Windows LAPS with Intune

Windows LAPS with Intune

Comments 0 Comment
Microsoft LAPS with Azure AD

Overwiew of Microsoft LAPS

Windows LAPS or Local Administrator Password Solution is a Microsoft tools used by the DSI team for manage local password. The password of the local administrator password can be modify and stored in Active Directory and Azure Active Directory. It’s a fantastic tools for on-premise or Hybrid AD Join computer.

The computer can be configured by Microsoft intune. With Microsoft Intune, the Windows LAPS CSP (Configuration Service Provider) must be used. If you save the password in Active Directory, Group Policy or script can be used. You can’t used Group policy if the password is store into Azure AD.

Settings applied to the computer

Windows LAPS CSP apply on the computer the following settings :

  • BackupDirectory : Used this settings to select the directory who the password is backed up. Three options is avalable for this settings.
./Device/Vendor/MSFT/LAPS/Policies/BackupDirectory
Value 0 : Disabled, the password is not backed up
Value 1 : Backup the password to Azure AD Only
Value 2 : Backup the password to Active Directory Only
  • PasswordAgeDays : This settings configure the maximum password age for the local account. by default, the value of the password age day is 30 days. The minimum value is 1 day and the maximum is 365 days.
./Device/Vendor/MSFT/LAPS/Policies/PasswordAgeDays
  • PasswordComplexity : This settings configure the complexity of the password. Four options are available, if no options is selected the default settings applied is the option 4
./Device/Vendor/MSFT/LAPS/Policies/PasswordComplexity
Option 1 : Large letters
Option 2 : Large letters + small letters
Option 3 : Large letters + small letters + numbers
Option 4 : Large letters + small letters + numbers + special characters
  • PasswordLength : Used for configure the length of the password. The minimum length for the password is 8 characters and 64 characters for the maximum. The default value is 14 characters.
./Device/Vendor/MSFT/LAPS/Policies/PasswordLength
  • AdministratorAccountName : This settings is used to configure the name of the managed local administrator account. If this settings is not configured, administrator account will be located by well-known SID.
./Device/Vendor/MSFT/LAPS/Policies/AdministratorAccountName
  • PostAuthenticationResetDelay : Specify the amount of hour time to wait after an authentication before executing the specified actions. The default value is 24 hours. The minimum value is 0 (disable all post-authentification actions) and the maximum value is 24 hours..
./Device/Vendor/MSFT/LAPS/Policies/PostAuthenticationResetDelay
  • PostAuthenticationActions : This settings permit to configure actions to take upon expiration of the grace period. Three options is available, the default value is 3.
./Device/Vendor/MSFT/LAPS/Policies/PostAuthenticationActions
Value 1 : After the expiration of the grace period, the password of the local account is be reset.
Value 3 : The password is be Reset and logoff is performed for any interactive logon sessions using the managed account. This operation is performed after the expiration of the grace period.
Value 5 : The password is be reset and the computer manager is immediately rebooted. All of this operation is performed after the expiration of the grace pediod.

Configure Azure AD

From the Entra portal, expand Devices menu and click on All devices. Click on Device settings then enable Azure AD Local Administrator Password Solution (LAPS).

Enable LAPS Parameter on Azure AD

Click on Save.

Configure Intune profile

From the Intune portal, click on Endpoint Security then on Account protection

Select Account protection on Intune portal

Click on Create Policy then select Windows 10 and later in the Platform drop-down list. Select Local Admin password solution in the Profile drop-down list and click on Create.

Create Intune profile for LAPS

Enter the name of the profiles then click on Next.

Enter the name of the profile

Select Backup the password to Azure AD only and select the value for the Password Age Days.

Configure Backup directory parameter

Enable Administrator Account Name then enter the name of the local account.

Configure local account for LAPS

Configure password complexity and the password length. Configure the post authentification action then click on Next.

Configure password complexity

Configure assignments then click on Create.

Profile is now been created

Recoverthe password in Azure AD

From the Entra portal, expand Devices menu and click on All devices. Click on Local administrator password recovery. The device appear and you can show the local administrator password.

View the password in Azure AD.

Click on Show local administrator password then on Show to view the password.

View the password of the local account.

On the Windows 10 computer, the event viewer (Windows Logs \ Applications and Services Logs \ Microsoft \ Windows \ LAPS can be used by an administrator for validate if configuration has been applied.

Use LAPS event log

If the configuration is been applied and password updated in Azure AD, the event with ID 10029 is on the event viewer.

Event 10029 the password is updated on Azure ad

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.