Simplifying Windows Local Administrator Password Solution (LAPS) Configuration with Intune. Part II

July 27, 2023

In Part I of our blog Simplifying Windows LAPS Configuration with Intune, we talked about the necessary pre-requisites, and went over the first part in our comprehensive approach to enhancing local administrator account management. 

Now, let’s embark on the second stage of our implementation journey - Enabling and Configuring Windows LAPS (Local Administrator Password Solution).

In this crucial step, we dive into the configuration settings and options, unleashing the power of Windows LAPS to enhance the security and management of local administrator passwords. By taking advantage of this robust solution, you'll fortify your organization's defenses and streamline password administration.

This Part 2 is further divided into 3 steps that need to be performed to Setup Windows LAPS in your Intune Environment:

  1. Enable Windows LAPS for your Tenant.
  2. Enable Password Management via Configuration Profile
  3. Setup Account Protection Policy for LAPS under Endpoint Protection.

 Enable LAPS for your Tenant

  • Sign-in to the Azure portal as a Cloud Device Administrator.
    • Browse to Azure Active Directory > Devices > Device settings.
    • Select Yes for the Enable Local Administrator Password Solution (LAPS) setting and select Save.

Enable Password Management via Configuration Profile

Go to Microsoft Intune admin center.
Navigate to Devices > Windows > Configuration Profiles.
Create on Create profile. Platform: Windows 10 or later. Profile type: Settings Catalog.

Policy Configuration Settings

Name: LAPS – Enable Password Management
Description: This policy enables password management for Windows LAPS. (Change it as per your requirement)

Configuration Settings

  • Select Add Settings
    Search and Enable: Enable Local Admin Password Management

Search and Enable: Accounts Enable Administrator Account Status (Optional)

Note | Only Enable the above Accounts Enable Administrator Account Status setting if you are using your default administrator account as local administrator.

  • Close this Settings Picker by clicking on X
    Toggle the required Settings based on your requirement to Enable:

  • Scope tags
  • Create tags based on your organization requirements (Optional)
    • Assignments
  • Assign the group to respective devices group to deploy this setting.
    • Review + create
    • Create
Create Account Protection Policy for LAPS

Make sure you are in Microsoft Intune admin center.
Navigate to Endpoint Security > Account Protection
Click on Create policy
Platform: Windows 10 or later
Profile: Local admin password solution (Windows LAPS) (preview)
Click on Create

Policy Configuration Settings


Name: LAPS Policy
Description: Enter a brief description
Platform: Windows 10 and later

Configuration Settings

Backup Directory: Backup the password to Azure AD only (select based on your requirement. You can only have one selected out of AD or AAD and cannot create both policies for backup directory).

Password Age Days: 7 (select anywhere between 1-365 [AD] or 7-365 [AAD]. Learn more)

Administrator Account Name: Configured

(Enter the name of the local admin account you created in PART 1 or use the one which you already have in your environment. If you want to use your default local admin account, then ignore this setting and let it to Not Configured Learn more).

Password Complexity: Large letters + small letters + number + special characters (Learn more)
Password Length: Configured
  • 14 (Characters, check with your security team, Learn more)
  • Post Authentication Actions: Reset the password and logoff the managed account (Select the settings based on your org requirements. Learn more).
  • Post Authentication Reset Delay: Configured

Verification of the implementation
Now that the configuration has been implemented, it's time to validate the effectiveness of our setup by verifying our ability to retrieve passwords from Intune. This step ensures that our implementation is functioning as intended and that we can successfully access the passwords associated with the local administrator accounts. Let's proceed with the verification process and ensure that all the pieces of our configuration puzzle are securely in place.

To fetch the password via Intune portal follow the below steps:

  1. Sign in to Microsoft Intune admin center
  2. Go to Devices > Select any device for which you want to see the password.
  3. Click on Local Admin Password on the left pane.

  1. Click on Show local administrator password
  2. Click on the Copy button or show to retrieve the password from right pane under Local administrator password.

Alternatively, you can also retrieve the password from Azure Portal by following below steps:

  1. Login to Azure Portal
  2. Open Azure Active Directory and select Devices
  3. Click on Local administrator password recovery (Preview) from the left pane to retrieve passwords.

We have now explored the step-by-step process of configuring Windows LAPS (Local Administrator Password Solution) with Intune. By completing the prerequisites, deploying local admin accounts, and enabling Windows LAPS, you have fortified security and streamlined password management across devices. With the ability to retrieve passwords from Intune and Azure AD, you now have full control over local administrator accounts.

We encourage you to share your experience or ask any questions you may have. Thank you for joining us on this implementation journey, and may your administrative practices be secure and efficient.

Contact Us

Tags: Microsoft sql server migration strategy end of life

Search By Tags

see all

Follow Us