News

Windows LAPS Bolstered with Entra ID and Intune Support

Organizations can set local administrator password policies for Windows devices, including role-based access controls.

• By Kurt Mackie
• 10/23/2023

Microsoft has updated its Windows Local Administrator Password (LAPS) solution by adding support for Microsoft Entra ID (formerly "Azure Active Directory") and Microsoft Intune.

The Entra ID and Intune support for Windows LAPS reached the "general availability" commercial-released stage, per Microsoft's Monday announcement. Windows LAPS is used to secure local administrator passwords and replaces an older tool with the same LAPS name, which Microsoft now refers to as "legacy LAPS." The new Windows LAPS just works with Windows 10 and Windows 11 clients, plus Windows Server 2019 and Windows Server 2022.

Organizations can use Windows LAPS when they have Microsoft Entra ID-joined devices or "hybrid"-joined devices (Entra ID plus local Active Directory).

Microsoft began rolling out Windows LAPS on April 11, 2023, as part of its "update Tuesday" monthly patch release. The feature doesn't need to be installed as it's part of Windows, although administrators need to activate it through policy.

Back in April, some Windows LAPS capabilities were lagging, such as the Entra ID and Intune features. Now those capabilities are deemed to be generally available, or ready for production-environment use.

The main idea behind Windows LAPS is to thwart "pass-the-hash" and "lateral-transversal" attacks. It has other benefits, such as added security for remote help-desk operations using Intune. It's also easier to recover devices. Windows LAPS offers password encryption and access control list options via Entra ID. It also has password backup, retrieval and rotation capabilities. Newly added are audit logs and the ability to create Entra ID role-based access control policies.

Organizations using Entra ID need to enable Windows LAPS at the tenancy level. Windows LAPS policy management happens using Intune or policy can be deployed "manually" using the Registry or "Local Computer Group Policy," Microsoft explained in this document. For hybrid-joined devices, policies can be deployed using "Windows LAPS Group Policy."

Intune users can use Windows LAPS to specify password requirements (such as password length or complexity) for local administrator accounts on a device. They can also set up a password rotation schedule for a device. Intune can also be used to specify where password backups are stored. It also has a reporting capability that will show password rotation histories for devices. Windows LAPS capabilities for Intune are listed in this document.

Microsoft's future plans for Windows LAPS include adding "automatic local administrator account creation" when devices are "configured for Windows LAPS." Also planned are Entra ID notifications when local administrator passwords get used. Also to come are just-in-time controls over the use of self-service local administrator password recoveries by device owners.

A walkthrough on setting up Windows LAPS can be found in this video by Microsoft Most Valuable Professional Andy Jones.