Every Windows machine ships with a built-in local Administrator account. This account has full control of the machine and cannot be deleted. It is protected by a password, and many organizations manage that password on-premises with Windows LAPS.
Until recently there was no way to manage this password from the cloud. Microsoft now provides a solution for managing local admin account passwords in Microsoft Intune.
Manage LAPS via Microsoft Intune endpoint security policies for account protection
You can use Microsoft Intune endpoint security policies for account protection to manage LAPS on Intune-enrolled devices. With these policies you can enforce password requirements for local admin accounts, back up local admin account passwords from devices to Azure AD, and rotate the password for local admin accounts on a schedule.
Microsoft Intune supports the following capabilities:
- Set password requirements – You can define password requirements (complexity, length) for the local administrator account.
- Rotate passwords – You can rotate local admin account passwords on a schedule, and you can rotate the password of a single device manually using a device action in the Intune portal.
- Back up accounts and passwords – You can back up the account and password to either Azure Active Directory (Azure AD) or your on-premises AD; passwords are stored using strong encryption.
- Configure post-authentication actions – You can define what happens when the local admin account password expires: reset the password to a new secure value, log off the account, or do both and then power down the device.
- View account details – Using role-based access control (RBAC) permissions, Intune administrators can view a device's local account information and password.
- View reports – Intune provides details of manual and scheduled password rotations.
Prerequisites for using Intune policies for LAPS management:
Only the following platforms support LAPS management through Microsoft Intune:
- Windows 10, version 22H2 (19045.2846 or later) with KB5025221
- Windows 10, version 21H2 (19044.2846 or later) with KB5025221
- Windows 10, version 20H2 (19042.2846 or later) with KB5025221
- Windows 11, version 22H2 (22621.1555 or later) with KB5025239
- Windows 11, version 21H2 (22000.1817 or later) with KB5025224
Can I use Windows LAPS with a free trial?
Yes. With a free trial subscription and Microsoft Intune Plan 1, you can use Windows LAPS. Azure AD Free is also included with an Intune subscription, and all Windows LAPS features can be used.
RBAC permission to manage LAPS
The account must have sufficient permissions on security baselines to create and access a LAPS policy.
The built-in Endpoint Security Manager role has these permissions by default.
To rotate the local administrator password, the account must have read access to devices and organizations, and the Rotate Local Admin Password permission for remote tasks.
What Azure AD permissions are required to retrieve local admin password?
To retrieve the local administrator password, the account must have one of the following permissions in Azure Active Directory:
- directory/deviceLocalCredentials/password/read
- directory/deviceLocalCredentials/standard/read
Configure Windows LAPS policies using Microsoft Intune:
- Sign in to the Microsoft Intune admin center, go to Endpoint security -> Account protection, create a policy, and choose the following options:
Platform -> Windows 10 and later
Profile -> Local admin password solution (Windows LAPS)
- On the Basics page, enter a name and a description for the profile and click Next.
- On the Configuration settings page, configure:
Backup Directory: Choose where the local admin account is backed up. If you select Backup the password to Active Directory, additional settings appear, such as Password History Size and Password Age Days.
You can also choose not to back up the account and password. Once the settings are configured, click Next.
- On the Scope tag page, specify the desired scope tag and click Next.
- On the Assignments page, select the groups the policy should apply to. It is recommended to assign the policy to device groups. If you assign it to user groups, a user who signs in to several devices causes inconsistent behaviour, because each device the user signs in to must back up its own account.
- On the Review and Create page, review the settings, and click Create.
View local admin account details for devices:
- In the Microsoft Intune admin center, go to Devices -> All devices, select the device, and under Monitor select "Local admin password".
- Click Show Local Administrator Password; the following account details are shown in the left pane:
Account name, Security ID, Local admin password, Last password rotation, and Next password rotation.
- The local admin password can be viewed only if the account is backed up to Azure Active Directory.
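The following script, added here as an example and not part of the original post, audits whether a device's local admin password has actually been backed up to Azure AD before anyone tries to view it in the portal. It uses the Get-LapsAADPassword cmdlet from the Windows LAPS PowerShell module together with the Microsoft Graph PowerShell SDK, and assumes both modules are installed and that the Graph scope names shown are the ones that map to the Azure AD permissions listed above.

```powershell
# Added example (not from the original post): check the Azure AD backup state of the
# local admin password for one or more devices. The password itself is only fetched
# when -ShowPassword is given, so routine audits never pull the secret.
param(
    [Parameter(Mandatory)] [string[]] $DeviceIds,   # Azure AD device IDs to check
    [switch] $ShowPassword                          # retrieve the secret only on request
)

# Assumption: ReadBasic.All returns metadata only (device name, expiry); Read.All is
# required to retrieve the password, mirroring the standard/read vs password/read split.
$scope = if ($ShowPassword) { 'DeviceLocalCredential.Read.All' } else { 'DeviceLocalCredential.ReadBasic.All' }
Connect-MgGraph -Scopes 'Device.Read.All', $scope | Out-Null

foreach ($id in $DeviceIds) {
    $params = @{ DeviceIds = $id }
    if ($ShowPassword) {
        $params['IncludePasswords'] = $true
        $params['AsPlainText']      = $true
    }

    # A device with no LAPS backup returns nothing here; the portal shows nothing either.
    $cred = Get-LapsAADPassword @params -ErrorAction SilentlyContinue
    if (-not $cred) {
        [pscustomobject]@{ DeviceId = $id; DeviceName = ''; Status = 'NoBackupInAzureAD'; Expires = $null }
        continue
    }

    # An expiry in the past means the scheduled rotation has not reported a new password.
    $status = if ($cred.PasswordExpirationTime -lt (Get-Date)) { 'Expired' } else { 'BackedUp' }
    [pscustomobject]@{
        DeviceId   = $cred.DeviceId
        DeviceName = $cred.DeviceName
        Status     = $status
        Expires    = $cred.PasswordExpirationTime
        Password   = if ($ShowPassword) { $cred.Password } else { '<not requested>' }
    }
}
```

Run it against a list of device IDs exported from Intune to find devices whose policy is assigned but whose password never reached Azure AD, which is the usual reason the portal shows no password.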
Rotate local admin password:
- Under All devices, select the device; on the right of the menu bar you will find the option "Rotate local admin password". Select it.
- A confirmation message is displayed. Once you confirm, Intune initiates the rotation and completes it within a few minutes.
Reports for LAPS Policy:
- Using the LAPS policy report, you can view the configuration and assignments of the policy. Sign in to the Intune admin center and go to Endpoint security, where the list of account protection policies is shown. Select the policy and click View report to open the per-device details report.
Troubleshooting Windows LAPS:
- In Event Viewer, go to Applications and Services Logs -> Microsoft -> Windows -> LAPS -> Operational to verify Windows LAPS events. The following event IDs apply to Windows LAPS configured for Active Directory and for Azure Active Directory.
| Event ID | Scenario |
|---|---|
| 10006 | Windows LAPS Active Directory |
| 10011 | Windows LAPS Active Directory |
| 10012 | Windows LAPS Active Directory |
| 10013 | Windows LAPS Active Directory and Azure AD |
| 10017 | Windows LAPS Active Directory |
| 10019 | Windows LAPS Active Directory and Azure AD |
| 10025 | Windows LAPS Azure AD |
| 10026 | Windows LAPS Azure AD |
| 10027 | Windows LAPS Active Directory and Azure AD |
| 10028 | Windows LAPS Azure AD |
| 10032 | Windows LAPS Azure AD |
| 10034 | Windows LAPS Active Directory |
| 10035 | Windows LAPS Active Directory |
| 10048 | Windows LAPS Active Directory and Azure AD |
| 10049 | Windows LAPS Active Directory and Azure AD |
| 10056 | Windows LAPS Active Directory |
| 10057 | Windows LAPS Active Directory |
| 10059 | Windows LAPS Azure AD |
| 10065 | Windows LAPS Active Directory |
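Reading the Operational log by hand does not scale past a few devices. The script below, added as an example and not part of the original post, pulls the Windows LAPS Operational log from a device, tallies events by ID against the table above, and surfaces any Critical, Error or Warning entries so a failed policy run or backup stands out. It assumes the account running it can read the event log on the target machine.

```powershell
# Added example (not from the original post): summarise Windows LAPS Operational events
# on a device and list any that were logged at Critical/Error/Warning level.
param(
    [string] $ComputerName = $env:COMPUTERNAME,   # remote name works if Remote Event Log is allowed
    [int]    $Days = 7
)

$logName = 'Microsoft-Windows-LAPS/Operational'

# Event ID -> backup scenario, copied from the table in this post.
$scenario = @{
    10006 = 'AD'; 10011 = 'AD'; 10012 = 'AD'; 10013 = 'AD+AzureAD'; 10017 = 'AD'
    10019 = 'AD+AzureAD'; 10025 = 'AzureAD'; 10026 = 'AzureAD'; 10027 = 'AD+AzureAD'
    10028 = 'AzureAD'; 10032 = 'AzureAD'; 10034 = 'AD'; 10035 = 'AD'; 10048 = 'AD+AzureAD'
    10049 = 'AD+AzureAD'; 10056 = 'AD'; 10057 = 'AD'; 10059 = 'AzureAD'; 10065 = 'AD'
}

$filter = @{ LogName = $logName; StartTime = (Get-Date).AddDays(-$Days) }
$events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue

if (-not $events) {
    # An empty log usually means the policy never applied or the OS build is below the
    # prerequisites listed earlier in this post.
    Write-Warning "No LAPS events in the last $Days days on $ComputerName."
    return
}

# 1. Count per event ID, annotated with the scenario from the table (unknown IDs are kept).
$events | Group-Object Id | Sort-Object { [int]$_.Name } | ForEach-Object {
    $eventId = [int]$_.Name
    [pscustomobject]@{
        EventId  = $eventId
        Scenario = if ($scenario.ContainsKey($eventId)) { $scenario[$eventId] } else { 'not in table' }
        Count    = $_.Count
        LastSeen = ($_.Group | Sort-Object TimeCreated -Descending | Select-Object -First 1).TimeCreated
    }
} | Format-Table -AutoSize

# 2. Level 1 = Critical, 2 = Error, 3 = Warning: these deserve a look regardless of ID.
$events | Where-Object { $_.Level -in 1, 2, 3 } |
    Sort-Object TimeCreated -Descending |
    Select-Object TimeCreated, Id, LevelDisplayName, Message |
    Format-List
```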
What’s the requirement for manual password rotation?
For manual password rotation the device must be online; if it is not reachable, the rotation fails. Passwords cannot be rotated for all devices at once; rotation has to be performed one device at a time.
Wrapping it Up:
By managing LAPS through Microsoft Intune's endpoint security policies, you can enforce password requirements, rotate passwords on a schedule, and back up accounts to Azure AD with strong encryption.
Windows Management Experts helps you seamlessly configure post-authentication actions and gain visibility into the device’s local account details. Our Intune services provide an error-free integration, ensuring a smooth transition to this advanced security solution. Ultimately, we help you enhance your organization’s protection against cyber threats and strengthen your security posture.
For more information and expert assistance, reach out to our sales team at sales@winmgmtexperts.com