
In today’s interconnected world, securing local administrator accounts is crucial for organizations. Microsoft Intune, a cloud-based endpoint management solution, offers a powerful feature called LAPS (Local Administrator Password Solution) to address this challenge. By integrating LAPS with Microsoft Intune, organizations can effectively manage and secure local administrator account passwords on Windows devices. In this blog post, we will explore the benefits of configuring LAPS through Microsoft Intune and discover how this combination can enhance your organization’s security. Let’s delve into the world of Microsoft Intune and LAPS configuration for robust cybersecurity.

In this blog post, we will guide you through the process of configuring LAPS using Microsoft Intune. Here’s an overview of what you’ll discover:

  • Step 1: Enable LAPS service
  • Step 2: Creating a script for automatic creation of a Local Administrator: We will walk you through the process of creating a script that automates the creation of the Local Administrator account on Windows devices.
  • Step 3: Creating the Policy: Learn how to leverage Microsoft Intune to create and deploy policies that enforce LAPS configurations. We will cover the essential settings and options to consider when crafting an effective policy that aligns with your organization’s security requirements.

What is LAPS (Local Administrator Password Solution)

LAPS, or Local Administrator Password Solution, is a Microsoft tool that allows organizations to securely manage the local administrator passwords of their computers. In many organizations, all computers are set up with a default local administrator account. If this password is the same across multiple machines, it poses a security risk: if one machine is compromised, the attacker could potentially access all machines that share the same administrator password.

LAPS addresses this issue by automatically managing the password for the local administrator account on each computer.

Enable LAPS service

We first need to enable the LAPS service. Just follow the steps below.

  • Go to https://entra.microsoft.com/
  • Click on Identity
  • Click on Devices
  • Click on Overview
  • Click on Device settings
  • Scroll down to the Local administrator settings
  • Enable the Microsoft Entra LAPS service

Create Local Administrator with script

To create a new Script follow these steps:

  • Create a PowerShell script
  • Copy the following script:
# Temporary password only; Windows LAPS replaces it once the policy applies
$PASSWORD = ConvertTo-SecureString -AsPlainText -Force -String "[PASSWORD]"
New-LocalUser -Name "[ADMINISTRATOR NAME]" -Description "Local Administrator" -Password $PASSWORD
Add-LocalGroupMember -Group "Administrators" -Member "[ADMINISTRATOR NAME]"
  • In the [PASSWORD] field enter a random password. Don’t worry, this password will not be used later; it will be replaced by the LAPS service.
  • In both [ADMINISTRATOR NAME] fields enter the username of your local admin account

Example:

  • Save this PowerShell script. I named it “CreateLocalAdmin.ps1”

  • Go to endpoint.microsoft.com
  • Click on Devices
  • Click on Windows
  • Click on PowerShell scripts
  • Click on Add
  • Give the Policy a name. For example: Create Local Admin
  • Click on Next
  • Upload your script
  • Run this script using the logged on credentials: No
  • Enforce script signature check: No
  • Run script in 64 bit PowerShell Host: Yes
  • Click on Next
  • Assign it to a Group
  • Click on Next

The Script is successfully uploaded.

Configure LAPS Policy

We are now going to create the LAPS Policy in Microsoft Intune. Follow these steps:

  • Go to endpoint.microsoft.com
  • Click on Endpoint security
  • Click on Account protection
  • Click on Create Policy
  • Choose Windows 10 and later as Platform
  • Choose Local admin password solution (Windows LAPS)
  • Click on Create
  • Give it a Name 
  • Click on Next

Here we can Configure the LAPS settings:

  • Backup Directory:
    • When using cloud-only devices, choose Backup the password to Azure AD only
    • When using a hybrid setup, you can choose either Backup the password to Active Directory only or Backup the password to Azure AD only

I recommend always using Azure AD as the backup.

  • Password Age Days: Configure how often the password should be rotated. 30 days
  • Administrator Account Name: Enter the administrator name you used in your PowerShell script.
  • Password Complexity: Which password complexity you want for your administrator account
  • Password Length: How long the password should be
  • Click on Next
  • You can skip the Scope tags
  • On the Assignments add a Group or All Users / Devices
  • Review and Create

Congratulations! You have successfully deployed the policy.

When you now deploy a new device, the Local Administrator will be created and the policy will apply LAPS to it.

To read the password, click on a device and go to Local admin password. You can now see the local administrator password.
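The creation script above and the policy settings only work together when the account name in both places matches. The following script is an added example, not the post’s own CreateLocalAdmin.ps1: it creates the account idempotently with a generated throwaway password, and then checks the LAPS policy values that Intune delivered. The registry path HKLM:\SOFTWARE\Microsoft\Policies\LAPS and the value names are assumed to be where the Windows LAPS CSP stores the settings; the default account name LocalAdmin is a placeholder.

```powershell
# Added example (not the original post's script). Run as SYSTEM via Intune,
# matching "Run this script using the logged on credentials: No".
param(
    [string]$AdminName = 'LocalAdmin'   # placeholder; must match "Administrator Account Name" in the policy
)

# Temporary password only; Windows LAPS rotates it once the policy applies.
# Generated at run time so the same value never ends up in two scripts.
$bytes = New-Object byte[] 24
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$tempPassword = ConvertTo-SecureString -AsPlainText -Force -String ([Convert]::ToBase64String($bytes))

# Create the account only if it does not exist, so re-running the script is safe.
if (-not (Get-LocalUser -Name $AdminName -ErrorAction SilentlyContinue)) {
    New-LocalUser -Name $AdminName -Description 'Local Administrator' -Password $tempPassword | Out-Null
}

# Ensure group membership without failing when the account is already a member.
$members = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue
if (-not ($members | Where-Object { $_.Name -like "*\$AdminName" })) {
    Add-LocalGroupMember -Group 'Administrators' -Member $AdminName
}

# Verify that the LAPS policy Intune delivered targets this account.
# Assumption: the Windows LAPS CSP writes its settings under this key.
$lapsPolicy = 'HKLM:\SOFTWARE\Microsoft\Policies\LAPS'
if (Test-Path $lapsPolicy) {
    $p = Get-ItemProperty -Path $lapsPolicy
    if ($p.AdministratorAccountName -ne $AdminName) {
        Write-Warning "LAPS policy manages '$($p.AdministratorAccountName)', not '$AdminName'"
    }
    "LAPS policy: BackupDirectory=$($p.BackupDirectory) PasswordAgeDays=$($p.PasswordAgeDays) PasswordLength=$($p.PasswordLength)"
} else {
    Write-Warning 'No Windows LAPS policy found yet; the Intune policy has not applied on this device.'
}
```

If the warning about a mismatched account name appears, LAPS will manage a different account than the one the script created, and the password shown under Local admin password will not open the account you expect.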

Conclusion

You learned how to configure LAPS (Local Administrator Password Solution) with Microsoft Intune. We first created a script to automatically create a local administrator on the local Windows client. In the second step we created the LAPS configuration policy and covered the essential settings and options. If you need further information, you can check out the official Microsoft LAPS documentation.
