Microsoft Entra LAPS (Local Administrator Password Solution), or Windows LAPS, provides management of a single local administrator account on Microsoft Entra joined or local Active Directory joined devices. The password is backed up to the directory, and access to it can then be delegated to specific users.
The configuration and deployment of modern Microsoft Entra LAPS is simplified with Microsoft Intune. Once LAPS is enabled in your tenant, a single configuration profile can be used to configure Windows LAPS (which is built into the latest versions of the Windows operating system). The password can then be viewed and rotated manually through the Microsoft Entra or Intune management portals.
In this tutorial, I am going to show you how to configure Microsoft Entra LAPS from the Microsoft Intune management portal.
About LAPS with Intune
The Microsoft Entra LAPS scenario is backed by the new Windows LAPS capabilities built directly into the Windows operating system. This means it can be quickly and easily deployed without additional client software being installed.
The downside to this comes in the form of the requirements. Windows LAPS is only supported on the latest operating systems, meaning that if you are not current and consistent with Windows feature updates (which are a pain to some), you may be left with some devices that are not secured. Of course, having all devices up to date is a good thing in itself. The requirements must therefore be carefully considered to reap the security benefits that Microsoft Entra LAPS with Intune can bring. Fundamentally it is all or nothing: if you leave a hole, the hacker will find it.
The deployment of Microsoft Entra LAPS is simplified using Microsoft Intune; however, for those with limited management capabilities, it can also be deployed via group policy, manually through registry keys, or using Windows CSP settings in Intune. Should multiple deployment methods apply to a single machine, the Windows CSP/Intune settings will always take precedence. Intune will always be the recommended choice: it is simple, the reporting features are good, and it does not require line of sight to a domain controller.
Requirements
Microsoft Entra LAPS utilises the Windows LAPS component built into the Windows operating system, available on the following versions of Windows. You can use the links below to manually download the necessary update files from the Microsoft Update Catalogue.
- Windows 11 22H2 – April 11 2023 Update -> Download KB5025239
- Windows 11 21H2 – April 11 2023 Update -> Download KB5025224
- Windows 10 – April 11 2023 Update -> Download KB5025221
- Windows Server 2022 – April 11 2023 Update -> Download KB5025230
- Windows Server 2019 – April 11 2023 Update -> Download KB5025229
Thankfully, Microsoft Entra LAPS is included with the free tier of Microsoft Entra ID, so if you have any Microsoft 365 license in your tenant, storing the LAPS password in Microsoft Entra ID is supported. However, as you would expect, for management through Intune you will need at minimum a Microsoft Intune Plan 1 license, the basic Intune subscription. It is also supported during a trial subscription.
Enable Microsoft Entra LAPS
To support the implementation of Microsoft Entra LAPS, you must first enable Windows LAPS for Microsoft Entra in the Microsoft Entra management portal. To do this, follow these steps:
1. Log in to Microsoft Entra.
2. Expand Identity, then Devices > All Devices.
3. Select Device Settings.
4. Set Enable Microsoft Entra Local Administrator Password Solution (LAPS) to Yes, then click Save at the top.
When this is complete, you will be ready to enable Microsoft Entra LAPS on your devices. Behind the scenes, this sets the IsEnabled field of the localadminpassword setting to True in Microsoft Graph.
You should also know that when you enable Microsoft Entra LAPS here, it becomes available for storing LAPS passwords for all devices. Whether LAPS is configured for all devices or only for specific devices is decided by the configuration policies in the next step.
Create a LAPS configuration policy
Now that LAPS is enabled for your tenant, you are ready to create a configuration policy that contains all the Microsoft Entra LAPS settings to apply to your devices.
1. Log in to the Microsoft Intune management portal.
2. Select Endpoint Security.
3. Then select Account Protection.
4. Click Create Policy to create a new Endpoint Protection Policy for Windows LAPS.
5. In the pop-out window, select Windows LAPS from the drop-down list and click Create.
6. Choose a meaningful policy name and click Next.
7. Define your Windows LAPS configuration settings. Use my settings as recommended:
Some settings above have been left at their defaults; the default values are as follows:
- Administrator Account Name: The default admin SID (which is consistent across all devices) will be used, regardless of whether the account has been renamed.
- Password Complexity: Large letters + small letters + numbers + special characters
- Password Length: 14 characters
- Post Authentication Actions: Reset the password and log off the managed account
- Post Authentication Reset Delay: 24 hours
8. Define any scope tags in the Scope tags section and click Next.
9. Click Add all devices to apply this policy to all supported devices enrolled in Intune. You can also define device filters here to exclude specific devices from the Microsoft Entra LAPS policy. Then click Next.
10. Finally, review your settings and click Create.
Check if Microsoft Entra LAPS is successful
When deploying Microsoft Entra LAPS there is no need to reboot your devices, unlike the previous version of LAPS, where a reboot was required to deploy the MSI via GPO. This means LAPS will be configured the next time the policy applies to your device.
You can verify whether the policy has deployed as expected from the policy report window:
From the Intune portal: Endpoint security > Account protection > *Your LAPS policy* > View Report.
Windows Event Logs
You will see Event ID 10022 for LAPS once it has been deployed successfully on the client, located at:
Application and Services Logs > Microsoft > Windows > LAPS
The log contains information on the configuration of LAPS; this can help you confirm that the correct policy has been applied if you have different configurations for different groups of devices.
The current LAPS policy is configured as follows:
Policy source: CSP
Backup directory: Azure Active Directory
Local administrator account name:
Password age in days: 7
Password complexity: 4
Password length: 14
Post authentication grace period (hours): 24
Post authentication actions: 0x3
See https://go.microsoft.com/fwlink/?linkid=2220550 for more information.
View and rotate Microsoft Entra LAPS password
Viewing and rotating the LAPS password for a device can be done quickly and easily through the Microsoft Entra portal or the Intune portal.
Microsoft Entra Portal
To view the LAPS password from the Microsoft Entra Portal, follow these steps:
Devices > Local administrator password recovery > Select your Device > Show local Administrator password.
Intune Portal
To view the LAPS password from the Intune Portal, follow these steps:
Devices > All devices > Select your device > Local Admin password > Show local admin password.
To rotate the password before the set expiration period, select the device from within Intune, click the three dots at the top right, then click Rotate local admin password.
LAPS also blocks external attempts to change the password, including the 'reset password' function in Azure for virtual machines. The following event will appear in the Windows event log:
Event ID: 10031
LAPS blocked an external request that tried to modify the password of the current managed account.
Account name: %accountname%
Account RID: 0x1F4
See https://go.microsoft.com/fwlink/?linkid=2220550 for more information.
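The two event IDs above (10022 for the applied policy and 10031 for blocked external password changes) can be checked on a client in one pass. The following PowerShell is an added example, not part of the original article: it assumes the Windows LAPS channel name Microsoft-Windows-LAPS/Operational, the message layout shown above, and the expected values taken from the event text in this article; run it in an elevated session.

```powershell
# Added example: verify the applied Windows LAPS policy (Event ID 10022) against
# the values shown in this article and list blocked external password changes
# (Event ID 10031). Assumes the channel "Microsoft-Windows-LAPS/Operational".

# Expected values, taken from the 10022 event text in the article.
$Expected = @{
    'Backup directory'            = 'Azure Active Directory'
    'Password age in days'        = '7'
    'Password complexity'         = '4'
    'Password length'             = '14'
    'Post authentication actions' = '0x3'
}

function Get-LapsPolicyFromEvent {
    param([Parameter(Mandatory)] [string] $Message)
    # Turn the "Key: value" lines of the 10022 message into a hashtable.
    # The header and the "See https://..." line also match but are harmless.
    $policy = @{}
    foreach ($line in $Message -split "`r?`n") {
        if ($line -match '^\s*([^:]+?)\s*:\s*(.*)$') {
            $policy[$Matches[1].Trim()] = $Matches[2].Trim()
        }
    }
    return $policy
}

$log = 'Microsoft-Windows-LAPS/Operational'

# (a) Most recent policy-applied event.
$cfg = Get-WinEvent -FilterHashtable @{ LogName = $log; Id = 10022 } -MaxEvents 1 -ErrorAction SilentlyContinue
if (-not $cfg) {
    Write-Warning 'No Event ID 10022 found: the LAPS policy has not applied to this device yet.'
} else {
    $policy = Get-LapsPolicyFromEvent -Message $cfg.Message
    foreach ($key in $Expected.Keys) {
        $status = if ($policy[$key] -eq $Expected[$key]) { 'OK' } else { 'MISMATCH' }
        '{0,-8} {1}: got "{2}", expected "{3}"' -f $status, $key, $policy[$key], $Expected[$key]
    }
    # Intune/CSP settings take precedence, so any other source means the Intune policy has not applied.
    if ($policy['Policy source'] -ne 'CSP') {
        Write-Warning "Policy source is '$($policy['Policy source'])', not CSP: LAPS is configured by another deployment method."
    }
}

# (b) Blocked external password changes, a useful detection signal.
$blocked = @(Get-WinEvent -FilterHashtable @{ LogName = $log; Id = 10031 } -ErrorAction SilentlyContinue)
if ($blocked.Count -gt 0) {
    '{0} external password change(s) blocked by LAPS; most recent at {1}' -f $blocked.Count, $blocked[0].TimeCreated
    $blocked | Select-Object -First 5 TimeCreated, Message
}
```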