I recently suggested that Compliance policies were the place to start with Intune device management.
From there, I would suggest that configuring a Local Administrator Password Solution (Windows LAPS) policy is a good follow-on option. This automatically rotates the password of one local administrator account on each Windows device and escrows a copy where only authorised administrators can read it.
In the Intune console select Endpoint Security and then Account protection. Create a new policy for Windows 10 and later and select Local admin password solution (Windows LAPS) as shown above.
Give the policy a meaningful name and description.
Configure the settings as shown above (Backup Directory, Password Age Days, Administrator Account Name, Password Complexity, Password Length and Post Authentication Actions). For Azure AD joined devices, ensure that Backup Directory is set to Backup the password to Azure AD only; without a backup directory the password is rotated but never escrowed, which leaves you locked out of the account.
Assign the policy and save it.
Once the policy has been applied to a device, a random password meeting the length, complexity and age settings in the policy is set on the managed account, and a copy is escrowed to the device's record in Azure AD, where it appears in the device details in Intune in the location shown above.
In general it is best practice to have no local admin accounts on devices other than the built-in Administrator account provided by Windows, which cannot be deleted. Per the FAQs, Windows LAPS manages only one account per device. You can specify that account by name, but it is best practice to leave Administrator Account Name blank in the policy and let LAPS manage the built-in Administrator account, which it can identify by its well-known SID even if the account has been renamed. Note that on Windows 10 and 11 the built-in Administrator account is disabled by default; LAPS rotates its password but does not enable it, so if you need to sign in with it, enable it separately (for example with the Accounts: Administrator account status setting in an Intune Settings catalog policy).
Once the LAPS policy has been applied, the overview for each Windows device in Intune shows the LAPS details as shown above.
Selecting the Show local administrator password hyperlink opens a blade with the information shown above. Selecting the Show button on that blade reveals the current password and lets you copy it. Reading the password is an audited Azure AD operation, so only grant the required role to the administrators who genuinely need it.
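Two checks a practitioner will want alongside the portal view: confirming on the device that the Intune policy actually landed and forcing a processing cycle, and retrieving the escrowed password from Azure AD with PowerShell instead of the portal. The script below is an added example, not part of the original post or Microsoft's documentation. It assumes the built-in Windows LAPS PowerShell module (present on Windows 11 and on Windows 10 with the April 2023 update) and, for the retrieval section, the Microsoft.Graph module; the device name DESKTOP-EXAMPLE is a placeholder.

```powershell
# Added example (not from the original post): verify an Intune LAPS policy on a device
# and read the escrowed password from Azure AD. DESKTOP-EXAMPLE is a placeholder name.

# --- Part 1: run on the managed device (elevated) ---
# The Intune LAPS policy is delivered through the LAPS CSP, which writes to this key.
$policyKey = 'HKLM:\SOFTWARE\Microsoft\Policies\LAPS'
$policy = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
if (-not $policy) {
    throw "No LAPS policy found under $policyKey - the Intune policy has not applied to this device yet"
}

# BackupDirectory values: 0 = disabled (no escrow), 1 = Azure AD, 2 = Active Directory
if ($policy.BackupDirectory -ne 1) {
    Write-Warning "BackupDirectory is $($policy.BackupDirectory); expected 1 (Azure AD only) for an Azure AD joined device"
}
$policy | Select-Object BackupDirectory, PasswordAgeDays, PasswordLength, PasswordComplexity, AdministratorAccountName

# Force a policy processing cycle now instead of waiting for the next scheduled run,
# then show the most recent entries from the Windows LAPS operational log.
Invoke-LapsPolicyProcessing -Verbose
Get-WinEvent -LogName 'Microsoft-Windows-LAPS/Operational' -MaxEvents 10 |
    Select-Object TimeCreated, Id, LevelDisplayName, Message

# --- Part 2: run from an admin workstation with the Microsoft.Graph module ---
# DeviceLocalCredential.Read.All is required to return the password itself;
# ReadBasic.All would only return metadata such as the expiry time.
Connect-MgGraph -Scopes 'Device.Read.All', 'DeviceLocalCredential.Read.All'

# -DeviceIds accepts device names or Azure AD device IDs.
# Without -AsPlainText the password is returned as a SecureString.
Get-LapsAADPassword -DeviceIds 'DESKTOP-EXAMPLE' -IncludePasswords -AsPlainText |
    Select-Object DeviceName, Account, Password, PasswordExpirationTime, PasswordUpdateTime
```

Keep the two parts separate in practice: Part 1 runs as SYSTEM or a local administrator on the endpoint, while Part 2 runs from wherever you administer the tenant and leaves a read event in the Azure AD audit log.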
Best practice is to take control of the built-in local Administrator account with the LAPS policy deployed via Intune as shown. The next step is to eliminate every other local admin account from the devices, so the only one left is the built-in account whose password is rotated regularly by LAPS.
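Finding the accounts that need to go is the tedious part of that step. The script below is an added example, not from the original post, that audits the local Administrators group: it identifies the built-in Administrator by its well-known RID 500 (so a rename does not hide it), ignores domain and Azure AD principals, and reports any other local accounts that hold admin rights. It uses only the Microsoft.PowerShell.LocalAccounts cmdlets that ship with Windows 10 and 11, and removal is left in -WhatIf mode so the run is read-only until you choose otherwise.

```powershell
# Added example (not from the original post): report local admin accounts other than the
# built-in Administrator so they can be removed once LAPS manages that account.

function Get-ExtraLocalAdmins {
    # The built-in Administrator always has RID 500 on the machine's own SID, whatever it is called.
    $builtin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
    if (-not $builtin) { throw 'Could not locate the built-in Administrator account by RID 500' }

    # Get-LocalGroupMember can throw on Azure AD joined devices when a member SID no longer
    # resolves; surface that clearly rather than silently reporting an empty group.
    try {
        $members = Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop
    } catch {
        throw "Failed to enumerate Administrators (unresolvable member SID?): $($_.Exception.Message)"
    }

    # Keep only accounts that live on this machine. Domain, Azure AD and Microsoft
    # account principals (PrincipalSource other than Local) are governed elsewhere.
    $extra = $members | Where-Object {
        $_.ObjectClass -eq 'User' -and
        $_.PrincipalSource -eq 'Local' -and
        $_.SID.Value -ne $builtin.SID.Value
    }

    [pscustomobject]@{
        ComputerName  = $env:COMPUTERNAME
        BuiltInAdmin  = $builtin.Name
        BuiltInEnabled = $builtin.Enabled
        ExtraAdmins   = @($extra | ForEach-Object { $_.Name })
    }
}

$report = Get-ExtraLocalAdmins
$report | Format-List

# Removal is deliberately dry-run. Drop -WhatIf only after reviewing the report, and prefer
# removing the account from the group over deleting it if you need to keep its profile.
foreach ($name in $report.ExtraAdmins) {
    Remove-LocalGroupMember -Group 'Administrators' -Member $name -WhatIf
}
```

Run this as part of a proactive remediation or a scheduled script before and after the LAPS rollout: the first pass tells you how many devices still have unmanaged admin accounts, the second confirms that only the RID-500 account remains.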
Further information on LAPS with Intune can be found here:
Microsoft Intune support for Windows LAPS