Implement LAPS with Intune: A Comprehensive Guide

Windows Local Administrator Password Solution (LAPS) is a free tool from Microsoft that allows you to manage and rotate local administrator passwords on Windows devices.

Windows LAPS automatically generates unique passwords for each device and securely stores them in Azure Active Directory. Windows LAPS doesn’t entail specific licensing requirements; it’s available for any organization with an Entra ID Free or higher license.

Step-by-Step guide

Prerequisites

Starting with the April 2023 updates, the following operating systems support Windows LAPS. There is no need for an agent or MSI deployment, as it is built into the Windows versions listed below once the April 2023 (or later) updates are installed.

  • Windows 11 22H2 – April 11, 2023 Update
  • Windows 11 21H2 – April 11, 2023 Update
  • Windows 10 – April 11, 2023 Update
  • Windows Server 2022 – April 11, 2023 Update
  • Windows Server 2019 – April 11, 2023 Update

Step 1 – Enable Windows LAPS in Entra Admin Center

To enable Windows LAPS, follow the below steps:

  • Sign in to the Entra admin center.
  • Go to Devices > All devices > Device Settings.
  • Toggle Yes on Enable Microsoft Entra Local Administrator Password Solution (LAPS).
  • Click on Save to save the changes.

Step 2 – Create Windows LAPS Policy

Now that we’ve enabled Windows LAPS in Entra ID, the next step is to create a policy from the Intune admin center. This policy will define all the settings for Windows LAPS and will be applied to the devices.

  • Sign in to the Intune admin center.
  • Go to Endpoint Security > Account Protection.
  • Click on + Create Policy.
  • Select Platform as Windows 10 and Later.
  • Select Profile as the Local admin password solution (Windows LAPS).
  • Click on Create.

Basics Tab

  • Name: Provide a Name of the Policy.
  • Description: Provide a useful description.

Configuration Tab

Let’s review the configuration settings below:

  • Backup Directory – You have 4 options available for this setting.
    • Disabled – The password will not be backed up.
    • Backup the password to Azure AD only.
    • Backup the password to Active Directory only.
    • Not Configured.
  • Password Age Days – Enable this setting and set it to a value between 7 and 365 days. If you do not enable this setting, it will default to 30 days.
  • Administrator Account Name – Use this setting to configure the name of the managed local administrator account. If not specified, the default built-in local administrator account will be located by a well-known SID (even if renamed).

To create a local admin account using Intune, you can follow the guide using the link: How To Create A Local Admin Account Using Intune or Create A Local Admin Using Intune And Powershell.

  • Password Complexity – The recommended setting is “Large letters + small letters + numbers + special characters”.
  • Password Length – Configure the length of the password. The minimum value is 8 and the maximum value is 64. If you do not enable this setting, the default value of 14 characters is used.
  • Post Authentication Actions – To rotate the local admin password after every use, select one option from the dropdown. If you use this option, pair it with the Post Authentication Reset Delay so that helpdesk members have enough time to finish troubleshooting before the configured post-authentication action runs. If you do not configure this setting, the default Reset password + log off is selected.
    • Reset password – Every time someone authenticates using the local admin account, its password is reset, and a new password is backed up to Azure AD.
    • Reset password and log off – Every time someone authenticates using the local admin account, its password is reset, and a new password is backed up to Azure AD + log off action will occur to avoid any further misuse of the local admin password.
    • Reset password and reboot – Every time someone authenticates using the local admin account, its password is reset, and a new password is backed up to Azure AD + reboot device action will occur to avoid any further misuse of the local admin password.
  • Post Authentication Delay – If you do not configure this option, it defaults to 24 hours. Use this setting to specify how long to wait before taking post-authentication actions; set it to 0 to disable them. The minimum value is 0 and the maximum value is 24 hours.

Assignments

Click Add groups and select the Entra security group containing Windows 10/11 devices. You should add devices to the group and target them for a controlled deployment. Once testing proves successful, you can expand the deployment by including additional devices in the group.

Review + Create

Review the deployment and click on Create to start the deployment process.


Sync Intune Policies

The device check-in process might not begin immediately. If you’re testing this policy on a test device, you can manually kickstart Intune sync from the device itself or remotely through the Intune admin center.

Alternatively, you can use PowerShell to force the Intune sync on Windows devices. Restarting the device is another way to trigger the Intune device check-in process.

Locating LAPS Settings in the Registry

After the profile is successfully deployed to the target devices, it creates a ‘LAPS’ registry key under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Policies, and the registry entries align with the policy settings.

Please note that Windows LAPS uses a background task that runs every hour to check whether the password has expired. If it has expired, the task resets the password and writes the new password to Azure AD, or to the directory specified by the Backup Directory setting.

Note

You’ll find that Intune has created the following registry entries as per the LAPS Configuration.

  • AdministratorAccountName: cloudinfraadmin
  • BackupDirectory: 1
  • PasswordAgeDays: 7
  • PasswordComplexity: 4
  • PasswordLength: 19
  • PostAuthenticationResetDelay: 0
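As an added example (not code from the original post), the following PowerShell reads the values Intune writes under the LAPS policy key and checks them against the ranges described in the Configuration Tab section, so you can confirm a device actually received the intended policy. The value-to-meaning tables for BackupDirectory and PasswordComplexity are assumptions based on the option order shown above (1 = Azure AD, 4 = all four character classes).

```powershell
# Added example: validate the Windows LAPS policy values a device received from Intune.
$LapsPolicyPath = 'HKLM:\SOFTWARE\Microsoft\Policies\LAPS'

# Assumed mappings, following the option order in the Configuration Tab section.
$BackupDirectoryNames = @{ 0 = 'Disabled'; 1 = 'Azure AD (Entra ID)'; 2 = 'Active Directory' }
$ComplexityNames = @{
    1 = 'Large letters'
    2 = 'Large + small letters'
    3 = 'Large + small letters + numbers'
    4 = 'Large + small letters + numbers + special characters'
}

function Test-LapsPolicy {
    param([string]$Path = $LapsPolicyPath)

    if (-not (Test-Path -Path $Path)) {
        return [pscustomobject]@{ Applied = $false; Findings = @("$Path not found: the LAPS policy has not applied to this device yet") }
    }
    $p = Get-ItemProperty -Path $Path
    $findings = [System.Collections.Generic.List[string]]::new()

    # BackupDirectory 0 or absent means the password is never escrowed anywhere.
    if (-not $p.BackupDirectory) { $findings.Add('BackupDirectory is 0 or absent: the password is not backed up') }
    # Documented range is 7..365 days; absent means the 30-day default applies.
    if ($p.PasswordAgeDays -and ($p.PasswordAgeDays -lt 7 -or $p.PasswordAgeDays -gt 365)) {
        $findings.Add("PasswordAgeDays=$($p.PasswordAgeDays) is outside 7..365")
    }
    # Documented range is 8..64 characters; absent means the 14-character default applies.
    if ($p.PasswordLength -and ($p.PasswordLength -lt 8 -or $p.PasswordLength -gt 64)) {
        $findings.Add("PasswordLength=$($p.PasswordLength) is outside 8..64")
    }
    # The post recommends all four character classes (value 4).
    if ($p.PasswordComplexity -and $p.PasswordComplexity -lt 4) {
        $findings.Add("PasswordComplexity=$($p.PasswordComplexity) is below the recommended value 4")
    }
    # A delay of 0 disables post-authentication actions entirely (see Configuration Tab).
    if ($null -ne $p.PostAuthenticationResetDelay -and $p.PostAuthenticationResetDelay -eq 0) {
        $findings.Add('PostAuthenticationResetDelay=0: post-authentication reset is disabled')
    }

    [pscustomobject]@{
        Applied    = $true
        Account    = if ($p.AdministratorAccountName) { $p.AdministratorAccountName } else { '(built-in Administrator, located by well-known SID)' }
        Backup     = $BackupDirectoryNames[[int]$p.BackupDirectory]
        Complexity = $ComplexityNames[[int]$p.PasswordComplexity]
        Findings   = $findings.ToArray()
    }
}

Test-LapsPolicy | Format-List
```

Run it in an elevated PowerShell session on the target device after the Intune sync has completed; an empty Findings list means every value is inside the documented range.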

More Information

How to retrieve the LAPS-managed local admin password?

Now that we manage our custom local administrator cloudinfraadmin using Windows LAPS, its password is backed up in Entra ID. The helpdesk or any IT administrator may need this password from time to time for troubleshooting purposes.

But how can you retrieve the password from Entra ID? There are three methods for retrieving the password of a managed local administrator account.

  • Using Intune admin center.
  • Using Entra admin center.
  • Using Powershell.

Let’s explore each of these methods:

1. Retrieve the Managed Local admin password from Intune admin center

To retrieve the managed local admin password from the Intune admin center, follow the below steps:

  • Sign in to the Intune admin center.
  • Go to Devices > All devices.
  • Click on the device that is targeted by the Windows LAPS policy.
  • On the left-hand side, under Monitor, find the Local admin password option.
  • Then click on Show local administrator password.
  • You can click on Show to check the password in plain text.

2. Retrieve the Managed Local admin password from Entra admin center

You can also use the Entra admin center if you prefer not to log in to the Intune admin center to retrieve the local admin password. Please follow the steps below for this:

  • Sign in to the Entra admin center.
  • Go to Devices > All devices.
  • To show the password, click on the Local administrator password recovery option on the left-hand side, or you can click on the specific device and then find the Local administrator password recovery option there as well.

3. Retrieve the Managed Local admin password with PowerShell

Another method to retrieve the password of a local admin account is by using PowerShell. You can utilize the Get-LapsAADPassword PowerShell cmdlet by first connecting to Graph. This method also requires an Entra App registration and permission to retrieve passwords.

Refer to the comprehensive guide provided in this link: Manage Windows LAPS Using PowerShell for a step-by-step guide on connecting to and managing Windows LAPS using PowerShell and retrieving local admin passwords for any device.
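As an added example (not code from the original post or the linked guide), the following PowerShell uses the LAPS module's Get-LapsAADPassword cmdlet over a Graph connection to audit which devices have an expired or missing LAPS backup in Entra ID, without retrieving the passwords themselves. It assumes the Microsoft.Graph and LAPS PowerShell modules are installed and that the signed-in identity holds the DeviceLocalCredential.Read.All Graph permission (the permission name is an assumption; the linked guide covers the app registration), and the device names are constructed placeholders.

```powershell
# Added example: report LAPS password expiry state per device via Microsoft Graph.
Import-Module LAPS
Connect-MgGraph -Scopes 'DeviceLocalCredential.Read.All'   # assumed permission name

function Get-LapsExpiryReport {
    param(
        [Parameter(Mandatory)][string[]]$DeviceIds,   # Entra device IDs or device names
        [int]$WarnWithinDays = 2
    )
    $now = Get-Date
    foreach ($id in $DeviceIds) {
        # Without -IncludePasswords the cmdlet returns only metadata (account, expiry), never the secret.
        $entry = Get-LapsAADPassword -DeviceIds $id -ErrorAction SilentlyContinue
        if (-not $entry) {
            [pscustomobject]@{ Device = $id; Account = $null; Expires = $null; State = 'NoBackup' }
            continue
        }
        $state = 'Current'
        if ($entry.PasswordExpirationTime -lt $now) { $state = 'Expired' }
        elseif ($entry.PasswordExpirationTime -lt $now.AddDays($WarnWithinDays)) { $state = 'ExpiringSoon' }

        [pscustomobject]@{
            Device  = $entry.DeviceName
            Account = $entry.Account
            Expires = $entry.PasswordExpirationTime
            State   = $state
        }
    }
}

# Constructed placeholder device names; replace with real device names or Entra device IDs.
Get-LapsExpiryReport -DeviceIds 'DESKTOP-EXAMPLE01', 'DESKTOP-EXAMPLE02' | Format-Table -AutoSize
```

Devices reporting NoBackup, or staying Expired well past the hourly background task, have not checked in or hit a LAPS processing error, and are the ones to investigate in the device's LAPS event log.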

How do you find LAPS events in the Event Log on devices?

All Windows LAPS operations are logged, and the events are stored in the Windows Event Log. You can find them in the dedicated LAPS folder, which contains all the relevant information.

Event log location: Applications and Services Logs > Microsoft > Windows > LAPS > Operational.

  • Event ID 10003: Background policy processing start log. (Log: LAPS policy processing is now starting.)
  • Event ID 10004: LAPS policy processing success. (Log: LAPS policy processing succeeded.)
  • Event ID 10005: LAPS policy processing failed. (Log: Error code 80070032.)
  • Event ID 10022: Information about the current LAPS policy.
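As an added example (not code from the original post), the following PowerShell reads the LAPS operational log and summarises a device's most recent policy-processing run from the event IDs listed above, so a failed run (Event ID 10005) can be spotted without opening Event Viewer. Run it on the device itself, or pass -ComputerName for a remote device whose event log is reachable.

```powershell
# Added example: summarise the latest Windows LAPS policy-processing run from the event log.
$LapsLogName  = 'Microsoft-Windows-LAPS/Operational'
$LapsEventIds = 10003, 10004, 10005, 10022   # start, success, failure, current policy

function Get-LapsProcessingStatus {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [int]$MaxEvents = 200
    )
    $events = Get-WinEvent -ComputerName $ComputerName -MaxEvents $MaxEvents -ErrorAction SilentlyContinue `
        -FilterHashtable @{ LogName = $LapsLogName; Id = $LapsEventIds }

    if (-not $events) {
        return [pscustomobject]@{
            Computer = $ComputerName; Status = 'NoEvents'
            Detail   = "No LAPS events found in $LapsLogName (policy not applied yet, or log cleared)"
        }
    }

    # Get-WinEvent returns newest events first, so the first 10004/10005 hit is the latest outcome.
    $lastStart   = $events | Where-Object { $_.Id -eq 10003 } | Select-Object -First 1
    $lastOutcome = $events | Where-Object { $_.Id -in 10004, 10005 } | Select-Object -First 1
    $lastPolicy  = $events | Where-Object { $_.Id -eq 10022 } | Select-Object -First 1

    $status = 'Unknown'
    if ($lastOutcome) { $status = if ($lastOutcome.Id -eq 10004) { 'Succeeded' } else { 'Failed' } }

    [pscustomobject]@{
        Computer  = $ComputerName
        LastStart = if ($lastStart) { $lastStart.TimeCreated } else { $null }
        Status    = $status
        Detail    = if ($lastOutcome) { $lastOutcome.Message } else { $null }   # e.g. error code 80070032 on failure
        Policy    = if ($lastPolicy) { $lastPolicy.Message } else { $null }     # Event 10022: effective policy as applied
    }
}

# A 'Failed' status is what a helpdesk dashboard or a detection rule should alert on.
Get-LapsProcessingStatus | Format-List
```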

How do you manage Windows LAPS using PowerShell?

You can also manage Windows LAPS using PowerShell, which allows you to check device information, view password expiry dates, and even access the password of the managed local administrator account in plain text.

For more information on managing Windows LAPS using PowerShell, please refer to this step-by-step guide: Manage Windows LAPS Using PowerShell.

How do you rotate the Local admin password using Windows LAPS?

Since the local admin user account has full control over the device, its password must be strong and rotated regularly. This practice adds an extra layer of security, making it harder for unauthorized users to gain access to the device.

To rotate the local admin user account password, follow this guide: 4 Ways to Rotate Local Admin Password Using Intune.

Required Permission to Show Local Admin Password in Intune

If you’re unable to access the Local Admin Password option for a device in the Intune admin center because it’s grayed out, you have two options:

  1. You can grant permission to a user to Rotate Local Admin Password from the Intune admin center.
  2. Create a custom Entra ID role that allows you to view and retrieve Local Admin Passwords for devices.

1. Rotate local Admin password Permission

To assign the Rotate local Admin password permission to a user, please follow the steps below:

  • Sign in to the Intune admin center.
  • Click on Tenant Administration > Roles.
  • Click on + Create to create a new custom Intune role.
  • Provide a Name and Description of the custom role. For example:
    • Name: Rotate local administrator password.
    • Description: This role will enable the rotation of the local admin password.

In the Permissions tab, set up the following permissions:

  • Managed Devices: Read
  • Organization: Read
  • Rotate Local admin password: Yes
  • After creating this role, you can locate it under All roles. Click on it to open, and then select Assignments under Manage. Click on + Assign to assign this role to users or administrators.

2. Create a Custom Entra ID role

The built-in Entra ID roles, including Cloud Device Administrator, Intune Administrator, and Global Administrator, automatically grant the device.LocalCredentials.Read.All permission. If a user is a member of any of these built-in roles, they will be able to manage the local administrator password for any device.

If a user isn’t a member of any of these built-in roles but still needs to view the local admin password of devices, you must create a Custom Entra ID role and assign the following permissions to this role.

  • microsoft.directory/deviceLocalCredentials/password/read
  • microsoft.directory/deviceLocalCredentials/standard/read

Steps to Create a Custom Entra ID role

  • Sign in to the Entra admin center.
  • Go to Roles & admins > All roles.
  • Click on + New custom role.
  • Provide a Name and Description and Keep Baseline permissions as Start from scratch.
  • Under the Permissions tab, select the two permissions below:
    • microsoft.directory/deviceLocalCredentials/password/read
    • microsoft.directory/deviceLocalCredentials/standard/read

Once the custom Entra role is created, click on it and add either Eligible assignments or Active assignments to grant users access to retrieve the local admin password of Intune-managed devices.

Conclusion

In this blog post, we’ve explored the implementation of Windows LAPS on Entra ID devices via Intune. With it, you can securely store the Local admin password in Entra ID and configure automatic rotation.

Furthermore, you can control who can access the password through Azure role-based access control. Only Global Administrator, Cloud Device Administrator, and Intune Administrator members can retrieve the clear-text password by default.

6 thoughts on “Implement LAPS with Intune: A Comprehensive Guide”

  1. To have a custom local admin account, you point to using OMA-URI in another post.
    Wouldn’t the OMA-URI override the password set by LAPS?

    Or am I missing something?

  2. Hi,
    What happens in the background when you ‘Enable Azure AD Local Administrator Password Solution’ under device settings? I would like to test this for a group before turning it on globally – I’m going to use Intune to push policy for it. I suspect that enabling this under device settings just turns on the feature in Azure, but if you don’t have any policies in Intune, nothing happens with the end users. Is it true?

    Thanks.

    • Hi Erik, I don’t think anything actually happens on the target device until you create a LAPS policy and target it to the devices. This is just to enable the feature at the tenant level so that you can create the policy in Intune.

  3. Hello! After setting up Windows LAPS in Intune for AADJ devices and creating an accompanying policy to enable the built-in Administrator account, I’m now getting an error where the UAC prompt says “the user’s password must be changed before logging on the first time.” The event log shows no errors and the following is the policy shown in Event 10022, LAPS:

    Password age in days: 7
    Password complexity: 4
    Password length: 14
    Post authentication grace period (hours): 24
    Post authentication actions: 0x3
