers can enable storing and rotation of local admin passwords for both Azure AD joined and hybrid Azure AD joined devices.

Official definition of Azure AD Local Administrator Password Solution (LAPS)

Prerequisites

The following operating systems with the April 2023 updates or later support Windows LAPS. No agent or MSI deployment is required: Windows LAPS is built into these Windows versions from the April 2023 updates onwards.

  • Windows 11 22H2 – April 11 2023 Update
  • Windows 11 21H2 – April 11 2023 Update
  • Windows 10 – April 11 2023 Update
  • Windows Server 2022 – April 11 2023 Update
  • Windows Server 2019 – April 11 2023 Update

Enable Windows LAPS in Azure Active Directory

The first step is to enable Azure AD LAPS in the Azure Active Directory device settings. Use the steps below to enable LAPS in Azure AD:

  • Sign in to Azure Active Directory.
  • Go to Devices > Device Settings.
  • Toggle Yes on Enable Azure AD Local Administrator Password Solution (LAPS).
  • Click Save to save the changes.

Create Windows LAPS Policy for Windows 10

Now that Windows LAPS is enabled in Azure AD, we will create a policy from the Microsoft Intune admin center. This policy defines all the Windows LAPS settings and is applied to the targeted devices.

To create a Windows LAPS policy from the Microsoft Intune portal, follow the steps below:

  • Sign in to the Microsoft Intune admin center.
  • Go to Endpoint Security > Account Protection.
  • Click + Create Policy.
  • Select Platform: Windows 10 and later.
  • Select Profile: Local admin password solution (Windows LAPS).
  • Click Create.

Basics Tab

On the basics tab, provide a Name and Description of the Windows LAPS Profile.

  • Name: Cloudinfra Windows LAPS
  • Description: This is a Windows LAPS profile for devices which are joined to cloudInfra.net Azure AD Organization and Enrolled into MS Intune.

Configuration Tab

This is where you define your LAPS policy settings. Each setting and its recommended configuration is described below:

  • Backup Directory – Backup the password to Azure AD only.
  • Password Age Days – Enable it and set it to a value between 7 and 365 days. If you do not enable this setting, the default of 30 days is used.
  • Administrator Account Name – You can manage a custom local admin account that you have already created on all your organization's devices. If you do not specify an administrator account name, the default built-in local Administrator account is located by its well-known SID (even if it has been renamed) and managed by Intune.
If you provide a custom local admin account to manage with Windows LAPS, you must ensure that the account already exists: Windows LAPS does not create the account. To create a local admin account using Intune, follow one of these guides: How To Create A Local Admin Account Using Intune or Create A Local Admin Using Intune And PowerShell.
  • Password Complexity – The recommended setting is "Large letters + small letters + numbers + special characters".
  • Password Length – Configure the length of the password. The minimum value is 8 and the maximum is 64. If you do not enable this setting, the default of 14 characters is used. I have used a length of 19 for my cloudinfra organization.
  • Post Authentication Actions – If you want to rotate the local admin password after every use, select one of the options from the dropdown. If you use this option, pair it with Post Authentication Reset Delay so that the helpdesk member has enough time to complete troubleshooting before the configured post-authentication action is taken. If you do not configure this setting, Reset password + log off is selected by default.
    • Reset password – Every time someone authenticates using the local admin account, its password is reset and the new password is backed up to Azure AD.
    • Reset password and log off – Every time someone authenticates using the local admin account, its password is reset and the new password is backed up to Azure AD, and the session is logged off to prevent further use of the old local admin password.
    • Reset password and reboot – Every time someone authenticates using the local admin account, its password is reset and the new password is backed up to Azure AD, and the device is rebooted to prevent further use of the old local admin password.
  • Post Authentication Delay – If you do not configure this option, it defaults to 24 hours. Use this setting to specify the amount of time to wait before taking the post-authentication actions. To disable the post-authentication actions, set Post Authentication Delay to 0. The minimum value is 0 and the maximum is 24 for this setting.

Assignments

Create an Azure AD security group containing the users or devices to which this device configuration profile needs to be deployed. Note that if you add users to the group, the Cloudinfra Windows LAPS policy is applied to all of those users' devices that are joined to Azure AD and enrolled in Intune. If you want to deploy it to specific devices, add devices to the Azure AD security group rather than users.

To deploy it to all end-user devices, click + Add all devices to target every device enrolled in Intune.

Review + Create

On the Review + Create tab, review the profile and click Create. As soon as you click the Create button, the Cloudinfra Windows LAPS policy is created and assigned to the targeted devices.


Intune Policy Refresh Cycle

The device will sync (check in) to start deployment of this profile. It may take some time for the process to start, so if you are testing on a test device you can force an Intune refresh cycle on the device to speed up the download and installation. You can also use PowerShell to force an Intune refresh cycle.

Alternatively, restart the device, which also starts the device check-in process. A manual sync is not mandatory on users' devices because check-in happens automatically, but when testing on a test device it speeds up your testing and saves some time.

Where to find LAPS settings in Registry

When the profile is successfully deployed to the target devices, it creates a registry key called LAPS under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Policies\, and registry entries are created according to the policy settings.

Useful Information
Note that Windows LAPS uses a background task that runs every hour to check whether the password has expired. If it has, the task resets the password and updates the new password in Azure AD.

The following registry entries are created by Intune, matching the policy configured above:

  • AdministratorAccountName: cloudinfraadmin
  • BackupDirectory: 1
  • PasswordAgeDays: 7
  • PasswordComplexity: 4
  • PasswordLength: 19
  • PostAuthenticationResetDelay: 0
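As an added example (not code from the original post), the following PowerShell reads the LAPS policy key described above on a device, decodes the numeric values into the setting names used in the Intune profile, and flags values weaker than the defaults and recommendations stated in this post. The value-to-name mappings follow the Windows LAPS policy documentation; the defaults used when a value is missing (backup disabled, 30 days, 14 characters, complexity 4) are assumptions taken from this post.

```powershell
# Added example: decode the Windows LAPS policy values that Intune writes under
# HKLM\SOFTWARE\Microsoft\Policies\LAPS and flag weak settings.
$lapsKey = 'HKLM:\SOFTWARE\Microsoft\Policies\LAPS'

$backupDirectoryNames = @{ 0 = 'Disabled'; 1 = 'Azure AD'; 2 = 'Active Directory' }
$complexityNames = @{
    1 = 'Large letters'
    2 = 'Large letters + small letters'
    3 = 'Large letters + small letters + numbers'
    4 = 'Large letters + small letters + numbers + special characters'
}

function Get-LapsPolicyReport {
    if (-not (Test-Path $lapsKey)) {
        Write-Warning "No LAPS policy key found at $lapsKey - the Intune profile has not applied yet."
        return
    }
    $p = Get-ItemProperty -Path $lapsKey

    # Fall back to the documented defaults when a value is not set by policy (assumed defaults).
    $backup     = if ($null -ne $p.BackupDirectory)    { [int]$p.BackupDirectory }    else { 0 }
    $ageDays    = if ($null -ne $p.PasswordAgeDays)    { [int]$p.PasswordAgeDays }    else { 30 }
    $length     = if ($null -ne $p.PasswordLength)     { [int]$p.PasswordLength }     else { 14 }
    $complexity = if ($null -ne $p.PasswordComplexity) { [int]$p.PasswordComplexity } else { 4 }
    $account    = if ($p.AdministratorAccountName) { $p.AdministratorAccountName } else { '<built-in Administrator, located by SID>' }

    # Findings a defender would want to see at a glance.
    $findings = @()
    if ($backup -eq 0)     { $findings += 'BackupDirectory is Disabled: passwords are neither backed up nor rotated.' }
    if ($length -lt 14)    { $findings += "PasswordLength $length is below the default of 14." }
    if ($complexity -lt 4) { $findings += "PasswordComplexity $complexity is weaker than the recommended value 4." }
    if ($ageDays -gt 30)   { $findings += "PasswordAgeDays $ageDays is longer than the default of 30." }

    [pscustomobject]@{
        ManagedAccount     = $account
        BackupDirectory    = $backupDirectoryNames[$backup]
        PasswordAgeDays    = $ageDays
        PasswordLength     = $length
        PasswordComplexity = $complexityNames[$complexity]
        Findings           = if ($findings) { $findings -join ' ' } else { 'None' }
    }
}

Get-LapsPolicyReport | Format-List
```

Run it in an elevated PowerShell session on a device that has received the profile; a device with the settings shown above reports no findings.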

How to retrieve the LAPS-managed local admin password

Now that our custom local administrator account cloudinfraadmin is managed by Windows LAPS, its password is backed up to Azure AD. Helpdesk staff or any IT administrator may need this password from time to time for troubleshooting.

But how do you retrieve the password from Azure AD? There are two ways to check the password of the managed custom local administrator. The first and easiest way is to retrieve the local admin account's password from the Azure AD device object.

The second option is to retrieve the password from Azure AD using Microsoft Graph. A PowerShell cmdlet called Get-LapsAADPassword is available to make this a bit easier.

1. Retrieve the local admin password from the Intune admin center

To check the password of the local administrator account, go to the Intune admin center, search for the device object and then view the password. The steps are:

  • Sign in to the Microsoft Intune admin center.
  • Go to Devices > All devices.
  • Click the device targeted by the Windows LAPS policy.
  • On the left-hand side, under Monitor, find the Local admin password option.
  • Click Show local administrator password.

You can click on Show to check the password in plain-text.


2. Retrieve the local admin password from the Microsoft Entra admin center

If you do not want to sign in to the Intune admin center to retrieve the local admin password, you can use the Microsoft Entra admin center instead. Follow these steps:

  • Sign in to the Microsoft Entra admin center.
  • Go to Devices > All devices.
  • Click the "Local administrator password recovery (Preview)" option on the left-hand side, or click the specific device and find the "Local administrator password recovery (Preview)" option there to show the password.

3. Retrieve the local admin password using PowerShell

You can also retrieve the password of a local admin account using PowerShell. Use the Get-LapsAADPassword cmdlet after first connecting to Microsoft Graph. You also need an Azure AD app registration with the necessary permissions granted for retrieving the password.

For a step-by-step guide on connecting to and managing Windows LAPS with PowerShell, including how to retrieve the local admin password of any device, see Manage Windows LAPS Using PowerShell.

How to find LAPS events in Event log on devices

All Windows LAPS operations are tracked and their events are stored in the Windows event log. A dedicated LAPS log folder provides all the related information.

Event log location: Applications and Services Logs > Microsoft > Windows > LAPS > Operational

  • Event ID 10003: Background policy processing started (Log: LAPS policy processing is now starting.)
  • Event ID 10004: LAPS policy processing succeeded (Log: LAPS policy processing succeeded.)
  • Event ID 10005: LAPS policy processing failed (Log: Error code 80070032.)
  • Event ID 10022: Information about the current LAPS policy.
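As an added example (not code from the original post), this PowerShell queries the LAPS Operational channel for the event IDs listed above and reports whether the most recent policy run succeeded or failed, which is the first thing to check when a device has not backed up its password. The channel name Microsoft-Windows-LAPS/Operational corresponds to the event log path given above.

```powershell
# Added example: summarise Windows LAPS policy-processing events on a device.
$logName = 'Microsoft-Windows-LAPS/Operational'

# Meanings of the event IDs described in this post.
$eventMeanings = @{
    10003 = 'Policy processing started'
    10004 = 'Policy processing succeeded'
    10005 = 'Policy processing failed'
    10022 = 'Current policy information'
}

function Get-LapsEventSummary {
    param([int]$MaxEvents = 200)
    # Get-WinEvent returns newest events first.
    $events = Get-WinEvent -FilterHashtable @{ LogName = $logName; Id = @(10003, 10004, 10005, 10022) } `
                           -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
    if (-not $events) {
        Write-Warning "No LAPS policy events found in $logName (the policy may not have applied yet)."
        return
    }
    foreach ($e in $events) {
        [pscustomobject]@{
            Time    = $e.TimeCreated
            Id      = $e.Id
            Meaning = $eventMeanings[$e.Id]
            # Keep only the first line of the message; it carries the status or error code.
            Message = ($e.Message -split '\r?\n')[0]
        }
    }
}

$summary = Get-LapsEventSummary
$summary | Format-Table -AutoSize

# The newest 10004/10005 event tells you how the latest policy run ended.
$latestOutcome = $summary | Where-Object { $_.Id -in 10004, 10005 } | Select-Object -First 1
if ($latestOutcome -and $latestOutcome.Id -eq 10005) {
    Write-Warning "Latest LAPS policy run failed: $($latestOutcome.Message)"
}
```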

How to rotate Local admin password using Windows LAPS

The local admin account has full control of the device, so its password must be strong and rotated regularly to make it difficult for an unauthorized user to gain access to the device.

For the different ways to rotate the local admin account password, I have written a separate blog post: 4 Ways to Rotate the Local Admin Password Using Intune.

How to manage Windows LAPS using Powershell

You can also manage Windows LAPS using PowerShell, which includes checking the device information and password expiry date and viewing the password of the managed local administrator account in plain text.

If you want to manage Windows LAPS using PowerShell, see the step-by-step guide Manage Windows LAPS Using PowerShell.

Conclusion

In this blog post, we have seen how to implement Windows LAPS on Azure AD devices via Intune. Note that at the time of writing, this feature is still in public preview. You can easily store the local admin password in Azure AD and have it rotated automatically according to your configuration.

You can also control who can see the password using Azure role based access control. By default, only members of the Global Administrator, Cloud Device Administrator, and Intune Administrator roles can retrieve the clear-text password.

2 thoughts on “Implement Windows LAPS on Azure AD devices using Intune”

  1. To have a custom local admin account, you point to using OMA-URI in another post.
    Wouldn’t the OMA-URI override the password set by LAPS?

    Or am I missing something?

