Windows LAPS, secure your local admin accounts using Microsoft Intune

Windows LAPS (Local Administrator Password Solution) lets you manage local account passwords on Windows devices. The solution allows you to control, rotate and securely recover the built-in local administrator password.

Until now, LAPS was limited to on-premises Active Directory integration, which was an obstacle for customers wanting to migrate to fully cloud-based management of their devices.

With the cloud version of LAPS now available, customers can manage and secure the local Administrator account of their Azure AD joined and hybrid Azure AD joined devices from the Microsoft Intune or Microsoft Entra console.

1. Prerequisites for Windows LAPS

  • Microsoft Intune and Azure subscription
  • Windows 10/11 licences, Pro, Enterprise or Education edition
  • Hybrid Azure AD or Azure AD joined devices.
  • An administration account with the necessary rights to perform the different steps.

2. Service activation

There are two possibilities: the Azure portal or Microsoft Entra. In my case, I opt for activation via Microsoft Entra.
  • Go to Microsoft Entra
  • Select Azure Active Directory \ Devices \ All Devices \ Device settings
  • Under Local Administrator Settings (Preview), select Yes

3. Windows LAPS Configuration profile, create and deploy

Next, we must create the configuration profile (built on the LAPS CSP) that enables and configures LAPS on all workstations.
  • Go to the Microsoft Intune console
  • Click Endpoint Security \ Account Protection
  • Select Create Policy
  • Select:
    • Platform: Windows 10 and later
    • Profile Type: Local admin password solution (Windows LAPS)
  • Complete the Name field and click Next
  • Configuration settings: configure according to your needs and click Next
  • Scope tags: click Next
  • Assignments: select a device group or All devices
  • Review + create: click Create
All configuration options are documented here: LAPS CSP - Windows Client Management | Microsoft Learn
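The profile created above only works once the CSP settings reach the device. The following PowerShell script is an added example (not from the original post) that reads the policy values the LAPS CSP stores on a workstation, flags a profile that would escrow nothing, and forces a policy cycle so the result can be checked without waiting for the scheduled run. It assumes a Windows 10/11 device with the built-in Windows LAPS module (April 2023 update or later), an elevated session, and the registry path HKLM\SOFTWARE\Microsoft\Policies\LAPS as the CSP's policy location; the value names match the CSP nodes documented by Microsoft.

```powershell
# Added example (not part of the original post): confirm on a workstation that the LAPS
# settings pushed by the Intune profile have arrived, then force a policy cycle.
# Assumptions: Windows 10/11 with the built-in Windows LAPS module (April 2023 update or
# later), elevated PowerShell. The registry path is where the LAPS CSP stores its policy;
# the value names match the CSP nodes documented by Microsoft.
Import-Module LAPS

$policyPath = 'HKLM:\SOFTWARE\Microsoft\Policies\LAPS'

# Labels for the integer values used by the CSP.
$backupDirectoryNames = @{ 0 = 'Disabled'; 1 = 'Azure AD'; 2 = 'Active Directory' }
$complexityNames      = @{ 1 = 'Large letters'
                           2 = 'Large + small letters'
                           3 = 'Large + small + numbers'
                           4 = 'Large + small + numbers + special characters' }

function ConvertTo-Label ($value, $names) {
    if ($null -eq $value) { return '(not set, CSP default applies)' }
    if ($names.ContainsKey([int]$value)) { return $names[[int]$value] }
    return "unknown ($value)"
}

function Get-LapsPolicySummary {
    if (-not (Test-Path $policyPath)) {
        Write-Warning "No LAPS policy under $policyPath: the Intune profile has not reached this device yet."
        return $null
    }
    $p = Get-ItemProperty -Path $policyPath
    [pscustomobject]@{
        BackupDirectory              = ConvertTo-Label $p.BackupDirectory $backupDirectoryNames
        AdministratorAccountName     = if ($p.AdministratorAccountName) { $p.AdministratorAccountName } else { '(built-in Administrator)' }
        PasswordAgeDays              = $p.PasswordAgeDays
        PasswordLength               = $p.PasswordLength
        PasswordComplexity           = ConvertTo-Label $p.PasswordComplexity $complexityNames
        PostAuthenticationResetDelay = $p.PostAuthenticationResetDelay
        PostAuthenticationActions    = $p.PostAuthenticationActions
    }
}

$summary = Get-LapsPolicySummary
$summary | Format-List

# A profile that leaves BackupDirectory disabled (or unset, which defaults to disabled)
# escrows nothing: the password could never be recovered from Entra or Intune.
if ($summary -and $summary.BackupDirectory -notin 'Azure AD', 'Active Directory') {
    Write-Warning 'BackupDirectory is not set to Azure AD or Active Directory: no password will be escrowed.'
}

# Run a policy cycle now rather than waiting for the scheduled one, then show what LAPS logged.
Invoke-LapsPolicyProcessing
Get-WinEvent -LogName 'Microsoft-Windows-LAPS/Operational' -MaxEvents 10 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, LevelDisplayName, Message |
    Format-Table -Wrap
```

For Azure AD joined devices the expected BackupDirectory label is "Azure AD"; a hybrid device backing up to on-premises AD will show "Active Directory", which the check also accepts.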

4. Retrieve Local Admin password

In Microsoft Entra:
  • Go to Microsoft Entra
  • Select Azure Active Directory \ Devices
  • Click Local administrator password recovery (Preview)
  • Search for your computer in the "Search by device name" field
  • Click Show local administrator password
  • Click Show

In Microsoft Intune:
  • Go to the Microsoft Intune console
  • Click Devices \ Windows devices
  • Select your device
  • Click Local administrator password and select Show local administrator password
  • Click Show
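The portal steps above have a scripted equivalent in the Windows LAPS PowerShell module. The script below is an added example (not from the original post) that retrieves the escrowed password for one device with Get-LapsAADPassword, keeps it as a SecureString until the moment it is displayed, and warns when the escrowed entry has already expired, which is the usual sign that the device stopped rotating. It assumes the built-in LAPS module and the Microsoft.Graph.Authentication module are installed, that the signed-in account is allowed to read device local credentials, and that the output object exposes DeviceName, DeviceId, Account, Password, PasswordUpdateTime and PasswordExpirationTime; the device name is a placeholder.

```powershell
# Added example (not part of the original post): read the escrowed local admin password
# for one device from Entra ID, the scripted equivalent of "Show local administrator
# password" in the portal.
# Assumptions: built-in LAPS module (Windows 11 / Windows 10 April 2023 update or later),
# Microsoft.Graph.Authentication installed, signed-in account allowed to read device local
# credentials. The property names on the returned object are assumed from the cmdlet's output.
$DeviceName = 'PLACEHOLDER-DEVICE-NAME'   # placeholder: Azure AD device name or device ID

Import-Module LAPS
# Delegated Graph scopes Get-LapsAADPassword needs to read the password itself.
Connect-MgGraph -Scopes 'Device.Read.All', 'DeviceLocalCredential.Read.All' | Out-Null

# Without -AsPlainText the Password property is a SecureString, which keeps the secret
# out of transcripts and console history; convert it only when it is actually needed.
$entry = Get-LapsAADPassword -DeviceIds $DeviceName -IncludePasswords

if (-not $entry) {
    Write-Warning "No LAPS password escrowed for '$DeviceName'. Check that the Intune profile applies to it and that BackupDirectory is Azure AD."
    Disconnect-MgGraph | Out-Null
    return
}

$entry | Select-Object DeviceName, DeviceId, Account, PasswordUpdateTime, PasswordExpirationTime | Format-List

# An expired escrow means the device has not rotated and backed up on schedule: look at
# the device logs (or rotate the password) before relying on this credential.
if ($entry.PasswordExpirationTime -lt (Get-Date)) {
    Write-Warning "Escrowed password for '$DeviceName' expired on $($entry.PasswordExpirationTime)."
}

# Reveal the clear text only now, to the operator's console.
$plain = [System.Net.NetworkCredential]::new('', $entry.Password).Password
Write-Host "Local admin password for $($entry.DeviceName): $plain"

Disconnect-MgGraph | Out-Null
```

Every read performed this way is recorded in the Entra audit log in the same way as a read from the portal, so the script does not bypass the auditing described in section 6.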

5. Perform password rotation

There are two ways to rotate the password:

From the Microsoft Intune console:
  • Go to the Microsoft Intune console
  • Click Devices \ Windows \ Windows devices and select your device
  • Select Rotate local admin password

With PowerShell:
  • Open PowerShell with administrator rights
  • Run this command: Reset-LapsPassword

6. Audits and reporting

To verify that the configuration has been applied correctly:
  • Go to Microsoft Entra
  • Select Azure Active Directory \ Devices \ Device logs
  • Filter on:
    • Service: Device Registration Service
    • Activity: Update device local administrator password
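Sections 5 and 6 together describe a rotation and the audit trail it leaves. The script below is an added example (not from the original post) that ties them together: part 1 rotates the password on the device with Reset-LapsPassword, forces a policy cycle, and inspects the LAPS operational event log for warnings or errors; part 2 queries the Entra audit log through Microsoft Graph with the same filter the post applies in the portal (service Device Registration Service, activity "Update device local administrator password") and warns when no successful entry exists after the rotation. It assumes part 1 runs elevated on a device with the built-in LAPS module, that part 2 runs from an admin workstation with the Microsoft.Graph.Reports module and an account that can read audit logs, and that the device name passed to part 2 is a placeholder. No event IDs are hard-coded; the local check relies on event levels only.

```powershell
# Added example (not part of the original post): rotate the local admin password and
# verify it twice, locally in the LAPS operational log and in the Entra audit log.
# Assumptions: part 1 runs elevated on the device with the built-in LAPS module; part 2
# runs where Microsoft.Graph.Reports is installed, with an account able to read audit logs.

# ----- Part 1: on the workstation, elevated -----
function Invoke-LapsRotationAndVerify {
    Import-Module LAPS
    $since = Get-Date

    Reset-LapsPassword           # request a new password for the managed account (same command as the post)
    Invoke-LapsPolicyProcessing  # run a policy cycle now so rotation and escrow happen immediately

    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-LAPS/Operational'; StartTime = $since } -ErrorAction SilentlyContinue
    $events | Select-Object TimeCreated, Id, LevelDisplayName, Message | Format-Table -Wrap

    # Level 1 = Critical, 2 = Error, 3 = Warning: anything at or below 3 means the rotation
    # or its escrow to Azure AD needs a look before the new password is trusted.
    $problems = @($events | Where-Object { $_.Level -le 3 })
    if ($problems.Count -gt 0) {
        Write-Warning "LAPS logged $($problems.Count) warning/error event(s) since $since."
    }
    return $since
}

# ----- Part 2: Entra audit log, from an admin workstation -----
function Get-LapsEntraAuditEvents {
    param([datetime]$Since = (Get-Date).AddDays(-1), [string]$DeviceName)

    Connect-MgGraph -Scopes 'AuditLog.Read.All', 'Directory.Read.All' | Out-Null
    $utc    = $Since.ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')
    # Same criteria as the portal filter in the post, expressed as an OData filter.
    $filter = "activityDisplayName eq 'Update device local administrator password' and activityDateTime ge $utc"

    $audit = Get-MgAuditLogDirectoryAudit -Filter $filter -All |
        Select-Object ActivityDateTime, Result, LoggedByService,
                      @{ Name = 'Device'; Expression = { $_.TargetResources[0].DisplayName } }

    # Narrow to one device client-side once the server-side filter has reduced the volume.
    if ($DeviceName) { $audit = @($audit | Where-Object Device -eq $DeviceName) }

    # No success entry after a rotation means the escrow to Azure AD did not happen;
    # the device-side operational log (part 1) then shows why.
    if (-not ($audit | Where-Object Result -eq 'success')) {
        Write-Warning "No successful 'Update device local administrator password' entry since $utc."
    }
    return $audit
}

# Usage: run part 1 on the device, then part 2 from an admin session (placeholder device name).
# $t = Invoke-LapsRotationAndVerify
# Get-LapsEntraAuditEvents -Since $t -DeviceName 'PLACEHOLDER-DEVICE-NAME' | Format-Table
```

Entra audit entries are not instantaneous; if part 2 reports no success entry right after the rotation, wait a few minutes and run it again before treating the escrow as failed.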
