Windows LAPS with Intune
Overview of Microsoft LAPS
Windows LAPS (Local Administrator Password Solution) is a Microsoft tool used by the DSI team to manage the local administrator password. The password of the local administrator account can be changed and stored in Active Directory or Azure Active Directory. It is a very useful tool for on-premises and hybrid Azure AD joined computers.
The computer can be configured with Microsoft Intune. With Microsoft Intune, the Windows LAPS CSP (Configuration Service Provider) must be used. If the password is backed up to Active Directory, Group Policy or a script can be used instead. Group Policy cannot be used when the password is stored in Azure AD.
Settings applied to the computer
The Windows LAPS CSP applies the following settings on the computer:
- BackupDirectory: use this setting to select the directory where the password is backed up. Three options are available for this setting.
./Device/Vendor/MSFT/LAPS/Policies/BackupDirectory
Value 0: Disabled, the password is not backed up
Value 1: Back up the password to Azure AD only
Value 2: Back up the password to Active Directory only
- PasswordAgeDays: this setting configures the maximum password age for the local account. By default, the password age is 30 days. The minimum value is 1 day and the maximum is 365 days.
./Device/Vendor/MSFT/LAPS/Policies/PasswordAgeDays
- PasswordComplexity: this setting configures the complexity of the password. Four options are available; if no option is selected, the default is option 4.
./Device/Vendor/MSFT/LAPS/Policies/PasswordComplexity
Option 1: Large letters
Option 2: Large letters + small letters
Option 3: Large letters + small letters + numbers
Option 4: Large letters + small letters + numbers + special characters
- PasswordLength: used to configure the length of the password. The minimum length is 8 characters and the maximum is 64 characters. The default value is 14 characters.
./Device/Vendor/MSFT/LAPS/Policies/PasswordLength
- AdministratorAccountName: this setting configures the name of the managed local administrator account. If it is not configured, the administrator account is located by its well-known SID.
./Device/Vendor/MSFT/LAPS/Policies/AdministratorAccountName
- PostAuthenticationResetDelay: specifies the number of hours to wait after an authentication before executing the specified actions. The default value is 24 hours. The minimum value is 0 (disables all post-authentication actions) and the maximum value is 24 hours.
./Device/Vendor/MSFT/LAPS/Policies/PostAuthenticationResetDelay
- PostAuthenticationActions: this setting configures the actions to take upon expiration of the grace period. Three options are available; the default value is 3.
./Device/Vendor/MSFT/LAPS/Policies/PostAuthenticationActions
Value 1: After the grace period expires, the password of the local account is reset.
Value 3: The password is reset and any interactive logon sessions using the managed account are logged off. This operation is performed after the grace period expires.
Value 5: The password is reset and the managed computer is immediately rebooted. This operation is performed after the grace period expires.
Configure Azure AD
From the Entra portal, expand the Devices menu and click on All devices. Click on Device settings, then enable Azure AD Local Administrator Password Solution (LAPS).
Click on Save.
Configure Intune profile
From the Intune portal, click on Endpoint Security, then on Account protection.
Click on Create Policy, then select Windows 10 and later in the Platform drop-down list. Select Local admin password solution in the Profile drop-down list and click on Create.
Enter the name of the profile, then click on Next.
Select Backup the password to Azure AD only and set the value for Password Age Days.
Enable Administrator Account Name, then enter the name of the local account.
Configure the password complexity and the password length. Configure the post-authentication actions, then click on Next.
Configure the assignments, then click on Create.
Recover the password in Azure AD
From the Entra portal, expand the Devices menu and click on All devices. Click on Local administrator password recovery. The device appears and you can display the local administrator password.
Click on Show local administrator password, then on Show to view the password.
On the Windows 10 computer, an administrator can use the Event Viewer (Windows Logs \ Applications and Services Logs \ Microsoft \ Windows \ LAPS) to validate that the configuration has been applied.
If the configuration has been applied and the password has been updated in Azure AD, the event with ID 10029 appears in the Event Viewer.
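The following PowerShell script is an added example, not part of the original post: it reads the policy that the LAPS CSP wrote to the device, decodes the values with the tables from the settings section above (flagging anything outside the documented ranges), and then looks for event 10029 in the LAPS operational log to confirm the password reached Azure AD. It assumes the CSP policy lives under HKLM:\SOFTWARE\Microsoft\Policies\LAPS and that the log channel is Microsoft-Windows-LAPS/Operational; the function names and the report layout are this example's own.

```powershell
# Added verification script (assumption: LAPS CSP policy is stored under this key).
$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Policies\LAPS'
# Event Viewer path "Applications and Services Logs\Microsoft\Windows\LAPS" (assumed channel name).
$LogName   = 'Microsoft-Windows-LAPS/Operational'

# Value tables taken from the CSP settings described above.
$BackupDirectory = @{ 0 = 'Disabled (not backed up)'; 1 = 'Azure AD only'; 2 = 'Active Directory only' }
$Complexity      = @{ 1 = 'Large letters'; 2 = 'Large + small letters'
                      3 = 'Large + small + numbers'; 4 = 'Large + small + numbers + specials' }
$PostAuthActions = @{ 1 = 'Reset password'; 3 = 'Reset password and log off'; 5 = 'Reset password and reboot' }

function Get-LapsPolicyReport {
    if (-not (Test-Path $PolicyKey)) { throw "No LAPS CSP policy at $PolicyKey; the Intune profile has not applied yet." }
    $p = Get-ItemProperty -Path $PolicyKey
    # Fall back to the documented defaults when Intune left a setting unconfigured.
    $age    = if ($null -ne $p.PasswordAgeDays)              { $p.PasswordAgeDays }              else { 30 }
    $length = if ($null -ne $p.PasswordLength)               { $p.PasswordLength }               else { 14 }
    $cplx   = if ($null -ne $p.PasswordComplexity)           { $p.PasswordComplexity }           else { 4 }
    $delay  = if ($null -ne $p.PostAuthenticationResetDelay) { $p.PostAuthenticationResetDelay } else { 24 }
    $action = if ($null -ne $p.PostAuthenticationActions)    { $p.PostAuthenticationActions }    else { 3 }
    [pscustomobject]@{
        BackupDirectory    = $BackupDirectory[[int]$p.BackupDirectory]   # unset -> 0 -> Disabled
        AccountName        = if ($p.AdministratorAccountName) { $p.AdministratorAccountName } else { '(well-known SID)' }
        PasswordAgeDays    = $age
        PasswordLength     = $length
        PasswordComplexity = $Complexity[[int]$cplx]
        PostAuthDelayHours = $delay
        PostAuthAction     = $PostAuthActions[[int]$action]
        # Flag values outside the documented ranges instead of silently trusting them.
        OutOfRange         = ($age -lt 1 -or $age -gt 365 -or $length -lt 8 -or $length -gt 64 -or
                              $delay -lt 0 -or $delay -gt 24)
    }
}

function Get-LapsAzureBackupStatus {
    # Event ID 10029 is written once the new password has been stored in Azure AD.
    $evt = Get-WinEvent -FilterHashtable @{ LogName = $LogName; Id = 10029 } -MaxEvents 1 -ErrorAction SilentlyContinue
    if ($evt) { "Password backed up to Azure AD at $($evt.TimeCreated)" }
    else      { 'No event 10029 yet; run Invoke-LapsPolicyProcessing and check again' }
}

Get-LapsPolicyReport | Format-List
Get-LapsAzureBackupStatus
```

Run it in an elevated PowerShell session on the enrolled device; if the report shows BackupDirectory as Disabled while the Intune profile is assigned, the policy has not synced yet.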