Updated – 25/10/2023 – Windows Local Administrator Password Solution with Microsoft Entra ID is now Generally Available!
Managing local administrator accounts can be challenging, especially in large environments with numerous systems and multiple administrators. One of the significant challenges is ensuring that local administrator passwords are strong, unique, and regularly updated to prevent unauthorized access and potential security breaches.
Windows LAPS has been revamped to integrate into the Windows platform to securely rotate and backup passwords using Azure Active Directory (Azure AD), part of Microsoft Entra.
In this article, we will discuss what Windows LAPS is with Microsoft Entra in Azure AD and how to use it with Microsoft Intune.
Local Administrator Password Solution
Many years ago, the Microsoft Local Administrator Password Solution (LAPS) was introduced as a solution to address local admin account challenges. It was initially described as a “sophisticated and efficient method for Active Directory domain-joined systems, which regularly assigns a new random and distinct value to each computer’s admin account password.”
As we all know, every Windows device comes with a built-in local administrator account that we must secure and protect to mitigate any Pass-the-Hash (PtH) and lateral traversal attacks. LAPS is a Windows feature that automatically manages and backs up the password of the local admin account. LAPS was designed to help you protect your devices from these kinds of attacks.
The LAPS solution stored passwords in a secured confidential attribute on the corresponding computer object in Active Directory and only specifically authorized users could retrieve it. This requires extending the Active Directory schema using PowerShell.
The legacy Microsoft LAPS and Windows LAPS can be managed with Group Policy, but Microsoft recently announced that they are making Windows LAPS (Preview) available to you for both Azure AD joined and hybrid Azure AD joined devices.
Additionally, Windows LAPS is now built into the following Windows versions:
- Windows 10 20H2, 21H2, and 22H2 with April 2023 security update and later.
- Windows 11 21H2 with April 2023 security update and later.
- Windows 11 22H2 with April 2023 security update and later.
- Windows Server 2019 with April 2023 security update and later.
- Windows Server 2022 with April 2023 security update and later.
This means that you can manage local administrator accounts with Azure AD and Microsoft Intune. The following are requirements for Intune to support Windows LAPS in your Tenant:
* Intune subscription – Microsoft Intune Plan 1, which is the basic Intune subscription. You can also use Windows LAPS with a free trial subscription for Intune.
* Azure Active Directory – This is the free version of Azure AD that’s included when you subscribe to Intune. With Azure AD Free, you can use all the features of LAPS.
Now, how to use Windows Local Administrator Password Solution with Azure Active Directory (Azure AD), part of Microsoft Entra?
Turn On LAPS in Entra Azure AD
You can turn on LAPS with a tenant-wide policy in Azure AD using a single click in the Microsoft Entra admin center.
Sign in to the Microsoft Entra admin center, then under Azure Active Directory > Devices, select All Devices, and then click on Device settings. Scroll down to the Local administrator settings, select ‘Enable Azure AD Local Administrator Solution (LAPS)’ and hit ‘Save’ as shown in the figure below.
Once you have enabled Windows LAPS with Azure AD, you need to configure the client-side policy and set the BackupDirectory to Azure AD.
If you already have Microsoft Intune licenses, then you can use Intune to manage client-side policies (more on this in the next section) or you can use Group Policy Objects (GPO) to manage client-side policies.
Manage Windows LAPS using Microsoft Intune
The Intune LAPS policy enables the management of local administrator accounts on devices, though it only supports a single account per device. It is important to note that the Intune policy takes precedence over a policy deployed through Group Policy Object (GPO).
Utilizing Microsoft Intune for LAPS management can enhance security in remote help desk scenarios and facilitate the recovery of otherwise inaccessible devices.
To initiate the deployment of the LAPS policy, you need to access Microsoft Intune Admin Center and navigate to Endpoint security > Account protection. From there, choose the option to create a new policy.
Next, select the platform (Windows 10 or later), and then choose the Local admin password solution (Windows LAPS) profile and click Create.
Next, on the Basics tab provide a suitable name for the policy and then proceed to select the Configuration settings that align with your organization’s requirements. You can configure the following settings for LAPS:
* Backup Directory: You can use this setting to configure which directory the local admin account password is backed up to. The allowable settings are, Disabled (password will not be backed up), Backup the password to Azure AD only, Backup the password to Active Directory only, or Not configured.
* Password Age Days: You can use this policy to configure the maximum password age of the managed local administrator account. If not specified, this setting will default to 30 days. This setting has a minimum allowed value of 1 day when backing the password up to on-premises Active Directory, and 7 days when backing the password up to Azure AD. This setting has a maximum allowed value of 365 days.
* Administrator Account Name: You can use this setting to configure the name of the managed local administrator account. If not specified, the default built-in local administrator account will be located by a well-known SID (even if renamed). If specified, the specified account’s password will be managed. Note: if a custom-managed local administrator account name is specified in this setting, that account must be created via other means. Please note that specifying a name in this setting will not cause the account to be created.
* Password Complexity: You can use this setting to configure the password complexity of the managed local administrator account. The allowable settings are Large letters, Large letters + small letters, Large letters + small letters + numbers, Large letters + small letters + numbers + special characters, or Not configured.
* Password Length: You can use this setting to configure the length of the password of the managed local administrator account. If not specified, this setting will default to 14 characters. This setting has a minimum allowed value of 8 characters. This setting has a maximum allowed value of 64 characters.
* Post Authentication Actions: You can use this setting to specify the actions to take upon expiration of the configured grace period. If not specified, this setting will default to 3 (Reset the password and log off the managed account).
* Post-Authentication Reset Delay: You can use this setting to specify the amount of time (in hours) to wait after an authentication before executing the specified post-authentication actions. If not specified, this setting will default to 24 hours. This setting has a minimum allowed value of 0 hours (this disables all post-authentication actions). This setting has a maximum allowed value of 24 hours.
Once done, you need to assign the policy to the desired users, groups, or devices, thus completing the deployment of LAPS with Intune.
Note: It’s recommended to assign the LAPS policy to device groups. When policies are assigned to user groups, they follow the user as they switch devices. This can lead to inconsistent behavior, such as uncertainty regarding which account the device backs up or when the password for managed accounts is scheduled for rotation.
Last, in Review + Create, review your settings and then select Create. When you select Create, your changes are saved, and the LAPS profile is assigned. The policy is also shown in the policy list as shown in the figure below.
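To confirm what a device actually received, whether from Intune or from Group Policy, here is an added PowerShell script (not from this article or from Microsoft) that reads the effective Windows LAPS policy from the registry and compares it with the settings described above. The registry roots and value names are assumed from the Windows LAPS policy documentation; the CSP root is checked first because the Intune policy takes precedence over GPO.

```powershell
# Added example: audit the effective Windows LAPS policy on a device. Run locally, elevated.
# Registry roots are assumed from the Windows LAPS policy documentation:
#   Intune / CSP  -> HKLM\SOFTWARE\Microsoft\Policies\LAPS (takes precedence)
#   Group Policy  -> HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\LAPS
function Get-LapsEffectivePolicy {
    $roots = @(
        'HKLM:\SOFTWARE\Microsoft\Policies\LAPS',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\LAPS'
    )
    foreach ($root in $roots) {
        if (Test-Path $root) {
            $p = Get-ItemProperty -Path $root
            return [pscustomobject]@{
                Source                       = $root
                BackupDirectory              = $p.BackupDirectory
                PasswordAgeDays              = $p.PasswordAgeDays
                PasswordLength               = $p.PasswordLength
                PasswordComplexity           = $p.PasswordComplexity
                AdministratorAccountName     = $p.AdministratorAccountName
                PostAuthenticationActions    = $p.PostAuthenticationActions
                PostAuthenticationResetDelay = $p.PostAuthenticationResetDelay
            }
        }
    }
    return $null
}

function Test-LapsPolicy {
    param([Parameter(Mandatory)]$Policy)
    $findings = [System.Collections.Generic.List[string]]::new()
    # BackupDirectory: 0 = disabled, 1 = Azure AD, 2 = Windows Server Active Directory
    if ($Policy.BackupDirectory -ne 1) { $findings.Add("BackupDirectory is not Azure AD (value: $($Policy.BackupDirectory))") }
    # PasswordAgeDays: default 30; minimum 7 when backing up to Azure AD, maximum 365
    $age = if ($null -eq $Policy.PasswordAgeDays) { 30 } else { $Policy.PasswordAgeDays }
    if ($age -lt 7 -or $age -gt 365) { $findings.Add("PasswordAgeDays $age is outside 7..365 for Azure AD backup") }
    # PasswordLength: default 14, allowed 8..64; flag anything shorter than the default
    $len = if ($null -eq $Policy.PasswordLength) { 14 } else { $Policy.PasswordLength }
    if ($len -lt 14) { $findings.Add("PasswordLength $len is below the 14-character default") }
    # PasswordComplexity 4 = large + small letters + numbers + special characters
    if ($Policy.PasswordComplexity -ne 4) { $findings.Add("PasswordComplexity is not 4 (full character set)") }
    # PostAuthenticationResetDelay 0 disables all post-authentication actions
    if ($Policy.PostAuthenticationResetDelay -eq 0) { $findings.Add("PostAuthenticationResetDelay is 0: no reset after helpdesk use") }
    return $findings
}

$policy = Get-LapsEffectivePolicy
if ($null -eq $policy) { Write-Warning 'No Windows LAPS policy found on this device.' }
else {
    $policy | Format-List
    $issues = Test-LapsPolicy -Policy $policy
    if ($issues.Count -eq 0) { 'LAPS policy matches the settings described above.' } else { $issues }
}
```

After changing policy, Invoke-LapsPolicyProcessing from the built-in LAPS module applies it immediately instead of waiting for the next refresh.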
Once the LAPS profile is assigned, the helpdesk can view rotated passwords and manually rotate passwords.
View Passwords using Azure AD and Intune
To obtain the login password for a device, you have two options, you can either use Azure AD or Microsoft Intune.
In Azure AD, helpdesk admins can now view rotated passwords under the Devices | Local administrator password recovery blade in Azure AD or Microsoft Entra.
- Microsoft Entra: Devices | Local administrator password recovery
- Azure AD: Devices | Local administrator password recovery
Locate the specific device within Azure AD or Microsoft Entra and then click the “Local administrator password recovery” blade, then select the local administrator password and click “Show” or copy the password to the clipboard.
Using Microsoft Intune, you need to locate the specific device within Intune and then click on “Local admin password” as shown in the figure below, then choose the option to “Show local administrator password”, allowing you to retrieve the current password for administrative access.
As described in the previous section, the LAPS policy incorporates a predefined schedule for automatically rotating account passwords using the “Password Age Days” settings. However, apart from the scheduled rotation, you have the option to manually rotate the password for a device using the Intune device action called “Rotate local admin password.” This manual rotation allows for independent password changes on the device, separate from the rotation schedule defined by the device’s LAPS policy.
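The same retrieval can be scripted for helpdesk tooling. The following is an added example (not from this article) using the Get-LapsAADPassword cmdlet from the built-in Windows LAPS PowerShell module together with the Microsoft Graph PowerShell SDK; it requests only the DeviceLocalCredential.Read.All Graph permission, and the device name is a constructed placeholder.

```powershell
# Added example: read a device's LAPS password and expiry from Azure AD.
# Requires the Microsoft.Graph PowerShell SDK and an account holding one of the
# Entra roles that may read LAPS passwords (see the RBAC section of this article).
Import-Module LAPS
Import-Module Microsoft.Graph.Authentication

function Get-LapsPasswordForDevice {
    param(
        [Parameter(Mandatory)][string]$DeviceName,
        [switch]$IncludeHistory
    )
    # Least privilege: request only the LAPS read scope, not broader Directory.* scopes
    Connect-MgGraph -Scopes 'DeviceLocalCredential.Read.All'
    # Get-LapsAADPassword accepts device names or device IDs; the password is returned
    # as a SecureString unless -AsPlainText is used
    $entries = Get-LapsAADPassword -DeviceIds $DeviceName -IncludePasswords -IncludeHistory:$IncludeHistory
    foreach ($e in $entries) {
        [pscustomobject]@{
            Device   = $e.DeviceName
            Account  = $e.Account
            Updated  = $e.PasswordUpdateTime
            Expires  = $e.PasswordExpirationTime
            Expired  = $e.PasswordExpirationTime -lt (Get-Date)   # rotation overdue?
            Password = $e.Password                                  # SecureString
        }
    }
}

# Constructed device name; the first entry is the current password, later ones are history
$result = Get-LapsPasswordForDevice -DeviceName 'PC-0001' -IncludeHistory
$result | Select-Object Device, Account, Updated, Expires, Expired | Format-Table

# Reveal the current password only at the point of use
$plain = [System.Net.NetworkCredential]::new('', $result[0].Password).Password
Write-Host "Current local admin password: $plain"
```

On the device itself, Reset-LapsPassword from the same module forces an immediate rotation, the local equivalent of the Intune “Rotate local admin password” action.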
That’s it, there you have it!
Role-Based Access Controls for LAPS
To manage LAPS, an account must have sufficient role-based access control (RBAC) permissions to complete a desired task. As a best practice, you should create a custom role to view LAPS passwords, and then manage that role with Privileged Identity Management (PIM).
The following are the available tasks for LAPS with their required permissions:
* Create and access LAPS policy – To work with and view LAPS policies, your account must be assigned sufficient permissions from the Intune RBAC category for Security baselines. By default, these are included in the built-in role of Endpoint Security Manager. To use custom roles, ensure the custom role includes the rights from the Security baselines category.
* Rotate local Administrator password – To use the Intune admin center to view or rotate a device’s local admin account password, your account must be assigned the following Intune permissions:
- Managed devices: Read
- Organization: Read
- Remote tasks: Rotate Local Admin Password
* Retrieve local Administrator password – To view password details, your account must have one of the following Microsoft Entra ID permissions:
* View Microsoft Entra audit logs and events – To view details about LAPS policies and recent device actions such as password rotation events, your account must have permissions equivalent to the built-in Intune role Read Only Operator.
To create custom roles that can grant these permissions, see Create and assign a custom role in Microsoft Entra ID in the Microsoft Entra ID documentation.
How much does it cost to use Windows LAPS in Azure AD?
LAPS is available for Free in Azure AD.
Is Microsoft Intune required to manage Windows LAPS?
No, if your devices are Azure AD joined but you’re not using Microsoft Intune or Microsoft Intune isn’t supported (like for Windows Server 2016/2019/2022), you can still deploy and manage Windows LAPS for Azure AD manually using Group Policy.
How is Windows LAPS managed on domain-joined servers?
Please note that if your servers are domain-joined, then you also must have hybrid Azure Active Directory join configured in your environment (either through Federation or Azure AD Connect Sync), and Azure AD Connect Sync must include the device (server) objects in scope (OU) for synchronization with Azure Active Directory (when needed for join).
What happens when a device is deleted in Azure AD?
If a device is deleted in Azure AD, the associated LAPS credential and the password stored in Azure AD are lost. Unless a custom workflow is implemented to externally retrieve and store LAPS passwords, there is no built-in method in Azure AD to recover the LAPS-managed password for a deleted device.
What roles are needed to obtain LAPS passwords?
The permission to get and obtain LAPS passwords is granted to certain built-in roles in Azure AD, including Global Administrator, Cloud Device Administrator, and Intune Administrator.
What is the difference between Windows LAPS and Microsoft LAPS?
Windows LAPS incorporates several design concepts from the legacy Microsoft LAPS. If you are acquainted with the legacy Microsoft LAPS, you will find many familiar features in Windows LAPS. However, a significant distinction is that Windows LAPS is a distinct implementation that is integrated directly into the Windows platform.
Additionally, Windows LAPS introduces numerous features that were not present in the legacy Microsoft LAPS. With Windows LAPS, you can securely back up passwords to Azure Active Directory, encrypt passwords within Windows Server Active Directory, and maintain a record of your password history.
You can still download an earlier version of Local Administrator Password Solution, legacy Microsoft LAPS.
How to migrate Microsoft LAPS to Windows LAPS?
Windows Local Administrator Password Solution can be configured to respect the Group Policy settings from the legacy Microsoft LAPS, albeit with certain restrictions and limitations. This functionality is referred to as the “legacy Microsoft LAPS emulation mode”.
Emulation mode can be utilized when migrating an existing deployment of the legacy Microsoft LAPS. Please refer to the official documentation to plan your migration.
Can I run Microsoft LAPS and Windows LAPS side-by-side?
You may have a requirement to implement a more gradual migration procedure from legacy Microsoft LAPS to Windows LAPS as a transient side-by-side coexistence approach.
Please note that with this approach, it’s necessary to create a second local admin account since Microsoft does NOT support having both a Windows LAPS policy and a legacy LAPS policy targeting the same account.
In this scenario, the second local admin account would be exclusively managed by Windows LAPS, not legacy LAPS, so the password can go straight into Azure AD (AAD). If you try and manage the same account with Windows LAPS and the legacy MSI is still installed, then it will fail.
Once you have a new local admin account in Azure AD, you can start the decommissioning process for the Legacy MSI LAPS (Monitor, Remove policy, and uninstall legacy MSI LAPS) as described by Microsoft in this guide.
How to mitigate abuse in Windows LAPS?
You gave a Windows LAPS password to a user. What prevents the user from putting their own account into the local Administrators group?
Through Microsoft Intune, you could leverage the new Policy CSP – LocalUsersAndGroups with restricted groups, which is available through the Account Protection menu. This setting allows you to manage local groups on a Device.
Make sure you use the Replace action rather than Update in the account protection policy (Configuration settings), so that any member not listed in the policy is removed from the group. And make sure the policy includes the LAPS-managed account itself, so it doesn’t get wiped out of the Administrators group.
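As an added example (not from this article or from Microsoft), the following PowerShell builds the LocalUsersAndGroups policy XML with the Replace action and the LAPS-managed account included; the schema follows the Policy CSP LocalUsersAndGroups documentation, and the account name, SID and user principal name are constructed placeholders.

```powershell
# Added example: generate a LocalUsersAndGroups "Replace" policy for the local
# Administrators group. Anything not listed is removed on every policy refresh,
# so an account added by someone holding a LAPS password does not persist.
function New-RestrictedAdminsXml {
    param(
        [Parameter(Mandatory)][string]$ManagedAccount,   # the LAPS-managed local admin
        [Parameter(Mandatory)][string[]]$AllowedMembers  # SIDs or AzureAD\UPN entries
    )
    $xml  = [System.Xml.XmlDocument]::new()
    $root = $xml.AppendChild($xml.CreateElement('GroupConfiguration'))
    $grp  = $root.AppendChild($xml.CreateElement('accessgroup'))
    $grp.SetAttribute('desc', 'Administrators')
    # action "R" = Replace (enforce exact membership); "U" = Update would only add
    # members and leave unexpected accounts in place
    $action = $grp.AppendChild($xml.CreateElement('group'))
    $action.SetAttribute('action', 'R')
    # The managed account goes first so the LAPS-managed admin is never removed
    foreach ($m in @($ManagedAccount) + $AllowedMembers) {
        $add = $grp.AppendChild($xml.CreateElement('add'))
        $add.SetAttribute('member', $m)
    }
    # Serialize without an XML declaration, matching the CSP examples
    $settings = [System.Xml.XmlWriterSettings]::new()
    $settings.OmitXmlDeclaration = $true
    $settings.Indent = $true
    $sw = [System.IO.StringWriter]::new()
    $writer = [System.Xml.XmlWriter]::Create($sw, $settings)
    $xml.Save($writer)
    $writer.Dispose()
    return $sw.ToString()
}

# Constructed inputs: the managed account name from the LAPS policy, plus an
# Azure AD group SID and a helpdesk user that are allowed to remain admins
$policyXml = New-RestrictedAdminsXml -ManagedAccount 'LapsAdmin' -AllowedMembers @(
    'S-1-12-1-111111111-222222222-333333333-444444444',   # placeholder group SID
    'AzureAD\helpdesk.lead@contoso.example'               # placeholder user
)
$policyXml
```

Paste the resulting XML into the LocalUsersAndGroups setting of an Intune Account protection policy; the managed account name must match the Administrator Account Name configured in the LAPS policy.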
In this article, we discussed what Windows LAPS is with Microsoft Entra and how it works with Azure AD and Microsoft Intune.
LAPS is the management of local account passwords on Windows devices. LAPS provides a solution to securely manage and retrieve the built-in local admin password. With the cloud version of LAPS, you can enable storing and rotation of local admin passwords for both Azure AD and Hybrid Azure AD join devices.
Thank you for reading my blog.
If you have any questions or feedback, please leave a comment.