Enable Windows LAPS management with Microsoft Intune

Nicky De Westelinck
4 min readApr 23, 2023

In this article, I’ll show you the steps needed to Enable Windows LAPS management with Microsoft Intune. As most of you already heard, Microsoft announced the public preview of Windows Local Administrator Password Solution (LAPS) for Azure Active Directory yesterday. For more information about LAPS and the announcement, you can find the links at the end of this article.

This means we can now secure our Azure Active Directory joined devices using Microsoft Entra and Microsoft Intune.

Windows LAPS Management in Microsoft Intune

In this article, I’ll show you all the steps needed to implement Windows LAPS with Microsoft Intune. Let’s get started!

Pre-requisites

What do we need?

  • A tenant with Microsoft Intune service release 2304 (April Update) active
  • Admin privileges for Microsoft Entra (Azure Active Directory) and Microsoft Intune
  • A Windows 10 20H2/Windows 21h2 or later with the April 11, 2023 security updates installed

Microsoft Entra

First, we need to enable Windows LAPS in our Device Settings in Azure Active Directory.
Go to Microsoft Entra | Azure Active Directory | Devices | All Devices | Device Settings and set Enable Azure AD Local Administrator Password Solution (LAPS) under Local Administrator settings (preview) to Yes.

Now once the policy is enabled we can go to the Microsoft Intune part of the configuration.

Microsoft Intune

For enabling Windows LAPS on our Azure AD Joined device managed by Microsoft Intune, we need to create an Account Protection policy.

Go to Microsoft Intune admin center | Endpoint Security | Account protection and choose + Create Policy.

Next, choose Windows 10 or later as Platform and for Profile choose Local admin password solution (Windows LAPS). Now choose Create.

NOTE: If you don’t see the LAPS option, make sure your tenant is on service release 2304 (April update). You can check this by going to Microsoft Intune admin center | Tenant Administration | Tenant Status

Now give your policy a name and a description following your naming convention and choose Next.

Next step is the configuration settings of the policy, this is something you discuss with the customer and set the needs. In this example, we going to use some basic settings for LAPS.

  • Backup Directory: Backup the password to Azure AD only
  • Password Age Days: Configured — 30
  • Administrator Account Name: Configured — LocalAdmin
  • Password Complexity: Large letters + small letters + numbers + special characters
  • Password Lenght: Configured — 16
  • Post Authentication Actions: Reset the password and logoff the managed account
  • Post Authentication Reset Delay: Configured — 24 (hours)

After setting the configuration, choose Next. We are going to skip the Scope tags part by choosing Next again.

For the Assignment part, I’ve created an Azure AD Dynamic Device group that will contain all my Windows 11 devices. Read this article if you aren’t familiar with Dynamic groups in Azure AD. I named my group GRP_AAD_All_Windows11_Devices and the Dynamic membership rule is (device.deviceOSVersion -startsWith “10.0.22”) . After assigning your group choose Next.

Now review your configuration and if you’re ready to go, choose Create.

Your LAPS policy is now created and ready to be deployed to your devices!

That’s it, this is how you Enable Windows LAPS management with Microsoft Intune for your organization. Stay tuned for a following article on how to manage your LAPS in Microsoft Intune.

Thanks for reading!

Links

Introducing Windows Local Administrator Password Solution with Microsoft Entra (Azure AD) — Microsoft Community Hub

By popular demand: Windows LAPS available now! — Microsoft Community Hub

Announcing Windows LAPS management through Microsoft Intune — Microsoft Community Hub

--

--

Nicky De Westelinck

I’m a Modern Workplace Consultant at Wortell Belgium. My main focus is Microsoft Intune. Since 2021, I’m also a Microsoft Certified Trainer.