Controlling local admin with LAPS and Intune

Intune, Microsoft 365 1 Minute

I recently suggested that Compliance policies were the place to start with Intune device management.

Start with Intune policies

From there, I would suggest that configuring the Local Administrator Password (LAPS) policy is a good follow on option. This will automatically rotate the password for the Windows local device administrator accounts.

image

In the Intune console select Endpoint Security and then Account protection. Create a new policy for Windows 10 and later and select Local admin password solution (Windows LAPS) as shown above.

Give the policy a meaning name and description.

image

Make the appropriate settings as shown above. You want to ensure that the Backup directory is set to Backup the password to Azure AD only.

Assign the policy and save it.

image

Once the policy has been assigned to the device a random password, to specifications set in the policy will be applied and a copy will be saved into the device details in the location shown above within Intune

In general it is best practice to have no other local admin accounts on devices except the default one provided by Windows that cannot be removed. Per the FAQs, LAPS supports only one account on a device. You can specify that account but it is best practice to not specify a name on the policy configuration and allow Intune to manage the default built-in administrator account.

image

Once the LAPS policy has been applied you will see the following for the Windows devices as shown above.

image

Selecting the Show local administrator password hyperlink will display a blade with the above information. Selecting the Show button here will display the current password and allow you to take a copy.

Best practice is to take control of the default local admin account using the LAPS policy deployed via Intune as shown. The next step would then to be to eliminate any other local admin account from the devices so the only ne left is the default which has its password rotated regularly thanks to LAPS.

Further information on LAPS with Intune can be found here:

Microsoft Intune support for Windows LAPS


Published by directorcia

Published