Local admin passwords have long been the bane of an administrator’s life. Either every single device has the same local admin password (which is terribly insecure), or every device has a different password, or a mishmash of devices share passwords and it’s all kept on a sticky note in your desk drawer (which is also terribly insecure). Bad guys love to exploit local user accounts with methods like pass-the-hash and lateral movement between machines that share a password. LAPS was designed to help you protect your devices from these kinds of attacks.
The Windows Local Administrator Password Solution (LAPS) was introduced many years ago to help with this issue. At the time it was described as “an elegant and lightweight mechanism for Active Directory domain-joined systems that periodically sets each computer’s admin account password to a new random and unique value”. The solution stored passwords in a secured confidential attribute on the corresponding computer object in Active Directory and only specifically authorized users could retrieve it.
LAPS was managed via Group Policy, which was a great improvement over the above-mentioned “sticky note method”. But Microsoft has recently made it even easier to deploy and manage LAPS if you use Intune. Intune can be configured to:
Rotate the account passwords on a defined schedule
Enforce password requirements for the local admin accounts
Back up the local admin account passwords from devices to your Active Directory (AD) or Azure AD
To take advantage of LAPS with Intune, you’ll need to be running at least Windows 10 22H2. Intune LAPS policy can be used to manage any local administrator account on a device; however, LAPS supports only one managed account per device. Also good to know is that the Intune policy will override a policy deployed by GPO. Managing LAPS with Intune can also help improve security for remote help desk scenarios and recover devices that are otherwise inaccessible.
To deploy the LAPS policy, sign into Intune and go to Endpoint security > Account protection, and then select Create Policy. Give it a name and then select the configuration settings that work best in your environment. Assign it to the users or devices you choose and you’ve now deployed LAPS.
If you need to get the password to log onto a device, simply find the device in Intune and click on Local admin password. Select Show local administrator password and you’ll be able to retrieve the current admin password.
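The portal shows you one device at a time. As an added example (not from the original post), the script below uses the Windows LAPS PowerShell module to check every Windows device in Azure AD for a backed-up password and flag any that are missing or past their expiration time, which is the quickest way to spot devices the rotation schedule is not reaching. It assumes the Windows LAPS module and the Microsoft Graph modules are installed, that the caller has a role allowing LAPS password reads, and that Get-LapsAADPassword accepts the Azure AD device ID.

```powershell
# Added example, not from the original post: audit Windows LAPS password
# backups in Azure AD for Intune-managed Windows devices.
# Assumes: the Windows LAPS PowerShell module (ships with Windows 11 22H2+ and
# Windows 10 with the LAPS update) and the Microsoft.Graph modules are installed,
# and the signed-in user holds a role that may read LAPS password metadata.

# Read-only scopes: enough to list devices and read stored LAPS metadata.
Connect-MgGraph -Scopes 'Device.Read.All', 'DeviceLocalCredential.Read.All'

$now = Get-Date

$report = foreach ($dev in Get-MgDevice -Filter "operatingSystem eq 'Windows'" -All) {
    # Metadata only: without -IncludePasswords no secret is retrieved,
    # just the expiration time the last backup recorded.
    # Assumption: the Azure AD device ID (not the object ID) is accepted here.
    $laps = Get-LapsAADPassword -DeviceIds $dev.DeviceId -ErrorAction SilentlyContinue

    if (-not $laps) {
        # Nothing stored: policy not applied, device offline too long, or not targeted.
        [pscustomobject]@{ Device = $dev.DisplayName; Status = 'NoBackup'; DaysToExpiry = $null }
        continue
    }

    $daysLeft = ($laps.PasswordExpirationTime - $now).TotalDays
    [pscustomobject]@{
        Device       = $dev.DisplayName
        # Expired means the scheduled rotation did not happen or was not backed up.
        Status       = if ($daysLeft -lt 0) { 'Expired' } else { 'OK' }
        DaysToExpiry = [math]::Round($daysLeft, 1)
    }
}

# Show only the devices that need attention.
$report | Where-Object Status -ne 'OK' |
    Sort-Object Status, DaysToExpiry |
    Format-Table -AutoSize
```

Devices listed as NoBackup or Expired are the ones whose local admin password you cannot trust to be unique and current, so check policy assignment and device check-in for those first.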
For more information about LAPS, check out the link here.