
Deploying Windows LAPS with Intune

  • Writer: Gareth Oxendine
  • Oct 13, 2024
  • 5 min read

Updated: Oct 22


Introduction

Are you looking to transition away from the legacy Microsoft LAPS GPO to the new Windows LAPS? If so, you've come to the right place! This article will show you how to deploy the new Windows LAPS in an environment that already has the legacy LAPS installed and how to remove the legacy LAPS components once the deployment is complete. Let's begin!


What is LAPS?

Microsoft's LAPS (Local Administrator Password Solution) is a simple program that provides great security benefits. If your company manages Windows machines, you may have a local admin account on all your machines. This account may be the Administrator account provided by Windows or another local account created by your IT department. Rather than use the same password for the admin account on all devices or keep a database of passwords, LAPS creates and stores the password for you!


Originally, LAPS was configured using Group Policy, and the client software for LAPS had to be installed on each device. With the new Windows LAPS, however, you can use Intune to deploy LAPS, and the client software comes preinstalled with the newer versions of Windows! According to Microsoft, "Intune policies manage LAPS by using the Windows LAPS configuration service provider (CSP)." To learn more about what CSPs are, click the link below:


Prerequisites

  1. Your tenant has an Intune P1 or P2 license.

  2. Devices are up to date. Remember, LAPS is preinstalled if your devices have one of these update versions or newer:

    1. Windows 11 22H2 - April 11 2023 Update

    2. Windows 11 21H2 - April 11 2023 Update

    3. Windows 10 - April 11 2023 Update

  3. Administrator accounts need the necessary roles/permissions based on the LAPS function they'll be performing. Note that the Entra ID Intune Administrator role already includes all of the functions below:

    1. To create the LAPS policy, you'll need one of the following:

      1. Endpoint Security Manager role

      2. A custom Intune role that has all of the security baselines permissions checked.

    2. To view and rotate passwords, create a custom Intune role and assign it the following permissions:

      1. Managed devices: Read

      2. Organization: Read

      3. Remote tasks: Rotate Local Admin Password

    3. To only view passwords, you can create a custom Entra ID role with the following permission:

      1. microsoft.directory/deviceLocalCredentials/password/read


Deployment Steps

NOTE:

If computers are currently using the legacy Microsoft LAPS, the new Windows LAPS will take precedence once assigned. See the quote from Microsoft below:

Windows LAPS CSP configurations take precedence over, and overwrite, any existing configurations from other LAPS sources, like GPOs or the Legacy Microsoft LAPS tool. --Microsoft

Step 1: Enable LAPS in Entra ID

[Screenshot: Enabling Microsoft Entra LAPS (Local Administrator Password Solution) in Entra ID.]
  • Launch the Entra ID Portal.

  • Select Identity > Devices > All Devices > Device settings.

  • Select Yes under Enable Microsoft Entra Local Administrator Password Solution (LAPS).

  • Select Save.



Step 2: Create the Intune Endpoint Security LAPS Policy

[Screenshot: Creating an Intune Endpoint Security Account Protection LAPS policy.]
  • Launch the Intune Portal.

  • Select Endpoint Security.

  • Expand Manage and select Account Protection.

  • Select Create Policy.


[Screenshot: Selecting the platform and profile for the Account Protection LAPS policy.]
  • Platform: Windows

  • Profile: Local admin password solution (Windows LAPS)

  • Select Create.


[Screenshot: Entering a name and description for the Intune Endpoint Security LAPS policy.]
  • Enter a Name for the policy.

  • Optionally, enter a description for the policy.


[Screenshot: Configuring the Intune Endpoint Security LAPS policy settings.]
  • Edit the following settings:

    • Backup Directory: Backup the password to Azure AD only

    • Password Age Days: Choose how often the password rotates.

    • Administrator Account Name: Enter the local administrator's account name that LAPS will be applied to. If you want it to be the default administrator account that comes with Windows, leave this field blank.

    • Password Complexity: Choose which characters are allowed in the password; you can also choose to enforce a passphrase (using words in a phrase rather than a random string of characters).

    • Password Length or Passphrase Length: Depending on what you chose for the Password Complexity field, you can select how many characters or words are in the password or passphrase, respectively.

    • Post Authentication Action: Choose what happens after the LAPS password is used to sign in; if set to Not configured, the default action is to reset the password and log off the managed account.

    • Post Authentication Reset Delay: Choose how long Intune waits after a LAPS password is used before triggering the Post Authentication Action above. Entering a value of 0 disables the Post Authentication Action.

    • Automatic Account Management Enabled: Choose whether or not you want to manage the account using this policy. If you choose yes, additional fields appear, including the option to create the account! Yes, you can use this policy to also create the account you want LAPS to manage!

    • Automatic Account Management Enable Account: Choose whether the account is enabled or disabled.

    • Automatic Account Management Randomize Name: Choose whether or not the name receives a random numeric suffix each time the password is rotated. The default is that it does not.

    • Automatic Account Management Target: Choose whether the managed account is the default Administrator account or a new account.

    • Automatic Account Management Name or Prefix: If you chose to use the default Administrator account, then the value of this field will be the prefix to Administrator. If you chose to create a new account, the value of this field will be used as the account's name, and this field will also need to match the Administrator Account Name field at the top of the page.

  • Select Next.

  • Select a scope tag(s) if needed, add the appropriate assignment, and review + create the policy.

TIP:

Although not required, it is recommended to test the LAPS policy on a few test machines before deploying it company-wide.


Step 3: Check to See if it Worked

[Screenshot: Viewing the LAPS password in the Intune portal.]
  • Launch the Intune Portal.

  • Select Devices and search for and select a device targeted by the policy.

  • Expand Monitor and select Local admin password.

  • Select Show local administrator password and then select Show.

NOTE:

If you don't see the LAPS password immediately, the device may not have received the Intune policy yet. Try syncing the device using the Intune portal. See the steps from Microsoft below:

  1. Sign in to the Microsoft Intune admin center.

  2. Select Devices > All devices.

  3. Select a device to open its Overview pane and select Sync.

  4. To confirm, select Yes.
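If you would rather confirm from the device itself that the CSP policy landed and the password backup ran, the PowerShell below does that check. It is an added example, not part of the original post, and it assumes the built-in Windows LAPS module is present (April 2023 update or later) and that the Intune CSP writes its settings under HKLM:\SOFTWARE\Microsoft\Policies\LAPS.

```powershell
# Added example (not from the original post). Run elevated on a device targeted by the policy.
# Assumption: the Windows LAPS CSP stores its settings under this key, using the CSP node names.
$policyKey = 'HKLM:\SOFTWARE\Microsoft\Policies\LAPS'

if (Test-Path $policyKey) {
    Write-Host "Windows LAPS CSP policy present. Effective settings:"
    Get-ItemProperty -Path $policyKey |
        Select-Object BackupDirectory, PasswordAgeDays, AdministratorAccountName,
                      PasswordComplexity, PasswordLength, PostAuthenticationResetDelay |
        Format-List
} else {
    Write-Warning "No Windows LAPS policy found on this device; sync it from Intune and re-check."
}

# Ask the LAPS engine to evaluate the policy now instead of waiting for its next cycle.
# If the policy is applied, this is when the password is rotated/backed up to Entra ID.
Invoke-LapsPolicyProcessing

# The operational log is where a failed backup to Entra ID shows up as an Error event.
Get-WinEvent -LogName 'Microsoft-Windows-LAPS/Operational' -MaxEvents 15 |
    Select-Object TimeCreated, Id, LevelDisplayName, Message |
    Format-Table -Wrap
```

If the policy key exists but the operational log shows errors, the device received the policy but could not back up the password; the message text usually points at the cause (for example, the device is not Entra joined).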


Step 4: Disable the Legacy LAPS GPO

If you are currently deploying LAPS with a GPO, then you can disable the GPO once the Intune LAPS policy successfully deploys to all machines. Also, if you are currently deploying the legacy LAPS client software, you can remove the deployment.



Step 5: Uninstall the Legacy LAPS Client Software

If your devices have the legacy LAPS client software installed, you can use Intune to deploy the script below to uninstall the legacy software. To learn more about how to deploy PowerShell scripts using Intune, click here.
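The script below is an added example of such an uninstall script; it is not the script from the original post. It assumes the legacy client registers in the Uninstall registry keys under the DisplayName "Local Administrator Password Solution" and that Intune runs it as SYSTEM (the default for Intune PowerShell scripts) or another elevated account.

```powershell
# Added example, not the original post's script. Locates the legacy Microsoft LAPS client
# (an MSI registered as "Local Administrator Password Solution") and removes it silently.
# Assumption: the DisplayName matches exactly and the script runs elevated (e.g. as SYSTEM).
$displayName = 'Local Administrator Password Solution'
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

# Only keep entries whose key name is an MSI product code, so msiexec /x can use it directly.
$installed = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -eq $displayName -and $_.PSChildName -match '^\{[0-9A-Fa-f-]+\}$' }

if (-not $installed) {
    Write-Output "Legacy LAPS client not found; nothing to do."
    exit 0
}

foreach ($app in $installed) {
    $productCode = $app.PSChildName
    Write-Output "Uninstalling $($app.DisplayName) $($app.DisplayVersion) ($productCode)"

    # Silent MSI uninstall; /norestart so Intune does not trigger a reboot on the user.
    $proc = Start-Process -FilePath 'msiexec.exe' `
        -ArgumentList "/x $productCode /qn /norestart" -Wait -PassThru

    # 0 = success, 3010 = success but a reboot is pending; anything else is a failure.
    if ($proc.ExitCode -notin 0, 3010) {
        Write-Error "msiexec returned exit code $($proc.ExitCode) for $productCode"
        exit $proc.ExitCode
    }
}

Write-Output "Legacy LAPS client removed."
exit 0
```

Because the script exits 0 when the client is already absent, it is safe to assign to all devices rather than only those known to have the legacy client.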





Cover Picture provided by Freepik
