In this tutorial I will show you how to use Local Administrator Password Solution (LAPS) with Azure Active Directory and Microsoft Intune. It has been a long time coming, but Microsoft have finally announced that Windows LAPS is in Public Preview, and it enables you to centrally manage the local administrator passwords of Azure AD joined devices.
Prerequisites
In order to back up local admin passwords to Intune/Azure AD, your devices need to be on one of the OS builds below or later.
- Windows 11 22H2 – April 11 2023 Update
- Windows 11 21H2 – April 11 2023 Update
- Windows 10 – April 11 2023 Update
- Windows Server 2022 – April 11 2023 Update
- Windows Server 2019 – April 11 2023 Update
Azure AD Joined Devices
Devices that are Azure AD joined only can only back up local admin passwords to Azure AD.
Hybrid Azure AD Joined Devices
Devices that are hybrid Azure AD joined can use LAPS to back up local admin passwords to either Azure Active Directory or Windows Server Active Directory, but not both.
Getting Started
To begin, head to Azure Active Directory (Entra) and select Devices > Overview, then Device Settings.
Scroll down to Enable Azure AD Local Administrator Password Solution (LAPS) and toggle it on.
Hit Save. It may take around 15 minutes to take effect.
Head over to Intune and open the Endpoint Security blade.
Click ‘Create New Policy’, select Windows 10 and later as the platform and Local admin password solution (Windows LAPS) as the profile, then click Create.
Give your profile a suitable name and description.
Configure the following options:
- Backup Directory: Backup to Azure AD Only
- Password Age Days: Not Configured (this defaults to a 30-day rotation, but you can change it if desired)
- Administrator Account Name: Not Configured (useful if your local admin account has a name other than the default; note that changing this does not rename the local admin account, it only tells LAPS which account to manage)
- Password Complexity: Not Configured (the default is the most secure setting)
- Password Length: 20 (personal preference, but the longer the better)
- Post Authentication Actions: Not Configured
Assign the policy to your testing/sandbox group of devices.
Review and create the policy.
Allow ample time for the new policy to sync and take effect on devices.
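Once the policy has had time to sync, it is worth confirming on a test device that the settings actually arrived and that a backup to Azure AD has been attempted, rather than waiting to discover a gap when a password is needed. The script below is an added example and is not from the original post or from Microsoft. It assumes the Windows LAPS policy registry path (`HKLM:\SOFTWARE\Microsoft\Policies\LAPS`), the value names and numeric meanings, the `Microsoft-Windows-LAPS/Operational` event channel, and the `Invoke-LapsPolicyProcessing` cmdlet from the built-in `LAPS` module, all as described in the Windows LAPS documentation; the 30-day age and 14-character length defaults shown for unset values are also taken from that documentation. Run it in an elevated PowerShell session on the managed device.

```powershell
# Added example (not from the original post): verify that the Intune LAPS policy has
# reached this device and force a policy processing cycle so a backup is attempted now.
# Assumptions: registry path, value names and numeric meanings per Windows LAPS docs;
# the LAPS module ships with the April 2023 update on supported builds.
#Requires -RunAsAdministrator
#Requires -Modules LAPS

$PolicyPath = 'HKLM:\SOFTWARE\Microsoft\Policies\LAPS'

# Human-readable labels for the numeric policy values (per Windows LAPS documentation)
$BackupDirectoryNames = @{ 0 = 'Disabled'; 1 = 'Azure AD'; 2 = 'Windows Server AD' }
$ComplexityNames = @{
    1 = 'Large letters'
    2 = 'Large + small letters'
    3 = 'Large + small letters + numbers'
    4 = 'Large + small letters + numbers + special characters'
}

function Get-LapsPolicySummary {
    # Returns $null when no LAPS policy has been written by the MDM client yet
    if (-not (Test-Path $PolicyPath)) {
        Write-Warning "No Windows LAPS policy found at $PolicyPath - the Intune policy has not applied yet."
        return $null
    }
    $p = Get-ItemProperty -Path $PolicyPath

    [pscustomobject]@{
        # An absent BackupDirectory value is treated as 0 (disabled), matching LAPS behaviour
        BackupDirectory          = $BackupDirectoryNames[[int]$p.BackupDirectory]
        PasswordAgeDays          = if ($null -ne $p.PasswordAgeDays) { $p.PasswordAgeDays } else { '30 (default)' }
        PasswordLength           = if ($null -ne $p.PasswordLength) { $p.PasswordLength } else { '14 (default)' }
        PasswordComplexity       = if ($null -ne $p.PasswordComplexity) { $ComplexityNames[[int]$p.PasswordComplexity] } else { "$($ComplexityNames[4]) (default)" }
        AdministratorAccountName = if ($p.AdministratorAccountName) { $p.AdministratorAccountName } else { '(built-in Administrator)' }
        PostAuthenticationActions = $p.PostAuthenticationActions
    }
}

function Test-LapsAzureADBackup {
    # 1. The device must be Azure AD joined for a cloud backup to succeed
    $joined = (dsregcmd /status) -match '^\s*AzureAdJoined\s*:\s*YES'
    if (-not $joined) {
        Write-Warning 'Device is not Azure AD joined; LAPS cannot back up to Azure AD.'
        return $false
    }

    # 2. The policy must be present and point at Azure AD
    $summary = Get-LapsPolicySummary
    if (-not $summary) { return $false }
    $summary | Format-List | Out-String | Write-Host

    if ($summary.BackupDirectory -ne 'Azure AD') {
        Write-Warning "BackupDirectory is '$($summary.BackupDirectory)', expected 'Azure AD'."
        return $false
    }

    # 3. Trigger a processing cycle now instead of waiting for the scheduled run
    Invoke-LapsPolicyProcessing

    # 4. Surface the most recent LAPS events so a failed backup is visible immediately
    Get-WinEvent -LogName 'Microsoft-Windows-LAPS/Operational' -MaxEvents 10 |
        Select-Object TimeCreated, Id, LevelDisplayName, Message |
        Format-Table -Wrap -AutoSize

    return $true
}

Test-LapsAzureADBackup
```

If the function returns `$false`, the warnings tell you which stage failed: join state, policy delivery, or the backup directory setting. Any error-level entries in the operational log after `Invoke-LapsPolicyProcessing` point at the backup itself (for example a device that cannot reach Azure AD), which is the case you want to catch in the sandbox group before assigning the policy more widely.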
In Intune, find the device you want to view the password for and navigate to ‘Local admin password’.
Here you can click ‘Show local administrator password’ to view the current local admin password and its rotation information.
You can also view all local admin passwords by going back to Devices > Overview > Local Administrator Password Recovery (Preview) in Azure AD (Entra).
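The same information can be read from an admin workstation with PowerShell, which is handy for scripted checks such as spotting devices whose password has passed its expiry time without being rotated. The script below is an added example and is not from the original post or from Microsoft. It assumes the built-in `LAPS` module's `Get-LapsAADPassword` cmdlet (which accepts device names or Azure AD device IDs via `-DeviceIds` and returns `Account`, `Password`, `PasswordExpirationTime` and `PasswordUpdateTime`, per the Windows LAPS documentation), the `Microsoft.Graph.Authentication` module for `Connect-MgGraph`, and an account holding a role permitted to read local admin credentials with the `DeviceLocalCredential.Read.All` scope consented. `<DEVICE-NAME>` is a placeholder.

```powershell
# Added example (not from the original post): read LAPS password metadata for an
# Azure AD joined device, revealing the password only when explicitly requested.
# Assumptions: cmdlet names, parameters and output properties per Windows LAPS docs;
# Microsoft.Graph.Authentication is installed; the signed-in account has the scope below.
#Requires -Modules LAPS, Microsoft.Graph.Authentication

function Get-DeviceLapsStatus {
    param(
        [Parameter(Mandatory)] [string] $DeviceName,
        [switch] $RevealPassword   # off by default: rotation metadata only
    )

    # Device.Read.All resolves device names; DeviceLocalCredential.Read.All reads the secret.
    Connect-MgGraph -Scopes 'Device.Read.All', 'DeviceLocalCredential.Read.All'

    if ($RevealPassword) {
        # -AsPlainText is deliberately omitted: Password comes back as a SecureString
        $info = Get-LapsAADPassword -DeviceIds $DeviceName -IncludePasswords
    } else {
        $info = Get-LapsAADPassword -DeviceIds $DeviceName
    }

    if (-not $info) {
        Write-Warning "No LAPS password has been backed up to Azure AD for '$DeviceName' yet."
        return $null
    }

    # A rotation that has stalled shows up as an expiry time in the past
    if ($info.PasswordExpirationTime -lt (Get-Date)) {
        Write-Warning ("Password for '{0}' expired at {1} and has not been rotated; check the device's LAPS event log." -f
            $DeviceName, $info.PasswordExpirationTime)
    }

    [pscustomobject]@{
        Device                 = $DeviceName
        Account                = $info.Account
        PasswordUpdateTime     = $info.PasswordUpdateTime
        PasswordExpirationTime = $info.PasswordExpirationTime
        Password               = if ($RevealPassword) { $info.Password } else { '(not requested)' }
    }
}

# Usage: metadata only by default; add -RevealPassword when the credential is actually needed
Get-DeviceLapsStatus -DeviceName '<DEVICE-NAME>'
```

Keeping `-RevealPassword` off by default means routine health checks do not read the secret, so the `DeviceLocalCredential.Read.All` audit trail in Azure AD only shows reads that were genuinely needed.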
#EdTech Network Manager, experienced in Microsoft 365, Server 2019, Intune, SCCM and anything in between.