Recommended Settings for Windows LAPS with Intune

Windows LAPS is an essential solution for any organisation that uses Microsoft Intune and needs to manage the local administrator account password on its end-user devices. Over the last few months, I have written various posts on configuring LAPS from Intune, automating the process with PowerShell, and new features such as automatic account creation.

This article will show you the recommended settings for effectively and securely deploying Windows LAPS from Intune.

Recommended LAPS settings

Below is a list of recommended Windows LAPS settings from Intune, configured in the order in which they are enabled in the Intune admin portal.

While some of these recommendations match those in the latest CIS Intune benchmark for Windows 11, others are stronger than the CIS recommendation and are my own.

Ensure the backup directory is set to Microsoft Entra ID (AzureAD) Only

If you operate a hybrid identity environment, where user accounts are synchronised to Microsoft Entra ID from on-premises Active Directory, you should consider storing your LAPS passwords only in Entra ID. Doing so lets you control who can retrieve passwords with modern access controls such as Conditional Access rather than on-premises Active Directory permissions. If your devices are joined directly to Microsoft Entra ID, this is your only option.

Ensure 'Password Age Days' is set to 'Configured: 7 or fewer'

The CIS benchmark for this setting is to leave the default of 30 days in place. I recommend reducing it to 7 days or fewer. The concern is not that the password will be guessed or cracked within 30 days. Rather, a user who retrieves their own LAPS password from the Entra portal or a custom self-service workflow cannot paste it into the UAC credential prompt, so they will often write it down or photograph it with their smartphone. A shorter password age limits how long such a copy stays valid. Note that a password that is actually used is also reset by the post-authentication action described below, so the password age mainly bounds passwords that were retrieved but never used.

Ensure 'Password Complexity' is set to 'Large letters + small letters + numbers + special characters (improved readability)'

By default, the password complexity setting is 4, ‘Large letters + small letters + numbers + special characters’. A newer option, 5, ‘Large letters + small letters + numbers + special characters (improved readability)’, is now generally available in Windows. It improves the readability of generated passwords by leaving out characters that are easily confused with one another, which reduces the confusion and wasted time that occur when a password is read out or typed by hand.

By setting the password complexity of your Windows LAPS deployment to 5, the following characters will not be used when generating the password:

  • These letters: ‘I’, ‘O’, ‘Q’, ‘l’, ‘o’
  • These numbers: ‘0’, ‘1’
  • These special characters: ‘,’, ‘.’, ‘&’, ‘{’, ‘}’, ‘[’, ‘]’, ‘(’, ‘)’, ‘;’
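
As an added example, not from the original post, the following PowerShell function checks whether a password conforms to the complexity-5 character set listed above, that is, it contains none of the excluded characters and still covers all four character classes. This is useful right after changing the policy from 4 to 5, because passwords generated before the change keep their old character set until they are next rotated. The excluded characters are taken from the list above; the sample passwords at the end are constructed for the demonstration and are not real LAPS output.

```powershell
# Added example: validate a password against the LAPS "improved readability" (complexity 5) rules.
# The exclusion lists below are exactly the characters the post lists for setting 5.
$ExcludedLetters = [char[]]'IOQlo'
$ExcludedDigits  = [char[]]'01'
$ExcludedSymbols = [char[]]',.&{}[]();'

function Test-LapsPasswordReadability {
    param([Parameter(Mandatory)][string]$Password)

    # Characters present in the password that complexity 5 would never generate.
    # -ccontains is case-sensitive: 'I' and 'l' are excluded, 'i' and 'L' are not.
    $ambiguous = @($Password.ToCharArray() | Where-Object {
        ($ExcludedLetters -ccontains $_) -or
        ($ExcludedDigits  -ccontains $_) -or
        ($ExcludedSymbols -ccontains $_)
    } | Sort-Object -Unique)

    # Settings 4 and 5 both require every character class to be present.
    $hasUpper   = $Password -cmatch '[A-Z]'
    $hasLower   = $Password -cmatch '[a-z]'
    $hasDigit   = $Password -match  '[0-9]'
    $hasSymbol  = $Password -match  '[^A-Za-z0-9]'
    $allClasses = $hasUpper -and $hasLower -and $hasDigit -and $hasSymbol

    [pscustomobject]@{
        Length          = $Password.Length
        HasAllClasses   = $allClasses
        AmbiguousChars  = -join $ambiguous
        MatchesSetting5 = $allClasses -and ($ambiguous.Count -eq 0)
    }
}

# Constructed sample passwords (not real LAPS output). The first uses only characters that
# setting 5 can produce; the second was built from the excluded characters to show the report.
foreach ($sample in '7g#Hk2mTp9vW4xRz', 'Il1O0,oQ(x)Yz;3A') {
    Test-LapsPasswordReadability -Password $sample
}
```

For a real check, pass the Password value returned by Get-LapsAADPassword (with -IncludePasswords and -AsPlainText) to the function. A password that still reports ambiguous characters after the policy change was generated under the old setting and will be replaced at its next rotation, or immediately if you run Reset-LapsPassword on the device.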

Ensure 'Password Length' is set to 'Configured: 15 or more'

Microsoft's general password-policy guidance on Microsoft Learn is not the bar to use here: a LAPS password is machine-generated and never memorised, so there is no usability cost to making it longer. Configure a password length of 15 characters or more (the Windows LAPS default is 14). Each additional character multiplies the number of possible passwords by the size of the character set, so the search space grows exponentially with length, which makes brute-forcing a captured hash impractical with traditional methods.

Ensure 'Post-authentication actions' is set to 'Reset the password and logoff the managed account' or higher

When the managed account authenticates, Windows starts a grace period (the post-authentication reset delay, covered in the next setting); when it expires, the action defined by this setting is performed. Good policy and administrator training are critical when using Windows LAPS, but if an admin session is still active when the grace period expires, you should have Windows reset the password and force a log-off of the managed account, rather than only resetting the password.

Higher settings add a forced reboot of the device, which may be necessary in some scenarios. Generally speaking, though, a reboot risks data loss for other users signed in to the device, and forcing a log-off of the managed account meets most security requirements.

Ensure 'Post-authentication Reset Delay' is set to 'Configured: 8 or fewer hours, but not 0'

After the managed account's password is used, the system waits a set amount of time before triggering the configured post-authentication action. This wait is the post-authentication reset delay. As noted above, good administrator policy and training should ensure the admin logs the managed account off correctly and on time. In extenuating circumstances such as a fire alarm or medical emergency, however, leaving the desktop as it is may be the right call, and this setting covers that case: with it set to 8 hours or fewer, a session left unattended is forcibly logged off and the password reset, rather than remaining active for potential abuse. Do not set it to 0, as that disables the post-authentication action entirely.

Bonus LAPS recommendation

A further recommendation concerns automatic account creation. Traditionally, you had to decide whether to manage the built-in Administrator account or to create a custom account first (through a CSP, a script or similar). Each approach has benefits and drawbacks, and which to prefer has been a long-standing argument among admins.

One newer policy setting stands out above the existing ones: the automatic account creation feature in Windows LAPS, which can randomise the account name on every device. This means the built-in local Administrator account (the well-known RID 500 SID) is not the managed account and no two devices share a username, which, alongside the unique per-device password, reduces the scope for lateral movement if one device is compromised.

I recommend that, where possible, you enable this feature, as it will:

  • Automatically create the LAPS user account for you.
  • Provide a unique and random username for every device.

For more detail on this feature, read my article How to Enable Automatic Account Creation for LAPS in Intune.
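
As an added example, not from the original post, the following PowerShell script audits a device's Windows LAPS policy against all seven recommendations in this post (the six settings in the list above and automatic account creation with a randomised name). It assumes that the policy delivered by the Intune LAPS CSP is surfaced on the device under HKLM:\SOFTWARE\Microsoft\Policies\LAPS with value names matching the CSP node names, and that an absent value means the documented default applies; the defaults in the rule table are those documented for Windows LAPS. Both assumptions should be checked against the LAPS CSP documentation for your Windows build.

```powershell
# Added example: audit a device's Windows LAPS policy against the recommendations in this post.
# Assumption: Intune (the LAPS CSP) surfaces its settings under this key using the CSP node names.
$LapsPolicyKey = 'HKLM:\SOFTWARE\Microsoft\Policies\LAPS'

# One rule per setting, in the order the Intune portal presents them. Default is the value
# Windows LAPS uses when the setting is not configured; Test receives the effective value.
$LapsRules = @(
    @{ Name = 'BackupDirectory';              Default = 0;  Expect = '1 (Microsoft Entra ID only)';
       Test = { param($v) $v -eq 1 } }
    @{ Name = 'PasswordAgeDays';              Default = 30; Expect = '7 or fewer';
       Test = { param($v) $v -ge 1 -and $v -le 7 } }
    @{ Name = 'PasswordComplexity';           Default = 4;  Expect = '5 (improved readability)';
       Test = { param($v) $v -eq 5 } }
    @{ Name = 'PasswordLength';               Default = 14; Expect = '15 or more';
       Test = { param($v) $v -ge 15 } }
    @{ Name = 'PostAuthenticationActions';    Default = 3;  Expect = '3 (reset + log off) or higher';
       Test = { param($v) $v -ge 3 } }
    @{ Name = 'PostAuthenticationResetDelay'; Default = 24; Expect = '1 to 8 hours (0 disables the action)';
       Test = { param($v) $v -ge 1 -and $v -le 8 } }
    @{ Name = 'AutomaticAccountManagementEnabled';       Default = 0; Expect = '1 (enabled)';
       Test = { param($v) $v -eq 1 } }
    @{ Name = 'AutomaticAccountManagementRandomizeName'; Default = 0; Expect = '1 (random name per device)';
       Test = { param($v) $v -eq 1 } }
)

function Get-LapsPolicyValue {
    param([string]$Name, [int]$Default)
    # Get-ItemProperty returns nothing when either the key or the value is absent.
    $item = Get-ItemProperty -Path $LapsPolicyKey -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        return [pscustomobject]@{ Value = $Default; Source = 'default (not configured)' }
    }
    [pscustomobject]@{ Value = [int]$item.$Name; Source = 'policy' }
}

function Test-LapsRecommendedSettings {
    foreach ($rule in $LapsRules) {
        $current = Get-LapsPolicyValue -Name $rule.Name -Default $rule.Default
        [pscustomobject]@{
            Setting     = $rule.Name
            Value       = $current.Value
            Source      = $current.Source
            Recommended = $rule.Expect
            Compliant   = [bool](& $rule.Test $current.Value)
        }
    }
}

$report = @(Test-LapsRecommendedSettings)
$report | Format-Table -AutoSize

# Exit 1 when anything is non-compliant, so the script can double as an Intune remediation
# detection script (exit 0 = compliant, exit 1 = remediation needed).
if ($report.Compliant -contains $false) { exit 1 }
exit 0
```

Two caveats when reading the report. The script only inspects the CSP policy source, which takes precedence over Group Policy and local configuration, so it does not show settings that arrive through those lower-priority sources. And a compliant policy does not mean the stored password already reflects it: length, complexity and age changes apply at the next rotation, so after a policy change run Invoke-LapsPolicyProcessing to apply the policy and Reset-LapsPassword if you want the password regenerated immediately.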

Summary

Any time is a good time to review your existing LAPS deployment and tighten settings that do not meet these recommendations. By adhering to them, you secure the local admin accounts in your environment as well as the current tooling allows, and you also align with standards often required by highly sensitive organisations, which can ultimately help you win customers in those sectors.

Daniel Bradley

My name is Daniel Bradley and I work with Microsoft 365 and Azure as an Engineer and Consultant. I enjoy writing technical content for you and engaging with the community. All opinions are my own.

This Post Has One Comment

  1. Steven L

    Humorously, the Bonus LAPS recommendation will result in a local account being created with the name of ‘leethaxor’, some folks will have a bad day, and all will have a good laugh later.
