Gareth Oxendine

Deploying Windows LAPS with Intune

Updated: Jan 4




What is LAPS?

Microsoft's LAPS (Local Administrator Password Solution) is a simple program that provides great security benefits. If your company manages Windows machines, you may have a local admin account on all of them, either the built-in Administrator account provided by Windows or another local account created by your IT department. Rather than using the same password for that account on every device (where one compromised device exposes all of them) or keeping a database of passwords, LAPS creates a unique password for each device, rotates it, and stores it for you!


LAPS was originally configured and deployed using Group Policy Management and a GPO, and the LAPS client software had to be installed on each device. With the new Windows LAPS, however, you can use Intune to deploy LAPS, and the client comes preinstalled on newer versions of Windows! According to Microsoft, "Intune policies manage LAPS by using the Windows LAPS configuration service provider (CSP)." To learn more about what CSPs are, click the link below:



Prerequisites

Before starting, ensure the following prerequisites are met:

  1. You have an Intune P1 or P2 license.

  2. Devices are up to date. Remember, LAPS is preinstalled if devices have the newer OS versions. See the list of versions below. Your devices must have one of these update versions or newer.

    1. Windows 11 22H2 - April 11 2023 Update

    2. Windows 11 21H2 - April 11 2023 Update

    3. Windows 10 - April 11 2023 Update

  3. Administrator accounts will need to have the necessary roles/permissions based on the LAPS function they'll be performing (note that the Entra ID Intune Administrator role includes all of the prerequisites below):

    1. To create the LAPS policy, you'll need one of the following:

      1. Endpoint Security Manager role (Intune > Tenant Administration > Roles)

      2. Custom Intune role that has all of the Security Baselines permissions checked. (Intune > Tenant Administration > Roles)

    2. To view and rotate passwords, an account needs the following Intune permissions. The account may already have these permissions from a built-in or custom Intune role assigned to it, but if not, you can create a custom Intune role. (Intune > Tenant Administration > Roles)

      1. Managed devices: Read

      2. Organization: Read

      3. Remote tasks: Rotate Local Admin Password

    3. To view passwords, you can alternatively create an Entra ID custom role with the following permission:

      1. microsoft.directory/deviceLocalCredentials/password/read


Deployment Steps



Step 1: Enable LAPS in Entra ID

Enabling Microsoft Entra LAPS or Local Administrator Password Solution in Entra ID.
  • Launch the Entra ID Portal.

  • Select Identity > Devices > All Devices > Device settings.

  • Select Yes under Enable Microsoft Entra Local Administrator Password Solution (LAPS).

  • Select Save.


Step 2: Create the Intune Endpoint Security LAPS Policy

Creating an Intune Endpoint Security Account Protection LAPS policy.
  • Launch the Intune Portal.

  • Select Endpoint Security.

  • Expand Manage and select Account Protection.

  • Select Create Policy.


Creating an Intune Endpoint Security Account Protection LAPS policy.
  • Platform: Windows

  • Profile: Local admin password solution (Windows LAPS)

  • Select Create.


Entering a name and description for our Intune Endpoint Security LAPS policy.
  • Enter a Name for the policy.

  • Optionally, enter a description for the policy.


Configuring our Intune Endpoint Security LAPS policy.
  • Backup Directory: Backup the password to Azure AD only

  • Password Age Days: choose how often the password rotates

  • Administrator Account Name: type the local administrator's account name that LAPS will be applied to

  • Password Complexity: choose which characters are allowed in the password

  • Password Length: choose how many characters are in the password

  • Post Authentication Action: choose what happens after the LAPS password is used to sign in; if left Not configured, the default action is to reset the password and log off the managed account.

  • Post Authentication Reset Delay: choose how long to wait after a LAPS password is used before the Post Authentication Action above is triggered. Entering a value of 0 disables the Post Authentication Action.

  • Select Next.



  • Optionally select one or more scope tags.

  • Add the appropriate assignment.

  • Review + Create the policy.


Step 3: Check to See if it Worked

Showing or Viewing the LAPS password using the Intune portal.
  • Launch the Intune Portal.

  • Select Devices and search for and select a device targeted by the policy.

  • Expand Monitor and select Local admin password.

  • Select Show local administrator password and then select Show.
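If the portal does not show a password yet, the same check can be run on the device itself. This is an added example, not code from the original post; it assumes the Intune (CSP) policy is written to HKLM:\SOFTWARE\Microsoft\Policies\LAPS with value names matching the CSP settings, and uses the built-in LAPS PowerShell module and event log that ship with the April 2023 update.

```powershell
# Added example (not from the original post): verify Windows LAPS on a targeted device.
# Run in an elevated PowerShell session on a device assigned the Intune LAPS policy.
# Assumption: the Intune (CSP) policy lands under HKLM:\SOFTWARE\Microsoft\Policies\LAPS
# with value names matching the CSP settings (BackupDirectory, PasswordAgeDays, ...).

$policyKey = 'HKLM:\SOFTWARE\Microsoft\Policies\LAPS'

function Get-LapsPolicyState {
    if (-not (Test-Path $policyKey)) {
        return [pscustomobject]@{ PolicyPresent = $false }
    }
    $p = Get-ItemProperty -Path $policyKey
    [pscustomobject]@{
        PolicyPresent             = $true
        BackupDirectory           = $p.BackupDirectory   # 0 = disabled, 1 = Entra ID, 2 = AD
        PasswordAgeDays           = $p.PasswordAgeDays
        AdministratorAccountName  = $p.AdministratorAccountName
        PasswordLength            = $p.PasswordLength
        PostAuthenticationActions = $p.PostAuthenticationActions
    }
}

$state = Get-LapsPolicyState
$state | Format-List

if ($state.PolicyPresent -and $state.BackupDirectory -eq 1) {
    # Ask the LAPS engine to process policy now instead of waiting for its next cycle
    Invoke-LapsPolicyProcessing
} else {
    Write-Warning 'LAPS policy not received yet, or backup directory is not Entra ID; check the Intune assignment and device sync.'
}

# Most recent LAPS engine events. Errors here usually mean the managed account does not
# exist, the device is not Entra-joined, or the backup target could not be reached.
Get-WinEvent -LogName 'Microsoft-Windows-LAPS/Operational' -MaxEvents 10 |
    Select-Object TimeCreated, Id, LevelDisplayName, Message |
    Format-Table -Wrap
```

A password shows up in the portal only after a successful backup event appears in that log and the device has synced with Intune.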



Step 4: Disable the Legacy LAPS GPO

If you are currently deploying LAPS with a GPO, you can disable the GPO once the Intune LAPS policy has successfully deployed to all machines. Likewise, if you are currently deploying the legacy LAPS client software, you can remove that deployment.


Step 5: Uninstall the Legacy LAPS Client Software

If your devices have the legacy LAPS client software installed, you can use Intune to deploy the script below to uninstall the legacy software. To learn more about how to deploy PowerShell scripts using Intune, see Microsoft's documentation on Intune PowerShell scripts.
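The following is an added example of such an uninstall script, not the author's own script. It assumes the legacy MSI registers in the Uninstall registry keys with the display name "Local Administrator Password Solution" and that the Intune LAPS policy lands under HKLM:\SOFTWARE\Microsoft\Policies\LAPS; it refuses to remove the old client until that policy is present so a device is never left with no rotation at all.

```powershell
# Added example (not the author's script): remove the legacy LAPS client MSI once
# the Windows LAPS policy from Intune is in place on the device.
# Assumptions: the legacy MSI's DisplayName is "Local Administrator Password Solution"
# and the Intune LAPS policy is written to HKLM:\SOFTWARE\Microsoft\Policies\LAPS.

$legacyDisplayName = 'Local Administrator Password Solution'
$policyKey         = 'HKLM:\SOFTWARE\Microsoft\Policies\LAPS'

# Guard: do not strip the legacy client until the new policy has actually arrived,
# otherwise the local admin password stops rotating entirely.
if (-not (Test-Path $policyKey)) {
    Write-Warning 'Windows LAPS policy not present on this device; leaving legacy client in place.'
    exit 0
}

$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

$legacy = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -eq $legacyDisplayName }

if (-not $legacy) {
    Write-Output 'Legacy LAPS client not installed; nothing to do.'
    exit 0
}

foreach ($entry in $legacy) {
    # For MSI installs the registry key name is the product code GUID, which msiexec /x accepts
    $productCode = $entry.PSChildName
    Write-Output "Uninstalling $($entry.DisplayName) $($entry.DisplayVersion) ($productCode)"
    $proc = Start-Process -FilePath 'msiexec.exe' `
        -ArgumentList "/x $productCode /qn /norestart" -Wait -PassThru
    if ($proc.ExitCode -notin 0, 3010) {   # 3010 = success, reboot required
        Write-Error "msiexec exited with $($proc.ExitCode)"
        exit $proc.ExitCode
    }
}
exit 0
```

Deployed as an Intune PowerShell script in the default (system) context it has the rights msiexec needs, and the non-zero exit code surfaces failures in the script's Intune status report.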





Cover Picture provided by Freepik
