Overview

Windows Local Administrator Password Solution (Windows LAPS) is a Windows feature that automatically manages and backs up the password of a local administrator account on your Microsoft Entra joined or Windows Server Active Directory-joined devices.

You also can use Windows LAPS to automatically manage and back up the Directory Services Restore Mode (DSRM) account password on your Windows Server Active Directory domain controllers. An authorized administrator can retrieve the DSRM password and use it.

Benefits of using Windows LAPS

Use Windows LAPS to regularly rotate and manage local administrator account passwords and get these benefits:

  • Protection against pass-the-hash and lateral-traversal attacks
  • Improved security for remote help desk scenarios
  • Ability to sign in to and recover devices that are otherwise inaccessible
  • A fine-grained security model (access control lists and optional password encryption) for securing passwords that are stored in Windows Server Active Directory
  • Support for the Entra role-based access control model for securing passwords that are stored in Microsoft Entra ID

Two versions of LAPS:

Legacy LAPS:

  • This is the older version of LAPS (the separately installed Microsoft LAPS from 2015).
  • Free; no additional licenses or subscriptions are required.
  • It does not support password encryption. The password is stored on the computer object in Active Directory in clear text (attribute ms-Mcs-AdmPwd, marked confidential). By default only members of Domain Admins can read it; other principals need the read-password extended right granted explicitly on the OU.
  • Installation requires extending the AD schema with two additional attributes (the password and its expiration time).
  • The LAPS agent (a client-side extension) must be installed on every endpoint, typically via GPO, and the matching Group Policy definition files must be deployed.

See the separate article on how to deploy legacy Microsoft LAPS.

Windows LAPS (with Microsoft Entra ID):

  • This is the newer version of LAPS, built into Windows.
  • Available since October 2023.
  • Provides more features than legacy LAPS.
  • Devices must be Microsoft Entra joined or hybrid joined (hybrid join needs Microsoft Entra Connect sync; a purely Entra joined device needs no sync).
  • Supports password encryption when backing up to Windows Server Active Directory (requires the 2016 domain functional level or later).
  • Can store the password history.
  • Supports backing up passwords to Microsoft Entra ID and retrieving them using Microsoft Graph.
  • It does not require installing legacy Microsoft LAPS on a domain controller or another management client to extend your Windows Server Active Directory schema with the legacy Microsoft LAPS schema elements.
  • It does not require installing the legacy Microsoft LAPS Group Policy definition files or the legacy LAPS agent on the endpoints.
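The retrieval path is the practical difference between the two backup directories described above. The following script is an added example, not code from the original article or from Microsoft: it reads the managed password for one device using the in-box LAPS PowerShell module, from Microsoft Entra ID through Microsoft Graph or from Active Directory, and for the AD case expires the password immediately after use so the device rotates it at its next policy cycle. Assumptions: the Microsoft.Graph PowerShell SDK is installed for the Entra path, the caller holds DeviceLocalCredential.Read.All (Entra) or the read and decrypt rights on the computer object (AD), and the device name is a hypothetical input.

```powershell
param(
    # Hypothetical input: the device whose managed local admin password you need.
    [Parameter(Mandatory)] [string] $DeviceName,
    [ValidateSet('EntraID', 'ActiveDirectory')] [string] $Backup = 'EntraID'
)

# The LAPS module ships with Windows LAPS; no separate download.
Import-Module LAPS -ErrorAction Stop

if ($Backup -eq 'EntraID') {
    # Device.Read.All lets the cmdlet resolve the device; DeviceLocalCredential.Read.All
    # is the permission that actually returns the secret. Both prompt for admin consent.
    Import-Module Microsoft.Graph.Authentication -ErrorAction Stop
    Connect-MgGraph -Scopes 'Device.Read.All', 'DeviceLocalCredential.Read.All'

    # Without -IncludePasswords only metadata is returned; without -AsPlainText the
    # Password property is a SecureString. -IncludeHistory returns prior passwords too.
    $entries = Get-LapsAADPassword -DeviceIds $DeviceName -IncludePasswords -IncludeHistory -AsPlainText
    $entries | Format-List DeviceName, Account, Password, PasswordUpdateTime, PasswordExpirationTime
    # Rotation after use is governed by the post-authentication actions policy on the
    # device, so there is no server-side "expire now" step for the Entra directory.
}
else {
    # AD path. Source tells you whether the stored blob was clear text or encrypted and
    # DecryptionStatus whether this caller was an authorized decryptor.
    $entries = Get-LapsADPassword -Identity $DeviceName -IncludeHistory -AsPlainText
    $entries | Format-List ComputerName, Account, Password, PasswordUpdateTime,
                           ExpirationTimestamp, Source, DecryptionStatus

    # Treat the retrieved secret as burned: set the expiration time to now so the device
    # rotates the password the next time it processes policy.
    Set-LapsADPasswordExpirationTime -Identity $DeviceName
}
```

Every retrieval is itself a privileged action: in AD, enable auditing on the OU with Set-LapsADAuditing so reads of the password attribute land in the security log, and in Entra the Graph call is recorded in the audit logs for the DeviceLocalCredential resource.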

Supported Devices

  • Windows 11 22H2
  • Windows 11 21H2
  • Windows 10 20H2, 21H2 and 22H2
  • Windows Server 2022
  • Windows Server 2019

Windows LAPS is built into these releases starting with the April 2023 cumulative update, so the device must be patched to that level or later.

Requirements

  • Microsoft Entra ID (the free tier is sufficient).
  • Intune subscription (to deliver the LAPS policy to the endpoints).

Configuration Steps:

Enabling the LAPS feature in Microsoft Entra ID

  • Sign in to the Microsoft Entra admin center
  • Go to Identity > Devices > Overview > Device settings
  • Find Enable Microsoft Entra Local Administrator Password Solution (LAPS) and select Yes to enable the feature for the tenant.
  • Click Save

Create a policy in Intune to enable LAPS on the endpoints.

  • Sign in to the Intune admin center
  • Browse to Endpoint security > Account protection, and then select Create Policy
  • Set the following:
    • Platform: Windows 10 and later
    • Profile: Local admin password solution (Windows LAPS)
    • Create
  • On Basics, enter the following properties:
    • Name: Enter a descriptive name for the profile. Name profiles so you can easily identify them later
    • Description: Enter a description for the profile. This setting is optional but recommended
  • On Configuration settings:
    • Define the Backup Directory (Microsoft Entra ID or Active Directory); this is the only mandatory setting, the rest (password age, complexity, length, administrator account name, post-authentication actions) have defaults

When configuring a policy, keep in mind that the backup directory type in the policy must be supported by the join type of the device the policy is assigned to. For example, if you set the directory to Active Directory and the device is not domain joined (it is Microsoft Entra joined only), the device applies the policy settings from Intune without error, but LAPS on the device cannot use that configuration to back up the account, and the password is not rotated. A hybrid joined device can use either directory.

  • On the Scope tags page, select any desired scope tags to apply, then select Next.

  • For Assignments, select the groups to receive this policy. We recommend assigning LAPS policy to device groups. Policies assigned to user groups follow a user from device to device. When the user of a device changes, a new policy might apply to the device and introduce inconsistent behavior, including which account the device backs up or when the managed account's password is next rotated.
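After the policy is assigned, the join-type mismatch described above does not surface as an Intune error, so it is worth checking on the endpoint itself. The following script is an added example, not from the original article or from Microsoft: run elevated on a target device, it reads the BackupDirectory value the CSP delivered, compares it with the join state reported by dsregcmd, forces a policy processing cycle, and lists recent LAPS errors and warnings. Assumptions: the registry path is the documented Windows LAPS CSP policy location, and the value meanings (0 disabled, 1 Microsoft Entra ID, 2 Active Directory) follow the Windows LAPS policy documentation.

```powershell
# Intune (CSP) policy lands here. Group Policy-delivered settings live under
# HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\LAPS instead, and the CSP
# source wins when both are present.
$cspPolicy = 'HKLM:\SOFTWARE\Microsoft\Policies\LAPS'
$backupDirectory = (Get-ItemProperty -Path $cspPolicy -Name BackupDirectory -ErrorAction SilentlyContinue).BackupDirectory

# dsregcmd /status prints "AzureAdJoined : YES" and "DomainJoined : YES" lines;
# a hybrid joined device shows both.
$status       = dsregcmd /status
$entraJoined  = [bool]($status | Select-String -Pattern 'AzureAdJoined\s*:\s*YES')
$domainJoined = [bool]($status | Select-String -Pattern 'DomainJoined\s*:\s*YES')

switch ($backupDirectory) {
    1 {
        if ($entraJoined) { Write-Host 'BackupDirectory=Entra ID and device is Entra joined: OK' }
        else { Write-Warning 'Policy targets Microsoft Entra ID but the device is not Entra joined; backup will fail.' }
    }
    2 {
        if ($domainJoined) { Write-Host 'BackupDirectory=Active Directory and device is domain joined: OK' }
        else { Write-Warning 'Policy targets Active Directory but the device is not domain joined; backup will fail.' }
    }
    0 { Write-Warning 'BackupDirectory=0 (disabled): LAPS will not manage the account.' }
    default { Write-Warning 'No CSP LAPS policy found. Check the Intune assignment (device group, not user group) and force a sync.' }
}

# Do not wait for the background timer: process policy now and let any failure show up
# in the operational log immediately.
Import-Module LAPS -ErrorAction Stop
Invoke-LapsPolicyProcessing

# Level 2 = Error, 3 = Warning. A successful backup logs informational events only.
Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-LAPS/Operational'
    Level     = 2, 3
    StartTime = (Get-Date).AddHours(-1)
} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message |
    Format-Table -AutoSize -Wrap
```

When the warning fires, the fix is on the policy side (change Backup Directory or move the device to a group with the matching policy), not on the device. For a support case, Get-LapsDiagnostics from the same module bundles the operational log, policy registry keys and dsregcmd output into one archive.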