September 30, 2024 (7 min read)

Expert Insights: Getting started with Windows LAPS


We are excited to welcome Microsoft MVPs Niall Brady and Paul Winstanley back as guest authors. Their blog post dives into Windows Local Administrator Password Solution (LAPS), highlighting how it can boost your endpoint security by managing local administrator accounts through Microsoft Entra ID and Intune. Read on to learn practical steps to protect your organization from the risks tied to privileged accounts, and stay tuned for additional blogs in our Expert Insights series.

What is Windows LAPS  

LAPS stands for Local Administrator Password Solution, and that is exactly what it is: a solution for securing the passwords of local administrator accounts on Windows computers in Active Directory, hybrid and cloud-native scenarios. There is also a legacy Microsoft LAPS product for Active Directory-only devices, but that version is deprecated as of Windows 11 version 23H2 and later. Microsoft released the legacy Microsoft LAPS product on May 1st, 2015. Windows LAPS with Microsoft Entra ID and Microsoft Intune support became Generally Available (GA) on October 23rd, 2023. This blog post focuses only on the cloud-native version of Windows LAPS.

Enhancing Control and Security Over Local Admin Accounts 

The default local Administrator account is a user account intended for system administration. Every Windows computer has an Administrator account, and it is the first account created during installation. Windows setup disables the built-in Administrator account and creates another local account that is a member of the Administrators group.

By default, the Administrator account is a member of the Administrators group. It's a best practice to limit the number of users in the Administrators group, because its members have Full Control permissions on the device. The default Administrator account can't be deleted or locked out, but it can be renamed or disabled. Being able to control access to this privileged account is important for protecting against Pass-the-Hash (PtH) and lateral movement attacks. Using this solution gives you additional capabilities such as:

  • Tenant-wide policy to back up local administrator passwords to Entra ID.
  • Conditional Access to control who is authorized to retrieve passwords.
  • Client-side policies to set the local administrator account name, password age, password length, its complexity and so on.
  • Ability to recover the local administrator password via API or your MDM portal (e.g. Intune).
  • Role Based Access Control over who can access the passwords.
  • Auditing of password recovery and update (rotation).
  • LAPS is great for onsite support staff or remote help desks that need to use a local administrator account to do support tasks.
  • LAPS stores the last 3 passwords in case you need to restore a virtual machine (for example) and passwords have rotated since that point.


Requirements 

Windows 10 or Windows 11, or Windows Server 2019/2022, with the April 2023 update installed. You also need an Intune license to manage devices, and a Global Admin, Cloud Admin or Intune Admin role, or a custom role with DeviceLocalCredential.Read.All permissions.

Configuring Windows LAPS 

Some of the steps below may not be needed in your tenant, but I’m including them so that you can double check if necessary. 

Enable LAPS in Your Tenant 

Before using LAPS in your tenant, you'll need to enable it at a tenant-wide level. To enable the Windows LAPS setting in Entra ID:

  • Browse to https://portal.azure.com 
  • Select Microsoft Entra ID 
  • Expand Manage in the left navigation 
  • Click on Devices 
  • Expand Manage drop down 
  • Select Device settings 
  • Scroll down to Enable Microsoft Entra Local Administrator Password Solution (LAPS) and set it to Yes 
  • Finally, click on Save. 


Enable the Built In Administrator Account 

The built-in Administrator account is disabled automatically during Windows setup. To apply our LAPS password policies, we'll need it enabled.

In Microsoft Intune (https://intune.microsoft.com): 

  • Select Devices in the left navigation 
  • Select Windows 
  • Choose Configuration 
  • Click Create
  • Select New Policy 
  • Select Windows 10 and later as the Platform 
  • Select Settings catalog as the Profile type 
  • Click Create 
  • Give the new profile a suitable name such as LAPS – Enable Local Admin
  • Click Next
  • On the Configuration settings tab, select Add settings 


  • Search for Local Policies Security Options and select it once found 
  • From the options revealed, place a check mark in Accounts Enable Administrator Account Status 
  • On the left side of the screen, click button to Enable 


  • Click Next 
  • On the Scope tags tab, click Next 
  • Assign the policy to your target devices 


  • Complete the wizard by clicking on Create 

Configure Endpoint Security Account Protection 

To back up the password to Entra ID you'll need to configure an Endpoint Security Account Protection policy.

In Intune: 

  • Select Endpoint Security from the left navigation 
  • Click on Account Protection 
  • Click on Create Policy 
  • For Platform select Windows 
  • For Profile select Local admin password solution (Windows LAPS)
  • Click Create
  • Give it a name such as LAPS – backup password to Entra ID 
  • Click Next 
  • For Configuration settings, for the Backup Directory option, select Backup the password to Azure AD only (Note: This will most likely be renamed to Entra ID shortly) 


  • Configure the remaining settings according to your enterprise security requirements. The grace period setting (Post Authentication Reset Delay) defines how long to wait after the password has been revealed in Entra ID before the chosen post-authentication action is taken on the device.


  • Click Next 
  • On the Scope tags tab, click Next 
  • At the Assignments screen, add your LAPS computers Entra ID group
  • Click Save to complete the wizard


Verification 

After the above steps are completed, verify that it's working as expected by adding one or more computers to the target Entra ID groups. Let them sync policy; after a while, you should see that the Administrator account is now enabled.


In Windows Event Viewer, a new LAPS section will appear, and in there you can see that your policy settings have been applied.


After a while, the password will be backed up to Entra ID. 


In Microsoft Intune, you can now find that device, and under Monitor, select the Local admin password node, and click on Show Local Administrator Password. 


This reveals a new pane in which you can either copy the password by clicking the icon or click Show to see it.


Clicking on Show reveals the complex password based on the rules we set in the policy. 


Now that we've revealed this password, it will be rotated as per the policy at the next password rotation. If you need to change that password sooner, you can of course click on the actions ellipsis and select the option available in Intune.


Take note of the message; after some time, the reset should complete.


Troubleshooting 

When you apply the policies above, things may not go according to plan, and the following can help you troubleshoot. In Intune, verify that the device has the required policies applied and that they have a State of Succeeded.


If those policies look good and it's still not working, verify that there are no errors in the LAPS Event Viewer logs. Below are some sample errors.

Administrator account was disabled. 


See https://go.microsoft.com/fwlink/?linkid=2220550 for more information.

Failure to configure the policy to back up the password to Entra ID.

The current policy is configured to backup the password to Active Directory, but the machine is only joined to Azure Active Directory. Please configure the policy to backup the password to Azure Active Directory. No action will be taken until this is corrected. 
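The checks in this Troubleshooting section (policy landed, account enabled, backup target matching the join type, errors in the LAPS event log) can be run from an elevated PowerShell prompt on the endpoint. The script below is an added example written for this post, not code from the authors or from Microsoft. It assumes the Windows LAPS policy registry path HKLM:\SOFTWARE\Microsoft\Policies\LAPS and the BackupDirectory values (0 = disabled, 1 = Entra ID, 2 = Active Directory) that the LAPS CSP documents; confirm them against your own devices.

```powershell
# Added example (not from the original post): local health check for Windows LAPS
# on an Entra-joined device. Run elevated on the endpoint.
# Assumption: policy values live under the LAPS CSP registry path below.

function Test-LapsClientHealth {
    [CmdletBinding()]
    param()

    $policyKey = 'HKLM:\SOFTWARE\Microsoft\Policies\LAPS'
    $result = [ordered]@{}

    # 1. Join state. Backup to Entra ID requires an Entra-joined device; the
    #    "only joined to Azure Active Directory" error is a join/backup-target mismatch.
    $dsreg = dsregcmd /status
    $result.AzureAdJoined = [bool]($dsreg | Select-String 'AzureAdJoined\s*:\s*YES' -Quiet)

    # 2. Has the Intune policy landed, and does it target Entra ID?
    if (Test-Path $policyKey) {
        $p = Get-ItemProperty -Path $policyKey
        $result.PolicyPresent          = $true
        $result.BackupDirectory        = $p.BackupDirectory
        $result.BackupTargetIsEntraId  = ($p.BackupDirectory -eq 1)
        $result.ManagedAccount         = if ($p.AdministratorAccountName) { $p.AdministratorAccountName } else { '(built-in Administrator)' }
        $result.PasswordAgeDays        = $p.PasswordAgeDays
        $result.PasswordLength         = $p.PasswordLength
        $result.PostAuthResetDelayHrs  = $p.PostAuthenticationResetDelay
    }
    else {
        $result.PolicyPresent = $false
    }

    # 3. Is the built-in Administrator enabled? Find it by its well-known RID (500)
    #    so a renamed account is still found.
    $builtin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
    $result.BuiltInAdminName    = $builtin.Name
    $result.BuiltInAdminEnabled = $builtin.Enabled

    # 4. Recent problems from the LAPS operational log (Level 2 = Error, 3 = Warning).
    $events = Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-LAPS/Operational'
        Level   = 2, 3
    } -MaxEvents 10 -ErrorAction SilentlyContinue
    $result.RecentProblems = @($events | Select-Object TimeCreated, Id, Message)

    [pscustomobject]$result
}

# Usage: print the summary; a mismatch between AzureAdJoined and BackupTargetIsEntraId
# or BuiltInAdminEnabled = False points at the two errors shown above.
Test-LapsClientHealth | Format-List
```

If the policy has not arrived yet, Invoke-LapsPolicyProcessing (from the built-in LAPS module) forces an immediate processing cycle, and Get-LapsDiagnostics collects the same event log and registry data into a ZIP file for escalation.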


LAPS with PowerShell 

Troubleshooting using PowerShell is also possible. See the following link for details of the Windows LAPS cmdlets and what they do. There is even a cmdlet to collect LAPS diagnostics, Get-LapsDiagnostics, shown below; it generates a ZIP file containing LAPS events, registry keys and more.


Before retrieving passwords with the cmdlet, connect to Microsoft Graph with the following scope.

Connect-MgGraph -Scopes DeviceLocalCredential.Read.All 

To query the LAPS password for an Entra ID device, provide its device ID (dsregcmd /status will reveal it, or you can get it from Intune/Entra ID) and review the output using the following cmdlet:

Get-LapsAADPassword -DeviceIds $deviceID -IncludePasswords -AsPlainText 
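Looking up the device ID by hand is the awkward part of that cmdlet, and the "last 3 passwords" capability mentioned earlier is worth seeing in the same call. The function below is an added example written for this post, not the authors' or Microsoft's code. It assumes the Microsoft.Graph and LAPS modules are installed, that the signed-in account holds DeviceLocalCredential.Read.All (from the Requirements section) plus Device.Read.All for the device lookup, and that Get-LapsAADPassword returns the DeviceName, Account, Password, PasswordUpdateTime and PasswordExpirationTime properties as documented for the LAPS module; the device name is a constructed sample.

```powershell
# Added example (not from the original post): retrieve a Windows LAPS password from
# Entra ID by device display name, optionally with history, without writing the
# secret to disk. Assumes Microsoft.Graph and LAPS modules are installed.

function Get-LapsPasswordByName {
    param(
        [Parameter(Mandatory)][string]$DeviceName,
        [switch]$IncludeHistory
    )

    # Connect once. DeviceLocalCredential.Read.All is the scope the post uses;
    # Device.Read.All is needed for the Get-MgDevice lookup.
    if (-not (Get-MgContext)) {
        Connect-MgGraph -Scopes 'DeviceLocalCredential.Read.All', 'Device.Read.All' | Out-Null
    }

    # Resolve the Entra device object. Get-LapsAADPassword wants the DeviceId
    # (the GUID dsregcmd /status shows), not the directory object Id.
    $device = @(Get-MgDevice -Filter "displayName eq '$DeviceName'" -Property Id, DeviceId, DisplayName)
    if ($device.Count -eq 0) { throw "No Entra device named '$DeviceName'." }
    if ($device.Count -gt 1) { throw "More than one device named '$DeviceName'; pass the DeviceId instead." }

    $params = @{
        DeviceIds        = $device[0].DeviceId
        IncludePasswords = $true
        AsPlainText      = $true
    }
    if ($IncludeHistory) { $params.IncludeHistory = $true }   # current plus stored previous passwords

    Get-LapsAADPassword @params
}

# Usage (constructed device name). Show metadata by default; reveal the secret deliberately.
$creds = Get-LapsPasswordByName -DeviceName 'LAPS-PC01' -IncludeHistory
$creds | Select-Object DeviceName, Account, PasswordUpdateTime, PasswordExpirationTime | Format-Table

$current = $creds | Sort-Object PasswordUpdateTime -Descending | Select-Object -First 1
Write-Host "Current password for $($current.Account) on $($current.DeviceName): $($current.Password)"
```

Retrieving the password through the cmdlet counts as a reveal in the same way as the Intune portal does, so the post-authentication action configured in the Account Protection policy will fire after the Post Authentication Reset Delay, and the retrieval shows up in the audit trail described earlier.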



Taking a Proactive Approach with LAPS  

Proactive endpoint management is essential for safeguarding organizational assets. Windows LAPS gives organizations the ability to carry out administrative tasks on local devices using a tenant-wide, policy-controlled local Administrator account whose complex password is saved securely in the cloud (or also on-premises in hybrid environments). Windows LAPS not only strengthens the security of local administrator accounts but also gives IT teams the tools they need to enforce policies, manage privileged access, and protect against common attack vectors. By implementing LAPS, organizations can enhance their overall security posture and ensure that they are prepared to tackle the challenges of modern IT management and cybersecurity. Don't wait for an incident to occur: take action now to secure your endpoints and stay ahead of potential threats.


Thank you to Niall and Paul for sharing their insights. For more on a proactive approach to endpoint management and patching, check out our latest eBook, “From Reactive to Proactive: 5 Best Practices for Autonomous Vulnerability Patching”  
