In this quick and easy guide, I show you how to configure LAPS (Local Administrator Password Solution) with Microsoft Intune. LAPS is a solution which secures the local administrator account on your devices by enforcing password requirements, backing up local admin accounts, and scheduling password rotations. 

Prerequisites

• Platform requirements: Windows 10 20H2 or Windows 11 21H2 with April 11, 2023 security updates installed.
• License requirements: Microsoft Intune plan 1 license is required.
• Device requirements: Hybrid or Azure AD joined devices and managed by Microsoft Intune.

While LAPS is in preview, the feature itself must be enabled through Azure Active Directory first.

• Navigate to the Microsoft Entra admin center > Devices > All devices > Device Settings > Enable LAPS > Save.

Enable Local Administrator account

Before beginning the configuration of the LAPS policy, ensure that you have a local administrator account enabled and/or created on your devices. If you wish to use the built-in administrator account, you can enable it by following these steps:

Create the Configuration profile by navigating to the Microsoft Intune admin center > Devices > Configuration profile > Create Policy > Windows 10 and later > Session catalog > + Create.

Locate the “Accounts Enable Administrator Account Status” configuration setting, enable it, and apply the policy to your devices. Alternatively, you can create and enable a custom local administrator account, which is more secure.

Configure LAPS Policy

Create the LAPS policy by navigating to the Microsoft Intune admin center > Endpoint security > Account Protection > Create Policy > Windows LAPS > + Create Policy.

The LAPS policy contains a range of settings and configurable options, including:

• Backup Directory: Choose whether to backup the password to Azure AD or the local Active Directory (not configured means no backup).
  
  • Password Age Days: configure the maximum age (not configured means 30 days)

•  Administrator Account Name (not configured will use the built-in local admin)
  
  • Configuring the account name alone will not create or enable an account. Please ensure that the account is already created and not disabled.

• Password Complexity (not configured is option 4)
  1. Large Letter
  2. Large Letter + small letters 
  3. Large Letter + small letters + numbers 
  4. Large Letter + small letters + numbers + special characters

• Password Length (not configured is 14 characters)
  
  • Configure a password length ranging between 8 and 64 characters.

• Post Authentication Actions: the option chosen will specify what will happen after a successful authentication (not configured is option 3).
  
  1. Reset password: upon expiry of the grace period, the managed account password will be reset.
  2. Reset the password and logoff the managed account: upon expiry of the grace period, the managed account password will be reset and any interactive logon sessions using the managed account will be terminated.
  3. Reset the password and reboot: upon expiry of the grace period, the managed account password will be reset and the managed device will be immediately rebooted.

• Post Authentication Reset Delay: the delay specifies when the Post Authentication Action will activate (not configured is 24 hours).
  • The configured value must be between 0 and 24 

Take a look at the picture below for a simple example of my configuration.

In my opinion, Microsoft has done a great job of ensuring the default settings are secure. 

Admin Experience

Once the policy has been deployed, you can locate the local administrator password in the “Local admin password” section of the device page.

Once you have copied the password, you can use it to gain local administrative privileges on the device.

If necessary, you can manually rotate the local administrator password from the “overview” section of the device page.

Quick Guide: Configure LAPS with Microsoft Intune