Intune: Local Admin Password Solution (LAPS)

6 min read

Author: Daniel Kordes
Microsoft 365 Consultant and Microsoft MVP based in Zurich. I blog about Microsoft 365, Azure and cloud technologies.

–> Also available in German!

This article was translated from German with the help of Claude.

What is LAPS?

“LAPS” stands for “Local Administrator Password Solution”. It is a tool developed by Microsoft to manage local administrator passwords on Windows computers. The idea behind LAPS is to ensure that a unique, randomly generated administrator password is used on every Windows computer in a network. This reduces the risk of attackers gaining access to the entire network if they obtain a single administrator password.

LAPS randomly generates the local administrator password on each computer and backs it up centrally. With the classic on-premises LAPS, the password is written to an Active Directory attribute that only authorized users or groups can read. Since October 2023, Windows LAPS has also been generally available (GA) with Intune: here the password is backed up to the Entra device object and can be viewed by authorized roles, such as the helpdesk. After the password has been used for a logon, it is rotated again once a configurable grace period has expired, so a password that was handed out to a technician does not stay valid indefinitely.

By using LAPS, organizations can improve their network security by ensuring that local administrator passwords are regularly changed and securely stored.

Why LAPS?

Let’s configure LAPS

Enable LAPS in Entra

First, we need to enable LAPS in the tenant. In the Entra admin center, go to Devices → Device settings and set the “Enable Microsoft Entra Local Administrator Password Solution (LAPS)” option to “Yes”. After a short time, the LAPS settings become available in Intune. This tenant-level switch is a prerequisite: without it, devices cannot back up their passwords to Entra, even if an Intune LAPS policy is assigned to them.

Configure the LAPS policy

As already mentioned, LAPS is a configuration in Intune. You can find it under Intune admin center → Endpoint security → Account protection.

Here we create a new LAPS policy (platform “Windows 10 and later”, profile “Local admin password solution (Windows LAPS)”). First, we need to give the policy a name and ideally a description.

Now we get to the actual configuration. At first glance, we see six items to configure:

Backup Directory

First, we need to define where the local admin password should be stored. In addition to Entra, we also have the option of the on-premises Active Directory, or of not backing it up at all (in which case LAPS does nothing useful). Since I want to demonstrate LAPS in Intune in this post, we configure the option “Backup the password to Azure AD only”.

Additionally, under this item we can set “Password Age Days”, i.e. how often the password is rotated even if it was never used. For a backup to Entra this setting has a minimum allowed value of 7 days and a maximum allowed value of 365 days (the Active Directory variant allows a minimum of 1 day). If not configured, the default is 30 days.

Administrator Account Name

This setting is used to configure the name of the managed local administrator account. If not specified, the default built-in local administrator account is located by its well-known SID (even if it has been renamed). If specified, the password of the named account is managed instead. (Create a local admin account → here) In my case, it is “LocAdmin”.

Attention: This setting does not create a new local admin account on the client. We need to create the account via Intune first, for example with a platform script. If the account specified here does not exist on the client, Windows LAPS logs an error and no password is backed up. Also keep in mind that the built-in Administrator account is disabled by default on Entra-joined devices: LAPS will happily rotate its password, but nobody can log on with it until the account is enabled.
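As an added example (not code from the original post), this is the kind of script I would deploy as an Intune platform script, running in the system context, to create the managed account before the LAPS policy arrives. The account name “LocAdmin” is the one from the post; the description text, the throwaway initial password and the use of the well-known SID for the Administrators group are my choices.

```powershell
# Added example, not from the original post: create the local admin account
# that the Intune LAPS policy will manage. Runs as SYSTEM via Intune platform script.
$AccountName   = 'LocAdmin'
$AdminGroupSid = 'S-1-5-32-544'   # well-known SID of the local Administrators group (language independent)

# Throwaway initial password: LAPS replaces it on the first policy cycle, so it is
# never written down and never needs to be known by anyone.
$rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
$bytes = New-Object byte[] 32
$rng.GetBytes($bytes)
$securePwd = ConvertTo-SecureString -String ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
$bytes = $null

$user = Get-LocalUser -Name $AccountName -ErrorAction SilentlyContinue
if (-not $user) {
    # PasswordNeverExpires: rotation is LAPS' job, a local password policy must not interfere
    $user = New-LocalUser -Name $AccountName -Password $securePwd `
        -Description 'Managed by Windows LAPS' -PasswordNeverExpires -AccountNeverExpires
    Write-Output "Created local account $AccountName"
}
else {
    # Idempotent: do not touch the password of an account LAPS may already manage
    Write-Output "Account $AccountName already exists, leaving its password alone"
}

# A disabled account with a perfectly rotated password helps nobody
if (-not $user.Enabled) {
    Enable-LocalUser -Name $AccountName
    Write-Output "Enabled $AccountName"
}

# Group membership by SID, so the script also works on non-English Windows
$adminGroup = Get-LocalGroup -SID $AdminGroupSid
$members    = Get-LocalGroupMember -Group $adminGroup -ErrorAction SilentlyContinue
if (-not ($members | Where-Object { $_.SID -eq $user.SID })) {
    Add-LocalGroupMember -Group $adminGroup -Member $user
    Write-Output "Added $AccountName to $($adminGroup.Name)"
}

# Final state shows up in the Intune script output
Get-LocalUser -Name $AccountName | Select-Object Name, Enabled, SID
exit 0
```

Assign the script to the same device group as the LAPS policy. Because the script checks for the account before creating it, it is safe to leave it assigned; a re-run will not reset a password that LAPS is already managing.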

Password Complexity

The complexity of the generated password can be configured here. Intune offers four levels, which map to the Windows LAPS CSP values 1 (uppercase letters only), 2 (uppercase and lowercase letters), 3 (uppercase, lowercase and numbers) and 4 (uppercase, lowercase, numbers and special characters, the default). In my example, I chose uppercase and lowercase letters and numbers. You need to decide for yourself what makes sense for your environment; since LAPS generates the password, the length contributes far more to its strength than a special character does.

Password Length

As the name suggests, we can configure the length of the managed local administrator account password here. If not specified, this setting defaults to 14 characters. This setting has a minimum allowed value of 8 characters and a maximum allowed value of 64 characters.

Note: The technician usually has to type the password manually into the User Account Control (UAC) prompt on the client. Copy & paste is not possible on the secure desktop, and a password with many similar-looking characters (l, 1, I, O, 0) is error-prone to read off a screen. For usability reasons, it should therefore not be excessively long or complex; remember that it only ever protects a single device and is rotated after use.

Post Authentication Actions

This is where the real magic of LAPS happens. We configure what should happen after the managed account has been used to authenticate and the grace period has expired. The point of the log-off and restart variants is that merely changing the password does not end a session that is already running as the managed account; only terminating the session revokes the access that was handed out.

The following options are available (the numbers in the first column are the order in the Intune dropdown; the values actually written to the Windows LAPS CSP are 1, 3 and 5 respectively, which matters if you ever configure the setting via OMA-URI or read it back from a device):

Option  CSP value  Description
1       1          Reset password: After the grace period expires, the managed account password is reset.
2       3          Reset password and log off the managed account: After the grace period expires, the managed account password is reset and all interactive logon sessions of the managed account are terminated.
3       5          (Default) Reset password and restart: After the grace period expires, the managed account password is reset and the managed device is immediately restarted.

In my example, I use option 2, so the technician's session is ended without rebooting a device the user may be working on.

Post Authentication Reset Delays

Here we can specify the grace period, i.e., how long (in hours) to wait after an authentication with the managed account before the post-authentication action runs. If not specified, this setting defaults to 24 hours. This setting has a minimum allowed value of 0 hours and a maximum allowed value of 24 hours. Note that 0 does not mean “immediately”: a value of 0 disables the post-authentication actions altogether, so the password is then only rotated by the regular age-based schedule.

Finally, you need to assign your configuration to the appropriate device groups. The LAPS policy is applied at the next check-in; the device generates its first managed password, backs it up to Entra, and from then on the password is available in the device properties.
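Before rolling the policy out broadly, I would verify on a pilot device that the policy arrived and the first backup succeeded. The following is an added example and not part of the original post; it relies on the Windows LAPS cmdlets that ship with Windows 10/11 since the April 2023 update, the account name is the one from the post, and the output folder for the diagnostics is my choice.

```powershell
# Added example, not from the original post: client-side check that the Intune
# LAPS policy is in effect. Run in an elevated PowerShell on the test device.
$AccountName = 'LocAdmin'

# Force a LAPS policy cycle now instead of waiting for the scheduled one.
# With -Verbose the cmdlet reports which policy source it found and whether the backup succeeded.
Invoke-LapsPolicyProcessing -Verbose

# The managed account must exist, be enabled and be a local administrator,
# otherwise the rotated password is useless (or LAPS cannot rotate it at all).
$user = Get-LocalUser -Name $AccountName -ErrorAction SilentlyContinue
if (-not $user) {
    Write-Warning "Account $AccountName does not exist on this device; LAPS cannot manage it"
}
else {
    if (-not $user.Enabled) { Write-Warning "Account $AccountName is disabled" }
    $isAdmin = Get-LocalGroupMember -SID 'S-1-5-32-544' -ErrorAction SilentlyContinue |
        Where-Object { $_.SID -eq $user.SID }
    if (-not $isAdmin) { Write-Warning "Account $AccountName is not a member of the local Administrators group" }
}

# Recent LAPS events: errors here typically mean the tenant switch is off,
# the account is missing, or no policy reached the device yet.
Get-WinEvent -LogName 'Microsoft-Windows-LAPS/Operational' -MaxEvents 20 |
    Select-Object TimeCreated, Id, LevelDisplayName,
        @{ Name = 'Message'; Expression = { $_.Message.Split("`n")[0] } } |
    Format-Table -AutoSize

# Full diagnostic bundle (effective policy, state, event log) if you need to open a support case.
Get-LapsDiagnostics -OutputFolder "$env:TEMP\LapsDiag"
```

Once the event log shows a successful backup, the password should be visible in the device properties in Entra and Intune within a few minutes.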

Retrieve the LAPS password

You can now retrieve the LAPS password from the properties of your device. There are several ways to do this: via the device overview and the device object in the Entra admin center, or of course in the Intune admin center.

You’ll find it under the “Local admin password” entry. First, you’ll see when the last password rotation occurred and when the next one is scheduled. Only after clicking the link are the local admin account name and its password displayed. Every such password reveal is recorded in the Entra audit log, so you can later see who retrieved which device's password and when.

Manual password rotation

The password is rotated in the cycle you defined in the policy and after each use. In the Intune admin center, we can also trigger the rotation manually from the action bar of the device object (“Rotate local admin password”).

Please note that the rotation is not instant: the action only schedules the rotation on the Intune side. The new password is generated locally on the client at its next LAPS policy cycle and then backed up to Entra, so the device has to be online and it can take a while before the new value shows up in the device properties.
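The same rotation can be triggered from a script, which is handy after an incident where a technician's session was recorded or when offboarding support staff. This is an added example and not code from the original post: it assumes the Microsoft.Graph PowerShell module, uses the Intune rotateLocalAdminPassword device action from the Graph beta endpoint, and the device name, polling interval and timeout are my placeholders.

```powershell
# Added example, not from the original post: trigger "Rotate local admin password"
# via Microsoft Graph and wait until the device has actually backed up a new password.
param([string]$DeviceName = 'DESKTOP-EXAMPLE')   # placeholder device name

# PrivilegedOperations covers the remote device actions; ReadBasic is enough to read
# the backup timestamps without being able to read the password itself.
Connect-MgGraph -Scopes 'DeviceManagementManagedDevices.PrivilegedOperations.All',
                        'DeviceLocalCredential.ReadBasic.All'

# The device action needs the Intune managed device ID, the credential metadata
# needs the Entra device ID; the managed device object carries both.
$md = Get-MgDeviceManagementManagedDevice -Filter "deviceName eq '$DeviceName'" | Select-Object -First 1
if (-not $md) { throw "No Intune managed device named $DeviceName" }

$metaUri = "https://graph.microsoft.com/v1.0/directory/deviceLocalCredentials/$($md.AzureAdDeviceId)"
$before  = (Invoke-MgGraphRequest -Method GET -Uri $metaUri).lastBackupDateTime
Write-Output "Last backup before rotation: $before"

# Schedules the rotation; the client generates the new password at its next LAPS policy cycle.
Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/beta/deviceManagement/managedDevices/$($md.Id)/rotateLocalAdminPassword"

# Poll the metadata until lastBackupDateTime moves (device must be online) or we give up.
$deadline = (Get-Date).AddMinutes(30)
do {
    Start-Sleep -Seconds 60
    $after = (Invoke-MgGraphRequest -Method GET -Uri $metaUri).lastBackupDateTime
} until ($after -ne $before -or (Get-Date) -gt $deadline)

if ($after -ne $before) {
    Write-Output "New password backed up at $after"
}
else {
    Write-Warning "Device has not rotated yet; it will do so at its next check-in"
}
```

Reading only the metadata for the polling step keeps the script's permissions minimal: nothing in it can reveal a password, so it can run under a service identity that you would not trust with DeviceLocalCredential.Read.All.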

Required admin roles

To view or change the password for a device’s local administrator account using the Intune admin center, your account must have the following Intune RBAC permissions assigned:

  • Managed devices: Read
  • Organization: Read
  • Remote tasks: Rotate Local Admin Password

To view password details, your account must additionally have one of the following Microsoft Entra permissions:

  • microsoft.directory/deviceLocalCredentials/password/read to read LAPS metadata and passwords.
  • microsoft.directory/deviceLocalCredentials/standard/read to read LAPS metadata excluding passwords.

Out of the box, the password-read permission is included in the Global Administrator, Cloud Device Administrator and Intune Administrator roles. For a helpdesk that should only recover passwords, create a custom Entra role containing microsoft.directory/deviceLocalCredentials/password/read rather than handing out one of those broad roles.

Retrieve LAPS password with PowerShell and Graph

To reduce manual effort, you should automate the LAPS password process. I will demonstrate one approach here on my blog. If you have already automated existing processes, here is the corresponding cmdlet. It comes from the Windows LAPS PowerShell module that ships with Windows, and you first need to authenticate to Microsoft Graph with the Microsoft.Graph module.

```powershell
# Requires the Windows LAPS PowerShell module (built into Windows 10/11 since the
# April 2023 update) and the Microsoft.Graph module for the sign-in.
Param
(
    # Entra device ID or device name of the client whose password you need
    [string]$DeviceID
)

# Connect to Microsoft Graph. Device.Read.All lets the cmdlet resolve the device,
# DeviceLocalCredential.Read.All is required to read the password itself.
Connect-MgGraph -Scopes "DeviceLocalCredential.Read.All", "Device.Read.All"

# Get the LAPS password (omit -AsPlainText to receive it as a SecureString instead)
Get-LapsAADPassword -DeviceIds $DeviceID -IncludePasswords -AsPlainText
```
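Where the Windows LAPS module is not available, for example in an Azure Automation runbook or on a non-Windows runner, the same lookup can be done against the Graph API directly. The following is an added example and not code from the original post: it assumes the Microsoft.Graph module, the v1.0 deviceLocalCredentials endpoint, and a placeholder device name; the output shape is my choice.

```powershell
# Added example, not from the original post: read a LAPS password via the raw
# Graph API instead of Get-LapsAADPassword.
param([string]$DeviceName = 'DESKTOP-EXAMPLE')   # placeholder device name

Connect-MgGraph -Scopes 'Device.Read.All', 'DeviceLocalCredential.Read.All'

# deviceLocalCredentials is keyed by the Entra *device ID* (deviceId), not the object id.
$dev = Get-MgDevice -Filter "displayName eq '$DeviceName'" -Property id, deviceId, displayName
if (-not $dev) { throw "Device $DeviceName not found in Entra" }
if (@($dev).Count -gt 1) { throw "Device name $DeviceName is ambiguous; select by deviceId instead" }

# Without $select=credentials Graph returns only the metadata (timestamps, device name).
$uri  = "https://graph.microsoft.com/v1.0/directory/deviceLocalCredentials/$($dev.DeviceId)?`$select=credentials"
$resp = Invoke-MgGraphRequest -Method GET -Uri $uri

# The credentials collection contains the current password and a history of older ones,
# so sort by backup time and mark the newest entry as the one that is valid right now.
$resp.credentials |
    Sort-Object { [datetime]$_.backupDateTime } -Descending |
    ForEach-Object -Begin { $i = 0 } -Process {
        [pscustomobject]@{
            Current    = ($i++ -eq 0)
            Account    = $_.accountName
            AccountSid = $_.accountSid
            BackedUp   = $_.backupDateTime
            # Generated LAPS passwords are plain ASCII, so UTF-8 decoding of the base64 value is safe
            Password   = [System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($_.passwordBase64))
        }
    } | Format-Table -AutoSize
```

Like the portal, every call that selects the credentials is an audited password recovery in Entra, so run this under a dedicated identity and avoid logging its output.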

The user’s perspective and discussion

Check out our video on #DuRM365 for more details!