In this guide, I will show you how you can manage Windows LAPS using PowerShell. Windows Local Administrator Password Solution (LAPS) helps manage and protect the built-in administrator account and a custom administrator account on Windows devices.
To get started with Windows LAPS, I have created a comprehensive guide on the implementation of Windows LAPS. Refer to the link: LAPS with Intune: A Comprehensive Guide for more details.
In the Windows LAPS policy, you can configure the local account password to be backed up to Active Directory or Entra ID. You also have the option not to back up the password and to keep it only on the local device.
3 ways of retrieving the password of the local admin account
- Using Intune admin center
- Using Entra admin center
- Using PowerShell
In this blog post, I’ll demonstrate how to retrieve the password of a managed local admin user account using PowerShell. Please refer to the Implement LAPS with Intune: A Comprehensive Guide link, which provides the steps for retrieving the password of the local admin account using the Intune admin center (option 1) and from Entra ID (option 2).
Use Automatic account management Policy CSP settings to create and manage the local administrator account with Windows LAPS. To learn more about Automatic account management in Windows LAPS, refer to the post: Automatic Account Management in Windows LAPS.
Step 1: Create an App registration in Entra admin center
Create an application in Entra ID, which will be used to access and read the managed local admin account password stored in Entra ID. You must grant the permissions below to the app so that it can read the device object details.
- Device.Read.All
- Either DeviceLocalCredential.Read.All or DeviceLocalCredential.ReadBasic.All.
To retrieve the password, you’ll need to grant the app the DeviceLocalCredential.Read.All permission. Granting only the DeviceLocalCredential.ReadBasic.All permission will not allow you to view the password.
With the DeviceLocalCredential.ReadBasic.All permission, you can only check details such as when the password was backed up to Entra ID and its expiration time.
Let’s check the steps to create an app registration for Entra ID.
- Sign in to the Entra admin center > Applications > App registrations.
- Click on + New registration.
- Provide the Name of the App as WindowsLAPS_app (you can provide any other app name as you like)
- Click on Register.
Step 2: Assign permissions to the Entra App
After registering the app, the next step is to grant the required permissions to read device details, including password information. To provide these permissions, please follow the steps below:
- Open the Entra ID app WindowsLAPS_app.
- Go to API Permissions under Manage.
- Then click on + Add a permission.
- Under Microsoft APIs > Click on Microsoft Graph.
- Under Application permissions, search for Device.Read.All and select this permission.
- Next, perform another search for DeviceLocalCredential.Read.All and select this permission.
- Make sure to grant admin consent for the assigned API permissions to this app. The status should be displayed in green with a checkmark once admin consent has been granted.
- Open the App WindowsLAPS_app and then click on Authentication under Manage.
- Click on + Add a platform and then Add Mobile and Desktop applications.
- Add Custom Redirect URIs as http://localhost. Select the checkbox for https://login.microsoftonline.com/common/oauth2/nativeclient, and click Configure.
- Under Advanced settings, enable the setting Allow public client flows and click the Save button.
Step 3: Retrieve Managed Local Administrator Password
First, we must connect to Microsoft Graph using the application registration we created in the previous step. Let’s go through the necessary steps.
1. Install the Microsoft Graph PowerShell module
Install MS Graph PS module
Install-Module Microsoft.Graph -Scope CurrentUser
2. Connect to Microsoft Graph
We will use the Connect-MgGraph PowerShell cmdlet for this purpose. Before running the command, make sure you have your organization’s tenant ID and client ID. Substitute these values in the Connect-MgGraph command shown in the following section.
- To find the Client ID information, click on the App, go to the Overview tab, and copy the Application (client) ID.
- To find the Tenant ID information, log in to the Entra admin center > Identity > Overview. Copy it and paste it into a notepad.
Connect-MgGraph
Connect-MgGraph -Environment Global -TenantId 97659d97-8dab-4122-80bd-caadf41b64d7 -ClientId baa1ea7d-9388-43d5-b28f-024ca2bde5fc
- You will receive a pop-up asking you to provide your sign-in information to connect. You may also encounter the screen asking you to accept the requested permissions. Select the checkbox Consent on behalf of your organization, then click Accept to proceed.
- Connected to Microsoft Graph successfully.
Step 4: Use Get-LapsAADPassword
To retrieve the local admin user account password, use the Get-LapsAADPassword cmdlet. In the DeviceIds parameter, provide the device name, which you can find in the Intune admin center.
Get-LapsAADPassword
Get-LapsAADPassword -DeviceIds JatinM-WIn10-NW
Using the Get-LapsAADPassword cmdlet with no parameters other than DeviceIds will only provide basic information about the device. If you want to retrieve the managed local admin account password, you must include two more parameters: -IncludePasswords and -AsPlainText.
Get-LapsAADPassword -DeviceIds JatinM-WIn10-NW -IncludePasswords -AsPlainText
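The Step 3 and Step 4 procedure, folded into one reusable function. This is an added example, not code from the original post; it assumes the Microsoft.Graph module and the built-in LAPS module are installed, that the app from Steps 1 and 2 has admin-consented Device.Read.All and DeviceLocalCredential.Read.All, and it uses hypothetical placeholders for the tenant ID, client ID and device name. It deliberately omits -AsPlainText and returns a PSCredential instead, so the secret never lands in the console or the PowerShell history, and it warns when no password comes back (the app holds only ReadBasic, or the device has not backed up a password yet) or when the returned password is already past its expiration time.

```powershell
# Added example (not from the original post): retrieve the LAPS-managed local admin
# password for one or more devices and hand it back as a PSCredential.
# Assumes: Microsoft.Graph + built-in LAPS module; app registration granted
# Device.Read.All and DeviceLocalCredential.Read.All with admin consent.
# $TenantId, $ClientId and the device name below are hypothetical placeholders.

function Get-ManagedAdminCredential {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string[]] $DeviceName,
        [Parameter(Mandatory)] [string]   $TenantId,
        [Parameter(Mandatory)] [string]   $ClientId
    )

    # Reuse an existing Graph session only when it targets the same tenant and app.
    $ctx = Get-MgContext
    if (-not $ctx -or $ctx.TenantId -ne $TenantId -or $ctx.ClientId -ne $ClientId) {
        Connect-MgGraph -Environment Global -TenantId $TenantId -ClientId $ClientId -NoWelcome
    }

    foreach ($name in $DeviceName) {
        # Without -AsPlainText the Password property is a SecureString.
        $entry = Get-LapsAADPassword -DeviceIds $name -IncludePasswords -ErrorAction Stop

        if (-not $entry.Password) {
            # Typical causes: the app only has DeviceLocalCredential.ReadBasic.All,
            # or the device has not yet backed a password up to Entra ID.
            Write-Warning "No password returned for '$name'. Check the app's DeviceLocalCredential.Read.All consent and whether the device has completed a backup."
            continue
        }

        if ($entry.PasswordExpirationTime -and $entry.PasswordExpirationTime -lt (Get-Date)) {
            Write-Warning "Password for '$name' expired on $($entry.PasswordExpirationTime); a rotation is pending on the device."
        }

        [pscustomobject]@{
            DeviceName         = $entry.DeviceName
            Account            = $entry.Account
            Credential         = [pscredential]::new($entry.Account, $entry.Password)
            PasswordUpdateTime = $entry.PasswordUpdateTime
            PasswordExpiration = $entry.PasswordExpirationTime
        }
    }
}

# Usage (hypothetical IDs and device name):
# $result = Get-ManagedAdminCredential -DeviceName 'PC-EXAMPLE-01' -TenantId '<tenant-id>' -ClientId '<client-id>'
# Invoke-Command -ComputerName 'PC-EXAMPLE-01' -Credential $result.Credential -ScriptBlock { hostname }
```

The returned Credential object can be passed straight to Invoke-Command, Enter-PSSession or any other cmdlet that takes -Credential, which is the usual reason an administrator needs the password in the first place; -AsPlainText is only needed when a human has to type it.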
Reset Managed Local Administrator password
To reset a LAPS-managed local admin password using PowerShell, you can log in to the device, connect to Microsoft Graph, and use the Reset-LapsPassword cmdlet.
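The reset step, with a verification that the rotated password actually reached Entra ID. This is an added example, not code from the original post; it assumes an elevated PowerShell session on the device whose password is being rotated, the built-in LAPS module, a Graph connection made with the app from Step 3, and hypothetical tenant and client ID placeholders. It reads the device's PasswordUpdateTime before calling Reset-LapsPassword, then polls until the backup timestamp moves forward or a timeout expires, so a failed or delayed backup is reported rather than silently assumed.

```powershell
# Added example (not from the original post): rotate the LAPS-managed local admin
# password on the local device and confirm the new backup in Entra ID.
# Assumes: elevated session on the device, built-in LAPS module, Microsoft.Graph
# module, app registration with DeviceLocalCredential.ReadBasic.All or Read.All.
# $TenantId and $ClientId are hypothetical placeholders.

function Invoke-LapsRotationAndVerify {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $TenantId,
        [Parameter(Mandatory)] [string] $ClientId,
        [int] $WaitSeconds = 60
    )

    $device = $env:COMPUTERNAME

    if (-not (Get-MgContext)) {
        Connect-MgGraph -Environment Global -TenantId $TenantId -ClientId $ClientId -NoWelcome
    }

    # Record the current backup time so a change can be proven after the reset.
    # A device that has never backed up reports no update time; treat that as MinValue.
    $before = Get-LapsAADPassword -DeviceIds $device -ErrorAction Stop
    $lastUpdate = if ($before.PasswordUpdateTime) { $before.PasswordUpdateTime } else { [datetime]::MinValue }
    Write-Verbose "Last backup before reset: $lastUpdate"

    # Reset-LapsPassword runs locally (requires administrator rights): it sets a new
    # password per policy and backs it up to the directory the LAPS policy specifies.
    Reset-LapsPassword -ErrorAction Stop

    # Poll Entra ID until the backup timestamp advances or the timeout is reached.
    $deadline = (Get-Date).AddSeconds($WaitSeconds)
    do {
        Start-Sleep -Seconds 5
        $after = Get-LapsAADPassword -DeviceIds $device -ErrorAction Stop
    } until ($after.PasswordUpdateTime -gt $lastUpdate -or (Get-Date) -gt $deadline)

    $confirmed = [bool]($after.PasswordUpdateTime -gt $lastUpdate)
    if (-not $confirmed) {
        Write-Warning "Backup for '$device' not observed within $WaitSeconds seconds; check the LAPS event log on the device."
    }

    [pscustomobject]@{
        DeviceName      = $device
        PreviousUpdate  = $before.PasswordUpdateTime
        CurrentUpdate   = $after.PasswordUpdateTime
        NewExpiration   = $after.PasswordExpirationTime
        BackupConfirmed = $confirmed
    }
}

# Usage (hypothetical IDs), from an elevated session on the device:
# Invoke-LapsRotationAndVerify -TenantId '<tenant-id>' -ClientId '<client-id>' -Verbose
```

Calling Get-LapsAADPassword here without -IncludePasswords keeps the check to metadata only, which DeviceLocalCredential.ReadBasic.All already permits; the new password itself can then be fetched separately, only when it is actually needed.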
Conclusion
In this blog post, we have explored how to manage the Windows LAPS local admin account using PowerShell. You can remotely retrieve the managed local admin user account password by connecting to Microsoft Graph, eliminating the need to log in to the Microsoft Intune admin center or Microsoft Entra portal.
Is there a way by which we can retrieve the LAPS password for a device which is deleted from Entra?