Today, we will be implementing Microsoft LAPS, a powerful security tool that helps to secure your endpoints by managing local admin passwords. With Microsoft LAPS, you can ensure that all local admin passwords are unique and complex, and that they are changed at regular intervals. This helps to reduce the risk of unauthorized access to your systems and data.
Furthermore, I will also demonstrate the logging feature of Microsoft LAPS. With logging, you can keep track of password usage and detect any potential security breaches. By monitoring the audit logs, you can quickly identify any suspicious activity and take immediate action to prevent any damage to your systems.
Overall, implementing Microsoft LAPS is an essential step towards securing your endpoints and protecting your sensitive data. It is a powerful and easy-to-use tool that can significantly reduce the risk of cyber-attacks and unauthorized access.
Please note the minimum requirements for LAPS:
* For Windows 10: at least 20H2 with the April updates
* For Windows 11: at least 21H2 with the April updates
LAPS configuration
- Open https://portal.azure.com
- Open Azure Active Directory and open Devices
- Choose on the left-side of the screen Device Settings
- Enable Azure AD Local Administrator Password Solution (LAPS)
- Open https://intune.microsoft.com
- Open Devices – Endpoint Security – Account Protection and create a new policy
- Platform: Windows 10 and later – Profile: Local admin password solution (LAPS)
- Fill in a descriptive name such as “Baseline – Security – Enable LAPS For Built-in Administrator“
- Please add the settings as shown in the image below.
- Assign the policy
Enable Built-in Administrator Account
In addition to configuring the LAPS profile, we also need to ensure that the local administrator account is enabled. By default, this account is disabled on AAD-joined devices.
- Create a new configuration profile
- Platform Windows 10 and later – Templates – Custom
- Fill in a descriptive name such as “Baseline – Security – Enable Built-in Administrator“
- Add a row with the following OMA-URI setting:
- Name: Enable Local Administrator
- OMA-URI: ./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/Accounts_EnableAdministratorAccountStatus
- Data type: Integer
- Value: 1
- Assign the policy
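Before signing in, it is worth checking on the device itself that both policies actually landed. The following PowerShell script is an added example, not part of the original post: it finds the built-in Administrator by its well-known RID (so it still works if the account was renamed), checks whether the custom CSP value is present in the applied policy, and forces a LAPS policy cycle. It assumes an elevated session on the Azure AD-joined device and that the Policy CSP stores applied device values under the PolicyManager\current\device registry path shown (an assumption, not something the post states).

```powershell
# Added example (not from the original post): verify on the endpoint that the
# "Enable Built-in Administrator" policy has taken effect before trying to sign in.
# Assumptions: elevated Windows PowerShell 5.1 / PowerShell 7 on the Azure AD-joined device;
# the registry path below is where the MDM Policy CSP stores applied device policy values.

# Locate the built-in Administrator by its well-known RID (500) so a renamed account is still found
$builtinAdmin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }

if ($null -eq $builtinAdmin) {
    Write-Warning 'No account with RID 500 found on this device.'
}
elseif ($builtinAdmin.Enabled) {
    Write-Host "OK: '$($builtinAdmin.Name)' is enabled; sign in as .\$($builtinAdmin.Name)"
}
else {
    Write-Warning "'$($builtinAdmin.Name)' is still disabled; the policy has not been applied yet."
}

# Check whether the CSP value from the custom profile is present on the device (assumed registry path)
$policyKey = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\LocalPoliciesSecurityOptions'
$policy    = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
$status    = $policy.Accounts_EnableAdministratorAccountStatus

if ($status -eq 1) {
    Write-Host 'OK: Accounts_EnableAdministratorAccountStatus = 1 is present in the applied policy.'
}
else {
    Write-Warning "Policy value missing or not 1 (found: '$status'). Trigger a sync from Settings > Accounts > Access work or school and re-run this check."
}

# Force an immediate LAPS policy cycle instead of waiting for the scheduled one; the outcome is
# written to the Microsoft-Windows-LAPS/Operational event log.
Invoke-LapsPolicyProcessing -Verbose
```

If the account is enabled but the registry value is missing, the account was most likely enabled by something other than this profile; if the value is present but the account stays disabled, another policy (for example a security baseline) is probably disabling it again, so check for conflicting profiles in Intune.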
Where to find your LAPS password?
- Open https://intune.microsoft.com
- Open Devices – Choose a device – Open Local Admin Password
- The LAPS password is shown here
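The same password can be read from PowerShell, which is handy when scripting a helpdesk workflow. The script below is an added example and not part of the original post: it resolves a device name to its Azure AD device ID and calls the Windows LAPS module's Get-LapsAADPassword cmdlet. It assumes the Microsoft.Graph.Authentication and Microsoft.Graph.Identity.DirectoryManagement modules are installed, the built-in Windows LAPS module is available on the admin workstation, and the signed-in account has been granted the right to read device local credentials. The device name is a placeholder.

```powershell
# Added example (not from the original post): read a device's LAPS password from PowerShell
# instead of the Intune portal.
# Assumptions: Microsoft.Graph.Authentication and Microsoft.Graph.Identity.DirectoryManagement
# modules installed; Windows LAPS module present; the account is allowed to read local credentials.

$deviceName = 'PLACEHOLDER-DEVICE-NAME'   # placeholder, replace with a device in your tenant

# Interactive sign-in requesting only the scopes this task needs
Connect-MgGraph -Scopes 'Device.Read.All', 'DeviceLocalCredential.Read.All'

# Resolve the Azure AD device object; LAPS stores passwords keyed on the device ID, not the name
$device = Get-MgDevice -Filter "displayName eq '$deviceName'"
if (-not $device) { throw "Device '$deviceName' not found in Azure AD." }

# Retrieve the current password together with its rotation timestamps
$cred = Get-LapsAADPassword -DeviceIds $device.DeviceId -IncludePasswords -AsPlainText

# Show the metadata first; the password is displayed only in the final line
$cred | Format-List DeviceName, Account, PasswordUpdateTime, PasswordExpirationTime
Write-Host "Password for .\$($cred.Account): $($cred.Password)"
```

Every retrieval made this way is an audited read just like one made in the portal, so it shows up in the same audit trail described further down in the post.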
LAPS event logging
At the endpoint, you can view all events related to Microsoft LAPS in the event log.
- Open Event Viewer
- Open Microsoft – Windows – LAPS
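Scrolling through the Operational log in Event Viewer works for one device, but a short script makes problems stand out. The following PowerShell is an added example, not part of the original post: it pulls the last seven days from the Windows LAPS operational log, lists errors and warnings (levels 2 and 3), and counts the event IDs seen so you can tell at a glance whether policy processing is running at all. It assumes an elevated session on the endpoint and that the log is registered under the name Microsoft-Windows-LAPS/Operational.

```powershell
# Added example (not from the original post): summarise the Windows LAPS operational log on an
# endpoint so errors and warnings stand out instead of scrolling through Event Viewer.
# Assumptions: run elevated on the device; the log name is the one Windows LAPS registers.

$logName = 'Microsoft-Windows-LAPS/Operational'
$since   = (Get-Date).AddDays(-7)

# Level 2 = Error, 3 = Warning: anything here means a rotation or Azure AD update did not go cleanly
$problems = Get-WinEvent -FilterHashtable @{ LogName = $logName; Level = 2, 3; StartTime = $since } `
    -ErrorAction SilentlyContinue

if ($problems) {
    Write-Warning "$($problems.Count) LAPS error/warning events in the last 7 days:"
    $problems | Select-Object TimeCreated, Id, LevelDisplayName, Message | Format-Table -Wrap
}
else {
    Write-Host "No LAPS errors or warnings since $since."
}

# Count every event ID seen; an empty table means the LAPS policy is not being processed at all
Get-WinEvent -FilterHashtable @{ LogName = $logName; StartTime = $since } -ErrorAction SilentlyContinue |
    Group-Object Id |
    Sort-Object Count -Descending |
    Select-Object @{ n = 'EventId'; e = { $_.Name } }, Count |
    Format-Table -AutoSize

# Most recent event as a plain-text record, useful for a ticket or for testing a SIEM parser
Get-WinEvent -LogName $logName -MaxEvents 1 | Format-List TimeCreated, Id, LevelDisplayName, Message
```

Forwarding this log to your SIEM and alerting on the error/warning levels gives you the same signal centrally for every endpoint.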
LAPS audit logging
Now let’s take a look at what the audit log looks like from Intune’s perspective.
- Open https://intune.microsoft.com
- Open Tenant administration – Audit logs
- Select the activity for more details
Thank you for taking the time to read my blog. Kindly share it with others if you find it helpful!
I used the enable local admin policy as you showed in the screenshots. Intune shows it deployed the policy successfully, but the local admin account is still not enabled. Intune definitely captured the password for that local admin account. Should I be using .\administrator or azuread\administrator as the user name? Both policies pushed, but the administrator account is still not active.
Can you check in ‘Computer Management’ under ‘Local Users’ if the account is still disabled? For log-in you should use .\administrator