Windows LAPS Management using Microsoft Intune

Windows LAPS Management using Intune

A local Administrator account is built-in with every Windows machine. This account has full access to the machine, and we cannot delete it. The local admin account is protected with an account password and many organizations manage local admin account passwords using Windows LAPS Management on-premises.

The solution to managing this password in the cloud was not available. Recently, Microsoft came up with a solution to manage local admin account passwords in Microsoft Intune.

Manage LAPS via Microsoft Intune endpoint security policies for account protection

You can use Microsoft Intune endpoint security policies for account protection to manage LAPS on Intune-enrolled devices. Using these policies, you can enforce password requirements for local admin accounts, backup local admin accounts from devices to Azure AD, and rotate the password for local admin accounts on a scheduled basis.

Microsoft Intune supports the below capabilities:

  • Set password requirements – You can define password requirements (complexity, length) for the local administrator account.
  • Rotate passwords – You can rotate the local admin account passwords on a schedule and, manually rotate the password for a device using device action in Intune portal.
  • Backup accounts and passwords – You can back up the account and password in either Azure Active Directory (Azure AD), or your on-premises AD and Passwords are stored using strong encryption.
  • Configure post authenticating actions – You can define actions when local admin account password expires. Resetting the new secure password, logging off the account or doing both actions and then powering down the device.
  • View account details – Using role based administrative control (RBAC) permissions, Intune administrators can view information of device local account and password.
  • View reports – Intune provides the details of manual and scheduled password rotation.

Prerequisites for using Intune policies for LAPS management:


Only the following platforms are supported to use LAPS using Microsoft Intune:

  • Windows 10, version 22H2 (19045.2846 or later) with KB5025221
  • Windows 10, version 21H2 (19044.2846 or later) with KB5025221
  • Windows 10, version 20H2 (19042.2846 or later) with KB5025221
  • Windows 11, version 22H2 (22621.1555 or later) with KB5025239
  • Windows 11, version 21H2 (22000.1817 or later) with KB5025224

Can I use Windows LAPS with Free Trial?

Yes, with Free trial subscription, & Microsoft Intune Plan1, you can use Windows LAPS. Azure AD free is also included Intune subscription and all features of Windows LAPS can be used.

RBAC permission to manage LAPS

The account should have sufficient permission for security baselines to create and access LAPS policy.

Endpoint Security Manager
built in role has the permission by default.

To rotate the local administrator password, the account must have read access to devices, organisations, and Rotate Local Admin Password for remote tasks.

What Azure AD permissions are required to retrieve local admin password?

To retrieve the local administrator password, the account must have one of the below permissions in Azure Active Directory:

  • directory/deviceLocalCredentials/password/read
  • directory/deviceLocalCredentials/standard/read

Configure Windows LAPS policies using Microsoft Intune:

  • Login to Microsoft Intune Admin Center and go to -> Endpoint Security -> Account protection and create policy and choose the below option.

Platform -> Windows 10 and later

Profile -> Local admin password solution (Windows LAPS)

  • On the Basics page, specify the name of the profile and provide a description for the profile and click Next.
  • On the Configuration Settings page, go to:

Backup Directory: Choose the type of backup directory to back the local admin account. If you select Backup the password to Active Directory, you will get the additional settings as mentioned above like Password History Size, Age Days, etc.

You can also choose to not back up the account and password. Once settings are configured, click Next.

  • On the Scope tag page, specify the desired scope tag and click Next.
  • On the Assignments page, select the groups you want to apply this policy. It’s recommended to apply the policy to device groups and if you apply it to user groups, the user uses different devices and this leads to inconsistent behaviour which the user device needs to back up.
  • On the Review and Create page, review the settings, and click Create.

View local admin account details for devices:

  • In Microsoft Intune Admin Center, go to -> Devices -> All Devices and select the device and select “Local admin password” under Monitor.
  • Click Show Local Administrator Password and the following account details will be shown in the left pane:

Account name, Security ID, Local Admin password, Last password rotation, and Next password rotation.

  • The local admin password can be viewed only if the account is backed up in Azure Active Directory.

Rotate local admin password:

  • Select the device under all devices and right of the menu bar, you will find the option to “Rotate Local admin password” and select.
  • It displays the confirmation message. Once confirmed to proceed further, Intune will initiate and complete the process in a few minutes.

Reports for LAPS Policy:

  • Using the LAPS policy report, you can view the configuration and assignments of the policy. Sign to Intune admin Centre -> Endpoint Security, you will find the list of protection policies. Select the policy and click view report which will open the details report for each device.

Troubleshooting Windows LAPS:

  • Go to Applications and Services logs -> Microsoft -> Windows -> LAPS -> Operational to verify windows LAPS events. Please find the below event IDs for Windows LAPS configured in Windows LAPS Active Directory and Azure Active Directory.
Event IDScenario
10006Windows LAPS Active Directory
10011Windows LAPS Active Directory
10012Windows LAPS Active Directory
10013Windows LAPS Active Directory and Azure AD
10017Windows LAPS Active Directory
10019Windows LAPS Active Directory and Azure AD
10025Windows LAPS Azure AD
10026Windows LAPS Azure AD
10027Windows LAPS Active Directory and Azure AD
10028Windows LAPS Azure AD
10032Windows LAPS Azure AD
10034Windows LAPS Active Directory
10035Windows LAPS Active Directory
10048Windows LAPS Active Directory and Azure AD
10049Windows LAPS Active Directory and Azure AD
10056Windows LAPS Active Directory
10057Windows LAPS Active Directory
10059Windows LAPS Azure AD
10065Windows LAPS Active Directory

What’s the requirement for manual password rotation?

For Manual password rotation, the device must be online and if it’s not available, it will fail to rotate the password. We cannot rotate the password for all devices at once and need to perform one device at a time.

Wrapping it Up:

Using efficient techniques of LAPS management using Microsoft Intune’s endpoint security policies, you can enforce password requirements, rotate passwords on schedule, and backup accounts to Azure AD with robust encryption.

Windows Management Experts helps you seamlessly configure post-authentication actions and gain visibility into the device’s local account details. Our Intune services provide an error-free integration, ensuring a smooth transition to this advanced security solution. Ultimately, we help you enhance your organization’s protection against cyber threats and strengthen your security posture.

For more information and expert assistance, reach out to our sales team at



Contact Us

On Key

More Posts

WME Cybersecurity Briefings No. 014
Cyber Security

WME Security Briefing 14 June 2024

LightSpy Spyware’s macOS Variant Detected with Advanced Surveillance Capabilities Overview Findings reveal a previously undocumented macOS variant of the LightSpy spyware. It was initially thought to target only iOS users. This spyware utilizes a plugin-based system

Read More »
WME Cybersecurity Briefings No. 013
Cyber Security

WME Security Briefing 10 June 2024

CISA Urges Patching of Actively Exploited Linux Kernel Vulnerability Overview CISA just issued an urgent advisory concerning a newly discovered security flaw in the Linux kernel. The flaw is being actively exploited to affect the netfilter component of

Read More »
3 Things to Consider Before You Enable Copilot for Microsoft 365
Microsoft Copilot

3 Things to Consider Before You Enable Copilot for Microsoft 365

In today’s digital landscape, any productivity tool that streamlines workflow and boosts performance is a pleasant addition. With its AI-powered productivity-enhancing capabilities, Microsoft Copilot has emerged as a game-changer for employees, particularly for organizations using Microsoft

Read More »
WME Cybersecurity Briefings No. 012
Cyber Security

WME Security Briefing 03 June 2024

Moroccan Cybercrime Group Exploits Gift Card Systems for Major Financial Gains Overview: Storm-0539, also called Atlas Lion, is a Moroccan cybercrime group that executes advanced email and SMS phishing attacks. They are committing fraud by utilizing

Read More »
Be assured of everything

Get WME Services

Stay ahead of the competition with our Professional IT offerings.