How to set up Windows LAPS in Azure AD and Intune.


In this tutorial I will show you how you can use Local Administrator Password Solution (LAPS) in Azure Active Directory and Microsoft Intune. It’s been a long time coming but Microsoft have finally announced Windows LAPS is now in Public Preview and will enable you to centrally manage the Local Administrator passwords of Azure AD Joined Devices.


In order to back up Local Admin Passwords to Intune/Azure AD, your devices will need to be on the below OS or above.

Azure AD Joined Devices

Devices that are Azure AD Joined only can back up Local Admin Passwords to Azure AD only.

Hybrid Azure AD Joined Devices

Devices that are hybrid joined can use LAPS to back up Local Admin Passwords to either Azure Active Directory or Windows Server Active Directory, but not both.

Getting Started

To begin, head to Azure Active Directory (Entra) and select Devices > Overview & Device Settings.

Scroll down to Enable Azure-AD Local Admin Password Solution (LAPS) and toggle it on.

Hit Save. It may take around 15 minutes to take effect.

Head over to Intune and click the Endpoint Security blade.

Click ‘Create New Policy’, select Windows 10 and Later and Local admin password solution (Windows LAPS), then create the profile.

Give your profile a suitable name and description.

Configure the following options:

Backup Directory: Backup to Azure AD Only

Password Age Days: Not Configured (This will default to 30 days rotation but you can change if desired)

Administrator Account Name: Not Configured (This is useful if your local admin accounts are under a different name than the default, changing this will not rename the local admin account)

Password Complexity: Not Configured (Default is most secure setting)

Password Length: 20 (Personal preference, but the higher the number the better)

Post Authentication actions: Not Configured

Assign the policy to your testing/sandbox group of devices.

Review and create the policy.

Allow ample time for the new policy to sync and take effect on devices.
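To confirm the profile has landed on a test device rather than just waiting, the following check can be run there in an elevated PowerShell session. It is an added example, not part of the original tutorial, and it assumes the profile values used above (Backup Directory set to Azure AD, Password Length 20) and that the device reads its Intune-delivered LAPS policy from the CSP registry key shown in the script.

```powershell
#Requires -RunAsAdministrator
# Added example: confirm on a test device that the Intune LAPS profile has applied.
# Values the profile above should deliver; settings left "Not Configured" are
# not written to the device, so they are not checked here.
$expected = @{
    BackupDirectory = 1    # 1 = back up to Azure AD (0 = disabled, 2 = Windows Server AD)
    PasswordLength  = 20
}

# Windows LAPS stores CSP-delivered (Intune) policy under this key.
$policyKey = 'HKLM:\SOFTWARE\Microsoft\Policies\LAPS'

if (-not (Test-Path $policyKey)) {
    Write-Warning "No LAPS CSP policy at $policyKey. The device has not received the profile yet."
    return
}

$actual   = Get-ItemProperty -Path $policyKey
$mismatch = $false
foreach ($name in $expected.Keys) {
    $value = $actual.$name          # $null when the value is missing
    if ($value -ne $expected[$name]) {
        Write-Warning "$name is '$value', expected '$($expected[$name])'."
        $mismatch = $true
    } else {
        Write-Output "$name = $value (matches the profile)"
    }
}
if ($mismatch) { return }

# Ask Windows LAPS to process the policy now instead of waiting for the next cycle.
Invoke-LapsPolicyProcessing

# Show the LAPS events from the last 10 minutes; errors and warnings here
# explain why a password was not backed up to Azure AD.
Get-WinEvent -LogName 'Microsoft-Windows-LAPS/Operational' -MaxEvents 20 |
    Where-Object { $_.TimeCreated -gt (Get-Date).AddMinutes(-10) } |
    Sort-Object TimeCreated |
    Format-Table TimeCreated, Id, LevelDisplayName, Message -Wrap
```

A mismatch on Backup Directory usually means the profile is not assigned to the device or has not synced yet; a clean run followed by error events points at the tenant-side LAPS toggle or device join state instead.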

In Intune, find the device you want to view the password for and navigate to ‘Local Admin Password’.

Here you can click ‘Show Local Admin Password’ to view the current local admin password and rotation information.

You can also view all Local Admin Passwords by going back to the Devices > Overview > Local Administrator Passwords Recovery (Preview) section in Azure AD (Entra).


