Manage Windows LAPS with Microsoft Intune policies

Every Windows machine has a built-in local administrator account that can’t be deleted, and which has full permissions to the device. Securing this account is an important step in securing your organization. Windows devices include Windows Local Administrator Password Solution (LAPS), a built-in solution to help manage local admin accounts.

You can use Microsoft Intune endpoint security policies for account protection to manage LAPS on devices that have enrolled with Intune. Intune policies can:

You can also view details about the managed local admin accounts in the Intune Admin center, and manually rotate their account passwords outside of a scheduled rotation.

Use of Intune LAPS policies helps you protect Windows devices from attacks that are aimed at exploiting local user accounts like pass-the-hash or lateral-traversal attacks. Managing LAPS with Intune can also help improve security for remote help desk scenarios and recover devices that are otherwise inaccessible.

Intune LAPS policy manages the settings available from the Windows LAPS CSP. Intune's use of the CSP replaces the use of Legacy Microsoft LAPS or other LAPS management solutions, with CSP based taking precedence over other LAPS management sources.

Intune support for Windows LAPS includes the following capabilities:

To learn about Windows LAPS in more detail, start with the following articles in the Windows documentation:

Applies to:

The following are requirements for Intune to support Windows LAPS in your tenant:

Licensing requirements:

Intune subscription - Microsoft Intune Plan 1, which is the basic Intune subscription. You can also use Windows LAPS with a free trial subscription for Intune.

Active Directory subscription – Azure Active Directory Free, which is the free version of Azure AD that’s included when you subscribe to Intune. With Azure AD Free, you can use all the features of LAPS.

Active Directory support:

Intune policy for Windows LAPS can configure a device to back up a local administrator account and password to one of the following Directory types:

Cloud – Cloud supports back up to your Azure AD for the following scenarios:

Note

Devices that are workplace-joined (WPJ) are not supported by Intune for LAPS.

On-premises – On-premises supports back up to Windows Server Active Directory (on-premises Active Directory).

Important

LAPS on Windows devices can be configured to use one directory type or the other, but not both. Also consider, the backup directory must be supported by the devices join type – if you set the directory to an on-premises Active Directory and the device is not domain joined, it will accept the policy settings from Intune, but LAPS cannot successfully use that configuration.

Device Edition and Platform:

Devices can have any Windows edition that Intune supports, but must run of one of the following versions to support the Windows LAPS CSP:

GCC High support:

Intune policy for Windows LAPS is supported for GCC High environments.

To manage LAPS, an account must be have sufficient role-based access control (RBAC) permissions to complete a desired task. The following are the available tasks with their required permissions:

Create and access LAPS policy – To work with and view LAPS policies, your account must be assigned sufficient permissions from the Intune RBAC category for Security baselines. By default, these are included in the built-in role Endpoint Security Manager. To use custom roles, ensure the custom role includes the rights from the Security baselines category.

Rotate local Administrator password – To use the Intune admin center to rotate a devices local admin account password, your account must be assigned the following Intune permissions:

Retrieve local Administrator password – To view password details, your account must have one of the following Azure Active Directory permissions:

During the public preview, these permissions aren't available to add to custom Azure AD roles. Instead, your account must be assigned one of the following Azure AD built-in rules, which include these permissions by default:

In the future, Azure AD will add support for assigning the required permissions to custom Azure AD roles.

View Azure AD audit logs and events – To view details about LAPS policies and recent device actions such as password rotation events, your account must permissions equivalent to the built-in Intune role Read Only Operator.

For more information, see Role-based access control for Microsoft Intune.

For information about Windows LAPS architecture, see Key concepts in Windows LAPS in the Windows documentation.

Yes. Intune LAPS policy can be used to manage any local administrator account on a device. However, LAPS supports only one account per device:

The CSP-based policy from Intune overrides all other sources of LAPS policy, such as from GPOs or a configuration from Legacy Microsoft LAPS. For more information, see Supported Policy roots in the Windows LAPS documentation.

No. Windows LAPS can only manage accounts that already exist on the device. If a policy specifies an account by name that doesn't exist on the device, the policy applies and doesn’t report an error. However, no account is backed up.

No. Windows LAPS requires the device to be in an enabled state before password rotation and backup operations can apply.

When a device is deleted in Azure AD, the LAPS credential that was tied to that device is lost and the password that is stored in Azure AD is lost. Unless you have a custom workflow to retrieve LAPS passwords and store them externally, there's no method in Azure AD to recover the LAPS managed password for a deleted device.

The following built-in roles Azure AD roles have permission to recover LAPS passwords: Global Admin, Cloud Device Admin, and Intune Service Admin.

The following built-in roles are supported to view metadata about LAPS including the device name, last password rotation, and next password rotation: Global Admin, Cloud Device Admin, Intune Service Admin, Helpdesk Admin, Security Reader, Security Admin, and Global Reader.

Because Windows LAPS can only manage one local admin account on a device at a time, the original account is no longer managed by LAPS policy. If policy has the device back up that account, the new account is backed up and details about the previous account are no longer available from within the Intune admin center or from the Directory that is specified to store the account information.