This article provides a step-by-step guide on enabling the Local Administrator Password Solution (LAPS) for devices managed by Microsoft Intune.
Overview
The Local Administrator Password Solution (LAPS) is a feature that helps manage and secure local administrator passwords for devices. When integrated with Microsoft Intune, LAPS can automatically rotate and back up these passwords to Azure Active Directory (Azure AD), enhancing security and compliance for Intune-managed devices.
Prerequisites
- Operating System: Devices must be running Windows 10 version 20H2 or later, Windows 11 version 21H2 or later, or Windows Server 2019 or later.
- Updates: Devices must have the April 11, 2023 security updates installed.
Steps to Enable LAPS
1. Verify Device Requirements
Ensure that your devices meet the prerequisites listed above. This includes checking the operating system version and confirming that the necessary security updates are installed.
Note: If your devices do not meet these requirements, you may need to update them before proceeding.
2. Enable the Built-in Administrator Account
LAPS requires an existing local administrator account to manage. The simplest approach is to use the built-in administrator account. Follow these steps to enable it via an Intune policy:
- Navigate to the Microsoft Intune admin center.
- Go to Devices > Configuration profiles > Create profile.
- Select Windows 10 and later as the platform.
- Choose Settings catalog as the profile type.
- In the configuration settings, search for "Accounts: Administrator account status" under Local Policies Security Options.
- Set this setting to Enabled.
- Assign this policy to your target device group (e.g., "All devices").
Note: Enabling the built-in administrator account is necessary for LAPS to manage its password.
3. Configure the LAPS Policy
Set up LAPS to manage and back up the local administrator password to Azure AD:
- In the Intune admin center, go to Endpoint security > Account protection > Create policy.
- Select Windows 10 and later as the platform.
- Choose Local admin password solution (Windows LAPS) as the profile.
- Set Backup Directory to Backup the password to Azure AD only.
- Leave other settings at their defaults unless specific requirements dictate otherwise.
- Assign this policy to the same target device group as the previous policy.
Note: The default settings for LAPS include a 30-day password rotation and a 14-character password length, which are suitable for most environments.
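Before relying on the Intune reports, it is worth confirming on a target device that the three steps above actually took effect. The following PowerShell script is an added example, not part of the original article and not a Microsoft-provided tool. It checks the OS build against the releases named in the prerequisites (Windows 10 20H2 is build 19042, Windows 11 21H2 is build 22000, Windows Server 2019 is build 17763), confirms that the Windows LAPS PowerShell module and the LAPS event channel that ship with the April 2023 update are present, confirms that the built-in Administrator (RID 500) is enabled, and reads the applied LAPS policy. The registry path used for Intune (CSP) delivered LAPS policy and the BackupDirectory value 1 for "Azure AD only" are assumptions taken from the LAPS CSP as the author understands it. Run it in an elevated session on the device.

```powershell
#Requires -RunAsAdministrator
# Added verification example (not from the original article): checks steps 1 to 3 locally.

function Test-LapsOsRequirement {
    # Minimum builds for the releases listed under Prerequisites:
    # Windows 10 20H2 = 19042, Windows 11 21H2 = 22000, Windows Server 2019 = 17763.
    $build    = [System.Environment]::OSVersion.Version.Build
    $isServer = (Get-CimInstance Win32_OperatingSystem).ProductType -ne 1   # 1 = workstation
    $minimum  = if ($isServer) { 17763 } else { 19042 }
    [pscustomobject]@{ Check = 'OS build'; Value = $build; Passed = ($build -ge $minimum) }
}

function Test-LapsUpdatePresent {
    # The LAPS PowerShell module and its event channel arrive with the April 2023
    # cumulative update, so their presence shows that update (or later) is installed.
    $module = Get-Module -ListAvailable -Name LAPS
    $log    = Get-WinEvent -ListLog 'Microsoft-Windows-LAPS/Operational' -ErrorAction SilentlyContinue
    [pscustomobject]@{ Check = 'LAPS module and event log'; Value = [bool]$module; Passed = [bool]($module -and $log) }
}

function Test-BuiltInAdminEnabled {
    # The built-in Administrator always has RID 500; match on the SID, not the name,
    # because the account may have been renamed.
    $admin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
    [pscustomobject]@{ Check = 'Built-in Administrator enabled'; Value = $admin.Name; Passed = [bool]$admin.Enabled }
}

function Test-LapsPolicyApplied {
    # Assumption: Intune delivers LAPS settings through the LAPS CSP, which writes them here.
    $path   = 'HKLM:\SOFTWARE\Microsoft\Policies\LAPS'
    $policy = Get-ItemProperty -Path $path -ErrorAction SilentlyContinue
    # BackupDirectory: 0 = disabled, 1 = Azure AD (the value chosen in step 3), 2 = on-premises AD.
    [pscustomobject]@{
        Check  = 'LAPS policy BackupDirectory = 1 (Azure AD)'
        Value  = $policy.BackupDirectory
        Passed = ($policy.BackupDirectory -eq 1)
    }
}

function Get-LapsRecentEvents {
    # Force an immediate policy processing pass, then show the newest LAPS events so a
    # successful (or failed) password backup is visible without waiting for the next cycle.
    Invoke-LapsPolicyProcessing
    Get-WinEvent -LogName 'Microsoft-Windows-LAPS/Operational' -MaxEvents 10 |
        Select-Object TimeCreated, Id, LevelDisplayName, Message
}

$results = @(
    Test-LapsOsRequirement
    Test-LapsUpdatePresent
    Test-BuiltInAdminEnabled
    Test-LapsPolicyApplied
)
$results | Format-Table -AutoSize

# Only trigger processing once every prerequisite and policy check has passed.
if ($results.Passed -notcontains $false) { Get-LapsRecentEvents }
```

A device that reports a failed OS build or update check needs patching before LAPS will do anything; a failed policy check with everything else passing usually means the Intune assignment has not synced yet, so run a device sync from the Intune admin center or Settings and re-run the script.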
Additional Information
- By 2025 LAPS has most likely left preview, so manually enabling it under Azure AD Device Settings is typically no longer required.
- Using the built-in administrator account avoids the need for scripting or creating custom accounts, streamlining the setup process.
Need Further Assistance?
If you need additional support or would like personalized guidance, we're here to help. Check out our dedicated support plans at IT Solver Support Plans for expert assistance tailored to your needs.