Blog Details

Blog Image

Enhance Security: How to Set Up Windows LAPS with Microsoft Intune

In today's cybersecurity landscape, managing local administrator passwords is crucial for protecting your Windows devices. Windows Local Administrator Password Solution (LAPS) provides a robust solution for this, and Microsoft Intune simplifies its deployment and management. This blog post will guide you through the step-by-step process of setting up Windows LAPS with Microsoft Intune, enhancing your organization's security posture.

What is Windows LAPS?

Windows LAPS is a feature that automatically manages and rotates local administrator passwords on your Windows devices. It stores these passwords securely in either Active Directory or Microsoft Entra ID, ensuring that each device has a unique, complex password.

Why Use Windows LAPS with Microsoft Intune?

  • Enhanced Security: Prevents lateral movement by ensuring unique local administrator passwords.
  • Simplified Management: Centrally manage LAPS policies and passwords through Microsoft Intune.
  • Compliance: Helps meet compliance requirements by enforcing strong password policies.
  • Reduced Risk: Minimizes the risk of unauthorized access through compromised local accounts.

Step-by-Step Guide to Setting Up Windows LAPS with Microsoft Intune:

  • Enable LAPS in Microsoft Entra ID Device Settings:
    • Log in to the Microsoft Entra admin center with a Cloud Device Administrator role.
    • Navigate to Identity > Devices > All devices > Device settings.
    • Under Local administrator settings, select Yes to enable Microsoft Entra ID Local Administrator Password Solution (LAPS) (Preview).
      • Image Description

  • Enable the Local Administrator Account:
    • In the Microsoft Intune admin center, go to Devices > Configuration profiles > + Create profile.
    • Select Windows 10 and later for Platform and Settings catalog for Profile type, then click Create.
      • Image Description
    • Add a Name and Description to your profile and click Next.
      • Image Description
    • Click +Add settings, search for Local Policies Security Options, select Accounts Enabled Administrator Account Status, and then Enable it.
      • Image Description Image Description Image Description
    • Assign the policy to your devices. (All Devices recommended)
      • Image Description

  • Configure Windows LAPS with Intune:
    • In the Microsoft Intune admin center, go to Endpoint security > Account protection > + Create policy.
    • Select Windows 10 and later for Platform and Local admin password solution (Windows LAPS) (preview) for Profile, then click Create.
      • Image Description
    • Add a Name and Description on the Basics page.
      • Image Description Image Description
    • On the configuration settings page, configure the following.
      • Backup Directory: Select Microsoft Entra ID only.
        • Image Description
      • Password Age Days: Set the password rotation interval (e.g., 30 days).
        • Image Description
      • Administrator Account Name: Specify the local administrator account name (or leave blank for the default).
        • Image Description
      • Password Complexity: Choose a strong password complexity (e.g., Large letters + small letters + numbers + special characters).
        • Image Description
      • Password Length: Set the password length (e.g., 14 characters).
        • Image Description
      • Post Authentication Actions: Configure actions after authentication (e.g., Reset the password and logoff).
        • Image Description
      • Post Authentication Reset Delay: Set the delay before post-authentication actions (e.g., 24 hours).
        • Image Description
    • Assign the policy to All devices or specific groups.
      • Image Description Image Description Image Description
    • Review and create the policy.
      • Image Description

  • Verify LAPS Configuration:
    • Check the Intune report to confirm policy deployment.
      • Image Description
    • Verify local registry settings on a managed device: HKLMSoftwareMicrosoftPoliciesLAPS.
      • Image Description

  • View Local Administrator Password:
    • Microsoft Entra admin center:
      • Navigate to Identity > Devices > All devices. Click Local Administrator password recovery (Preview).
        • Image Description
      • Select a device and click Show local administrator password.
        • Image Description
    • Microsoft Intune admin center:
      • Navigate to Devices > Windows.
        • Image Description
      • Select your device and click Local admin password.
        • Image Description
      • Click Show local administrator password.
        • Image Description

  • Change Windows LAPS Password on Demand:
    • Microsoft Intune admin center:
      • Navigate to Devices > All devices.
      • Select your device, click the three dots, and choose Rotate local admin password.
      • Confirm the action.

Best Practices:

  • Use strong password complexity and length.
  • Rotate passwords regularly.
  • Limit access to LAPS passwords to authorized personnel.
  • Monitor LAPS deployment and password recovery.

Implementing Windows LAPS with Microsoft Intune significantly enhances the security of your Windows devices. By following these steps, you can effectively manage local administrator passwords and protect your organization from potential threats.

Have you implemented Windows LAPS in your environment? If you need assistance with Microsoft Intune or Windows LAPS, contact us today.

  • Microsoft Intune
  • Windows LAPS, Intune, Entra ID, Security Best Practices

Search

Categories

Recent Posts

Unlock Your Business Potential: The Power of Managed IT Services
Mastering Microsoft 365 Administration with PowerShell: Domains, Users, Licenses, and More
Enhance Security: How to Set Up Windows LAPS with Microsoft Intune
Navigating the Tech Maze: Common Hurdles for Small Business Owners
Automating SQL Server Backups and Cleanup with PowerShell: Ensuring Data Integrity

Tags