How to Deploy Microsoft Entra LAPS with Intune Step by Step

Microsoft Entra LAPS (Local Administrator Password Solution), or Windows LAPS, provides management of a single local administrator account on Microsoft Entra joined or local Active Directory joined devices. The password is stored and protected in the directory, and access to it can then be delegated to specific users.

The configuration and deployment of modern Microsoft Entra LAPS is simplified with Microsoft Intune: once enabled in your tenant, a single configuration profile can be used to configure Windows LAPS (which is built into the latest versions of the Windows operating system). The password can then be accessed and rotated manually through the Microsoft Entra or Intune management portals.

In this tutorial, I am going to show you how to configure Microsoft Entra LAPS from the Microsoft Intune management portal.

About LAPS with Intune

The Microsoft Entra LAPS scenario is backed by the new Windows LAPS capabilities built directly into the Windows operating system. This means it can be quickly and easily deployed without additional client software being installed. 

The downside to this comes in the form of the requirements. Windows LAPS is only supported in the latest operating systems, meaning that if you are not current and consistent with Windows feature updates (which are a pain to some), you may be left with some devices that are not secured. Although, of course, having all devices up to date is a good thing. Therefore, the requirements must be carefully considered to reap the security benefits that Microsoft Entra LAPS with Intune can bring. Fundamentally it is all or nothing; if you leave a hole, the hacker will find it.

The deployment of Microsoft Entra ID LAPS is simplified using Microsoft Intune; however, for those with limited management capabilities, it can also be deployed via group policies, manually through registry keys, or using Windows CSP settings in Intune. Should multiple deployment methods apply to a single machine, the Windows CSP/Intune settings will always take precedence. Intune will always be the recommended choice: it is simple, the reporting features are good, and it does not require line of sight to a domain controller.


Microsoft Entra LAPS utilises the Windows LAPS component built into the Windows operating system, available on the following versions of Windows. You can use the links below to manually download the necessary update files from the Microsoft Update Catalogue.

Thankfully, LAPS is included with the free tier of Microsoft Entra ID, so if you have any Microsoft 365 license in your tenant, you will be supported in saving the LAPS password in Microsoft Entra ID. However, as you can expect, for management through Intune you will need, at minimum, a Microsoft Intune Plan 1 license, the basic Intune subscription. It is also supported during a trial subscription.

Enable Microsoft Entra LAPS

To support the implementation of Microsoft Entra LAPS, you must first enable Windows LAPS for Microsoft Entra in the Microsoft Entra management portal. To do this, simply follow the below steps:

1. Log in to Microsoft Entra.

2. Expand Identity, then Devices > All Devices.

Select All Devices in Microsoft Entra

3. Select Device Settings.

Select Devices Settings

4. Set Enable Microsoft Entra Local Administrator Password Solution (LAPS) to Yes, then click Save at the top.

When this is complete, you will be ready to enable Microsoft Entra LAPS on your devices. Also, behind the scenes, this will set the IsEnabled field for the localadminpassword setting to True in Microsoft Graph.

You should also know that when you enable Microsoft Entra LAPS here, it becomes available to store LAPS passwords for all devices. Whether you configure LAPS for all devices or just specific devices is decided by the configuration policies in the next step.
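As an added check that is not part of the original post, the following PowerShell reads the tenant-level toggle back through Microsoft Graph (the deviceRegistrationPolicy resource, whose localAdminPassword.isEnabled field is the one the portal sets). It uses the Microsoft.Graph.Authentication module; the Policy.Read.All scope is an assumption on my part, so adjust it if your tenant requires a different permission.

```powershell
# Added example: confirm that Microsoft Entra LAPS is enabled at tenant level.
# Assumes the Microsoft.Graph.Authentication module is installed and that the
# signed-in account can read policies (scope assumed: Policy.Read.All).
Import-Module Microsoft.Graph.Authentication

function Test-EntraLapsEnabled {
    # Returns $true when localAdminPassword.isEnabled is set on the device registration policy.
    Connect-MgGraph -Scopes 'Policy.Read.All' -NoWelcome

    $uri    = 'https://graph.microsoft.com/v1.0/policies/deviceRegistrationPolicy'
    $policy = Invoke-MgGraphRequest -Method GET -Uri $uri -OutputType PSObject

    $enabled = [bool]$policy.localAdminPassword.isEnabled
    if (-not $enabled) {
        # Without this toggle, clients cannot back up their password to Entra ID,
        # so the Intune policy created later would apply but never store anything.
        Write-Warning 'Microsoft Entra LAPS is not enabled for this tenant.'
    }
    return $enabled
}

Test-EntraLapsEnabled
```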

Enable Microsoft Entra LAPS

Create a LAPS configuration policy

Now that LAPS is enabled for your tenant, you are ready to create a configuration policy which will contain all the settings for Microsoft Entra LAPS to apply to your devices.

1. Log in to Intune.

2. Select Endpoint Security.

Select Endpoint Security

3. Then select Account Protection.

Select Account Protection

4. Click Create Policy to create a new Endpoint Protection Policy for Windows LAPS.

Select Create Policy

5. In the pop-out window, select Windows LAPS from the drop-down list and click Create.

Select Windows LAPS and click Create

6. Choose a meaningful policy name and click Next.

Azure AD LAPS policy name

7. Define your Windows LAPS configuration settings. You can use my settings below as a recommendation:

Define the Azure AD LAPS Settings

Some of the settings above have been left at their defaults; the default values are:

  • Administrator Account Name: The default admin SID (which is consistent across all devices) will be used, regardless of whether the account has been renamed.
  • Password Complexity: Large letters + small letters + numbers + special characters
  • Password Length: 14 characters
  • Post Authentication Actions: Reset the password and log off the managed account
  • Post Authentication Reset Delay: 24 hours.

When you are done, click Next.

8. Define any scope tags in the Scope tags section and click Next.

9. Click Add all devices to apply this policy to all supported devices enrolled in Intune. You can also define any device filters here to exclude specific devices from the Microsoft Entra LAPS policy. Then click Next.

Click Add all devices

10. Finally review your settings and click Create.

Check if Microsoft Entra LAPS is successful

When deploying Microsoft Entra LAPS there is no need to reboot your devices, unlike the previous version of LAPS, where a reboot was required to deploy the MSI via GPO. This means that the next time the policy applies to your device, LAPS will be configured.

You can verify whether the policy has deployed as expected from the policy report window:

From the Intune portal: Endpoint security > Account protection > *Your LAPS policy* > View Report.

Azure AD LAPS deployment success

Windows Event Logs

You will see Event ID 10022 for LAPS once it has been deployed successfully on the client, located at:

Application and Services Logs > Microsoft > Windows > LAPS

The log will contain information on the configuration of LAPS; this can help you confirm that the correct policy is applied if you have different configurations for different groups of devices.

The current LAPS policy is configured as follows:

Policy source: CSP
Backup directory: Azure Active Directory
Local administrator account name:
Password age in days: 7
Password complexity: 4
Password length: 14
Post authentication grace period (hours): 24
Post authentication actions: 0x3
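The following PowerShell is an added example, not part of the original post: it reads the newest event 10022 from the client's LAPS operational log (channel name Microsoft-Windows-LAPS/Operational, the log shown above), parses the "Setting: Value" lines of the message, and compares them with the values expected from the Intune policy created in this tutorial. The expected values are taken from the event text above; change them to match your own policy.

```powershell
# Added example: verify on a client that the applied Windows LAPS policy matches
# what was configured in Intune, using the event 10022 text shown in this post.
$Expected = @{
    'Policy source'                            = 'CSP'
    'Backup directory'                         = 'Azure Active Directory'
    'Password age in days'                     = '7'
    'Password complexity'                      = '4'
    'Password length'                          = '14'
    'Post authentication grace period (hours)' = '24'
}

function Get-LapsAppliedPolicy {
    # Returns a hashtable of the "Setting: Value" lines from the newest 10022 event,
    # or $null when the policy has not been processed on this device yet.
    $filter = @{ LogName = 'Microsoft-Windows-LAPS/Operational'; Id = 10022 }
    $event  = Get-WinEvent -FilterHashtable $filter -MaxEvents 1 -ErrorAction SilentlyContinue
    if (-not $event) { return $null }
    $applied = @{}
    foreach ($line in ($event.Message -split "`r?`n")) {
        if ($line -match '^\s*([^:]+):\s*(.*)$') { $applied[$Matches[1].Trim()] = $Matches[2].Trim() }
    }
    return $applied
}

function Test-LapsPolicyMatches {
    param([hashtable]$Applied, [hashtable]$Expected)
    # Returns one line per setting that is missing or differs; an empty result means a match.
    $mismatches = @()
    foreach ($key in $Expected.Keys) {
        if ($Applied[$key] -ne $Expected[$key]) {
            $mismatches += "$key expected '$($Expected[$key])' but found '$($Applied[$key])'"
        }
    }
    return $mismatches
}

$applied = Get-LapsAppliedPolicy
if (-not $applied) {
    Write-Warning 'No event 10022 found: the LAPS policy has not applied on this device yet.'
} else {
    $problems = Test-LapsPolicyMatches -Applied $applied -Expected $Expected
    if ($problems.Count -eq 0) { 'Applied LAPS policy matches the expected Intune configuration.' }
    else { $problems | ForEach-Object { Write-Warning $_ } }
}

# Also surface recent blocked external password changes (event 10031, covered later in the post).
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-LAPS/Operational'; Id = 10031 } `
    -MaxEvents 5 -ErrorAction SilentlyContinue | Select-Object TimeCreated, Id, Message
```

Run it in an elevated PowerShell session on the managed device; the same parsing works for a different group's policy if you swap the values in $Expected.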

See for more information.

View and rotate Microsoft Entra LAPS password

Viewing and rotating the LAPS password for a device can be done quickly and easily through the Microsoft Entra portal or the Intune portal. 

Microsoft Entra Portal

To view the LAPS password from the Microsoft Entra Portal, follow these steps:

Devices > Local administrator password recovery > Select your Device > Show local Administrator password.

Intune Portal

To view the LAPS password from the Intune Portal, follow these steps:

Devices > All devices > Select your device > Local Admin password > Show local admin password.

To rotate the password before the set expiration period, select the device from within Intune, click on the three dots at the top right, then click Rotate local admin password.

Rotate local admin password

LAPS will also block external attempts to change the password, including when you use the ‘reset password’ function in Azure for virtual machines. The following entry will appear in the Windows event log:

Event ID: 10031

LAPS blocked an external request that tried to modify the password of the current managed account.

Account name: %accountname%
Account RID: 0x1F4

See for more information.

Daniel Bradley

My name is Daniel Bradley and I work with Microsoft 365 and Azure as an Engineer and Consultant. I enjoy writing technical content for you and engaging with the community. All opinions are my own.
