Enable Windows LAPS management with Microsoft Intune

In this article, I’ll show you the steps needed to enable Windows LAPS management with Microsoft Intune. As most of you have already heard, Microsoft announced the public preview of Windows Local Administrator Password Solution (LAPS) for Azure Active Directory yesterday. For more information about LAPS and the announcement, you can find the links at the end of this article.

This means we can now secure our Azure Active Directory joined devices using Microsoft Entra and Microsoft Intune.

Windows LAPS Management in Microsoft Intune

Pre-requisites

What do we need?

  • A tenant with Microsoft Intune service release 2304 (April Update) active
  • Admin privileges for Microsoft Entra (Azure Active Directory) and Microsoft Intune
  • A device running Windows 10 20H2 / Windows 11 21H2 or later with the April 11, 2023 security updates installed

Microsoft Entra

First, we need to enable Windows LAPS in our Device Settings in Azure Active Directory.
Go to Microsoft Entra | Azure Active Directory | Devices | All Devices | Device Settings and set Enable Azure AD Local Administrator Password Solution (LAPS) under Local Administrator settings (preview) to Yes.

Enable LAPS in Microsoft Entra Device Settings
Enabling Azure AD LAPS in Microsoft Entra

Now once the policy is enabled we can go to the Microsoft Intune part of the configuration.

Microsoft Intune

For enabling Windows LAPS on our Azure AD Joined device managed by Microsoft Intune, we need to create an Account Protection policy.

Go to Microsoft Intune admin center | Endpoint Security | Account protection and choose + Create Policy.

Creating an Account Protection Profile for LAPS in Microsoft Intune
Create a new Account Protection policy

Next, choose Windows 10 or later as Platform and for Profile choose Local admin password solution (Windows LAPS). Now choose Create.

Choose the type of Account Protection profile

NOTE: If you don’t see the LAPS option, make sure your tenant is on service release 2304 (April update). You can check this by going to Microsoft Intune admin center | Tenant Administration | Tenant Status.

Check the Microsoft Intune Service release version
Overview of your tenant status to confirm service release

Now give your policy a name and a description following your naming convention and choose Next.

Give the policy a name and description

The next step is the configuration settings of the policy. These are something you discuss with the customer and set according to their needs. In this example, we are going to use some basic settings for LAPS.

  • Backup Directory: Backup the password to Azure AD only
  • Password Age Days: Configured – 30
  • Administrator Account Name: Configured – LocalAdmin
  • Password Complexity: Large letters + small letters + numbers + special characters
  • Password Length: Configured – 16
  • Post Authentication Actions: Reset the password and logoff the managed account
  • Post Authentication Reset Delay: Configured – 24 (hours)

Configuration settings options for LAPS
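Once the profile has reached a device, you will want to confirm that the settings above actually landed there before trusting LAPS to rotate the local administrator password. The script below is an added example (it is not part of the original article or of Microsoft's tooling); it reads the policy values the LAPS CSP writes under `HKLM:\SOFTWARE\Microsoft\Policies\LAPS`, compares them with the values configured in this article, triggers a policy processing cycle with the `LAPS` PowerShell module and shows the latest entries from the LAPS operational event log. The numeric encodings in `$expected` follow the documented LAPS policy values (for example `BackupDirectory` 1 = Azure AD only, `PostAuthenticationActions` 3 = reset the password and log off); the account name and the 30/16/24 values mirror this article's settings.

```powershell
# Added example: verify the Intune LAPS policy on a managed device.
# Run in an elevated PowerShell session on the device that received the profile.

# Expected values as configured in the Account Protection profile above
$expected = @{
    BackupDirectory              = 1            # 1 = back up to Azure AD only
    PasswordAgeDays              = 30
    AdministratorAccountName     = 'LocalAdmin' # the managed account from the article
    PasswordComplexity           = 4            # 4 = large + small + numbers + special
    PasswordLength               = 16
    PostAuthenticationActions    = 3            # 3 = reset password and log off the managed account
    PostAuthenticationResetDelay = 24           # hours
}

# Policy delivered through the LAPS CSP (Intune) is stored under this key
$policyKey = 'HKLM:\SOFTWARE\Microsoft\Policies\LAPS'

if (-not (Test-Path -Path $policyKey)) {
    Write-Warning "No LAPS policy found at $policyKey. The Intune profile has not reached this device yet."
    return
}

$actual = Get-ItemProperty -Path $policyKey

# Compare every expected setting with what the device actually holds
$mismatches = foreach ($name in $expected.Keys) {
    $value = $actual.$name
    if ($null -eq $value -or "$value" -ne "$($expected[$name])") {
        [pscustomobject]@{ Setting = $name; Expected = $expected[$name]; Actual = $value }
    }
}

if ($mismatches) {
    Write-Warning 'LAPS policy on this device differs from the expected configuration:'
    $mismatches | Format-Table -AutoSize
}
else {
    'All LAPS policy settings match the expected configuration.'
}

# Process policy now instead of waiting for the next scheduled cycle, then inspect the result.
# The LAPS module ships with the April 2023 updates the article lists as a prerequisite.
Import-Module LAPS
Invoke-LapsPolicyProcessing

# Most recent entries from the LAPS operational log; errors here usually point at a
# backup problem (device not Azure AD joined, LAPS not enabled in Entra device settings, etc.)
Get-WinEvent -LogName 'Microsoft-Windows-LAPS/Operational' -MaxEvents 10 |
    Select-Object TimeCreated, Id, LevelDisplayName, Message |
    Format-Table -AutoSize -Wrap
```

If the key is missing, check the profile assignment in the Intune admin center and force a sync from Settings | Accounts | Access work or school first; if the key exists but a value differs, the device is usually still on an older version of the profile.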

After setting the configuration, choose Next. We are going to skip the Scope tags part by choosing Next again.

For the Assignment part, I’ve created an Azure AD Dynamic Device group that will contain all my Windows 11 devices. Read this article if you aren’t familiar with Dynamic groups in Azure AD. I named my group GRP_AAD_All_Windows11_Devices and the Dynamic membership rule is (device.deviceOSVersion -startsWith "10.0.22"). After assigning your group choose Next.
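Before assigning the policy it is worth previewing which devices the dynamic rule will actually capture, and afterwards confirming that those devices have a password backed up to Azure AD. The script below is an added example, not code from the article or from Microsoft; it assumes the `Microsoft.Graph.Identity.DirectoryManagement` and `LAPS` PowerShell modules are installed and that the account used has the `Device.Read.All` and `DeviceLocalCredential.ReadBasic.All` permissions. It applies the same `-startsWith "10.0.22"` test as the article's membership rule client-side and then asks `Get-LapsAADPassword` for backup metadata only (no passwords are retrieved).

```powershell
# Added example: preview the dynamic group's membership and check Azure AD LAPS backup state.
Import-Module Microsoft.Graph.Identity.DirectoryManagement
Import-Module LAPS

# Metadata-only scope: enough to see whether a password exists and when it was rotated
Connect-MgGraph -Scopes 'Device.Read.All', 'DeviceLocalCredential.ReadBasic.All'

$groupName = 'GRP_AAD_All_Windows11_Devices'   # group name from the article

# Same test as the rule (device.deviceOSVersion -startsWith "10.0.22"), evaluated locally
$matching = Get-MgDevice -All |
    Where-Object { $_.OperatingSystemVersion -like '10.0.22*' }

"Devices the rule would place in $groupName`: $($matching.Count)"

$report = foreach ($device in $matching) {
    # Without -IncludePasswords the cmdlet returns only backup metadata
    $backup = Get-LapsAADPassword -DeviceIds $device.DeviceId -ErrorAction SilentlyContinue
    [pscustomobject]@{
        DeviceName       = $device.DisplayName
        OSVersion        = $device.OperatingSystemVersion
        PasswordBackedUp = [bool]$backup
        LastRotated      = if ($backup) { $backup.PasswordUpdateTime } else { $null }
    }
}

$report | Sort-Object PasswordBackedUp, DeviceName | Format-Table -AutoSize

# Devices in scope with no backup yet are the ones to follow up on
$report | Where-Object { -not $_.PasswordBackedUp } |
    ForEach-Object { Write-Warning "No LAPS password in Azure AD yet for $($_.DeviceName)" }
```

Run the first part before assigning the policy to make sure the prefix does not pull in devices you did not intend; run the whole script a day or so after assignment, when every targeted device has had at least one sync and a policy processing cycle.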

Group assignment of the LAPS policy

Now review your configuration and if you’re ready to go, choose Create.

Review and creation of the LAPS policy

Your LAPS policy is now created and ready to be deployed to your devices!

Overview of the Account protection policies

That’s it, this is how you Enable Windows LAPS management with Microsoft Intune for your organization. Stay tuned for a following article on how to manage your LAPS in Microsoft Intune.

Thanks for reading!

Links

Introducing Windows Local Administrator Password Solution with Microsoft Entra (Azure AD) – Microsoft Community Hub

By popular demand: Windows LAPS available now! – Microsoft Community Hub

Announcing Windows LAPS management through Microsoft Intune – Microsoft Community Hub

Nicky De Westelinck

Nicky De Westelinck is a Modern Workplace Consultant for Wortell Belgium with several years of experience in Microsoft 365. His main focus is Microsoft Endpoint Manager and Microsoft 365 administration. He has also been a Microsoft Certified Trainer since 2021.