Configure Windows LAPS in Microsoft Intune

Microsoft recently released Windows LAPS as a public preview. The Local Administrator Password Solution randomizes and rotates the passwords of local administrator accounts. It has been widely used in enterprises to limit lateral movement, because local administrator accounts typically shared the same password on every device. Legacy LAPS required a separate install and an Active Directory schema extension; Microsoft has now built the feature into recent releases of Windows 10 and 11. The following steps walk through setting up a LAPS policy in Microsoft Intune.

1. Navigate to Azure Active Directory in Entra. Under Devices, open All Devices and click Device settings. Set “Enable Azure AD Local Administrator Password Solution (LAPS) (Preview)” to Yes.

2. Navigate to Endpoint Security in Intune. Select Account Protection under Manage. Create a new policy with the platform Windows 10 and later and the profile Local admin password solution (Windows LAPS). Give it a name and description as usual.

3. Configure your LAPS settings to align with your organization’s strategy.

Tips:

Legacy LAPS and Windows LAPS do not play well together, so choose which one your organization will use. Microsoft recommends migrating to Windows LAPS using its legacy emulation mode.

Backup Directory must match the device join type: Azure AD joined devices can't write the password to an on-prem Active Directory.

Setting the Backup Directory to Disabled assigns a password that nobody knows. Some organizations use this option until a need arises, then move the device to a different policy that assigns a password that is backed up. Those who do consider this the more secure approach.

LAPS does not yet create the administrator account. The account must exist on the device before the policy is applied. For this reason, some are opting to use the **built-in Administrator account, which has long been viewed as bad practice (this account was usually assigned a random password and disabled in Windows).

Post Authentication Actions specifies what should happen after the managed password is used. How secure do you want to be? (1) Reset password, (3) Reset password and terminate any of that account's sessions, (5) Reset password and reboot the device.

Post Authentication Reset Delay sets how long after the LAPS password is used the Post Authentication Actions run.

4. After your settings are configured, select the device groups the LAPS policy should apply to. Targeting devices is recommended, though the capability to target users is available. If you target users, LAPS passwords may rotate more frequently than you expect.

** If using the built-in Administrator account, you will need to enable it. Create a configuration profile that contains the setting “Accounts Enable Administrator Account Status”, found under Local Policies Security Options. Set this to Enabled and deploy it to your target devices/groups.
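To confirm on a device that the Intune policy landed with the settings described in the tips above (backup directory matching the join type, post-authentication action, and an existing, enabled managed account), here is an added verification script; it is not part of the original guide. It assumes the Windows LAPS policy registry paths shown in the comments, that an unset account name means the built-in Administrator, and that it runs elevated on a Windows 10/11 device.

```powershell
# Added example: audit the applied Windows LAPS policy against the tips in this guide.
# Assumed registry locations (CSP-delivered policy from Intune first, then Group Policy).
$policyPaths = @(
    'HKLM:\SOFTWARE\Microsoft\Policies\LAPS',                        # CSP / Intune
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\LAPS'   # Group Policy
)
$policy = $policyPaths | Where-Object { Test-Path $_ } |
          Select-Object -First 1 | ForEach-Object { Get-ItemProperty $_ }
if (-not $policy) { Write-Warning 'No Windows LAPS policy found; the Intune profile has not applied yet.'; return }

# Decode the values discussed in the tips section.
$backup  = @{ 0 = 'Disabled (password not backed up)'; 1 = 'Azure AD'; 2 = 'Active Directory' }
$actions = @{ 1 = 'Reset password'; 3 = 'Reset password and terminate sessions'; 5 = 'Reset password and reboot' }
# Assumption: an unset AdministratorAccountName means the built-in Administrator is managed.
$account = if ($policy.AdministratorAccountName) { $policy.AdministratorAccountName } else { 'Administrator' }
$backupCode = [int]$policy.BackupDirectory

[pscustomobject]@{
    BackupDirectory                   = $backup[$backupCode]
    PasswordAgeDays                   = $policy.PasswordAgeDays
    PasswordLength                    = $policy.PasswordLength
    PostAuthenticationActions         = $actions[[int]$policy.PostAuthenticationActions]
    PostAuthenticationResetDelayHours = $policy.PostAuthenticationResetDelay
    ManagedAccount                    = $account
} | Format-List

# Tip: Backup Directory must match the join type. dsregcmd /status reports both flags.
$ds           = dsregcmd /status
$aadJoined    = ($ds -match 'AzureAdJoined\s*:\s*YES').Count -gt 0
$domainJoined = ($ds -match 'DomainJoined\s*:\s*YES').Count -gt 0
if ($backupCode -eq 2 -and -not $domainJoined) { Write-Warning 'BackupDirectory=AD but the device is not domain joined; backup will fail.' }
if ($backupCode -eq 1 -and -not $aadJoined)    { Write-Warning 'BackupDirectory=Azure AD but the device is not Azure AD joined; backup will fail.' }
if ($backupCode -eq 0)                         { Write-Warning 'BackupDirectory=Disabled: the rotated password cannot be retrieved.' }

# Tip: LAPS does not create the account, and the built-in Administrator is disabled by default.
$user = Get-LocalUser -Name $account -ErrorAction SilentlyContinue
if (-not $user)             { Write-Warning "Account '$account' does not exist on this device; LAPS cannot manage it." }
elseif (-not $user.Enabled) { Write-Warning "Account '$account' is disabled; deploy the Administrator account status setting from step 4." }
else                        { Write-Output  "Account '$account' exists and is enabled." }
```

Run it after a sync on a pilot device; a Disabled backup directory or a disabled managed account shows up as a warning rather than as a silent failure at the next password rotation.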