We are excited to welcome Microsoft MVPs Niall Brady and Paul Winstanley back as guest authors. Their blog post dives into Windows Local Administrator Password Solution (LAPS), highlighting how it can boost your endpoint security by managing local administrator accounts through Microsoft Entra ID and Intune. Read more to learn practical steps to protect your organization from risks tied to privileged accounts and stay tuned for additional blogs in our Expert Insights series.
What is Windows LAPS
LAPS stands for Local Administrator Password Solution, and that is exactly what it is: a solution for securing the local administrator account on Windows computers, covering Active Directory, hybrid and cloud native scenarios. There is also an older, separately installed product for Active Directory-only environments, legacy Microsoft LAPS, which Microsoft released on May 1st, 2015; that version is deprecated as of Windows 11 23H2 and later. Windows LAPS with Microsoft Entra ID and Microsoft Intune support became Generally Available (GA) on October 23rd, 2023. This blog post focuses only on the cloud native version of Windows LAPS.
Enhancing Control and Security Over Local Admin Accounts
The default local Administrator account is the built-in user account for system administration. Every Windows computer has one, and it is the first account created during installation. Windows setup disables the built-in Administrator account and creates another local account that is a member of the Administrators group.
By default, the Administrator account is a member of the Administrators group. It's a best practice to limit the number of users in the Administrators group because its members have full control of the device. The default Administrator account can't be deleted or locked out, but it can be renamed or disabled. Controlling access to this privileged account matters because when the same local administrator password is set on many devices (a common side effect of imaging), one compromised machine yields a hash or password that works on all of them, enabling Pass-the-Hash (PtH) and lateral movement. LAPS gives every device its own random password, rotated on a schedule and escrowed in Entra ID, which breaks that chain. Using this solution gives you additional capabilities such as:
- Tenant wide policy to back up local administrator passwords to Entra ID
- Conditional Access to control those that have authorization to retrieve passwords.
- Client-side policies to set the local administrator account name, password age, password length, its complexity and so on.
- Ability to recover the local administrator password via the Microsoft Graph API or your MDM portal (e.g. Intune).
- Role Based Access Control over who can access the passwords.
- Auditing of password recovery and update (rotation).
- LAPS is great for onsite support staff or remote help desks that need to use a local administrator account to do support tasks.
- Entra ID keeps a history of previous passwords (the last 3), so if you restore a device from an older snapshot (a virtual machine, for example) you can still retrieve the password that was current at that point, even though it has since rotated.
Requirements
Windows 10 or Windows 11, or Windows Server 2019/2022, with the April 2023 cumulative update (or later) installed. You also need an Intune license to manage the devices and, to retrieve passwords, the Global Administrator, Cloud Device Administrator or Intune Administrator role, or a custom Entra role that includes the microsoft.directory/deviceLocalCredentials/password/read permission (the matching Graph scope used by the cmdlets is DeviceLocalCredential.Read.All).
Configuring Windows LAPS
Some of the steps below may not be needed in your tenant, but we include them so that you can double check if necessary.
Enable LAPS in Your Tenant
Before using LAPS in your tenant, you'll need to enable it at a tenant wide level. To enable the Windows LAPS setting in Entra ID:
- Browse to https://portal.azure.com
- Select Microsoft Entra ID
- Expand Manage in the left navigation
- Click on Devices
- Expand Manage drop down
- Select Device settings
- Scroll down to Enable Microsoft Entra Local Administrator Password Solution (LAPS) and set it to Yes
- Finally, click on Save.
Enable the Built In Administrator Account
The built-in Administrator account is disabled automatically during Windows setup, so before our LAPS policy can manage it we need to enable it.
In Microsoft Intune (https://intune.microsoft.com):
- Select Devices in the left navigation
- Select Windows
- Choose Configuration
- Click Create
- Select New Policy
- Select Windows 10 and later as the Platform
- Select Settings catalog as the Profile type
- Click Create
- Give the new profile a suitable name such as LAPS – Enable Local Admin
- Click Next
- On the Configuration settings tab, select Add settings
- Search for Local Policies Security Options and select it once found
- From the options revealed, place a check mark in Accounts Enable Administrator Account Status
- On the left side of the screen, set the Accounts Enable Administrator Account Status toggle to Enable
- Click Next
- On the Scope tags tab, click Next
- Assign the policy to your target devices
- Complete the wizard by clicking on Create
Configure Endpoint Security Account Protection
To back up the password to Entra ID you'll need to configure an Endpoint Security Account Protection policy.
In Intune:
- Select Endpoint Security from the left navigation
- Click on Account Protection
- Click on Create Policy
- For Platform select Windows
- For Profile select Local admin password solution (Windows LAPS)
- Click Create
- Give it a name such as LAPS – backup password to Entra ID
- Click Next
- For Configuration settings, set the Backup Directory option to Backup the password to Azure AD only (this label will most likely be renamed to Entra ID)
- Configure the remaining settings (password age, length and complexity, and the account name) according to your enterprise security requirements. Two of them deserve attention: Post Authentication Reset Delay is the number of hours LAPS waits after the managed account is used to authenticate on the device before it acts, and Post Authentication Actions is what it then does (reset the password only, reset and log off, or reset and reboot). The delay starts from the account's logon, not from the moment the password is revealed in Entra ID, so a revealed password remains valid until it is used or the normal password age expires.
- Click Next
- On the Scope tags tab, click Next
- At the Assignments screen, add your LAPS computers Entra ID group
- Click Save to complete the wizard
Verification
After the above steps are completed, you can verify that it's working as expected by adding one or more computers to the target Entra ID groups. Let the devices sync policy; after a while the Administrator account should show as enabled.
In Windows Event Viewer, a new LAPS section appears under Applications and Services Logs > Microsoft > Windows > LAPS > Operational, and its events show your policy settings being applied.
After a while, the password will be backed up to Entra ID.
In Microsoft Intune, you can now find that device, and under Monitor, select the Local admin password node, and click on Show Local Administrator Password.
This reveals a new pane with which you can either copy the password by clicking the icon or click on Show to see it.
Clicking on Show reveals the complex password based on the rules we set in the policy.
Revealing the password does not by itself rotate it. It stays valid until the next scheduled rotation (Password Age Days) or, if someone logs on with it, until the post-authentication action fires after the configured delay. If you need to change it sooner, click the actions ellipsis on the device in Intune and select Rotate local admin password. Take note of the message; after some time the rotation should complete.
Troubleshooting
When you apply the policies above, things may not go according to plan, and the following can help you troubleshoot. In Intune, verify that the device has the required policies applied and that they have a State of Succeeded.
If those policies look good and it’s still not working, then verify that there are no errors in the LAPS event viewer logs. Below are some sample errors.
Administrator account was disabled.
See https://go.microsoft.com/fwlink/?linkid=2220550 for more information.
Failure to configure policy to backup the password to Entra ID.
The current policy is configured to backup the password to Active Directory, but the machine is only joined to Azure Active Directory. Please configure the policy to backup the password to Azure Active Directory. No action will be taken until this is corrected.
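As an added example (our code, not part of the original post), here is a PowerShell health check that scripts the verification and troubleshooting steps above from the device side: it reads the effective policy, confirms the managed account is enabled and the device is Entra joined, forces a policy pass, and lists recent warnings and errors from the LAPS event channel. It assumes the in-box Windows LAPS module and reads the policy values the LAPS CSP writes under HKLM\SOFTWARE\Microsoft\Policies\LAPS; the value-to-meaning maps follow the LAPS CSP documentation, and looking the account up by RID 500 is our own way of finding the built-in Administrator even if it has been renamed.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell on a
# target device after the Intune policies have synced. Assumes the in-box LAPS
# module (Windows 10/11 with the April 2023 update or later).

# Policy delivered by the LAPS CSP (or Group Policy) lands under this key.
$policyKey = 'HKLM:\SOFTWARE\Microsoft\Policies\LAPS'

# DWORD values to meanings, per the LAPS CSP documentation.
$backupDirectoryNames = @{ 0 = 'Disabled'; 1 = 'Entra ID (Azure AD)'; 2 = 'Active Directory' }
$postAuthActionNames  = @{ 1 = 'Reset password'; 3 = 'Reset password and log off'; 5 = 'Reset password and reboot' }

function Get-LapsEffectivePolicy {
    if (-not (Test-Path $policyKey)) {
        Write-Warning "No LAPS policy under $policyKey. The Account Protection policy has not reached this device yet."
        return $null
    }
    $p = Get-ItemProperty -Path $policyKey
    # An empty AdministratorAccountName means the built-in account (RID 500), even if renamed.
    $managed = if ($p.AdministratorAccountName) { $p.AdministratorAccountName } else { '<built-in Administrator, RID 500>' }
    [pscustomobject]@{
        BackupDirectory           = $backupDirectoryNames[[int]$p.BackupDirectory]
        ManagedAccount            = $managed
        PasswordAgeDays           = $p.PasswordAgeDays
        PasswordLength            = $p.PasswordLength
        PasswordComplexity        = $p.PasswordComplexity
        PostAuthResetDelayHours   = $p.PostAuthenticationResetDelay
        PostAuthenticationActions = $postAuthActionNames[[int]$p.PostAuthenticationActions]
    }
}

function Get-LapsManagedAccount {
    param([string]$ConfiguredName)
    if ([string]::IsNullOrEmpty($ConfiguredName)) {
        # Match by RID 500 so a renamed built-in Administrator is still found.
        return Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
    }
    Get-LocalUser -Name $ConfiguredName -ErrorAction SilentlyContinue
}

function Get-EntraJoinState {
    # dsregcmd has no object output; scrape the two fields we need.
    $status = dsregcmd /status
    $joined = [bool]($status | Select-String -Pattern 'AzureAdJoined\s*:\s*YES' -Quiet)
    $idLine = $status | Select-String -Pattern 'DeviceId\s*:\s*([0-9a-fA-F-]{36})' | Select-Object -First 1
    $deviceId = if ($idLine) { $idLine.Matches[0].Groups[1].Value } else { $null }
    [pscustomobject]@{ EntraJoined = $joined; DeviceId = $deviceId }
}

$policy  = Get-LapsEffectivePolicy
$join    = Get-EntraJoinState
$account = Get-LapsManagedAccount -ConfiguredName (Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue).AdministratorAccountName

"== Effective LAPS policy =="; $policy | Format-List
"== Entra join state (DeviceId is what Get-LapsAADPassword needs) =="; $join | Format-List

if ($policy -and $policy.BackupDirectory -ne 'Entra ID (Azure AD)') {
    Write-Warning "BackupDirectory is '$($policy.BackupDirectory)'. A cloud-native device needs Entra ID, otherwise LAPS logs the 'configured to backup the password to Active Directory' error and takes no action."
}
if (-not $join.EntraJoined) { Write-Warning 'Device is not Entra joined; backup to Entra ID cannot work.' }
if (-not $account) {
    Write-Warning 'Managed account not found on this device.'
} elseif (-not $account.Enabled) {
    Write-Warning "Managed account '$($account.Name)' is disabled; LAPS will log 'Administrator account was disabled'. Enable it via the settings catalog policy (or Enable-LocalUser for a one-off test)."
}

# Force a policy pass now instead of waiting for the scheduled run, then show
# anything at Warning level or worse from the LAPS operational channel.
Invoke-LapsPolicyProcessing
Get-WinEvent -LogName 'Microsoft-Windows-LAPS/Operational' -MaxEvents 30 |
    Where-Object Level -le 3 |
    Select-Object TimeCreated, Id, LevelDisplayName, Message |
    Format-Table -Wrap
```

If the policy key is missing, check the device's Intune sync status first; if the key is present but BackupDirectory is not Entra ID, the Account Protection policy itself is wrong, and no amount of waiting will produce a backup.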
LAPS with PowerShell
Troubleshooting using PowerShell is also possible. See Microsoft's Windows LAPS PowerShell reference for the full list of cmdlets and what they do. There is even a cmdlet to collect LAPS diagnostics, Get-LapsDiagnostics, which generates a ZIP file containing the LAPS events, registry keys and more.
Before retrieving passwords with the cmdlet, connect to Microsoft Graph (Connect-MgGraph, from the Microsoft.Graph.Authentication module) using the following scope:
Connect-MgGraph -Scopes DeviceLocalCredential.Read.All
To query the LAPS password for an Entra ID device, provide its Entra device ID (the DeviceId field in the output of dsregcmd /status, also shown in Intune and Entra ID) and review the output by using the following cmdlet:
Get-LapsAADPassword -DeviceIds $deviceID -IncludePasswords -AsPlainText
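Building on the two cmdlets above, here is an added example (our code, not from the original post) that resolves a device by name, copies its LAPS password to the clipboard instead of printing it into the console transcript, and then audits a whole device group for stale or missing backups, which is the fastest way to spot devices where rotation has silently stopped. Besides the LAPS module it assumes the Microsoft.Graph.Authentication, Microsoft.Graph.Identity.DirectoryManagement and Microsoft.Graph.Groups modules; the device name PC01 and group name LAPS-Devices are placeholders for your tenant.

```powershell
# Added example, not from the original post. Requires the in-box LAPS module
# plus the Microsoft.Graph.Authentication, Microsoft.Graph.Identity.DirectoryManagement
# and Microsoft.Graph.Groups modules. 'PC01' and 'LAPS-Devices' are placeholders.

# DeviceLocalCredential.Read.All is what reveals secrets; the other two scopes
# are only needed to resolve names to IDs and enumerate the group.
Connect-MgGraph -Scopes 'DeviceLocalCredential.Read.All', 'Device.Read.All', 'GroupMember.Read.All'

function Escape-ODataString {
    # Single quotes inside an OData filter literal are doubled; do not
    # interpolate user-supplied names into a filter without this.
    param([string]$Value)
    $Value.Replace("'", "''")
}

function Get-LapsPasswordForDevice {
    param([Parameter(Mandatory)][string]$DeviceName)
    # Get-LapsAADPassword wants the Entra *device ID* (.DeviceId), not the object ID (.Id).
    $device = Get-MgDevice -Filter "displayName eq '$(Escape-ODataString $DeviceName)'" -Top 1
    if (-not $device) { throw "No Entra device named '$DeviceName'" }

    $cred = Get-LapsAADPassword -DeviceIds $device.DeviceId -IncludePasswords -AsPlainText
    # Clipboard rather than console: nothing lands in the transcript or history.
    Set-Clipboard -Value $cred.Password
    Write-Host ("{0}\{1} password copied to clipboard (backed up {2}, expires {3}). This retrieval is recorded in the Entra audit log." -f
        $cred.DeviceName, $cred.Account, $cred.PasswordUpdateTime, $cred.PasswordExpirationTime)
}

function Get-LapsBackupStatus {
    # Reports every device in the group as OK, STALE (last backup older than
    # MaxAgeDays, which should match Password Age Days in your policy) or
    # NO BACKUP (Entra ID holds nothing for it). Metadata only; no secrets read.
    param([Parameter(Mandatory)][string]$GroupName, [int]$MaxAgeDays = 30)
    $group = Get-MgGroup -Filter "displayName eq '$(Escape-ODataString $GroupName)'" -Top 1
    if (-not $group) { throw "No group named '$GroupName'" }
    $cutoff = (Get-Date).AddDays(-$MaxAgeDays)

    foreach ($m in Get-MgGroupMember -GroupId $group.Id -All) {
        if ($m.AdditionalProperties['@odata.type'] -ne '#microsoft.graph.device') { continue }
        $name = $m.AdditionalProperties['displayName']
        $id   = $m.AdditionalProperties['deviceId']
        try {
            $info  = Get-LapsAADPassword -DeviceIds $id -ErrorAction Stop
            $last  = $info.PasswordUpdateTime
            $state = if ($last -lt $cutoff) { 'STALE' } else { 'OK' }
        } catch {
            $last  = $null
            $state = 'NO BACKUP'
        }
        [pscustomobject]@{ Device = $name; DeviceId = $id; LastBackup = $last; State = $state }
    }
}

Get-LapsPasswordForDevice -DeviceName 'PC01'
Get-LapsBackupStatus -GroupName 'LAPS-Devices' -MaxAgeDays 30 |
    Where-Object State -ne 'OK' | Format-Table -AutoSize
```

Devices reported as STALE or NO BACKUP are the ones to run the device-side checks on; a stale entry also means the password in Entra ID may no longer match what is on the machine.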
Taking a Proactive Approach with LAPS
Proactive endpoint management is essential for safeguarding organizational assets. Windows LAPS gives organizations the power to carry out administrative tasks on local devices using a tenant wide, policy controlled local Administrator account with complex, regularly rotated passwords saved securely in the cloud (or in on-premises Active Directory in hybrid environments). Windows LAPS not only strengthens the security of local administrator accounts but also gives IT teams the tools they need to enforce policies, manage privileged access, and protect against common attack vectors such as Pass-the-Hash. By implementing LAPS, organizations can enhance their overall security posture and ensure that they are prepared to tackle the challenges of modern IT management and cybersecurity. Don't wait for an incident to occur: take action now to secure your endpoints and stay ahead of potential threats.
Thank you to Niall and Paul for sharing their insights. For more on a proactive approach to endpoint management and patching, check out our latest eBook, “From Reactive to Proactive: 5 Best Practices for Autonomous Vulnerability Patching”