In the dynamic field of IT security and management, safeguarding sensitive information stands as a top priority. Central to this effort is the secure handling of administrator passwords, an area where Windows Local Administrator Password Solution (LAPS) plays a pivotal role. It effectively streamlines the management of local administrator passwords on Windows devices.
Historically, the use of fixed, uniform administrator passwords has posed a substantial security threat. If these passwords were to be leaked or compromised, it could lead to unauthorized access to computers. Windows LAPS revolutionizes this scenario by generating, managing, and resetting local administrator passwords for each device. This approach significantly reduces the risk associated with a single compromised password endangering the entire organization’s security.
Taking security measures a step further, integrating Windows LAPS with Entra ID offers additional benefits. By utilizing Entra ID as the centralized platform for storing and managing LAPS passwords, you can tap into the scalability, robust authentication, and advanced security features. This integration ensures consistent and seamless management of administrator passwords across the organization, regardless of the geographical distribution of your Windows devices.
Benefits: Combining Windows LAPS with Entra ID unlocks a spectrum of advantages that enhance your security and management endeavors:
  - Central Management: When LAPS is enabled within Entra ID, the management of password rotation becomes centralized, simplifying the security management procedure.
  - Strengthening Remote Devices: The rise of remote work underscores the importance of securing devices outside conventional office networks. LAPS plays a pivotal role in protecting remote devices, reducing the threat of unauthorized access.
This configuration is somewhat different from most of what you will find on the internet because it does not add a new local administrator account on your devices by means of OMA-URI or local user group membership policies. Why, you may ask? Well, I've seen a lot of issues when using OMA-URI and local user group membership policies, e.g. error messages on your Intune policy even though the local admin account was created anyway, and the 2016281112 (Remediation Failed) error code.
I wasn’t happy with that behavior and from my perspective this article covers a better solution.
With an OMA-URI you can create a custom policy in Intune that creates a user, sets a password for that user and puts the user in the local Administrators group on your Intune-enrolled devices. These are the two OMA-URIs you would use in this case:
- ./Device/Vendor/MSFT/Accounts/Users/localadmin/Password
- ./Device/Vendor/MSFT/Accounts/Users/localadmin/LocalUserGroup
I'm not going into detail about configuring these policies; you can find lots of articles about this on the web.
With local administrators group membership you can create a policy in the Endpoint Security – Account Protection section. Here you can specify the same settings as in the OMA-URI policy by creating a Local user group membership policy with the settings you want.
There are also articles that describe how to do this with remediation scripts; the downside of this is that you need an enterprise license to use remediation scripts, which leads to higher costs.
Anyway, below you can find my solution.
Prerequisites
- An Intune license (standalone or in a Microsoft 365 bundle).
- Devices need to be on Windows 10/11 with the April 2023 CU installed.
- For devices under co-management, ensure that the Device Configuration slider within SCCM’s Co-Management settings is adjusted to Intune or Pilot Intune. This setting should be applied to the devices where you intend to implement Windows LAPS deployment. See screenshot.
Configuration
The first thing you need to do is to enable LAPS in your Azure tenant. Go to the Device settings section in your Entra ID. Under local administrator settings, enable LAPS.
Now that this has been enabled you can navigate to the Intune portal. In Intune we will configure two policies:
- A policy that will enable and rename the built-in local Administrator account.
- A policy with the settings for LAPS.
Rename and enable the built-in local Administrator account
Go to the Windows Configuration Profiles. Click create – new policy, select platform Windows 10 and later and profile type Settings catalog. Give your policy a name and configure these settings. Choose the name you prefer for the renamed built-in Administrator account.
Assign this policy to a device group of your choice.
This is part 1 of creating the needed policies.
Configure the LAPS settings policy
Go to Endpoint Security – Account Protection and click create policy – Platform is Windows 10 and later – Profile is Local admin password solution (Windows LAPS).
Fill in the settings as per your needs.
Assign this policy to a device group of your choice.
Here is a breakdown of all the settings:
- Backup Directory: we will be using “Backup the password to Azure AD only”. If not configured, the default will be “Disabled”.
- Password age days: This will determine the delay before the password is refreshed to a new one. If you don’t configure that setting, the default is 30 days. You can adjust that to suit your needs.
- Administrator Account Name: Here you fill in the account name that you used in the previous policy, e.g. DeviceAdmin.
- Password Complexity: The default if not configured is “Large letters + small letters + numbers + special characters”. If you want a simpler password, you can change the setting here.
- Password Length: The default setting if not configured is 14 characters. This setting can be set from 8 to 46 characters.
- Post Authentication Actions: This sets the action that limits how long a LAPS password may be used after an authentication before it is reset. This prevents someone who acquired a LAPS password from using it indefinitely. The default here is to reset the password and log off the admin account. Here are all the available options explained:
  - Reset password: upon expiry of the grace period, the managed account password will be reset.
  - Reset the password and logoff the managed account: upon expiry of the grace period, the managed account password will be reset and any interactive logon sessions using the managed account will be terminated. (Default behavior)
  - Reset the password and reboot: upon expiry of the grace period, the managed account password will be reset, and the managed device will be immediately rebooted.
- Post Authentication Reset Delay: Sets the delay in hours before the action selected above is executed. The default is 24 hours.
This is part 2 of creating the policies.
Behavior on the device
After both policies have been applied to a device you can check the device for the changes. On your device open Computer Management and check whether the built-in Administrator account has been renamed. In this example I've used DeviceAdmin as the name.
As you can see, the first policy has done its job perfectly.
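Computer Management shows the rename, but not whether the LAPS settings themselves arrived. The following PowerShell script is an added example, not part of the original article: run it elevated on a device that received both policies. It assumes the policy was delivered by the Intune LAPS CSP, which stores its settings under HKLM:\SOFTWARE\Microsoft\Policies\LAPS, and that DeviceAdmin is the name you chose; the expected values mirror the defaults described above.

```powershell
# Added verification script (not from the original article). Adjust the expected
# values to match the LAPS policy you configured in Intune.
$ExpectedAdminName = 'DeviceAdmin'

# 1. The built-in Administrator is identified by its RID (-500), never by its name,
#    so this check still finds it after the rename policy has run.
$builtin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
Write-Host "Built-in admin account: $($builtin.Name) (Enabled: $($builtin.Enabled))"
if ($builtin.Name -ne $ExpectedAdminName) { Write-Warning 'Rename policy has not applied yet.' }
if (-not $builtin.Enabled)               { Write-Warning 'Built-in account is still disabled.' }

# 2. Effective LAPS policy as written by the Intune CSP. Numeric encodings:
#    BackupDirectory 1 = Azure AD only; PasswordComplexity 4 = large + small + numbers
#    + special; PostAuthenticationActions 3 = reset password and log off (the default).
$policy = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Policies\LAPS' -ErrorAction SilentlyContinue
if (-not $policy) {
    Write-Warning 'No LAPS CSP policy found; the Account Protection policy has not applied.'
} else {
    $expected = @{
        BackupDirectory              = 1
        AdministratorAccountName     = $ExpectedAdminName
        PasswordAgeDays              = 30
        PasswordComplexity           = 4
        PasswordLength               = 14
        PostAuthenticationActions    = 3
        PostAuthenticationResetDelay = 24
    }
    foreach ($name in $expected.Keys) {
        $actual = $policy.$name   # $null when the setting was left "Not configured"
        $status = if ($actual -eq $expected[$name]) { 'OK' } else { 'DIFFERS' }
        Write-Host ('{0,-30} expected={1,-12} actual={2,-12} {3}' -f $name, $expected[$name], $actual, $status)
    }
}

# 3. Force a policy pass now and show the latest LAPS operational events; a failed
#    password backup to Entra ID shows up here rather than in Computer Management.
Invoke-LapsPolicyProcessing
Get-WinEvent -LogName 'Microsoft-Windows-LAPS/Operational' -MaxEvents 10 |
    Select-Object TimeCreated, Id, LevelDisplayName, Message | Format-Table -Wrap
```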
Retrieve the password
You can retrieve the password from Intune or Entra ID. In Intune locate your device and click Local Admin Password. Click Show local administrator password to reveal it.
In Entra ID you can find the Local administrator password recovery section under the devices. Also here click show local administrator password to reveal it.
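The same password can be read without the portal, which is handy when auditing rotation state across many devices. This PowerShell example is added here and is not from the original article; it assumes the Microsoft.Graph.Authentication and LAPS modules are installed on the admin workstation, that your account is allowed to read device local credentials, and DESKTOP-EXAMPLE is a placeholder device name.

```powershell
# Added example (not from the original article): read the Entra ID-backed LAPS
# password with the Windows LAPS PowerShell module instead of the portal.
$DeviceName = 'DESKTOP-EXAMPLE'   # placeholder; use your Entra device name or ID

# Get-LapsAADPassword needs a Graph session holding DeviceLocalCredential.Read.All;
# Device.Read.All lets it resolve a device name to its Entra device ID.
Connect-MgGraph -Scopes 'DeviceLocalCredential.Read.All', 'Device.Read.All'

# Without -IncludePasswords only metadata comes back: enough to confirm that the
# "Backup the password to Azure AD only" setting is actually producing backups.
$meta = Get-LapsAADPassword -DeviceIds $DeviceName
$meta | Select-Object DeviceName, Account, PasswordUpdateTime, PasswordExpirationTime

# Reveal the secret only when it is really needed; like the portal's "Show local
# administrator password", the read is recorded in the Entra ID audit log.
$cred = Get-LapsAADPassword -DeviceIds $DeviceName -IncludePasswords -AsPlainText
"Account:  $($cred.Account)"
"Password: $($cred.Password)"
```

Omitting -AsPlainText returns the password as a SecureString, which is the better choice when the value is passed straight into a credential object rather than displayed.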
And that is it. You have now configured LAPS without OMA-URI or local user group membership policies. The choice is yours which way you want to do this, of course; this is just my personal view on how to configure this feature.