
Welcome to our new blog post about how to configure LAPS with Microsoft Intune. To be honest, this is one of my favorite configurations in Microsoft Intune. Local administrator accounts play a big role in the security of an environment, which is why securing them is crucial for organizations. Microsoft Intune, a cloud-based endpoint management solution, offers a powerful feature called LAPS (Local Administrator Password Solution) to address this challenge. By integrating LAPS with Microsoft Intune, organizations can effectively manage and secure local administrator account passwords on Windows devices. In this blog post, we will explore the benefits of configuring LAPS through Microsoft Intune and discover how this combination can enhance your organization’s security. Let’s delve into the world of Microsoft Intune and LAPS configuration for robust cybersecurity.

What is LAPS (Local Administrator Password Solution)

LAPS, or Local Administrator Password Solution, is a Microsoft tool that allows organizations to securely manage the local administrator passwords of their computers. In many organizations, all computers are set up with a default local administrator account. If this password is the same across multiple machines, it poses a security risk: if one machine is compromised, the attacker could potentially access every machine that shares the same administrator password. LAPS automatically sets a different administrator password on each device and rotates it regularly.

What are we going to set up?

In this blog post, we will guide you through the process of configuring LAPS using Microsoft Intune. Here’s an overview of what you’ll discover:

  • Step 1: Enable the LAPS service
  • Step 2: Create a local Administrator account
  • Step 3: Configure the LAPS policy

How to configure LAPS with Microsoft Intune

Step 1: Enable LAPS service

Before we create any configurations, we need to enable the LAPS service. Strangely enough, this setting lives in the Entra portal rather than in the Intune portal. This is a very easy step; just follow the steps below.

  • Go to https://entra.microsoft.com/
  • Click on Identity
  • Click on Devices
  • Click on Overview
  • Click on Device settings
  • Scroll down to the Local administrator settings
  • Enable the Microsoft Entra LAPS service

Step 2: Create a local Administrator account

In this step we will prepare the Local Administrator account. You have two options:

  • Use the default local administrator account [not recommended]
  • Use a personalized local administrator account

Using the default administrator account is not recommended. But if you still consider using it, you can skip this step. No extra step is needed because the local Administrator account already exists on the device, so you can proceed with step 3.
If you want to use a personalized administrator account, for example whackasstech-admin, we first need to create it on each device. This can be done in multiple ways: for example manually, with a script, or with OMA-URI keys. I have created a blog post that gives an overview of all options. Please have a look here and come back.
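One way to do the scripted variant, as an added example that is not the author’s script from the linked post: a PowerShell script deployed through Intune (running as SYSTEM) that creates the personalized account idempotently with a random throw-away initial password, since Windows LAPS replaces it as soon as the policy applies. The account name is the one used in this post; the registry path is not involved, only the LocalAccounts module that ships with Windows.

```powershell
# Added example (not from the original post). Run as SYSTEM via Intune
# "Scripts" or as a Win32 app. Exit 0 on success so Intune reports success.
$AccountName = 'whackasstech-admin'   # assumed: the name used later in the LAPS policy

# Random 24-character initial password. Nobody needs to know it:
# Windows LAPS rotates it once the policy reaches the device.
$charset = ([char[]](48..57) + [char[]](65..90) + [char[]](97..122) + [char[]]'!@#$%^&*-_=+')
$bytes   = New-Object byte[] 24
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$plain   = -join ($bytes | ForEach-Object { $charset[$_ % $charset.Length] })
$secure  = ConvertTo-SecureString -String $plain -AsPlainText -Force
$plain   = $null

try {
    $user = Get-LocalUser -Name $AccountName -ErrorAction SilentlyContinue
    if (-not $user) {
        $user = New-LocalUser -Name $AccountName -Password $secure `
            -Description 'Managed by Windows LAPS' `
            -PasswordNeverExpires -AccountNeverExpires -UserMayNotChangePassword
        Write-Output "Created local account $AccountName"
    } else {
        Write-Output "Account $AccountName already exists, leaving password untouched"
    }

    # Use the well-known SID so this works on non-English Windows too.
    $adminsSid = 'S-1-5-32-544'
    $isMember  = Get-LocalGroupMember -SID $adminsSid -ErrorAction Stop |
                 Where-Object { $_.SID -eq $user.SID }
    if (-not $isMember) {
        Add-LocalGroupMember -SID $adminsSid -Member $user
        Write-Output "Added $AccountName to the local Administrators group"
    }
    exit 0
}
catch {
    Write-Error "Failed to prepare $AccountName : $_"
    exit 1
}
```

Deploy this before the LAPS policy (or assign both to the same group); Windows LAPS only manages an account that already exists, and the event log on the device will report a missing account otherwise.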

Step 3: Configure LAPS Policy

In this step we will configure the actual LAPS policy. Make sure you have your local Administrator account name ready. Just follow the steps below:

  • Go to endpoint.microsoft.com
  • Click on Endpoint security
  • Click on Account protection
  • Click on Create Policy
  • Choose Windows 10 and later as Platform
  • Choose Local admin password solution (Windows LAPS)
  • Click on Create
  • Give it a Name 
  • Click on Next

Here we can configure the LAPS settings:

  • Backup Directory:
    • When using cloud only, choose Backup the password to Azure AD only
    • When using a hybrid setup, you can choose either Backup the password to Active Directory only or Backup the password to Azure AD only

I recommend always using Azure AD as the backup directory.

  • Password Age Days: Configure how often the password should be rotated. 30 days
  • Administrator Account Name: Enter the Administrator account name you used in your PowerShell script.
  • Password Complexity: Which password complexity you want for your Administrator account
  • Password Length: How long the password should be
  • Click on Next
  • You can skip the Scope tags
  • On the Assignments add a Group or All Users / Devices
  • Review and Create

Congratulations! You have successfully deployed the policy.
When you now deploy a new device, the local Administrator account will be created and the policy will implement LAPS.
To read the password, click on a device and go to Local admin password. You can now see the local administrator password.
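Two checks a practitioner usually wants after the rollout, as an added example (not code from the post): on the device, confirm that the policy values set above actually arrived and trigger a rotation without waiting for the schedule; from an admin workstation, read the password through Microsoft Graph instead of the portal. The registry path is the assumed location for CSP-delivered Windows LAPS policy, and the Graph scopes are the ones the LAPS cmdlet requires; the device name is a placeholder.

```powershell
# Added example (not from the original post).
# --- Part 1: run elevated on a managed device -------------------------------
# Assumed: Intune (CSP) LAPS policy is mirrored under this key.
$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Policies\LAPS'
$Expected  = @{
    BackupDirectory          = 1      # 1 = Azure AD only, 2 = Active Directory only
    PasswordAgeDays          = 30
    AdministratorAccountName = 'whackasstech-admin'
}
$applied = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
foreach ($name in $Expected.Keys) {
    $actual = if ($applied) { $applied.$name } else { $null }
    $state  = if ("$actual" -eq "$($Expected[$name])") { 'OK' } else { 'MISMATCH' }
    '{0,-26} expected={1,-20} actual={2,-20} {3}' -f $name, $Expected[$name], $actual, $state
}

# Force the LAPS engine to process policy now (built-in LAPS module,
# Windows 11 / Windows 10 with the April 2023 update or later).
Invoke-LapsPolicyProcessing

# The operational log tells you whether the rotation and the Azure AD backup
# succeeded; an error here usually means the account from Step 2 is missing.
Get-WinEvent -LogName 'Microsoft-Windows-LAPS/Operational' -MaxEvents 10 |
    Select-Object TimeCreated, Id, LevelDisplayName, Message |
    Format-Table -Wrap

# --- Part 2: run on an admin workstation ------------------------------------
# Install-Module Microsoft.Graph.Authentication -Scope CurrentUser   # once
Connect-MgGraph -Scopes 'Device.Read.All', 'DeviceLocalCredential.Read.All'

$DeviceName = 'PC-PLACEHOLDER'   # placeholder: the Entra device name
# Without -AsPlainText the Password property is a SecureString; keep it that
# way unless you need to hand the value over right now.
Get-LapsAADPassword -DeviceIds $DeviceName -IncludePasswords |
    Select-Object DeviceName, Account, PasswordExpirationTime, PasswordUpdateTime
```

Every read through the portal or Graph is audited in Entra ID, so limiting the DeviceLocalCredential.Read.All scope to the roles that really need it keeps that audit trail meaningful.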

Conclusion

You learned how to configure LAPS (Local Administrator Password Solution) with Microsoft Intune. We first created a script to automatically create a local administrator account on the Windows client. In the second step we created the LAPS configuration policy and covered the essential settings and options. If you need further information, you can check out the official Microsoft LAPS documentation.

Did you enjoy this article? Don’t forget to follow us and share this article. You may also like How to create a Local Admin with Microsoft Intune.

Max
