Terminology
Before we start: if some of the Azure terminology used in this blog is unfamiliar, visit our terminology page, which we extend from time to time.
What is Windows LAPS?
Windows Local Administrator Password Solution (Windows LAPS) is a Windows feature that automatically manages and backs up the password of a local administrator account on your Azure Active Directory-joined or Windows Server Active Directory-joined devices.
Microsoft Intune support for Windows LAPS
You can use Microsoft Intune endpoint security policies for account protection to manage LAPS on devices that have enrolled with Intune. Intune policies can:
- Enforce password requirements for local admin accounts
- Back up the password of a local admin account from devices to your Active Directory (AD) or Azure AD
- Schedule rotation of those account passwords to help keep them safe.
You can also view details about the managed local admin accounts in the Intune admin center, and manually rotate their passwords outside of a scheduled rotation. Intune LAPS policies help protect Windows devices from attacks that abuse local user accounts, such as pass-the-hash and lateral movement using a local admin password that is identical on every device. Managing LAPS with Intune also improves security for remote help desk scenarios and for recovering devices that are otherwise inaccessible.
Windows LAPS capabilities
- Set password requirements – Define password requirements including complexity and length for the local administrator account on a device.
- Rotate passwords – With policy you can have devices automatically rotate the local admin account passwords on a schedule. You can also use the Intune admin center to manually rotate the password for a device as a device action.
- Backup accounts and passwords – You can choose to have devices back up their account and password in either Azure Active Directory (Azure AD) in the cloud, or your on-premises Active Directory. Passwords are stored using strong encryption.
- Configure post-authentication actions – Define the actions a device takes after its local admin account has been used to authenticate and the grace period has expired. Actions range from resetting the managed account's password, to logging off the account, to doing both and then rebooting the device. You can also set how long the device waits after the authentication before taking these actions.
- View account details – Intune administrators with sufficient role-based access control (RBAC) permissions can view information about a device's local admin account and its current password. You can also see when that password was last rotated (reset) and when it is next scheduled to rotate.
- View reports – Intune provides reports on password rotation including details about past manual and scheduled password rotation.
Overview of LAPS Setup
- Enable LAPS in your Azure Tenant
- Set up local admin accounts on your endpoints using Intune
- Create a LAPS Configuration Policy in Intune
- Deploy/Assign the policy to your endpoints
Enable Azure AD LAPS
Start by making sure that LAPS is turned on in your Azure tenant. Log in to the Azure portal, navigate to Azure Active Directory -> Devices -> Device settings, and set Enable Azure AD Local Administrator Password Solution (LAPS) to Yes. Until this tenant-level switch is on, devices cannot back up their passwords to Azure AD, whatever the Intune policy says.
Create a new local administrator account
Log in to the Intune admin center and navigate to Devices -> Configuration profiles.
- Click Create profile, choose Windows 10 and later as the platform and Templates -> Custom as the profile type, then click Create.
- Give the profile a suitable name and description and click Next.
- Click Add to add a custom OMA-URI setting. The user name segment of the OMA-URI is the name of the local account, so choose your own; in this example we use "localadmin":
  OMA-URI: ./Device/Vendor/MSFT/Accounts/Users/localadmin/Password
  Data type: String. Value: the initial password for the account.
- Add another settings row to put the account in the local Administrators group:
  OMA-URI: ./Device/Vendor/MSFT/Accounts/Users/localadmin/LocalUserGroup
  Data type: Integer. Value: 2 (in the Accounts CSP, 2 = Administrators and 1 = Users).
- If you copy and paste these strings from a web page, paste them into Notepad first to strip any formatting that would otherwise break the OMA-URI.
- Click Next and assign the profile to the device groups you want; in our example a test group.
- Click Next, add applicability rules if you need them, then click Next.
- Review that your settings are correct, then click Create.
You will likely see an error reported for this profile; this seems to be a known issue, and the account is created regardless. Note that the value you enter here is only the initial password, and it is identical on every device that receives the profile until Windows LAPS rotates it. Assign the LAPS policy below to the same devices and confirm that the first rotation has happened before you rely on the account.
Create a LAPS Configuration Policy in Intune
In the Intune admin center, navigate to Endpoint security -> Account protection.
- Click Create Policy, choose Windows 10 and later as the platform and Local admin password solution (Windows LAPS) as the profile, then click Create.
- Give the policy a suitable name and click Next.
Then configure the settings below.
Backup Directory:
Use this setting to configure which directory the local admin account password is backed up to. The allowable values are: 0=Disabled (the password is not backed up), 1=Back up the password to Azure AD only, 2=Back up the password to Active Directory only. If not specified, this setting defaults to 0, which means no backup at all. We will be backing up to Azure AD/Entra ID, so we select 1.
Password Age Days:
Use this setting to configure the maximum password age of the managed local administrator account. If not specified, it defaults to 30 days. The minimum allowed value is 1 day when backing the password up to on-premises Active Directory and 7 days when backing it up to Azure AD; the maximum allowed value is 365 days. In our example we use the minimum for Azure AD, 7 days.
Administrator Account Name:
Use this setting to configure the name of the managed local administrator account. If not specified, the built-in local Administrator account is located by its well-known SID (even if it has been renamed). If specified, the named account's password is managed. Note: specifying a custom account name here does not create the account; it must be created by other means. Since we created an account earlier in this guide, we use that account name.
Password Complexity:
Use this setting to configure the password complexity of the managed local administrator account. The allowable values are: 1=Uppercase letters, 2=Uppercase + lowercase letters, 3=Uppercase + lowercase letters + numbers, 4=Uppercase + lowercase letters + numbers + special characters. If not specified, this setting defaults to 4. Choose 4 if at all possible, since it gives the largest character set; we do so in this example.
Password Length:
Use this setting to configure the length of the managed local administrator account's password. If not specified, it defaults to 14 characters. The minimum allowed value is 8 characters and the maximum is 64 characters. Follow your own security standard here, but for this example we keep the default, 14 characters.
Post Authentication Actions:
Use this setting to specify the actions to take when the configured grace period expires after the managed account has authenticated. The allowable values are: 1=Reset the password, 3=Reset the password and log off the managed account, 5=Reset the password and reboot the device. If not specified, this setting defaults to 3. Test the options thoroughly before rolling them out, since a reboot or forced logoff on a device someone is working on is disruptive. In our example we use 3, reset the password and log off the managed account.
Post Authentication Reset Delay:
Use this setting to specify the amount of time (in hours) to wait after an authentication with the managed account before executing the post-authentication actions. If not specified, it defaults to 24 hours. The minimum allowed value is 0 hours, which disables all post-authentication actions, and the maximum is 24 hours. Set this according to your own security standard; in our example we keep the default, 24 hours.
When you have made your selections, click Next.
- Enter scope tags if you want to, then click Next.
- Include the groups you need; in our example we use a test device group. Click Next.
- Make sure your choices are correct, then click Create.
Validating your Windows LAPS Settings on an Endpoint
Once the policy has applied, check the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Policies\LAPS on the endpoint. Each setting from the Intune policy is written there as a value with the same name (BackupDirectory, PasswordAgeDays, AdministratorAccountName, PasswordComplexity, PasswordLength, PostAuthenticationActions, PostAuthenticationResetDelay), and each should match what you configured. A setting you left unspecified in the policy is simply absent from the key; Windows LAPS then uses its built-in default.
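The following script is an added example, not part of the original post. It performs the two endpoint checks described in this guide in one go: that the account created through the custom OMA-URI profile exists and is a member of the local Administrators group (looked up by the group's well-known SID, so it works on non-English Windows), and that every value under HKLM\SOFTWARE\Microsoft\Policies\LAPS matches the Intune policy. The expected values are the ones chosen in this guide and are an assumption you should adjust to your own policy; run it in an elevated PowerShell session on the device.

```powershell
# Added example (not from the original post): verify the managed account and the
# Windows LAPS policy values on an endpoint. Run elevated on the device.
# The expected values are those chosen in this guide; adjust them to your policy.
$Expected = @{
    BackupDirectory              = 1             # 1 = back up to Azure AD
    PasswordAgeDays              = 7
    AdministratorAccountName     = 'localadmin'  # account created via the Accounts CSP profile
    PasswordComplexity           = 4
    PasswordLength               = 14
    PostAuthenticationActions    = 3             # reset the password and log off
    PostAuthenticationResetDelay = 24
}
$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Policies\LAPS'
$ok = $true

# 1. The account the policy names must exist and be a local Administrator.
#    S-1-5-32-544 is the well-known SID of the local Administrators group.
$acct = Get-LocalUser -Name $Expected.AdministratorAccountName -ErrorAction SilentlyContinue
if (-not $acct) {
    Write-Warning "Local account '$($Expected.AdministratorAccountName)' does not exist"
    $ok = $false
} else {
    $isAdmin = Get-LocalGroupMember -SID 'S-1-5-32-544' | Where-Object { $_.SID -eq $acct.SID }
    if ($isAdmin) {
        "Account '$($acct.Name)' exists and is a member of the local Administrators group"
    } else {
        Write-Warning "'$($acct.Name)' exists but is not in the local Administrators group"
        $ok = $false
    }
}

# 2. Every policy value Intune wrote under the LAPS policy key must match what we expect.
#    A value that is absent means the setting was not specified and the LAPS default applies.
if (-not (Test-Path $PolicyKey)) {
    Write-Warning "$PolicyKey is missing; the LAPS policy has not applied to this device yet"
    $ok = $false
} else {
    $actual = Get-ItemProperty -Path $PolicyKey
    foreach ($name in $Expected.Keys) {
        $value = $actual.$name
        if ($null -eq $value) {
            Write-Warning "$name is not set (Windows LAPS will use its default)"
            $ok = $false
        } elseif ("$value" -ne "$($Expected[$name])") {
            Write-Warning "$name is '$value', expected '$($Expected[$name])'"
            $ok = $false
        } else {
            '{0,-30} {1}' -f $name, $value
        }
    }
}

if ($ok) { 'LAPS configuration matches the policy' }
else     { Write-Warning 'LAPS configuration differs from the policy; see the warnings above' }
```

A mismatch in BackupDirectory is the one to watch for: a device with BackupDirectory absent or 0 silently keeps a password nobody can retrieve.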
Windows LAPS Operation
Windows LAPS uses a background task that wakes up every hour to process the currently active policy. The task is not implemented with Windows Task Scheduler, so you will not find it there. Each cycle checks whether the password has expired and, if it has, rotates it and backs it up to the configured directory. You can start a processing cycle manually from an elevated PowerShell session with the Invoke-LapsPolicyProcessing cmdlet. To verify that the password was successfully updated in Azure Active Directory, look in the Windows LAPS operational event log (Applications and Services Logs -> Microsoft -> Windows -> LAPS -> Operational) for event 10029.
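As an added example that is not part of the original post, the script below drives the cycle just described and reads the result back from the Microsoft-Windows-LAPS/Operational log, so you get a yes/no answer instead of scrolling through Event Viewer. By default it runs Invoke-LapsPolicyProcessing, which only rotates when the password is due; the -ResetNow switch uses Reset-LapsPassword from the same Windows LAPS PowerShell module to force a new password immediately, which is what you want when testing. The 10029 event ID is the one the page names for a successful Azure AD backup; run the script elevated on the device.

```powershell
# Added example (not from the original post): run a Windows LAPS processing cycle on the
# endpoint and confirm from the LAPS operational log that the password was backed up to
# Azure AD (event 10029). Run elevated on the device.
param(
    [switch]$ResetNow   # force a new password now instead of waiting for the current one to expire
)

$LogName = 'Microsoft-Windows-LAPS/Operational'
$start   = Get-Date

if ($ResetNow) {
    Reset-LapsPassword            # rotates immediately, then backs the new password up
} else {
    Invoke-LapsPolicyProcessing   # the same cycle the hourly background task runs
}

# Everything LAPS logged since we started, oldest first, first line of each message only.
$events = Get-WinEvent -FilterHashtable @{ LogName = $LogName; StartTime = $start } -ErrorAction SilentlyContinue |
    Sort-Object TimeCreated
$events |
    Select-Object TimeCreated, Id, LevelDisplayName, @{ n = 'Message'; e = { ($_.Message -split "`r?`n")[0] } } |
    Format-Table -AutoSize

if ($events | Where-Object Id -eq 10029) {
    'Password backup to Azure AD succeeded (event 10029)'
} elseif ($events | Where-Object LevelDisplayName -eq 'Error') {
    Write-Warning 'The cycle ran but LAPS logged errors; read the error events above'
} else {
    Write-Warning 'No backup in this cycle: the password was probably not yet due for rotation. Re-run with -ResetNow to force one.'
}
```

If you see errors and the device is Azure AD-joined, the first things to check are the tenant-level LAPS switch and that the device actually received a policy with BackupDirectory set to 1.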
Azure Active Directory Passwords
When you back up passwords to Azure Active Directory, the managed local account passwords are stored on the Azure Active Directory device object. Windows LAPS authenticates to Azure Active Directory using the device identity of the managed device, so no user credentials are involved in the backup. Access to the stored data is controlled by Azure AD, but for extra protection the password is encrypted again before it is persisted; this extra encryption layer is removed before the password is returned to authorized clients.
Retrieve Azure Active Directory LAPS Passwords
By default, only members of the Global Administrator, Cloud Device Administrator, and Intune Administrator roles can retrieve the clear-text password. Retrieving Windows LAPS passwords stored in Azure Active Directory is done through Microsoft Graph. Windows LAPS includes a PowerShell cmdlet, Get-LapsAADPassword, that wraps the Microsoft Graph PowerShell library. You can also use the Azure AD and/or Intune management portals for a UI-based retrieval experience. Windows LAPS offers no user interface within Windows itself for retrieving a password from Azure Active Directory.
Retrieve the password from Intune:
- Log in to the Intune admin center.
- Navigate to Devices -> All devices.
- Select the device you want to get the LAPS password for.
- In the left-hand menu, click Local admin password.
- Click Show local administrator password, then click Show.
Retrieve the Password from Azure AD:
- Log in to the Azure portal.
- Navigate to Devices -> All devices.
- Select the device you want to retrieve the LAPS password for.
- Click Local administrator password recovery (Preview).
- Click Show local administrator password, then click Show.
Retrieve the password using Powershell:
Create an Azure Active Directory registered app to retrieve Windows LAPS passwords
If you have not created an Azure AD registered app before, see: https://learn.microsoft.com/en-us/azure/active-directory/develop/quickstart-register-app
Follow these steps to create the app registration:
- Sign in to the Microsoft Entra admin center as at least a Cloud Application Administrator.
- If you have access to multiple tenants, use the Directories + subscriptions filter in the top menu to select the tenant that should contain the app registration.
- Navigate to Identity > Applications > App registrations and select New registration.
- Enter a display name for the application. Users may see this name, for example during sign-in. You can change it at any time and several registrations may share the same name; it is the automatically generated Application (client) ID, not the display name, that uniquely identifies the app within the identity platform.
- Specify who can use the application (its sign-in audience). For this purpose, accounts in this organizational directory only is the right choice.
- Leave Redirect URI (optional) empty; you configure it in the next section.
- Select Register. The app's Overview page opens.
- Click API permissions -> Add a permission -> Microsoft Graph -> Delegated permissions and add Device.Read.All plus either Device.LocalCredential.ReadBasic.All (device and backup metadata, no passwords) or Device.LocalCredential.Read.All (includes the passwords). DeviceManagementManagedDevices.Read.All may also be required to query passwords for Microsoft Managed Desktop devices. Give only the tool that actually hands out passwords the Read.All variant; anything that merely reports on LAPS state should get ReadBasic.All.
- Once the permissions are added, click Grant admin consent so they can be used in your tenant.
Add Redirect URIs
If you intend to run the PowerShell commands from your client devices, add a redirect URI under Authentication -> Add a platform -> Mobile and desktop applications. We added http://localhost:50294. We also added https://login.microsoftonline.com/common/oauth2/nativeclient, though we are not 100% certain it is needed for this. The Microsoft Graph PowerShell SDK's interactive sign-in returns to a loopback address (http://localhost), which is why the app needs the mobile and desktop platform rather than a web platform.
Note: used this way the app is a public client (interactive, delegated sign-in), so it has no client secret, and it should not: a secret embedded in a script on an endpoint is no secret at all. Delegated permissions never exceed the rights of the signed-in user, so the user still needs one of the roles listed above to read a password. If you later run this unattended with application permissions, authenticate with a certificate rather than a client secret, and treat that identity as a Tier 0 credential, because it can read every managed local admin password in the tenant.
Start by setting PSGallery as a trusted repository:
  Set-PSRepository PSGallery -InstallationPolicy Trusted
Install the Microsoft Graph PowerShell library:
  Install-Module Microsoft.Graph -Scope AllUsers -Force
Then connect with the app and query the device. The -DeviceIds parameter accepts either the device's display name or its Azure AD device ID:
  $TenantID = "put your tenant id here"
  $AppID = "put the application (client) id of the LAPS app here"
  $Device = "name or Azure AD device id of the device you want the password for"
  Connect-MgGraph -Environment Global -TenantId $TenantID -ClientId $AppID
  Get-LapsAADPassword -DeviceIds $Device
The result shows the device, the account and when the password was last backed up, but not the password itself. To include the password (returned as a SecureString), run:
  Get-LapsAADPassword -DeviceIds $Device -IncludePasswords
To show the password as plain text, run:
  Get-LapsAADPassword -DeviceIds $Device -IncludePasswords -AsPlainText
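The script below is an added example, not code from the original post. Rather than retrieving one password, it uses the same app registration to audit every device's LAPS backup age through the Microsoft Graph endpoint that Get-LapsAADPassword wraps, which is the check you want after a rollout: a device whose last backup is older than the password age has either stopped rotating or cannot reach Azure AD. It deliberately requests only Device.LocalCredential.ReadBasic.All, so no password ever leaves the tenant. Assumptions: the Microsoft.Graph module is installed, admin consent on the app covers the two scopes, the directory/deviceLocalCredentials endpoint is available on the Graph version you pass (v1.0 here; use beta if your tenant still reports the feature as preview), and the 7-day password age matches the policy in this guide while the 2-day grace is an arbitrary allowance for devices that were offline at rotation time.

```powershell
# Added example (not from the original post): list devices whose Azure AD LAPS backup is
# older than the configured password age. Uses metadata-only permissions; no passwords
# are requested or returned.
param(
    [Parameter(Mandatory)][string]$TenantId,
    [Parameter(Mandatory)][string]$ClientId,     # Application (client) ID of the LAPS app registration
    [int]$PasswordAgeDays = 7,                   # PasswordAgeDays chosen in this guide
    [int]$GraceDays       = 2,                   # assumption: slack for devices offline at rotation time
    [string]$GraphVersion = 'v1.0'               # use 'beta' if the endpoint is not in v1.0 for your tenant
)

Connect-MgGraph -TenantId $TenantId -ClientId $ClientId `
    -Scopes 'Device.Read.All', 'Device.LocalCredential.ReadBasic.All' | Out-Null

# Page through every device that has a LAPS backup in Azure AD. Without $select=credentials
# Graph returns only deviceName, id, lastBackupDateTime and refreshDateTime.
$uri = "https://graph.microsoft.com/$GraphVersion/directory/deviceLocalCredentials"
$all = @()
do {
    $page = Invoke-MgGraphRequest -Method GET -Uri $uri -OutputType PSObject
    $all += $page.value
    $uri  = $page.'@odata.nextLink'
} while ($uri)

$maxAge = $PasswordAgeDays + $GraceDays
$cutoff = (Get-Date).ToUniversalTime().AddDays(-$maxAge)
$stale  = $all | Where-Object { ([datetime]$_.lastBackupDateTime).ToUniversalTime() -lt $cutoff }

'{0} devices have a LAPS backup in Azure AD; {1} have not backed up in the last {2} days' -f $all.Count, $stale.Count, $maxAge
$stale |
    Select-Object deviceName, id, lastBackupDateTime, refreshDateTime |
    Sort-Object lastBackupDateTime |
    Format-Table -AutoSize
```

Devices that never enrolled in LAPS do not appear in this list at all; compare the count against your Azure AD device inventory if you want to catch those as well.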
Password reset after authentication
Windows LAPS can automatically rotate the local administrator account password when it detects that the account was used to authenticate. This limits how long a clear-text password that has been handed out remains usable. You can configure a grace period to give the person using the account time to complete their intended work before the reset happens.
Manually Force a LAPS password rotation
To manually request a password rotation:
- In the Intune admin center, navigate to Devices -> Windows and select the device whose password you want to rotate.
- Click Rotate local admin password.
- Restart the client so it checks in and picks up the request; the rotation happens when Windows LAPS next processes the policy.
It can take a while before the new password shows up, so grab a coffee if you are testing this feature. If you are logged on to the device itself, the Reset-LapsPassword cmdlet in an elevated PowerShell session rotates and backs up the password immediately without going through Intune.
Blog post written by Jens Lagnekvist.
<Mandatory legal text>
This information is provided as is without warranties, confers no rights and isn’t supported by the writer(s), or Brickstone IT.
</Mandatory legal text>