In today’s digital age, securing sensitive information and managing access to critical systems is paramount. One aspect of this security is the management of local administrator passwords on Windows devices. Microsoft recognized the need for a secure solution to manage local administrator passwords and introduced the Local Administrator Password Solution (LAPS) a few years ago. LAPS was initially designed for on-premises Active Directory environments, but with the increasing adoption of Microsoft Cloud technologies, it has become essential to integrate LAPS with Microsoft Entra ID and Intune to enhance security across hybrid environments. In this article, we’ll explore the concept of LAPS configured via Intune and how it contributes to a robust security posture.
Requirements can be found in the link below:
Use Windows Local Administrator Password Solution (LAPS) with Microsoft Entra ID | Microsoft Learn
Local Administrator Password Solution (LAPS) is a Microsoft solution that helps organizations manage the local administrator account passwords on Windows devices. Historically, many organizations used the same local administrator password across all their devices, which posed a significant security risk. If a malicious actor gained access to one device, they could potentially compromise the entire network. LAPS addresses this issue by providing a secure and automated way to manage unique, complex local administrator passwords for each device.
Key Features of LAPS:
1. **Randomized Passwords**: LAPS generates and stores a random and complex password for the local administrator account on each Windows device. These passwords are automatically rotated at scheduled intervals, enhancing security.
2. **Secure Storage**: Passwords are securely stored in Microsoft Entra ID or Active Directory, ensuring that only authorized personnel with the necessary permissions can access them.
3. **Access Control**: Access to view and manage LAPS passwords can be delegated to specific administrators, reducing the risk of unauthorized access.
4. **Auditing**: LAPS logs all password management activities, allowing administrators to track who accessed passwords and when.
Implementing Microsoft Entra ID LAPS with Intune
To implement LAPS effectively, organizations should follow these steps:
Enable LAPS in the Microsoft Entra ID portal:
- Log into the Microsoft Entra ID portal.
- Navigate to Devices.
- Select Device Settings.
- Under Local administrator settings, move the toggle to Yes under Enable Microsoft Entra Local Administrator Password Solution (LAPS)
Deploy LAPS Policy with Intune
- Navigate to the Intune Portal.
- Select Endpoint Security.
- Select Account Protection.
- Click + Create Policy.
- Select Windows 10 and Later under Platform and select the profile Local Administrator Password Solution (LAPS) and click Create.
- Enter the Name and Description details and click Next.
- Configure the desired settings and click Next.
- Navigate through the wizard to add any Scope Tags and set your Assignments to deploy the policy.
Monitor and Audit
Audit logs for LAPS can be found in the Microsoft Entra ID Portal under Devices > Audit Logs.
LAPS is a crucial component in the modern organization’s security arsenal, offering a seamless and secure way to manage local administrator passwords across hybrid environments. By integrating LAPS with Microsoft Entra ID and Intune, organizations can enforce password security policies, improve compliance, and simplify password management tasks. This combination enhances the overall security posture, ensuring that local administrator passwords are no longer a weak link in the chain of cybersecurity. As the threat landscape continues to evolve, adopting Intune LAPS becomes an essential step in safeguarding your organization’s critical assets.