How to Secure Local Admin Passwords with Windows LAPS and Intune

Managing local administrator passwords across a fleet of Windows devices has always been a challenge for IT teams. Shared passwords create security risks, and manual resets are time-consuming. Enter Windows Local Administrator Password Solution (LAPS), now fully integrated with Microsoft Intune and Entra ID, offering a modern, cloud-based approach to password management.

What is Windows LAPS?

Windows LAPS automatically generates a unique, complex local administrator password for each device, rotates these passwords regularly, and stores them securely in your directory—either on-premises or in the cloud. This eliminates the risky practice of using the same admin password across multiple devices and helps prevent lateral movement if a device is compromised.

Why Use LAPS with Intune?

  • Improved Security: Each device gets its own strong password, drastically reducing your attack surface.
  • Centralized Management: Intune lets you roll out and manage LAPS policies across your organization from a single console.
  • Operational Efficiency: Password rotation and management are automated, so you avoid manual resets.
  • Compliance & Auditing: All password changes are logged, supporting regulatory requirements.
  • No Extra Agent: Modern Windows versions have LAPS built in, so there’s nothing extra to install.

Prerequisites

Before you get started, make sure you have:

  • Microsoft Intune (Plan 1 or trial) and Microsoft Entra ID (Free)
  • Supported OS: Windows 11 22H2 or Windows 11 21H2, each with the April 2023 update or later
  • Devices joined to Entra ID or hybrid joined

Step-by-Step: Setting Up LAPS with Intune

1. Enable LAPS in Microsoft Entra

  • Sign in to the Microsoft Entra admin center
  • Go to Devices → All devices → Device settings
  • Find Enable Microsoft Entra Local Administrator Password Solution (LAPS) and toggle it to Yes
  • Click Save

2. Create a LAPS Policy in Intune

  • Sign in to the Intune admin center (https://endpoint.microsoft.com/)
  • Navigate to Endpoint security → Account protection → + Create Policy
  • Choose Platform: Windows and Profile: Local admin password solution (Windows LAPS)
  • Configure your policy settings (password complexity, rotation frequency, etc.)
    [Screenshot: configuration settings for a LAPS policy in the Microsoft Intune admin center]
  • Assign the policy to a device group (start with a pilot group)
  • Review and create the policy

3. Retrieve Local Admin Passwords

  • In the Entra admin center, go to Identity → Devices → All devices
  • Select the device you need
  • Under Local administrator password recovery, click Show local administrator password
    [Screenshot: Local administrator password recovery in the Entra admin center, showing the account name, security ID, and the option to view the password]
  • Copy the account name and password (visible only to authorized admins)

Best Practices

  • Use a dedicated local admin account name (not the default “Administrator”)
  • Limit password retrieval permissions using RBAC in Entra ID
  • Pilot with a small group before rolling out organization-wide
  • Document your emergency access (“break-glass”) process
  • Combine LAPS with MFA, conditional access, and compliance policies for maximum security

Troubleshooting Tips

  • If a device isn’t backing up passwords, check Entra join status and policy application
  • If a user can’t retrieve a password, verify their RBAC permissions
  • If a policy isn’t applying, confirm Intune sync and check device event logs
  • Make sure your OS build supports LAPS
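The checks above can be run from one elevated PowerShell session on the affected device. The script below is an added example, not part of the original post: it reports the OS build, the Entra join state from `dsregcmd`, the effective LAPS policy written by the Intune CSP (assumed here to live under `HKLM:\SOFTWARE\Microsoft\Policies\LAPS`, the location Microsoft documents for the LAPS CSP; verify on your build), and recent warnings or errors from the LAPS operational event log. `Invoke-LapsPolicyProcessing` is the built-in Windows LAPS cmdlet for forcing a policy cycle.

```powershell
# Added example (not from the original post): local LAPS health check for an Intune-managed device.
# Run in an elevated PowerShell session on the device. Assumes a Windows 11 build with Windows LAPS
# and the CSP policy registry path noted in the lead-in.

function Get-DsregValue([string[]]$Lines, [string]$Name) {
    # Pull a single "Name : Value" field out of dsregcmd /status output
    $m = $Lines | Select-String -Pattern "^\s*$Name\s*:\s*(\S+)" | Select-Object -First 1
    if ($m) { $m.Matches[0].Groups[1].Value } else { 'unknown' }
}

function Get-LapsHealthReport {
    $report = [ordered]@{}

    # 1. OS build: LAPS needs a build carrying the April 2023 update or later
    $os = Get-CimInstance Win32_OperatingSystem
    $report.OSBuild = "$($os.Caption) build $($os.BuildNumber)"

    # 2. Join state: cloud backup requires an Entra joined or hybrid joined device
    $dsreg = dsregcmd /status
    $report.AzureAdJoined = Get-DsregValue $dsreg 'AzureAdJoined'
    $report.DomainJoined  = Get-DsregValue $dsreg 'DomainJoined'

    # 3. Effective policy from Intune. BackupDirectory: 0 = disabled, 1 = Entra ID, 2 = Active Directory
    $policyPath = 'HKLM:\SOFTWARE\Microsoft\Policies\LAPS'   # assumed CSP location, see lead-in
    if (Test-Path $policyPath) {
        $p = Get-ItemProperty -Path $policyPath
        $report.BackupDirectory          = $p.BackupDirectory
        $report.AdministratorAccountName = $p.AdministratorAccountName
        $report.PasswordAgeDays          = $p.PasswordAgeDays
    } else {
        $report.Policy = 'No LAPS CSP policy present - check Intune assignment and force a sync'
    }

    # 4. Warnings (level 3) and errors (level 2) from the LAPS operational log, last 7 days
    $events = Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-LAPS/Operational'; Level = 2, 3; StartTime = (Get-Date).AddDays(-7)
    } -ErrorAction SilentlyContinue
    $report.RecentProblems = ($events | Select-Object -First 5 |
        ForEach-Object { "$($_.Id): $($_.Message.Split("`n")[0])" }) -join '; '

    [pscustomobject]$report
}

Get-LapsHealthReport | Format-List

# 5. Optionally force a policy processing cycle, then re-run the report and re-check the log
# Invoke-LapsPolicyProcessing -Verbose
```

If the report shows the policy keys but the operational log records backup failures, the device side is configured and the problem is usually join state or the tenant-level Entra LAPS toggle from step 1.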

Example Rollout Plan

  1. Identify a pilot group (50–100 devices)
  2. Enable LAPS in Entra for your tenant
  3. Configure and deploy your LAPS policy in Intune
  4. Monitor, tweak, and expand gradually

Conclusion

Implementing Windows LAPS with Intune is a straightforward way to eliminate shared local admin passwords, reduce security risks, and centralize credential management. With a short pilot and phased rollout, most organizations can quickly secure their Windows environment and simplify password management.
