Enable Windows LAPS using Azure AD & Intune

With the recent announcement of Windows LAPS support for Azure AD & Intune, you might need or want to know how to enable this functionality. Follow on, for how.

The first thing you will need to do, is login to your Azure AD administration portal and enable support for Windows LAPS on your devices. In addition to this, you’ll also need to think about the local administrator account, more specifically, what you want to call it. By default Windows LAPS will attempt to enable the built-in local administrator account (which is disabled out of the box). Whilst we’re going to need a local admin account to be present, I would strongly recommend that as a minimum, this account is renamed using an additional Intune Configuration Profile (shown herein). [A better approach may be to create an entirely new account altogether so that the SID of this new user differs from the built-in local admin account].

From the Azure AD portal landing page, click Devices on the left hand side.

Click Device Settings

And then scroll down to “Enable Azure AD Local Administrator Password Solution (LAPS)“. Set this to Yes.

Now switch over to Intune, and go to your Windows Configuration Profiles section. (Devices > Windows > Configuration Profiles, depending on your Intune view).

Click on Create Profile, select Windows 10 and Later and then Settings Catalog. Within the Settings Catalog, scroll down to or search for Local Policies Security Options. Tick the following settings for inclusion:

  • Accounts Enable Administrator Account Status (Enable)
  • Accounts Rename Administrator Account (As required)

And then define the settings as required (Shown below). Make a note of what you rename the local admin account to, as this will be required for LAPS configuration.

Save and assign this newly created profile to All Devices. Once this policy is applied, the built in admin account will be enabled, and renamed to whatever you defined. Next we need to configure LAPS.

From the Intune menu, click on Endpoint Security, and then Account Protection.

Click on Create Policy that sits in the top menu bar, somewhat centrally. Choose Windows 10 and Later, and select the Local admin password solution (Windows LAPS) profile.

Give the profile a name and a description that fits your environment.

The define the configuration settings that you require. This is where you need to recall the name of the newly renamed local admin account.

An explanation of each setting is below.

Backup DirectoryUse this setting to configure which directory the local admin account password is backed up to. The allowable settings are: 0=Disabled (password will not be backed up) 1=Backup the password to Azure AD only 2=Backup the password to Active Directory only If not specified, this setting will default to 0.
Password Age (Days)Use this policy to configure the maximum password age of the managed local administrator account. If not specified, this setting will default to 30 days This setting has a minimum allowed value of 1 day when backing the password to on-premises Active Directory, and 7 days when backing the password to Azure AD. This setting has a maximum allowed value of 365 days.
Administrator Account NameUse this setting to configure the name of the managed local administrator account. If not specified, the default built-in local administrator account will be located by well-known SID (even if renamed). If specified, the specified account’s password will be managed. Note: if a custom managed local administrator account name is specified in this setting, that account must be created via other means. Specifying a name in this setting will not cause the account to be created.
Password ComplexityUse this setting to configure password complexity of the managed local administrator account. The allowable settings are: 1=Large letters 2=Large letters + small letters 3=Large letters + small letters + numbers 4=Large letters + small letters + numbers + special characters If not specified, this setting will default to 4.
Password LengthUse this setting to configure the length of the password of the managed local administrator account. If not specified, this setting will default to 14 characters. This setting has a minimum allowed value of 8 characters. This setting has a maximum allowed value of 64 characters.
Post Authentication ActionsUse this setting to specify the actions to take upon expiration of the configured grace period. If not specified, this setting will default to 3 (Reset the password and logoff the managed account).
Post Authentication Reset DelayUse this setting to specify the amount of time (in hours) to wait after an authentication before executing the specified post-authentication actions. If not specified, this setting will default to 24 hours. This setting has a minimum allowed value of 0 hours (this disables all post-authentication actions). This setting has a maximum allowed value of 24 hours.
Table showing Microsoft’s tooltip for each option.

Once this policy is configured, save this and assign it to All Devices.

Once sufficient “Microsoft Minutes” have passed, the policies should apply, and then in due course, the Local Admin Password should appear within the “Local Admin Password” menu option that now exists against the device.

When you click on the Local Admin Password menu item, you’re forwarded to the LAPS pane in which you can review the currently configured local admin password.

Now you have the password for the local admin account, you can simply head over/connect to the device in question and attempt to login using the account credentials. Happy days…

A few other things to note…

From the Device Overview page, we now have the ability to “Rotate Local Admin Password“. This is done from within the “additional options” (3 dots). Rotating the password will appear as an action in the Device overview page, and the rotation date/time will also be reflected in the Local Admin Password page.

…Audit trail

Unlike the community solution “CloudLAPS“, there doesn’t yet seem to be any audit trail or graphical reporting capabilities, at least out of the box. On the basis most folks are seeking simple, yet functional, this is probably something that you can overlook, at least short term, when you consider the ease of enabling Windows LAPS vs that of configuring CloudLAPS, which, whilst not overly difficult, requires Log Analytics workspaces to be created and App Registrations etc.. an unnecessary complication if you compare it to Windows LAPS.

Big nod to CloudLAPS though, it’s filled a massive void, for a rather long period of time. Too long, really.

James avatar

2 responses to “Enable Windows LAPS using Azure AD & Intune”

  1. Tygo Verspuij

    We’ve already completed these tasks.
    Upon logging into the LAPS Account it says that the account is disabled, we cannot enable this without admin rights on the machine. Any info on that?

    1. James

      If you’re using the “Default/Built In Administrator” account then you must have another policy in place set to disable the Default/Built In Administrator account.

      You could either create a completely separate account (Script, etc), which I have done on occasion, or find and tweak the offending policy/config.

Leave a Reply

Your email address will not be published. Required fields are marked *