Set Up Windows LAPS with Microsoft Intune for Enhanced Security

Configure Windows LAPS with Microsoft Intune to automatically rotate and manage local administrator passwords on managed devices using Microsoft Entra ID backup and cloud-based policy enforcement.

Emanuel DE ALMEIDA | 3/13/2026 | 15 min read | 6 steps

Overview

Windows Local Administrator Password Solution (LAPS), natively built into Windows 11 (22H2+) and Windows Server 2022, automates local administrator password management by generating unique, complex passwords per device and backing them up to Microsoft Entra ID or Active Directory. Integrated with Microsoft Intune, LAPS eliminates shared local admin credentials — one of the most exploited attack vectors in lateral movement scenarios.

Prerequisites include devices running Windows 11 22H2+ or Windows Server 2022+, enrolled in Microsoft Intune, and Azure AD-joined or hybrid Azure AD-joined. Enable LAPS in the Entra admin center under Devices > Device settings, then create a Windows LAPS account protection policy in Intune (Endpoint security > Account protection > Windows LAPS). Configure password age (default: 30 days), password length (minimum: 15 characters), account name, and backup directory (Azure AD). Retrieved passwords are accessible by authorized admins in the Entra portal under Devices > Local administrator password recovery.

Tip: Use the built-in Get-LapsAADPassword PowerShell cmdlet (LAPS module) to audit and retrieve LAPS passwords programmatically, or delegate access using Azure AD custom roles to restrict retrieval to privileged identity management (PIM) eligible roles.

Implementation Guide

Full Procedure

Step 01: Enable LAPS Tenant-Wide in Microsoft Entra ID

First, you need to enable LAPS at the tenant level in Microsoft Entra ID. This is a global setting that affects all devices in your organization.

Sign in to the Microsoft Entra admin center at https://portal.azure.com using an account with Cloud Device Administrator or Global Administrator permissions.

Navigate to Identity > Devices > Overview > Device settings.

Locate the setting Enable Local Administrator Password Solution (LAPS) and set it to Yes.

Click Save to apply the changes.

Warning: This setting affects all devices in your tenant. Test this configuration in a non-production environment first to understand the impact.

Verification: The setting should show as "Yes" after saving. This change takes effect immediately but devices will only start using LAPS once policies are applied.

Step 02: Enable the Built-in Administrator Account via Intune

Windows LAPS requires the built-in administrator account to be enabled, which is often disabled by default on modern Windows installations. We'll create an Intune configuration profile to enable it.

Sign in to the Microsoft Intune admin center at https://intune.microsoft.com.

Navigate to Devices > Configuration profiles > Create profile.

Configure the profile settings:

  • Platform: Windows 10 and later
  • Profile type: Settings catalog

In the Basics tab, enter a name like "Enable Built-in Administrator for LAPS" and add a description.

In the Configuration settings tab, click Add settings and search for "Local Policies Security Options".

Select Accounts: Administrator account status and set it to Enabled.

In the Assignments tab, assign this profile to your target device groups. Start with a pilot group for testing.

Review your settings and click Create.

Pro tip: Create a dedicated device group for LAPS testing before rolling out to production devices. This allows you to validate the configuration works correctly.

Verification: After the policy applies, check the device by running net user administrator in Command Prompt. The output should show "Account active: Yes".

Step 03: Create the Windows LAPS Policy in Intune

Now we'll create the main LAPS policy that defines password complexity, rotation schedule, and backup location.

In the Intune admin center, go to Endpoint security > Account protection > Create Policy.

Select the following options:

  • Platform: Windows 10 and later
  • Profile: Local admin password solution (Windows LAPS)

In the Basics tab, enter a name like "Windows LAPS Policy" and provide a clear description.

Configure the Configuration settings with these recommended values:

Setting                          Recommended value                            Description
Password Age (Days)              30                                           How often passwords rotate (7-365 days)
Password Complexity              Large + small letters + numbers + specials   Ensures strong password generation
Password Length                  14                                           Minimum 12 characters recommended
Backup Directory                 AzureAD (Microsoft Entra ID)                 Where passwords are stored securely
Password Encryption              Yes                                          Encrypts passwords in transit and storage
Administrator Account Name       Built-in administrator                       Targets the default admin account
Post Authentication Actions      Reset password                               Resets password after use
Post Authentication Reset Delay  24 hours                                     Grace period before reset

In the Assignments tab, add your target device groups. Start with your pilot group before expanding to production.

Review all settings and click Create.

Warning: The post-authentication reset feature will change the administrator password after it's used. Plan for this in your support processes and ensure you have alternative access methods.

Verification: The policy will appear in your Account protection policies list with a status of "Assigned" once created successfully.

Step 04: Verify LAPS Configuration on Target Devices

After deploying the policies, you need to verify that LAPS is working correctly on your target devices.

On a target Windows device, open PowerShell as an administrator and run these verification commands:

# Check LAPS registry settings
Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\LAPS"

# Verify LAPS service status
Get-Service -Name "LAPS" -ErrorAction SilentlyContinue

# Check LAPS event logs (Windows LAPS writes to its own operational log, not the Application log)
Get-WinEvent -LogName "Microsoft-Windows-LAPS/Operational" -MaxEvents 10

# Force device sync with Intune (PushLaunch is the MDM sync scheduled task)
Get-ScheduledTask | Where-Object {$_.TaskName -eq "PushLaunch"} | Start-ScheduledTask

# Check device registration status
dsregcmd /status

You should see LAPS registry entries populated with your policy settings, and event logs should show LAPS activity.

To verify the administrator account is enabled:

net user administrator

The output should show "Account active: Yes".

Pro tip: Use the Windows Event Viewer to monitor LAPS events in real-time. Look for Event ID 10018 which indicates successful password changes.

Verification: LAPS is working correctly when you see populated registry entries, active LAPS events in the log, and the administrator account shows as enabled.
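As an added example (not part of the original guide), the individual checks above folded into a single function that returns one pass/fail object per check, so the result can be collected from many pilot devices and compared. It assumes the policy value names PasswordAgeDays, PasswordLength and BackupDirectory under the registry key the guide uses, that the value 1 for BackupDirectory means Microsoft Entra ID, and that event ID 10018 in the LAPS operational log marks a successful password update, as the tip above states.

```powershell
# Added example: one-shot Windows LAPS health check, run in an elevated session on the device.
function Test-LapsDeviceHealth {
    param(
        # Expected values taken from the guide's recommended policy table
        [int]$ExpectedPasswordAge    = 30,
        [int]$ExpectedPasswordLength = 14,
        [int]$ExpectedBackupDirectory = 1,          # assumed: 1 = Microsoft Entra ID
        [string]$AdminAccount = "Administrator",
        # Registry path used by the guide; value names assumed to match the policy names
        [string]$PolicyKey = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\LAPS"
    )
    $result = [ordered]@{}

    # 1. Policy received: key exists and core values match what Intune should have pushed
    $policy = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
    $result.PolicyPresent = [bool]$policy
    $result.PasswordAgeOk = ($policy.PasswordAgeDays -eq $ExpectedPasswordAge)
    $result.PasswordLenOk = ($policy.PasswordLength -ge $ExpectedPasswordLength)
    $result.BackupToEntra = ($policy.BackupDirectory -eq $ExpectedBackupDirectory)

    # 2. Managed account exists and is enabled (Step 02 of the guide)
    $acct = Get-LocalUser -Name $AdminAccount -ErrorAction SilentlyContinue
    $result.AdminEnabled = ($null -ne $acct -and $acct.Enabled)

    # 3. At least one successful password update (event 10018) in the LAPS operational log
    $ok = Get-WinEvent -FilterHashtable @{
        LogName = "Microsoft-Windows-LAPS/Operational"; Id = 10018
    } -MaxEvents 1 -ErrorAction SilentlyContinue
    $result.PasswordUpdated = ($null -ne $ok)
    $result.LastUpdate      = if ($ok) { $ok.TimeCreated } else { $null }

    # 4. Device is Entra-joined: parse the AzureAdJoined line of dsregcmd /status
    $result.EntraJoined = [bool](dsregcmd /status | Select-String "AzureAdJoined\s*:\s*YES")

    # Overall verdict: policy present, account usable, a rotation has happened, device joined
    $result.Healthy = $result.PolicyPresent -and $result.AdminEnabled -and
                      $result.PasswordUpdated -and $result.EntraJoined
    [pscustomobject]$result
}

Test-LapsDeviceHealth | Format-List
```

A device that reports PolicyPresent but not PasswordUpdated usually maps to the "Password not backing up" row of the troubleshooting table in Step 06.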

Step 05: Configure Password Retrieval Permissions

Only authorized users should be able to retrieve LAPS passwords. Let's configure the appropriate permissions in Microsoft Entra ID.

In the Microsoft Entra admin center, navigate to Identity > Roles and administrators.

Search for and select the Cloud Device Administrator role, or create a custom role with specific LAPS permissions.

Click Add assignments and select the users or groups who should have access to retrieve LAPS passwords.

For more granular control, you can create a custom role with these specific permissions:

{
  "microsoft.directory/devices/localCredentials/read": true,
  "microsoft.directory/devices/read": true
}

To test password retrieval, authorized users can:

  1. Go to the Microsoft Entra admin center
  2. Navigate to Identity > Devices > All devices
  3. Select a device with LAPS enabled
  4. Click Local Administrator Password to view the current password

Warning: LAPS passwords are highly sensitive. Only grant retrieval permissions to users who absolutely need them, and regularly audit who has access.

Verification: Test that authorized users can retrieve passwords through the Entra admin center, while unauthorized users receive access denied errors.

Step 06: Monitor and Troubleshoot LAPS Deployment

Proper monitoring ensures your LAPS deployment is working correctly and helps identify issues quickly.

In the Intune admin center, monitor policy deployment status:

  1. Go to Endpoint security > Account protection
  2. Select your LAPS policy
  3. Click Device status to see deployment results

Common issues and their solutions:

Issue                           Cause                                Solution
Policy not applying             Device not enrolled or sync issues   Force device sync, check enrollment status
Administrator account disabled  Built-in admin policy not applied    Verify the administrator enablement policy deployed
No LAPS registry entries        Policy not received by device        Check device compliance and force sync
Password not backing up         Entra ID connectivity issues         Verify device registration with dsregcmd /status

Use these PowerShell commands for advanced troubleshooting:

# Check detailed device registration
dsregcmd /status | Select-String -Pattern "AzureAdJoined|DomainJoined|WorkplaceJoined"

# Verify Intune management extension
Get-Process -Name "Microsoft.Management.Services.IntuneWindowsAgent" -ErrorAction SilentlyContinue

# Check LAPS configuration in registry
Get-ChildItem -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\LAPS" -Recurse

# Force immediate password rotation (for testing). Reset-LapsPassword is the Windows LAPS cmdlet;
# Reset-ComputerMachinePassword would rotate the domain computer account password, not the local admin password.
Reset-LapsPassword

Pro tip: Set up automated monitoring using Azure Monitor or Microsoft Sentinel to track LAPS password rotation events and failed policy deployments.

Verification: Your LAPS deployment is successful when devices show "Succeeded" status in Intune, passwords are being rotated according to your schedule, and authorized users can retrieve passwords when needed.
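As an added example (not part of the original guide), a tenant-side audit that uses Get-LapsAADPassword (mentioned in the overview tip) without -IncludePasswords, so it reads only expiration metadata and never the password itself, to list Windows devices whose LAPS password has never been backed up or whose rotation is overdue. It assumes the Microsoft.Graph PowerShell module is installed and that the signed-in account holds the Device.Read.All and DeviceLocalCredential.ReadBasic.All Graph permissions.

```powershell
# Added example: audit LAPS backup coverage across the tenant (metadata only, no passwords read).
# Assumes the Microsoft.Graph module and the in-box LAPS module on the admin workstation.
function Get-LapsBackupAudit {
    param(
        # Days past PasswordExpirationTime before a device is flagged as overdue
        [int]$GraceDays = 2
    )
    # ReadBasic.All is sufficient for expiration metadata; the full Read.All is not requested
    Connect-MgGraph -Scopes "Device.Read.All","DeviceLocalCredential.ReadBasic.All" -NoWelcome

    $devices = Get-MgDevice -Filter "operatingSystem eq 'Windows'" -All
    $now = Get-Date
    foreach ($d in $devices) {
        $state = "OK"; $expires = $null
        try {
            # Without -IncludePasswords only DeviceName, DeviceId and PasswordExpirationTime return
            $laps = Get-LapsAADPassword -DeviceIds $d.DeviceId -ErrorAction Stop
            $expires = $laps.PasswordExpirationTime
            if ($null -eq $expires) {
                $state = "NoBackup"
            } elseif ($expires.AddDays($GraceDays) -lt $now) {
                # A rotation was due and has not been backed up: device offline or policy failing
                $state = "RotationOverdue"
            }
        } catch {
            # No credential stored for this device: LAPS policy never applied or never backed up
            $state = "NoBackup"
        }
        [pscustomobject]@{
            DeviceName = $d.DisplayName
            DeviceId   = $d.DeviceId
            Expires    = $expires
            State      = $state
        }
    }
}

# Show only the devices that need attention
Get-LapsBackupAudit | Where-Object State -ne "OK" | Sort-Object State | Format-Table -AutoSize
```

Devices in the RotationOverdue state are the ones to check with the device-side commands from Step 06 before their stored password grows older than the policy intends.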

Written by Emanuel DE ALMEIDA

Microsoft MCSA-certified Cloud Architect | Fortinet-focused. I modernize cloud, hybrid & on-prem infrastructure for reliability, security, performance and cost control - sharing field-tested ops & troubleshooting.
