LAPS is one of those essential tools that really proves its worth during critical moments. We saw this during the December 2023 Crowdstrike outage - while IT Solver and our customers weren't affected, I read about many IT admins who used LAPS to recover access to their machines when the CS agent was blocking remote management tools.
Beyond emergency scenarios like that, LAPS solves that classic headache of local admin password management. Instead of using the same password everywhere (we've all inherited environments like that), or trying to track hundreds of different passwords, LAPS automatically manages unique passwords for each device and rotates them regularly. When you need to get into a machine, you just pull the current password from Intune or Entra ID. No more password spreadsheets, no more calling the previous admin asking for "that one password they used," and no worry about an old admin password being used to compromise your network.
While by default Entra ID adds Global Administrators as local admins during device join (under Entra Admin > Devices > All Devices > Device Settings), following security best practices means your daily driver account should have standard user permissions only. LAPS gives you that secure separation - use your regular account for daily work, and only elevate with the LAPS password when absolutely necessary. It's one of those tools that once you set it up, you wonder how you managed without it.
Prerequisites
- Microsoft Intune Plan 1 subscription (minimum)
- Microsoft Entra ID (Azure AD) subscription (free tier works)
- Supported Windows versions:
  - Windows 11 22H2/21H2 (Pro, EDU, Enterprise) - April 11, 2023 Update or later
  - Windows 10 (Pro, EDU, Enterprise) - April 11, 2023 Update or later
  - Windows Server 2022/2019 - April 11, 2023 Update or later
Step 1: Enable LAPS in Microsoft Entra ID
- Go to Microsoft Entra admin center (https://entra.microsoft.com/)
- Navigate to Identity > Devices > All devices > Device settings
- Under Local administrator settings, select Yes for "Enable Microsoft Entra ID Local Administrator Password Solution (LAPS)"
Step 2: Enable the Local Administrator Account
- Go to Microsoft Intune admin center (https://intune.microsoft.com/)
- Navigate to Devices > Configuration profiles
- Click + Create Profile
- For Name, enter: Enable Local Administrator Account
- For Description, enter: This configuration profile will be used to enable the local administrator account
- Select:
  - Platform: Windows 10 and later
  - Profile type: Settings catalog
- Click Create
- Click + Add settings
- Search for "Local Policies Security Options"
- Select Accounts: Administrator Account Status
- Set it to Enable
- Click Next
- Under Assignments, select All devices (or your desired group)
- Click Next and then Create
Step 3: Create LAPS Policy
- Go to Microsoft Intune admin center
- Navigate to Endpoint Security > Account Protection
- Click + Create Policy
- Select:
  - Platform: Windows 10 and later
  - Profile: Local admin password solution (Windows LAPS)
- For Name, enter: Configure Windows LAPS Policy
- For Description, enter: This policy will be used to configure Windows LAPS
- Click Create
- Configure these settings (all have defaults; adjust based on your security requirements):
  - Backup Directory: Select "Backup the password to Azure AD only"
    Controls where LAPS stores passwords. Options are: Disabled (0), Azure AD only (1), or Active Directory only (2). Most cloud-first organizations use Azure AD.
  - Password Age Days: 30
    How often the password rotates. Min 7 days for Azure AD, 1 day for on-prem AD. Max 365 days. Consider your security requirements - shorter rotation means better security but more password changes to manage.
  - Administrator Account Name: [leave blank to use built-in administrator]
    Specifies which local admin account to manage. Leave blank to manage the built-in admin (recommended). If you specify a custom account, it must already exist - LAPS won't create it.
  - Password Complexity: Select "Large letters + small letters + numbers + special characters"
    Defines password requirements. Options range from just uppercase letters (1) to full complexity (4). Default is maximum complexity (4), which satisfies most security policies.
  - Password Length: 14
    Password length between 8-64 characters. Default is 14. Longer passwords are more secure but harder to type when needed. Consider your security vs. usability needs.
  - Post Authentication Actions: "Reset password and logoff managed account"
    What happens after someone uses the admin account. Default is to reset the password and log off admin sessions. You might adjust this if you need longer admin sessions for maintenance windows.
  - Post Authentication Reset Delay: 24
    Hours to wait before executing post-auth actions (0-24 hours). Default is 24. Set lower for stricter security, higher if you need longer admin sessions. Setting it to 0 disables post-auth actions entirely.
- Click Next
- Under Assignments, select All devices (or your desired group)
- Click Next then Create
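To confirm that Steps 2 and 3 actually landed on a device, rather than trusting the Intune status column, the following PowerShell is an added example (not from the original post) that you can run in an elevated session on a managed device after it has synced. It assumes Intune delivers the settings through the LAPS CSP, which writes them under HKLM:\SOFTWARE\Microsoft\Policies\LAPS, and that the numeric option values match the ones listed in Step 3.

```powershell
# Added example, not from the original post: verify on a managed device that
# the two Intune profiles above (Step 2 enables the built-in Administrator,
# Step 3 delivers the LAPS policy) actually applied. Run from an elevated
# PowerShell session after the device has synced with Intune.
# Assumption: Intune delivers LAPS settings through the LAPS CSP, which writes
# them under HKLM:\SOFTWARE\Microsoft\Policies\LAPS on the device.

# --- Step 2 check: the built-in Administrator (RID 500) must be enabled,
#     otherwise LAPS has nothing to manage when Administrator Account Name is blank.
$builtInAdmin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
if ($builtInAdmin.Enabled) {
    "Built-in admin '$($builtInAdmin.Name)' is enabled."
} else {
    Write-Warning "Built-in admin '$($builtInAdmin.Name)' is disabled - the Step 2 profile has not applied."
}

# --- Step 3 check: read the policy values Intune wrote and decode the numeric
#     ones with the option values documented in the Step 3 settings list.
$lapsCsp = 'HKLM:\SOFTWARE\Microsoft\Policies\LAPS'
if (-not (Test-Path $lapsCsp)) {
    Write-Warning "No LAPS CSP policy at $lapsCsp - sync the device in Intune and retry."
} else {
    $p = Get-ItemProperty -Path $lapsCsp
    $backupNames     = @{ 0 = 'Disabled'; 1 = 'Azure AD (Entra ID)'; 2 = 'Active Directory' }
    $complexityNames = @{ 1 = 'Large letters'; 2 = 'Large + small letters';
                          3 = 'Large + small + numbers'; 4 = 'Large + small + numbers + special' }
    $postAuthNames   = @{ 1 = 'Reset password'; 3 = 'Reset password and logoff managed account';
                          5 = 'Reset password and reboot device' }
    [pscustomobject]@{
        BackupDirectory              = $backupNames[[int]$p.BackupDirectory]
        PasswordAgeDays              = $p.PasswordAgeDays
        AdministratorAccountName     = if ($p.AdministratorAccountName) { $p.AdministratorAccountName } else { '(built-in Administrator)' }
        PasswordComplexity           = $complexityNames[[int]$p.PasswordComplexity]
        PasswordLength               = $p.PasswordLength
        PostAuthenticationActions    = $postAuthNames[[int]$p.PostAuthenticationActions]
        PostAuthenticationResetDelay = $p.PostAuthenticationResetDelay
    }

    # Expect the value chosen in Step 3: backup to Azure AD (1). Anything else means
    # this device is not backing passwords up to Entra ID and portal retrieval will fail.
    if ([int]$p.BackupDirectory -ne 1) {
        Write-Warning "BackupDirectory is $($p.BackupDirectory); expected 1 (Azure AD only)."
    }
}

# --- Force an immediate policy pass (normally runs on a background schedule) ...
Invoke-LapsPolicyProcessing

# --- ... then look at what LAPS logged: policy processing and the Entra ID backup result.
Get-WinEvent -LogName 'Microsoft-Windows-LAPS/Operational' -MaxEvents 15 |
    Select-Object TimeCreated, Id, LevelDisplayName, Message |
    Format-Table -AutoSize -Wrap
```

If the registry key is missing, the Step 3 policy has not reached the device yet; if the key is present but the built-in account is disabled, Step 2 is the one to chase. The Operational log is also the first place to look when a device shows in the portal but has no password to reveal.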
How to View Local Admin Password
Via Microsoft Entra Admin Center:
- Go to Identity > Devices > All devices
- Click Local Administrator password recovery
- Select device and click Show local administrator password
Via Intune Admin Center:
- Go to Devices > All devices
- Select the device
- Click Local admin password
- Click Show local administrator password
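The portal steps above work for one device at a time. The following PowerShell is an added example (not from the original post) that does the same retrieval through Microsoft Graph with the Windows LAPS module, which is what you want for auditing rotation across a fleet. It assumes the Microsoft.Graph.Authentication module is installed, the signed-in account is allowed to read device local credentials, and 'PLACEHOLDER-DEVICE-NAME' stands in for a real device name in your tenant.

```powershell
# Added example, not from the original post: read a device's LAPS password with
# the Windows LAPS PowerShell module over Microsoft Graph instead of the portal.
# Assumptions: the Microsoft.Graph.Authentication module is installed, the
# signed-in account is allowed to read device local credentials, and
# 'PLACEHOLDER-DEVICE-NAME' stands in for a real device name in your tenant.

Import-Module Microsoft.Graph.Authentication
Import-Module LAPS   # ships with Windows LAPS on the supported Windows versions

# Device.Read.All resolves the device name; DeviceLocalCredential.Read.All is
# needed to read passwords (metadata-only reads work with DeviceLocalCredential.ReadBasic.All).
Connect-MgGraph -Scopes 'Device.Read.All', 'DeviceLocalCredential.Read.All' -NoWelcome

$deviceName = 'PLACEHOLDER-DEVICE-NAME'

# Metadata only: confirms LAPS is backing up for this device and when the
# password last rotated, without exposing the secret. Suitable for a fleet audit.
$meta = Get-LapsAADPassword -DeviceIds $deviceName
$meta | Select-Object DeviceName, Account, PasswordUpdateTime, PasswordExpirationTime

# Flag a device whose password is older than the 30-day Password Age Days chosen in Step 3.
if ($meta.PasswordUpdateTime -lt (Get-Date).AddDays(-30)) {
    Write-Warning "$deviceName password last updated $($meta.PasswordUpdateTime); check policy processing on the device."
}

# Reveal the credential only when you actually need to elevate. Without -AsPlainText
# the Password property comes back as a SecureString. This read is recorded in the
# Entra ID audit log, the same as the portal's Show local administrator password.
$cred = Get-LapsAADPassword -DeviceIds $deviceName -IncludePasswords -AsPlainText
$cred | Select-Object DeviceName, Account, Password, PasswordExpirationTime

Disconnect-MgGraph | Out-Null
```

Pass several names to -DeviceIds to run the metadata query across many devices at once; leaving out -IncludePasswords keeps that audit from exposing any secrets.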
Bonus: Change Password On-Demand
- In Intune admin center, go to Devices > All devices
- Select the device
- Click the ... (three dots)
- Select Rotate local admin password
- Confirm by clicking Yes
Note: Always ensure you have alternate admin access before making LAPS changes.