Enable Windows LAPS With Intune

Step by step

12/31/2024, 2 min read

Ok! So you've finally decided to enable Windows LAPS? Great!

Windows LAPS makes sure that each Windows device enrolled in Intune has a unique local administrator password. This is an important security feature: it removes static local passwords that are shared across machines (the kind an attacker reuses to move from one compromised device to the next), rotates the password automatically, and stores it in Entra ID so that you have to sign in to Intune with a suitable role to retrieve it.

Let's get started!

Windows client pre-reqs (the April 2023 cumulative update is what adds the built-in Windows LAPS feature; later builds include it):

- Windows 11 22H2 – April 11 2023 update or later
- Windows 11 21H2 – April 11 2023 update or later

There are a couple of things that you need to configure:
- Enable LAPS in your Tenant
- Enable the local administrator account [the built-in Administrator account is disabled by default on Windows 11]
- Configure the settings for LAPS

Enable LAPS in your Tenant:

  1. Sign in to the Azure Portal (https://portal.azure.com)

  2. Navigate to Entra ID

  3. In the left pane, expand Manage

  4. Click on Devices and expand Manage

  5. Click on Device settings

  6. Scroll down and you will find the Enable Microsoft Entra Local Administrator Password Solution (LAPS) option.

  7. Select YES and then click Save at the top of the page.

LAPS is now activated and available to be used within the Tenant.
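You can confirm that tenant-level switch from PowerShell instead of scrolling through the portal. This is an added example, not part of the original post; it assumes the Microsoft.Graph PowerShell SDK is installed on an admin workstation and that the signed-in account holds the Policy.Read.All permission.

```powershell
# Added example (not from the original post): read the tenant's device registration policy,
# which is where the "Enable Microsoft Entra Local Administrator Password Solution (LAPS)"
# switch is stored, as localAdminPassword.isEnabled.
# Assumes: Microsoft.Graph SDK installed, caller granted Policy.Read.All.
Connect-MgGraph -Scopes 'Policy.Read.All' -NoWelcome

$policy = Invoke-MgGraphRequest -Method GET `
    -Uri 'https://graph.microsoft.com/v1.0/policies/deviceRegistrationPolicy'

if ($policy.localAdminPassword.isEnabled) {
    Write-Host 'Windows LAPS is enabled for this tenant.' -ForegroundColor Green
} else {
    # The Intune LAPS policy will still reach devices, but they cannot back the
    # password up to Entra ID until this switch is on.
    Write-Warning 'Windows LAPS is NOT enabled in Entra ID - flip the switch in Device settings first.'
}
```

Run it again after you save the portal setting; the change is visible in Graph immediately, which makes it a handy check to script into a tenant baseline review.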

On an enrolled (corporate) Windows 11 device, the built-in Administrator account is disabled by default. If you want to use a custom local account instead, you must create that account before enabling Windows LAPS (Windows LAPS doesn't create the account) and enter its name as the Administrator account name in the LAPS policy later on.

  1. Sign in to Intune

  2. Click on Devices – Windows – Configuration

  3. Select Create – New Policy – Windows 10 and later – Settings catalog

  4. Name: Enable Local Administrator account for LAPS
    Description: Leave blank

  5. Click Next

  6. Click Add settings

  7. In the Search for a setting box, type Accounts Enable Administrator Account Status and click Search

  8. Click on the Local Policies Security Options category

  9. In the selection box below, select the checkbox for Accounts Enable Administrator Account Status

  10. Close the Settings picker and switch the Accounts Enable Administrator Account Status toggle from Disabled to Enabled

  11. Click Next

  12. Scope tags: Leave as is

  13. Assignments: select All devices (or, better, the same device group that the LAPS policy will target; an enabled Administrator account whose password LAPS does not yet manage is exactly what you are trying to avoid)

  14. Click Next

  15. Click Create

At the next device sync, the local administrator account will be enabled on all targeted devices.

You can now use this account with Windows LAPS.

Now that the account is enabled, you need to set the password complexity and how the password will be managed, i.e., when it is rotated and what happens after it has been used.

  1. Sign in to Intune

  2. Navigate to Endpoint security

  3. Expand Manage and select Account protection

  4. Click Create policy

  5. Select platform: Windows

  6. Select profile: Local admin password solution (Windows LAPS)

  7. Click Create

  8. Name: Windows LAPS settings

  9. Backup directory: Back up the password to Azure AD only (labelled Microsoft Entra ID in the current portal)

  10. Password age days: Not configured (the default is 30 days)

  11. Administrator account name: Leave as is (blank means Windows LAPS manages the built-in Administrator account, which it finds by its well-known RID even if the account has been renamed)

  12. Password complexity: Large letters + small letters + numbers + special characters (Default)

  13. Password length: 8 (note, in the real world you would keep the default of 14 or go longer; however, this is a lab, so to make it easy to test the sign-in we will keep it at the minimum requirement)

  14. Post authentication actions: Leave as is (the default resets the password and logs off the managed account once the reset delay has elapsed, so a password that has been used does not stay valid)

  15. Post authentication reset delay: Leave as is (the default is 24 hours; in a real-world scenario you may want a shorter window)

  16. Click Next through Scope tags and Assignments (assign the policy to the same devices as the account-enablement policy above), then click Create
Wait for the next sync and the configuration will be enabled.
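If you don't want to wait for the sync, or the sign-in test below fails, the following added example (not part of the original post) checks from the device itself that both Intune policies have landed. Run it in an elevated PowerShell on the enrolled Windows 11 device; it assumes nothing beyond the built-in LAPS PowerShell module that the April 2023 update installs.

```powershell
# Added example (not from the original post): device-side check that the two Intune
# policies configured above have actually applied. Run elevated on the managed device.

# 1. Is the built-in Administrator account enabled?  Match on the well-known RID 500 so
#    the check still works if someone renamed the account.
$builtin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
"Built-in admin: {0}   Enabled: {1}" -f $builtin.Name, $builtin.Enabled

# 2. Intune delivers Windows LAPS settings through the LAPS CSP, which writes them under
#    this key (group-policy-delivered settings would live under HKLM\SOFTWARE\Policies instead).
#    BackupDirectory 1 = Entra ID only, 2 = Active Directory, 0 = disabled.
$cspKey = 'HKLM:\SOFTWARE\Microsoft\Policies\LAPS'
if (Test-Path $cspKey) {
    Get-ItemProperty $cspKey |
        Select-Object BackupDirectory, AdministratorAccountName, PasswordAgeDays,
                      PasswordLength, PasswordComplexity,
                      PostAuthenticationActions, PostAuthenticationResetDelay
} else {
    Write-Warning 'No Windows LAPS policy from Intune on this device yet: sync it or check the assignment.'
}

# 3. Force LAPS to process the policy now instead of waiting for its next scheduled run.
#    With BackupDirectory = 1 this rotates the password and backs it up to Entra ID.
Invoke-LapsPolicyProcessing

# 4. The operational log records whether the rotation and the Entra ID backup succeeded;
#    an error here almost always means the tenant switch is off or the device is not
#    Entra-joined/registered.
Get-WinEvent -LogName 'Microsoft-Windows-LAPS/Operational' -MaxEvents 10 |
    Select-Object TimeCreated, Id, LevelDisplayName, Message |
    Format-List
```

Step 1 should print Enabled: True and step 2 should echo the values you picked in the policy (for this lab: PasswordLength 8). If the registry key is present but the event log shows backup failures, revisit the tenant-level switch from the first section.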

Now verify that it works: retrieve the password from Intune and use it to run CMD as administrator.

  1. Sign in to Intune, click on Devices – Windows and click on the computer name to open the device object.

  2. In the left pane, click on Local admin password, then click Show local administrator password; the current password is displayed (this needs a role that is allowed to read LAPS passwords).

  3. Now sign in to the computer

  4. In the search bar, type CMD

  5. Right-click on Command Prompt and select Run as administrator

  6. Username: .\administrator (a dot and then a backslash, which forces a local-account logon)

  7. Password: the password displayed in Intune

  8. Command Prompt should now open in administrator mode

Keep in mind that using the password counts as an authentication: with the default post-authentication action, Windows LAPS will reset it and log the account off once the reset delay has passed, so fetch a fresh one from Intune the next time.
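The same retrieval and test can be scripted from an admin workstation, which is how you would do it for more than a handful of devices. This is an added example, not part of the original post; it assumes the Microsoft.Graph PowerShell SDK plus the built-in LAPS module, a caller granted DeviceLocalCredential.Read.All and Device.Read.All, and a hypothetical device name LAB-WIN11-01 that you replace with your own.

```powershell
# Added example (not from the original post): fetch a device's current LAPS password from
# Entra ID and start cmd.exe as that local account, the scripted version of the portal
# steps above.  Assumes: Microsoft.Graph SDK + the Windows LAPS module on the workstation,
# caller granted DeviceLocalCredential.Read.All and Device.Read.All.
$DeviceName = 'LAB-WIN11-01'   # hypothetical device name; substitute your own

Connect-MgGraph -Scopes 'DeviceLocalCredential.Read.All', 'Device.Read.All' -NoWelcome

# Resolve the display name to the Entra device ID (a GUID), which is what Get-LapsAADPassword
# keys on.
$device = Get-MgDevice -Filter "displayName eq '$DeviceName'" | Select-Object -First 1
if (-not $device) { throw "Device '$DeviceName' was not found in Entra ID." }

# -IncludePasswords is required to receive the secret at all.  Without -AsPlainText the
# Password property stays a SecureString, which is what we want for building a credential.
$laps = Get-LapsAADPassword -DeviceIds $device.DeviceId -IncludePasswords
"Device: {0}   Account: {1}   Updated: {2}   Expires: {3}" -f `
    $laps.DeviceName, $laps.Account, $laps.PasswordUpdateTime, $laps.PasswordExpirationTime

# '.\' in front of the account name forces a local logon, exactly like typing .\administrator
# in the UAC prompt.  For the built-in Administrator (no Admin Approval Mode by default) the
# new window runs with a full token, so 'whoami /groups' shows BUILTIN\Administrators and
# High Mandatory Level.
$local = New-Object System.Management.Automation.PSCredential(".\$($laps.Account)", $laps.Password)
Start-Process -FilePath 'cmd.exe' -ArgumentList '/k whoami /groups' `
    -Credential $local -WorkingDirectory "$env:SystemRoot\System32"
```

Because this authenticates with the managed account, the post-authentication action applies here too: with the defaults the password you just retrieved is reset after the delay, so re-run the script rather than caching the value.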

That's it !

Go 4 IT ! 😀