Configuring Windows LAPS using Microsoft Intune

Introduction

Windows Local Administrator Password Solution (Windows LAPS) maintains and backs up the password of a local administrator account on Azure Active Directory-joined or Windows Server Active Directory-joined devices. Currently, Windows LAPS is in private preview and is available only in Windows 11 Insider Preview Build 25145 and later. All customers will be able to evaluate the Azure AD scenario once the public preview is announced in 2023.

Once Windows LAPS is enabled, the device begins to manage the configured local account password and generates a new, random password that complies with the length and complexity requirements set in the policy.

Benefits of Using Windows LAPS

  1. Protection from pass-the-hash and lateral-traversal attacks.
  2. Security enhancements for remote help desk scenarios.
  3. Capability to sign in to and restore otherwise inaccessible devices.
  4. A fine-grained security model for protecting Windows Server Active Directory-stored passwords.
  5. Support for the Azure role-based access control architecture for securing Azure Active Directory-stored passwords.

Setting up Windows LAPS policy

You have multiple options available for Windows LAPS deployment.

  1. Legacy Microsoft LAPS
  2. Windows LAPS Group Policy
  3. Windows LAPS Configuration Service Provider

Configuration Options for Windows LAPS

  1. Use Microsoft Endpoint Manager (Intune) for:
    • Active Directory Joined Devices.
    • Hybrid Azure AD joined devices that are enrolled to Microsoft Intune.
  2. Group Policies for Windows Server Active Directory joined devices.
  3. If your devices are Azure Active Directory-joined but you’re not using Microsoft Intune, you can still deploy Windows LAPS for Azure Active Directory. In this scenario, you must deploy policy manually either by using direct registry modification or by using Local Computer Group Policy.

Windows LAPS policy processing cycle

Instead of using the Windows Task Scheduler, Windows LAPS uses a background task that wakes up every hour to process the currently active policy.

Configuring Windows LAPS

Windows LAPS includes a new Group Policy Object that you can use to administer policy settings on Active Directory domain-joined devices. To access the Windows LAPS Group Policy, in the Group Policy Management Editor, go to Computer Configuration > Administrative Templates > System > LAPS.

If your endpoints are Azure AD-joined or hybrid Azure AD-joined, you can configure Windows LAPS using Microsoft Intune. Organizations can use the Local Administrator Password Solution (LAPS) configuration service provider (CSP) to manage the backup of local administrator account passwords. This CSP was added in Windows 11 as of build 25145.

./Device/Vendor/MSFT/LAPS
    Policies
        BackupDirectory
        PasswordAgeDays
        PasswordLength
        PasswordComplexity
        PasswordExpirationProtectionEnabled
        AdministratorAccountName
        ADPasswordEncryptionEnabled
        ADPasswordEncryptionPrincipal
        ADEncryptedPasswordHistorySize
        PostAuthenticationResetDelay
        PostAuthenticationActions
    Actions
        ResetPassword
        ResetPasswordStatus
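The CSP tree above only names the nodes. Before entering them as custom OMA-URI settings in an Intune configuration profile, it helps to check that the chosen values are in range and consistent with each other (for example, the AD-prefixed nodes have no effect when the backup directory is Azure AD). The following is an added example, not code from the original post or from Microsoft: it models the Policies nodes, validates a constructed sample policy, and renders the full OMA-URI rows. The value ranges and the Azure AD minimum password age of 7 days are taken from the Windows LAPS CSP documentation as I know it and should be treated as assumptions if your preview build differs.

```python
"""Validate a Windows LAPS CSP policy and render it as Intune OMA-URI rows.

Added example (not from the original post). Node names follow the CSP tree;
value ranges are assumptions based on the Windows LAPS CSP documentation.
"""
from typing import Any

CSP_ROOT = "./Device/Vendor/MSFT/LAPS/Policies"

# BackupDirectory values (assumption: 0 = disabled, 1 = Azure AD, 2 = Windows Server AD).
BACKUP_DISABLED, BACKUP_AZURE_AD, BACKUP_AD = 0, 1, 2

# Integer nodes and their assumed allowed ranges (inclusive).
INT_RANGES = {
    "BackupDirectory": (0, 2),
    "PasswordAgeDays": (1, 365),            # minimum 7 for Azure AD backup (checked below)
    "PasswordLength": (8, 64),
    "PasswordComplexity": (1, 4),
    "PostAuthenticationResetDelay": (0, 24), # hours
    "ADEncryptedPasswordHistorySize": (0, 12),
}
# Assumed allowed values for PostAuthenticationActions.
POST_AUTH_ACTIONS = {1: "reset password", 3: "reset password and log off", 5: "reset password and reboot"}
BOOL_NODES = {"PasswordExpirationProtectionEnabled", "ADPasswordEncryptionEnabled"}
STRING_NODES = {"AdministratorAccountName", "ADPasswordEncryptionPrincipal"}
# These nodes only matter when passwords are backed up to Windows Server AD.
AD_ONLY_NODES = {"ADPasswordEncryptionEnabled", "ADPasswordEncryptionPrincipal", "ADEncryptedPasswordHistorySize"}
ALL_NODES = set(INT_RANGES) | {"PostAuthenticationActions"} | BOOL_NODES | STRING_NODES


def validate_policy(policy: dict[str, Any]) -> list[str]:
    """Return a list of problems found in the policy; an empty list means it is valid."""
    problems: list[str] = []
    for node, value in policy.items():
        if node not in ALL_NODES:
            problems.append(f"{node}: not a LAPS policy node")
        elif node in INT_RANGES:
            lo, hi = INT_RANGES[node]
            if isinstance(value, bool) or not isinstance(value, int) or not lo <= value <= hi:
                problems.append(f"{node}: expected integer in {lo}..{hi}, got {value!r}")
        elif node == "PostAuthenticationActions":
            if value not in POST_AUTH_ACTIONS:
                problems.append(f"{node}: expected one of {sorted(POST_AUTH_ACTIONS)}, got {value!r}")
        elif node in BOOL_NODES:
            if not isinstance(value, bool):
                problems.append(f"{node}: expected bool, got {value!r}")
        elif node in STRING_NODES:
            if not isinstance(value, str) or not value.strip():
                problems.append(f"{node}: expected non-empty string, got {value!r}")

    # Cross-node consistency checks.
    backup = policy.get("BackupDirectory", BACKUP_DISABLED)
    if backup == BACKUP_DISABLED:
        problems.append("BackupDirectory: 0 disables password backup, so no password will be managed")
    age = policy.get("PasswordAgeDays")
    if backup == BACKUP_AZURE_AD and isinstance(age, int) and age < 7:
        problems.append("PasswordAgeDays: minimum is 7 when backing up to Azure AD")
    if backup != BACKUP_AD:
        for node in sorted(AD_ONLY_NODES & policy.keys()):
            problems.append(f"{node}: only applies when BackupDirectory is 2 (Windows Server AD)")
    history = policy.get("ADEncryptedPasswordHistorySize", 0)
    if isinstance(history, int) and history > 0 and policy.get("ADPasswordEncryptionEnabled") is False:
        problems.append("ADEncryptedPasswordHistorySize: requires ADPasswordEncryptionEnabled")
    return problems


def to_oma_uri(policy: dict[str, Any]) -> list[tuple[str, str, str]]:
    """Render a policy as (OMA-URI, Intune data type, value) rows for a custom profile.

    Boolean nodes are emitted as integer 0/1 (assumption: that is how the CSP stores them).
    """
    rows = []
    for node in sorted(policy):
        value = policy[node]
        uri = f"{CSP_ROOT}/{node}"
        if isinstance(value, bool):
            rows.append((uri, "Integer", "1" if value else "0"))
        elif isinstance(value, int):
            rows.append((uri, "Integer", str(value)))
        else:
            rows.append((uri, "String", str(value)))
    return rows


# Constructed sample policy for Azure AD-joined, Intune-enrolled devices.
SAMPLE_POLICY = {
    "BackupDirectory": BACKUP_AZURE_AD,
    "PasswordAgeDays": 30,
    "PasswordLength": 20,
    "PasswordComplexity": 4,
    "PasswordExpirationProtectionEnabled": True,
    "PostAuthenticationResetDelay": 8,
    "PostAuthenticationActions": 3,
}

if __name__ == "__main__":
    for line in validate_policy(SAMPLE_POLICY) or ["policy is valid"]:
        print(line)
    for uri, dtype, value in to_oma_uri(SAMPLE_POLICY):
        print(f"{uri:<75} {dtype:<8} {value}")
```

Run it as a script to print the rows to type into Intune (Devices > Configuration profiles > Custom), or import it and feed `validate_policy` the dictionary you intend to deploy; any returned string is a setting the hourly policy-processing task would either reject or silently ignore.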

Hope this will be informative for you; please do share if you find it worth sharing.