Windows LAPS

Windows LAPS (Local Administrator Password Solution) is a Windows feature that manages and backs up the password of a local administrator account on devices that are joined to Azure Active Directory or Windows Server Active Directory.

The feature regularly rotates the password of a specified local administrator account and stores a backup of it in Azure Active Directory or Windows Server Active Directory, so that the password is unique per device and can be retrieved by authorized administrators when needed.

The difference between Windows LAPS and legacy Microsoft LAPS is that Windows LAPS is built into the operating system, whereas legacy LAPS had to be downloaded and installed separately (a client MSI plus its own Group Policy templates).

When can it be used?

  • Back up the password of the local administrator account to Azure AD or Windows Server AD.
  • Back up the DSRM (Directory Services Restore Mode) account password of a domain controller (Windows Server AD backup only).
  • Regularly rotate the password of the managed administrator account, including an automatic reset after the password has been used to sign in.

Windows LAPS is available on the following Windows versions once the April 11, 2023 security update is installed:

  • Windows 11 22H2
  • Windows 11 21H2
  • Windows 10 (April 11, 2023 update or later)

Deploying Windows LAPS on Azure AD joined devices via Intune

  • In the Azure AD portal, go to Devices and open Device settings.
  • Set “Enable Azure AD Local Administrator Password Solution (LAPS)” to Yes. Without this tenant-level switch, devices cannot back up passwords to Azure AD, whatever the Intune policy says.

Now, let’s create an account protection policy.

  • In the Intune admin center, click on Endpoint security and go to Account protection.
  • Create a new profile: select the platform (Windows 10 and later), the profile type “Local admin password solution (Windows LAPS)”, and give the profile a name.


  • Configuration settings, which you can set as per your business requirement:
    • Backup Directory (must be set to Azure AD for this scenario; otherwise nothing is backed up)
    • Administrator Account Name (leave empty to manage the built-in, well-known Administrator account)
    • Password Complexity
    • Password Length
    • Post Authentication Actions (what happens after the password is used: reset only, reset and log off, or reset and reboot)
    • Post Authentication Reset Delay (hours to wait before that action runs)
  • Choose assignments to deploy (you can choose all devices, or create a group to apply the policy to particular devices).
  • After the devices have checked in, check the policy’s status report.
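The status report tells you whether Intune delivered the profile, not whether the device actually rotated and backed up a password. The following PowerShell, an added example that is not part of the original post, is what to run in an elevated session on one of the targeted devices to confirm the CSP policy arrived, force a processing cycle instead of waiting for the schedule, and read the outcome from the Windows LAPS event log. It assumes the built-in LAPS module of a LAPS-capable Windows build; the registry value names are the ones Windows LAPS uses for the Intune/CSP policy source.

```powershell
# Added example (not from the original post): verify that an Intune-delivered
# Windows LAPS policy reached an Azure AD joined device and force it to run.
# Run in an elevated PowerShell session on the target device.

# 1. Policy delivered through the Intune CSP lands under this key. The value
#    names correspond to the settings in the Account protection profile.
$cspKey = 'HKLM:\SOFTWARE\Microsoft\Policies\LAPS'
if (Test-Path $cspKey) {
    Get-ItemProperty -Path $cspKey |
        Select-Object BackupDirectory, AdministratorAccountName, PasswordComplexity,
                      PasswordLength, PasswordAgeDays,
                      PostAuthenticationResetDelay, PostAuthenticationActions
} else {
    Write-Warning "No LAPS CSP policy present yet: sync the device from Intune and retry."
}

# 2. Force a policy-processing cycle now (built-in LAPS module cmdlet).
Invoke-LapsPolicyProcessing

# 3. Read the result from the operational log; errors here usually mean the
#    tenant-level Azure AD LAPS switch is off or BackupDirectory is not Azure AD.
Get-WinEvent -LogName 'Microsoft-Windows-LAPS/Operational' -MaxEvents 15 |
    Select-Object TimeCreated, Id, LevelDisplayName, Message |
    Format-Table -Wrap
```

BackupDirectory is the value to look at first: 1 means Azure AD and 2 means Windows Server AD, and if it is absent or 0 the rest of the policy is ignored.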

Now let’s check the password of the local administrator account in Intune. Open Devices, select the device, and open Local admin password; clicking “Show local administrator password” reveals the current password and its expiry. Every retrieval is audited, so only grant this permission to the roles that actually need it.

You can manually rotate the local admin password if required, using the “Rotate local admin password” device action on the same device page. Note that simply using the retrieved password to sign in already triggers the configured Post Authentication Action after the reset delay.
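The same retrieval and rotation can be done from PowerShell, which is handy for help-desk tooling and for scripted incident response. The block below is an added example, not code from the original post: it reads the backed-up password from Azure AD with the built-in Get-LapsAADPassword cmdlet and then rotates it either locally on the device or through the Intune device action in Microsoft Graph. It assumes the Microsoft.Graph PowerShell module is installed, that the caller can consent to the listed scopes, and that DEVICE-NAME and the managed device ID are placeholders for your own values; the rotateLocalAdminPassword call uses the beta Graph endpoint.

```powershell
# Added example (not from the original post): read and rotate a Windows LAPS
# password for an Azure AD joined device from PowerShell.
# Assumes: Microsoft.Graph module installed; DEVICE-NAME and $managedDeviceId
# are placeholders to replace with real values.

Import-Module Microsoft.Graph.Authentication
Connect-MgGraph -Scopes 'Device.Read.All',
                        'DeviceLocalCredential.Read.All',
                        'DeviceManagementManagedDevices.PrivilegedOperations.All'

# 1. Retrieve the current password for one device. Without -AsPlainText the
#    Password property is a SecureString; -IncludeHistory would also return
#    previous passwords that are still retained in Azure AD.
$cred = Get-LapsAADPassword -DeviceIds 'DEVICE-NAME' -IncludePasswords -AsPlainText
$cred | Select-Object DeviceName, Account, PasswordExpirationTime, PasswordUpdateTime
# $cred.Password is what you would use to sign in; the post-authentication
# action configured in the policy resets it after the configured delay.

# 2a. Rotate immediately from the device itself (elevated session on the device,
#     built-in LAPS module). The new password is backed up on the next cycle.
Reset-LapsPassword

# 2b. Or trigger the same "Rotate local admin password" action Intune exposes,
#     via Graph. Assumes the beta endpoint; $managedDeviceId is the Intune
#     managed device ID (not the Azure AD device ID).
$managedDeviceId = '00000000-0000-0000-0000-000000000000'
Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/beta/deviceManagement/managedDevices/$managedDeviceId/rotateLocalAdminPassword"
```

Prefer the Graph action when the device is not reachable interactively: it queues the rotation and the device performs it on its next check-in, which is the same behaviour as the portal button.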
