
Enhancing Security: A Step-by-Step Guide to Enabling LAPS in Microsoft 365

  • Writer: Jack Davies
  • Jul 12

Updated: Jul 13

This article provides step-by-step instructions for implementing Microsoft's Local Administrator Password Solution (LAPS) with Intune. Learn how to configure and manage local administrator passwords across your Windows devices to significantly enhance your organization's security posture.


What is Local Administrator Password Solution (LAPS)?


LAPS (Local Administrator Password Solution) is a Microsoft feature, now built into Windows, that mitigates the risk of a single local administrator password being shared across many machines. It generates a unique password for the managed local administrator account on each Windows device and backs that password up to a directory: either on-premises Active Directory, as attributes on the device's computer object, or Microsoft Entra ID, on the device object.


The solution includes automated password rotation to enforce password age policies. Integrating Windows LAPS with Microsoft Intune provides a centralized policy management plane, streamlining the configuration and deployment of LAPS across an entire device fleet and reducing the risk of unauthorized access.


What are the benefits of using LAPS?


Integrating Windows LAPS with Microsoft Intune offers significant advantages for modern endpoint management. This combination provides a powerful, cloud-native solution for securing local administrator accounts across your Windows devices.


Key Advantages:


  • Enhanced Security: Sharply reduces the lateral-movement risk created by a shared local admin password, where one cracked or dumped credential (or its NTLM hash) unlocks every device, by generating a unique, complex password for each device.

  • Centralized, Cloud-Native Management: Leverage Intune to configure, deploy, and monitor LAPS policies from a single console, covering both Microsoft Entra ID joined and hybrid devices.

  • Operational Efficiency: Automates the entire lifecycle of password management, from creation to rotation, freeing up IT resources from the manual, time-consuming task of changing passwords.

  • Built-in and Simplified: The Windows LAPS client is part of Windows 10 and Windows 11 since the April 2023 cumulative updates, so there is no separate agent to package and deploy, which simplifies the setup considerably.

  • Auditability and Compliance: Provides a clear audit trail of when passwords were retrieved and by whom, helping you meet security compliance and reporting requirements with ease.

  • Password Encryption and Security: Passwords stored in Microsoft Entra ID are encrypted, adding a robust layer of security to protect these sensitive credentials in the cloud.

  • Just-in-Time (JIT) Access: The LAPS password can be retrieved by authorized personnel on-demand, enabling "just-in-time" administrative access to a device only when it's needed, which is a significant security improvement over having a known, persistent password.


This integration is a critical step in modernizing your security posture. Let’s explore how to configure it.


Step 1 - Enable LAPS in Microsoft Entra


  1. Sign into Microsoft Entra as an account with either Global Administrator or Cloud Device Administrator rights.

  2. Go to Entra ID > Devices > Device settings.

    Interface showing "Device settings" in Microsoft Entra ID portal. The "Devices" tab is highlighted, with a navigation menu on the left.

  3. Scroll down, set 'Enable Microsoft Entra Local Administrator Password Solution (LAPS)' to Yes and click Save.

    Toggle button for enabling Microsoft Entra Local Administrator Password Solution (LAPS), with "Yes" selected in purple.

Step 2 - Enable the Local Administrator account and create the LAPS policy


By default, the built-in local Administrator account (RID 500) is disabled on new Windows installations. It is a high-value account because it runs with a full administrative token and does not receive User Account Control (UAC) prompts, so Windows leaves it off until an administrator deliberately turns it on.


For the LAPS policy to give you anything usable, the managed account must be enabled: a password for a disabled account cannot be used to sign in. Unless you also configure the newer Automatic Account Management settings (left Not configured in this guide), the account must already exist and be enabled before the policy is deployed. You can enable it manually, with Group Policy, or, most efficiently for a whole fleet, with an Intune profile or platform script. The rest of this step creates the LAPS policy itself.
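The article does not show how the account gets enabled, so the following is an added example (not the author's code, and not part of the original post) of an Intune platform script that prepares the account a LAPS policy will manage. It assumes it runs as SYSTEM in 64-bit Windows PowerShell; with no name it targets the built-in Administrator by its well-known RID 500 rather than by display name, and with a name (the assumed default 'jackdjd-admin' matches this guide, change it before uploading) it creates that custom account if it is missing, because with Automatic Account Management unconfigured the LAPS policy will not create it:

```powershell
# Added example (not from the original article): make sure the account a Windows LAPS
# policy will manage exists and is enabled. Intended as an Intune platform script
# (Devices > Scripts), run as SYSTEM, 64-bit. $ManagedAccountName is an assumption:
# leave it empty to target the built-in Administrator (RID 500), or set the custom name.
param(
    [string]$ManagedAccountName = 'jackdjd-admin'
)

function Get-BuiltInAdministrator {
    # The built-in Administrator keeps RID 500 even when renamed, so match on the SID,
    # never on the display name.
    Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
}

function New-RandomInitialPassword {
    # Throwaway 32 random bytes as Base64 (upper, lower, digits, + and /);
    # Windows LAPS replaces it on the first policy cycle.
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $bytes = New-Object byte[] 32
    $rng.GetBytes($bytes)
    $rng.Dispose()
    return (ConvertTo-SecureString -String ([Convert]::ToBase64String($bytes)) -AsPlainText -Force)
}

try {
    if ([string]::IsNullOrWhiteSpace($ManagedAccountName)) {
        $account = Get-BuiltInAdministrator
    } else {
        $account = Get-LocalUser -Name $ManagedAccountName -ErrorAction SilentlyContinue
        if (-not $account) {
            # Without LAPS automatic account management the policy will not create it.
            $account = New-LocalUser -Name $ManagedAccountName `
                -Password (New-RandomInitialPassword) `
                -Description 'Windows LAPS managed local administrator' `
                -PasswordNeverExpires -AccountNeverExpires
            # S-1-5-32-544 is the local Administrators group, whatever it has been renamed to.
            Add-LocalGroupMember -SID 'S-1-5-32-544' -Member $account
        }
    }

    if (-not $account.Enabled) {
        Enable-LocalUser -InputObject $account
        Write-Output "Enabled local account '$($account.Name)' ($($account.SID.Value))"
    } else {
        Write-Output "Local account '$($account.Name)' is already enabled"
    }
    exit 0
} catch {
    # A non-zero exit code surfaces as a failed script run in the Intune admin center.
    Write-Error "Failed to prepare the LAPS-managed account: $($_.Exception.Message)"
    exit 1
}
```

Deploy it to the same group that will receive the LAPS policy, and let it run before the policy so that the first rotation has an enabled account to work on. Intune cannot pass parameters to a platform script, so edit the default value of $ManagedAccountName before uploading.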


Sign into Intune and go to Endpoint Security > Account Protection > Create Policy

Microsoft Intune admin center screen showing Endpoint Security > Account Protection. "Create Policy" button is highlighted in red.

Now choose the platform 'Windows' and choose the Profile 'Local admin password solution (Windows LAPS)'


Create a profile window for Windows LAPS, showing platform and profile dropdowns. Text explains features, applicability to Windows 10+.

You now need to enter the following details in the 'Basics' tab:


  • Name - Provide a descriptive name for the profile so you can identify it later, such as 'Windows LAPS Policy'

  • Description - Enter a brief summary of the policy's function. For example: 'Policy to manage and back up the local admin password for managed Windows devices.'


Create Policy screen showing fields for Name and Description in a Windows security setting. Name: Windows LAPS Policy.

Step 3 - Configuring the settings for LAPS


Next, proceed to Configuration settings to define the policy. There is a simplified version below.


The Configuration Settings tab is where you'll make the most important decisions for your LAPS policy. While you can adjust them later, getting them right from the start is key.


The first setting to configure is the Backup Directory. This specifies the secure location where you want to store the generated local administrator password. You can also choose not to back it up at all, though this is generally not recommended.


You have the following choices:

  • Azure AD only: Stores the password in the cloud. This is the standard choice for devices joined directly to Microsoft Entra.

  • Active Directory only: Stores the password on your on-premises domain controllers, as attributes on the computer object. Use this for devices joined only to on-premises Active Directory (hybrid-joined devices can use either target). Your AD schema must first be extended for Windows LAPS with Update-LapsADSchema, or the backup will fail.

  • Disabled: Prevents the password from being backed up anywhere.

  • Not Configured: Leaves this setting untouched on the endpoint.


In this example, we will proceed by selecting Azure AD Only as our backup destination.

Toggle switch and dropdown menu in a settings interface. Dropdown reads "Backup the password to Azure AD only" and toggle is blue, showing "Configured."

Next, you'll decide how often the local administrator password should be changed by configuring the Password Age (Days). This setting determines the password's maximum lifetime before LAPS automatically generates a new one, which is a key part of keeping the account secure.


You can set this to any value between 1 and 365 days. However, be aware of the minimum requirements:


  • If you are backing up to Microsoft Entra ID, the minimum age is 7 days.

  • If you are backing up to Active Directory, the minimum age is 1 day.


If you don't specify a value, Intune will default to rotating the password every 30 days. For our policy, we'll stick with this recommended default and set the password age to 30.

Backup settings interface showing "Backup the password to Azure AD only" selected, blue toggle on for "Configured," and "Password Age Days: 30."

Now it's time to tell LAPS which account to manage using the Administrator Account Name setting.


This is simpler than it sounds. If you want LAPS to manage the standard, built-in local administrator account, you can just leave this field blank. LAPS is smart enough to automatically find the correct account using its well-known SID (Security Identifier), even if that account has been previously renamed.


While some organizations rename the default "Administrator" account as a security measure, that is not required for LAPS to work. Only enter a name here if you have a specific reason, or if you have created a separate custom administrator account that you want this policy to manage instead of the built-in one. With Automatic Account Management left Not configured, as in this guide, LAPS does not create the named account: it must already exist on every targeted device, or the policy has nothing to manage.


For most situations, leaving this blank is the best and easiest approach. In this guide, I am going to name the Administrator account 'jackdjd-admin'


Toggle switch set to "Configured" for an Administrator Account. Name field contains "jackdjd-admin." Simple, white background.

With the account selected, you can now decide how strong its password will be. The Password Complexity setting lets you choose the combination of characters that LAPS will use when generating a new password.


You have several levels of complexity to choose from:

  • Large letters

  • Large letters + small letters

  • Large letters + small letters + numbers

  • Large letters + small letters + numbers + special characters

  • Large letters + small letters + numbers + special characters (improved readability)


The "improved readability" option is often the best choice for security and convenience. It uses the highest complexity but excludes characters that are easily confused (like the number 0 and the letter O, or 1 and l), which helps prevent typos when a password needs to be manually entered.


To ensure our passwords are both strong and user-friendly, we will select Large letters + small letters + numbers + special characters (improved readability).


Dropdown menu for "Password Complexity" showing options for different character requirements. Text: Large letters, small letters, numbers, special characters.

Next, let's determine how long the password will be. The Password Length setting works together with complexity to create a truly secure password—the longer it is, the harder it is to crack.


You can choose a length anywhere between 8 and 64 characters. If you don't make a choice, Intune defaults to 14 characters, which is widely considered a strong starting point for administrative accounts. It provides an excellent balance of security against modern attacks without being excessively long.


We'll stick with this secure default for our policy. Let's set the password length to 14.


Blue slider toggled on, text "Configured" in grey, password length set to 14, on a white background.

Next, a powerful feature of Windows LAPS is its ability to automatically reset the password after it has been used. The Post Authentication Actions setting determines exactly what happens after an administrator retrieves and uses a password and a grace period expires. This ensures the account is immediately secured again.


Here, you can choose the level of security to enforce after the account is used:


  • Reset password: Generates a new password behind the scenes but keeps the administrator logged in.

  • Reset the password and logoff the managed account: This is the default. It generates a new password and immediately ends the administrator's session, which is highly secure.

  • Reset the password and reboot: Generates a new password and then reboots the machine, which can be useful after certain maintenance tasks like software installations.

  • Not configured: The policy will not define a post-authentication action.


While logging off the account is the most secure default, your organization might have reasons to keep the session active. For this guide, we will configure the policy to simply Reset password.


Text box with instructions on password reset after grace period expiry in post authentication settings.

This next setting, Post Authentication Reset Delay, works hand-in-hand with the action you just selected. It defines the "grace period"—the amount of time in hours that an administrator has to work on the machine before the post-authentication action (like resetting the password) is triggered.


You can set this delay anywhere from 0 to 24 hours. Setting it to 0 would disable the post-authentication action feature entirely.


The default value is 24 hours, which gives an administrator a full day to complete their tasks before the system automatically secures the account again. This is a practical and common choice.


We will use this default to give our admins ample time, so let's set the delay to 24 hours.


Settings panel showing "Post Authentication Reset" with toggled switch and delay set to 24. Blue accent colors.

Simplified Guide for my specific 'Configuration Settings'

Interface displaying LAPS settings. Options like Backup Directory, Password Complexity, and Automatic Account Management are labeled "Not configured."

On the Configuration settings page, apply the following settings, feel free to change these to your needs.


  1. Backup Directory: Set this to Azure AD only. This stores the LAPS password securely in the cloud.

  2. Password Age (Days): Set this to 30. The password will automatically be changed every 30 days.

  3. Administrator Account Name: Enter the name of the local administrator account to manage (leave blank for the built-in Administrator). LAPS will manage this specific account's password; with Automatic Account Management left Not configured, as in the screenshot, the account must already exist on the device because the policy will not create it.

  4. Password Complexity: Choose Large letters + small letters + numbers + special characters (improved readability). This creates a very strong password that is easier to read and type if needed.

  5. Password Length: Set this to 14. This provides a strong, modern password length that is difficult to crack.

  6. Post Authentication Actions: Select Reset password. After the password is used, it will be automatically changed.

  7. Post Authentication Reset Delay (Hours): Set this to 24. This gives an administrator a 24-hour grace period to complete their work before the password is automatically reset.

Settings page for LAPS; fields include Backup Directory, Password Age Days, Admin Account Name, Password Complexity, Length, and Reset Actions.

Once all settings are configured, you can proceed to the next step in the Intune policy creation wizard.


Step 4 - Assign the LAPS policies to Windows Devices


Now that the policy is configured, the next step is to assign it.


Before assigning, on the Scope Tags page, add any scope tags if you use them to control policy administration within your IT team. Click Next to proceed to assignments.


Create Policy screen showing "Scope tags" tab in Endpoint security. A search bar for tags is visible. One scope tag selected: Default.

Following best practices, you should always deploy new policies to a small set of test devices first. On the Assignments page, add a pilot security group. After you confirm the policy works as expected, you can then edit the assignment to include your broader production device groups.


In this example, I am assigning this to my 'Corporate' group for corporate devices.


Create Policy page showing "Assignments" tab. Group "JDJ-CORP-WIN", 0 devices, 5 users listed. Options include target type and filters.

You've reached the final step. The Review + Create page provides a summary of all the settings you have configured for the LAPS policy.


  1. Carefully review the configuration to ensure everything is correct.

  2. Select Create to finalize and deploy the policy.


After a moment, a notification will confirm that the "Windows LAPS policy created successfully." You can now find your new policy under Endpoint security > Account protection, and Intune will begin applying it to your targeted devices.


Security policy setup screen showing steps: Basics, Configuration, Scope tags, Assignments, Review. Settings: 7 settings, 1 scope tag, 1 group.

Step 5 - Initiating an Intune Policy Sync


After assigning the policy, it will apply to your targeted devices the next time they check in with the Intune service. Devices must be online to receive the policy.

To expedite this process for a specific device, you can trigger a manual sync from the Intune admin center:


  1. Navigate to Devices > Windows.

  2. Select the desired device from the list.

  3. Click the Sync button in the top action bar and confirm by clicking Yes.

Device management interface showing options like Retire, Wipe, Delete, and Sync. Device name is JDJD-LAP-032, primary user is Jacob Peralta.
Sync device in Intune

This will immediately request the device to check in for the new LAPS policy.


Step 6 - Validating the LAPS policy deployment


After a device has synced with Intune, you can use the following methods to confirm that the LAPS policy settings have been correctly applied.


Windows Event Viewer:

You may be used to checking the MDM diagnostics log (DeviceManagement-Enterprise-Diagnostics-Provider, Event IDs 813 and 814) for policy updates, but Windows LAPS writes to its own dedicated channel, so the LAPS settings do not appear under those events.


To see the LAPS-specific events, first launch the Event Viewer on the device (you can run eventvwr.msc). From there, browse to the location below to review the logs.

Applications and Services Logs > Microsoft > Windows > LAPS > Operational (channel name: Microsoft-Windows-LAPS/Operational)

The Operational log shows all LAPS activity. To see the exact policy settings that were applied by Intune, filter this log for Event ID 10022. This event provides a clear summary of the deployed configuration on the device.


Screenshot of LAPS policy configuration showing policy source, backup directory, and settings like password age and complexity.

Windows Registry:

You can also confirm the LAPS settings directly on the device by checking the Windows Registry.


First, open the Registry Editor (regedit.exe) and be careful not to change any values. Navigate to the LAPS policy path:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Policies\LAPS

Inside this key, you'll see a list of values that mirror the settings you configured in Intune. The policy settings are stored as numerical values. As shown in the screenshot, the values should match our configuration:

  • PasswordAgeDays is set to 30

  • PasswordLength is 14.

  • BackupDirectory value of 1 corresponds to "Microsoft Entra ID,"

  • PasswordComplexity of 5 corresponds to the "improved readability" option we chose.

Registry Editor window showing LAPS settings under Microsoft Policies. Entries include AdministratorAccount and various password settings.
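Both checks can be scripted. The following is an added example (not from the original article) that reads the policy key, decodes the numeric values into the Intune labels used in Step 3, pulls the newest event 10022 from the LAPS Operational channel, and reports the state of the managed account. The expected values are this guide's choices and are assumptions to adjust if your policy differs; the label maps are the registry meanings given above, plus 1, 3 and 5 for the three post-authentication actions:

```powershell
# Added example (not from the original article): verify on a device that the Intune LAPS
# policy has applied, decoding the registry values into the Intune names used in Step 3.
# Assumption: run in an elevated Windows PowerShell 5.1 / PowerShell 7 session on the device.
$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Policies\LAPS'

# Numeric registry value -> Intune label. Only the values used in this guide are listed;
# newer Windows LAPS builds add further complexity and post-authentication values.
$BackupDirectoryNames = @{ 0 = 'Disabled'; 1 = 'Azure AD only (Microsoft Entra ID)'; 2 = 'Active Directory only' }
$ComplexityNames = @{
    1 = 'Large letters'
    2 = 'Large letters + small letters'
    3 = 'Large letters + small letters + numbers'
    4 = 'Large letters + small letters + numbers + special characters'
    5 = 'Large letters + small letters + numbers + special characters (improved readability)'
}
$PostAuthNames = @{ 1 = 'Reset password'; 3 = 'Reset the password and logoff the managed account'; 5 = 'Reset the password and reboot' }

# The values chosen in Step 3 (assumed; change them if your policy differs).
$Expected = @{
    BackupDirectory              = 1
    PasswordAgeDays              = 30
    PasswordLength               = 14
    PasswordComplexity           = 5
    PostAuthenticationActions    = 1
    PostAuthenticationResetDelay = 24
}

function Resolve-Label($Map, $Value) {
    # Distinguish "value absent" from "value 0" so a missing setting is not read as Disabled.
    if ($null -eq $Value) { return '(not set)' }
    if ($Map.ContainsKey([int]$Value)) { return $Map[[int]$Value] }
    return "Unknown ($Value)"
}

function Get-LapsPolicyState {
    if (-not (Test-Path $PolicyKey)) {
        return [pscustomobject]@{ PolicyPresent = $false; Note = 'No LAPS policy key: the device has not received the Intune policy yet.' }
    }
    $p = Get-ItemProperty -Path $PolicyKey
    $mismatches = foreach ($name in $Expected.Keys) {
        $actual = $p.$name
        if ($null -eq $actual) { "$name is not set (expected $($Expected[$name]))" }
        elseif ([int]$actual -ne $Expected[$name]) { "$name=$actual (expected $($Expected[$name]))" }
    }
    $rawName = $p.AdministratorAccountName
    $shownName = '(blank: built-in Administrator, RID 500)'
    if ($rawName) { $shownName = $rawName }
    [pscustomobject]@{
        PolicyPresent         = $true
        ConfiguredAccountName = $rawName
        AdministratorAccount  = $shownName
        BackupDirectory       = Resolve-Label $BackupDirectoryNames $p.BackupDirectory
        PasswordAgeDays       = $p.PasswordAgeDays
        PasswordLength        = $p.PasswordLength
        PasswordComplexity    = Resolve-Label $ComplexityNames $p.PasswordComplexity
        PostAuthAction        = Resolve-Label $PostAuthNames $p.PostAuthenticationActions
        ResetDelayHours       = $p.PostAuthenticationResetDelay
        Mismatches            = @($mismatches)
    }
}

function Get-LapsAppliedPolicyEvent {
    # Event 10022 summarises the policy as Windows LAPS read it; the newest one is current.
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-LAPS/Operational'; Id = 10022 } -MaxEvents 1 -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

function Get-ManagedAccountState([string]$AccountName) {
    # Blank name means the built-in Administrator, located by RID 500 regardless of its name.
    if ($AccountName) { $user = Get-LocalUser -Name $AccountName -ErrorAction SilentlyContinue }
    else { $user = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' } }
    if (-not $user) { return [pscustomobject]@{ Exists = $false; Name = $AccountName } }
    # PasswordLastSet moving after the policy event is the sign that LAPS has rotated it.
    [pscustomobject]@{ Exists = $true; Name = $user.Name; SID = $user.SID.Value; Enabled = $user.Enabled; PasswordLastSet = $user.PasswordLastSet }
}

$state = Get-LapsPolicyState
$state | Format-List
if ($state.PolicyPresent) {
    Get-LapsAppliedPolicyEvent | Format-List
    Get-ManagedAccountState -AccountName $state.ConfiguredAccountName | Format-List
}
```

An empty Mismatches list, a recent event 10022, and a managed account that exists, is enabled and whose PasswordLastSet is newer than the policy event together show the policy is live and rotating. A missing policy key or a missing account points back to Step 5 (sync) or Step 2 (account creation) respectively.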


How to view the Local Administrator Password


This section outlines the three primary methods for retrieving a LAPS-managed local administrator password.


Prerequisites: To view a LAPS password in the portals, you must hold one of the following built-in roles (or a custom Entra role that includes the microsoft.directory/deviceLocalCredentials/password/read permission):

  • Global Administrator

  • Cloud Device Administrator

  • Intune Administrator


You can retrieve the password using the below:

  • The Microsoft Intune admin center

  • The Microsoft Entra admin center

  • Microsoft Graph PowerShell


Retrieving the password via Microsoft Intune:

  • Sign in to the Microsoft Intune admin center.

  • Navigate to Devices > Windows.

  • Select the device whose password you need to view.

  • On the device's overview page, click Local admin password.

  • A new pane will open. Click Show local administrator password to retrieve and display the current password. Be aware this action is audited.

Computer interface shows "Local admin password" settings. A red box highlights "Show local administrator password" option.

Retrieving the password via Microsoft Entra:

  • Sign in to the Microsoft Entra admin center.

  • Navigate to Identity > Devices > All devices.

  • In the left navigation, under "Help and support", select Local administrator password recovery.

  • Use the search bar to find the device you need to access.

  • In the search results, click Show local administrator password next to the device name.

  • A new pane will appear. You can now either:

    • Click the Copy icon to copy the password to your clipboard without viewing it.

    • Click Show to reveal the password in plain text, then copy it.


Device management screen showing local administrator password recovery. "Show local administrator password" is highlighted in blue.

Retrieving the password via Microsoft Graph through PowerShell:

For automation and scripting, you can retrieve LAPS passwords with the Get-LapsAADPassword cmdlet from the LAPS PowerShell module that ships with Windows. It reads from Microsoft Graph through the session you open with Connect-MgGraph.


Prerequisites:

  • You must be granted the DeviceLocalCredential.Read.All Microsoft Graph permission. DeviceLocalCredential.ReadBasic.All only returns metadata (account name, expiry) and will not return the password.

  • You need the Microsoft.Graph.Authentication module (part of Microsoft.Graph) installed for Connect-MgGraph.


First, connect to Microsoft Graph with the required scope. Then identify the target device by its name or Entra device ID and use it to retrieve the password.


Save the PowerShell Script:

  1. Copy the entire code from the script document.

  2. Paste it into a text editor like Notepad or Visual Studio Code.

  3. Save the file with a .ps1 extension. For example, save it as Retrieve-LAPS-Password.ps1 in a folder you can easily access, like C:\Scripts.


Authenticate to Microsoft Graph:

This is the most critical step. You must sign in to Microsoft Entra ID to grant the script permission to read the LAPS password.


  1. In your PowerShell window, run the following command:


  2. A Microsoft sign-in window will pop up. Log in with your administrator account.

  3. The first time you run this, you may be asked to consent to the permissions the script needs. Review them and click Accept.

  4. You only need to do this once per PowerShell session.


Run the Script:

Now you are ready to retrieve the password.


  1. In the same PowerShell window, navigate to the directory where you saved your script. For example:


  2. Execute the script, providing the name of the target device with the -DeviceName parameter:


(Replace "YOUR-DEVICE-NAME" with the actual name of the computer)


View the Output:


On Success: If the script runs correctly, it will print the password directly to the console:


If No Password is Found: You will see a warning message:


If an Error Occurs: The script will display a red error message detailing the problem. The most common error is forgetting to run Connect-MgGraph first.
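The author's script document is not reproduced on this page, so the following is an added example (not the author's script) of a retrieval script covering the same three outcomes: success, no stored password, and an error. It assumes the Windows LAPS module is present (Get-LapsAADPassword), that Microsoft.Graph.Authentication is installed, that the caller holds one of the roles listed above, and that Get-LapsAADPassword is given the device name in -DeviceIds, which it accepts alongside device IDs:

```powershell
# Added example (not the author's script document): retrieve a device's Windows LAPS password
# from Microsoft Entra ID via Microsoft Graph. Assumes the LAPS module (ships with Windows)
# and Microsoft.Graph.Authentication are installed. Usage:
#   .\Retrieve-LAPS-Password.ps1 -DeviceName YOUR-DEVICE-NAME            # password as SecureString
#   .\Retrieve-LAPS-Password.ps1 -DeviceName YOUR-DEVICE-NAME -ShowPassword   # plain text
param(
    [Parameter(Mandatory = $true)]
    [string]$DeviceName,
    [switch]$ShowPassword   # without this the password stays a SecureString in the output
)

function Connect-LapsGraph {
    # Reuse an existing session if it already carries the scope we need.
    $ctx = Get-MgContext
    if ($ctx -and $ctx.Scopes -contains 'DeviceLocalCredential.Read.All') { return }
    # DeviceLocalCredential.Read.All is required to read the password itself;
    # DeviceLocalCredential.ReadBasic.All only returns metadata such as expiry.
    Connect-MgGraph -Scopes 'DeviceLocalCredential.Read.All' -NoWelcome | Out-Null
}

function Get-DeviceLapsPassword {
    param([string]$Name, [switch]$AsPlainText)
    # -DeviceIds accepts device names as well as Entra device IDs.
    # Every retrieval is written to the Entra audit log, so request only what you need.
    $result = Get-LapsAADPassword -DeviceIds $Name -IncludePasswords -AsPlainText:$AsPlainText -ErrorAction Stop
    if (-not $result -or -not $result.Password) {
        Write-Warning "No LAPS password is stored in Microsoft Entra ID for '$Name'. Confirm the policy has applied and the device has synced."
        return $null
    }
    $result | Select-Object DeviceName, DeviceId, Account, PasswordExpirationTime, PasswordUpdateTime, Password
}

try {
    Connect-LapsGraph
    Get-DeviceLapsPassword -Name $DeviceName -AsPlainText:$ShowPassword
} catch {
    # Typical causes: Connect-MgGraph never ran, a role without password read rights,
    # a consent prompt that was declined, or a device name that does not exist in Entra.
    Write-Error "LAPS retrieval failed for '$DeviceName': $($_.Exception.Message)"
    exit 1
}
```

Keeping the password as a SecureString by default means a script that only needs to pipe it into another tool never writes it to the console or a transcript; use -ShowPassword deliberately, and remember the read is audited either way.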


Conclusion


By completing the steps in this guide, you have successfully deployed Windows LAPS and configured its policies using Microsoft Intune. This automated solution is a cornerstone of modern endpoint security, eliminating the risks associated with static, shared local administrator passwords. You have enhanced your organization's security posture by making lateral movement attacks significantly more difficult for adversaries.


Moving forward, ensure your IT and helpdesk teams are familiar with the process for retrieving passwords and that you monitor the audit logs for retrieval events. After successful validation with your pilot group, expanding the policy to all managed Windows devices will ensure your entire environment is protected. Implementing LAPS with Intune is a powerful step toward a more secure and efficiently managed Windows fleet.
