Scroll Top

Configuring Windows LAPS (Intune)

FI_Post_Intune
0
By Ben Azure Active Directory Intune 18/05/2023

In this post I will display how you can use Intune to configure Windows LAPS on your devices. I will be using an Account protection policy which can be found within the Endpoint security section of Intune. I tested this on a Dell Latitude 5520 laptop.

I will run through the following:

  1. Enabling Windows LAPS using Microsoft Entra admin center
  2. Configuring Windows LAPS using Intune
  3. Profile Monitoring
  4. Displaying the local admin password
  5. Rotating the local admin password
Enabling Windows LAPS using Microsoft Entra admin center

To enable Windows LAPS, open the Microsoft Entra admin center and navigate to Devices > All Devices > Device Settings. Here you can enable LAPS.

Once enabled, click Save.

Configuring Windows LAPS using Intune

Within your Intune admin center, navigate to Endpoint security > Account protection & click Create Policy.

In the Create a profile pane, select the following:

Platform: Windows 10 and later
Profile: Local admin password solution (Windows LAPS)

Click Create.

Enter a name for your new Profile.

On the Configuration settings screen configure the following settings:

  1. Backup Directory: Backup the password to Azure AD only
  2. Password age days: 30
  3. Administrator account name: Not configured (This will detect the local administrator account using a well known SID)
  4. Password complexity: Not configured (If not specified it will default to option 4).
  5. Password Length: Configured – Length 14
  6. Post authentication actions: Reset the password and logoff the managed account: upon expiry of the grace period, the managed account password will be reset and any interactive logon sessions using the managed account will terminated.
  7. Post Authentication Reset Delay: Configured – Hours 24

Please select settings appropriate for your environment, I have chosen the ones below for testing & display purposes.

Click Next on the Scope tags screen.

I chose to assign this to All Devices.
Click Next.

Review your settings.
Click Create.

Your new Account protection policy will then be created.

I then navigated to Devices > All Devices, selected my test VM & clicked the Sync button to force it to check in.

Outcome

Once the policy applies to your devices the setting will take effect.

Profile Monitoring

You can monitor the profile assignment status by selecting your newly configured policy and clicking the View Report button.

Displaying the local admin password

Once the profile has successfully applied to your devices, you will be able to view the local admin password in these locations:

  1. Microsoft Entra admin center (Devices > All Devices > Local administrator password recovery)
  2. Intune admin center (Devices > All Devices > Select Device > Local admin password)

Rotating the local admin password

You can rotate the local admin password using the Intune admin portal. Devices > All Devices > Select Device > Click ellipses > Rotate local admin password.

Thank you for reading.