Intune - Windows LAPS and Azure AD
Is it really true, or is it all a dream? - One of the most anticipated and sought-after features within the device management space has finally arrived, Windows LAPS is here! - A completely revamped version of its predecessor, the dearly-beloved and original on-premises Microsoft Local Administrator Password Solution, which unfortunately, didn't stand the test of time.
So, what's all the fuss about? Well, first and foremost, Windows LAPS is natively built into the Windows operating system, meaning no more dedicated application, a much-welcomed addition indeed. The primary benefit, however, arrives in the form of full support for Microsoft cloud technologies, such as Azure Active Directory (Yes, Azure!) and Intune. That's right, we now have a LAPS solution that supports "over the air" configuration, management, and deployment, with support for cloud-joined (Azure AD) devices.
If you're new to LAPS and this is your first experience with such a solution, its concept remains simple, yet its functionality is pivotal. For those newcomers, here's a quick summary of what the technology can offer: - LAPS enables IT Administrators to configure, secure, and protect the password associated with a pre-determined local administrator account across the endpoint estate. This admin account can be the standard, built-in Windows "administrator" account, or a custom-created one. The management capabilities extend to the automatic and manual rotation of generated passwords, and the backing up of those passwords to Active Directory or Azure Active Directory. The key benefits are that no two devices share the same local administrator password, and that the passwords change on a defined schedule. These generated and rotated passwords are inventoried in the directory and made accessible to authorised IT Administrators, ready for when local elevation is required. LAPS empowers IT teams to employ local administrator accounts with increased confidence, knowing that each device has a unique admin password, and that a compromised password on one device cannot be replayed against the rest of the estate. The solution also proves useful for endpoint recovery: a local administrator password that was set and then forgotten can, with LAPS, be retrieved from the directory backup.
Let's jump into LAPS. First, the prerequisites: -
Windows 10 20H2 and later (April 11, 2023 security updates)
Windows 11 21H2 and later (April 11, 2023 security updates)
Azure AD Join
Hybrid Azure AD join
Enable Windows LAPS
The first step is to enable the Windows LAPS feature at the tenant level. This is simply a case of toggling a switch within the Azure Active Directory portal, specifically within the Azure AD - Devices - Device Settings blade. The setting of interest is called "Enable Azure AD Local Administrator Password Solution (LAPS)".
Create an Intune Windows LAPS policy
Once the feature has been enabled at the tenant level, it's now time to define, create, and deploy the Windows LAPS policy using Intune.
1. Within the Intune blade, browse to Endpoint Security - Account Protection.
2. Create a new Account protection policy using the "Local admin password solution (Windows LAPS)" profile option.
3. Name the new policy according to preference, and then proceed to the "Configuration settings" tab.
4. Within the "Configuration settings" tab, configure the various Windows LAPS settings according to requirements & preferences. Please find a summary of each configuration item below to aid decision-making.
Backup Directory: This setting determines which directory the local administrator password will be backed up to. The available options are to disable the backing up of passwords (not recommended) or to backup the passwords to Azure Active Directory only, or to Active Directory only. If an option is not selected here, the default configuration is to disable password backup.
Password Age Days: This configuration item specifies the frequency of the scheduled rotation of the local administrator password. With backup to Azure AD, the minimum accepted value is 7 days (backup to AD allows a 1-day minimum). If a value is not set, the default is 30 days. The maximum accepted value is 365 days.
Administrator Account Name: This setting establishes the name of the local administrator account to be associated with the LAPS configuration & password rotation, i.e., the administrator account to be managed. If an account is not specified, the default, built-in local administrator account will be identified via its well-known SID (RID 500) and managed thereafter, so renaming the built-in account does not require a change here. If a custom local administrator account has been opted for, please note that this account must already be present on the endpoints, created via other means. Entering a custom administrator account name here will not create an account automatically on the endpoint. Best practice suggests that the default, built-in administrator account should not be used, so a custom administrator account may be preferred. However, if the built-in administrator account is to be leveraged, please bear in mind that the default status for this account is disabled, so you'd have to enable the account via other means first. To clarify: at the time of writing, LAPS will neither enable nor create any accounts on a device. These actions must be performed via other means, such as PowerShell or a CSP (OMA-URI) setting.
Password Complexity: This configuration item determines the complexity requirements for the generated passwords assigned to the managed local administrator account. The available options are combinations of the following items: - Large letters, small letters, numbers, and special characters. Best practices imply that the most complex option should be opted for unless requirements dictate otherwise.
Password Length: This setting defines the password length for the managed local administrator account. If a password length is not specified, the default state is 14 characters. The minimum accepted value is 8 characters, with a maximum of 64 characters.
Post Authentication Actions: This configuration item defines what should happen after a successful authentication using the managed administrator account, specifically once the "Post Authentication Reset Delay" (below) has elapsed. The available options are to reset/rotate the LAPS password only, reset the password and log off the managed account, or reset the password and reboot the endpoint. If an action is not defined, the default state is to reset the password and log off. The security-relevant point is that any password a person has seen, and may have written down or pasted somewhere, is retired automatically; the previous password is retained in the directory's history for recovery.
Post Authentication Reset Delay: This setting defines how long to wait after successful authentication using the managed administrator account, before executing the chosen action in the "Post Authentication Action" setting (above). This setting essentially reflects the duration of the local administrator session before it expires. The value should be entered in hours. The default state is 24 hours, which is also the maximum accepted value. Please note that a value of 0 hours will disable any post-authentication actions.
5. Once all settings have been defined, proceed through the "Scope tags" and "Assignment" tabs, scoping and assigning the policy to groups of users / devices according to requirements.
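Because LAPS does not create or enable the managed account (step 4, "Administrator Account Name"), a custom account has to exist before the policy lands. The following PowerShell script is an added example, not part of the original post or of the Windows LAPS feature: it pre-creates an idempotent custom local administrator for LAPS to take over, suitable for deployment as an Intune platform script running as SYSTEM. The account name lapsadmin is illustrative; the throwaway initial password is generated from the OS CSPRNG and never recorded, because LAPS replaces it on the first rotation.

```powershell
# Added example (not from the original post). Pre-creates the custom local
# administrator that the Intune Windows LAPS policy will manage, because
# Windows LAPS does not create or enable accounts itself.
# Assumptions: 'lapsadmin' is an illustrative name; runs elevated (SYSTEM) on
# Windows PowerShell 5.1 or later with the in-box Microsoft.PowerShell.LocalAccounts module.

$AccountName = 'lapsadmin'

function New-ThrowawayPassword {
    # Random initial password from the OS CSPRNG. It only has to satisfy local
    # policy until LAPS rotates it, so it is never written anywhere.
    param([int]$Length = 32)
    # Exactly 64 symbols, so 'byte % 64' is unbiased. Ambiguous glyphs (I, O, l) omitted.
    $alphabet = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789!@#$%^&'
    $bytes = [byte[]]::new($Length)
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $chars = foreach ($b in $bytes) { $alphabet[$b % $alphabet.Length] }
    ConvertTo-SecureString -String (-join $chars) -AsPlainText -Force
}

# 1. Create the account only if it is missing (idempotent for repeated runs).
$user = Get-LocalUser -Name $AccountName -ErrorAction SilentlyContinue
if (-not $user) {
    $user = New-LocalUser -Name $AccountName `
        -Password (New-ThrowawayPassword) `
        -Description 'LAPS-managed local administrator' `
        -AccountNeverExpires -PasswordNeverExpires
}

# 2. LAPS will not enable a disabled account, so make sure it is enabled.
if (-not $user.Enabled) {
    Enable-LocalUser -Name $AccountName
}

# 3. Add it to Administrators by well-known SID (S-1-5-32-544) so the script
#    works regardless of the OS display language.
$adminsSid = [System.Security.Principal.SecurityIdentifier]'S-1-5-32-544'
$isMember = Get-LocalGroupMember -SID $adminsSid -ErrorAction SilentlyContinue |
    Where-Object { $_.SID -eq $user.SID }
if (-not $isMember) {
    Add-LocalGroupMember -SID $adminsSid -Member $user
}

Write-Output "Account '$AccountName' present, enabled and in Administrators; LAPS can now manage it."
exit 0
```

Deploy this ahead of (or alongside) the LAPS policy and assign both to the same device group; the policy's Administrator Account Name must match $AccountName exactly. The script deliberately leaves the built-in RID 500 account alone: disabling it is a separate decision, and the LAPS policy in this post manages only the one named account.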
The deployment of the Windows LAPS policy can be monitored in much the same manner as any other configuration profile, policy, or application deployment within Intune: -
On the client side, we can track the LAPS deployment via Event Viewer, specifically Applications and Services logs - Microsoft - Windows - LAPS - Operational.
Reviewing Event ID 10022, we can confirm that the local LAPS service on the endpoint has been configured accordingly with the settings we previously defined within our Intune policy.
Retrieving a LAPS password
Now that we've configured, assigned, and confirmed the deployment of Windows LAPS, it's time to verify our implementation by retrieving a generated local admin account password for an in-scope endpoint.
From the Intune blade, browse to All Devices, and then identify and open the device in question.
Within the devices page, select the "Local admin password" tab and then click on the "Show local administrator password" entry - A fly-out window will appear on the right-hand side. Within this pane, you can view the managed local administrator account's name, retrieve the account's current password, and review other useful information such as the last rotation and next rotation date and timestamps.
Intune aside, you can also retrieve this same information via the device entry within Azure AD - Devices.
Please note that IT Administrators must have the correct permissions assigned to view the above LAPS information for an endpoint, otherwise, they will not be able to view any associated metadata or retrieve passwords. Reading the password itself is controlled by the Azure AD directory action microsoft.directory/deviceLocalCredentials/password/read (exposed through Microsoft Graph as the DeviceLocalCredential.Read.All permission), which is natively in scope for the following roles: - Global Administrator, Cloud Device Administrator, and Intune Administrator. Reading the metadata only (account name, rotation timestamps) without the password is a separate, lesser action, so access to the password should be granted to as few principals as possible and every read is audited (see the Azure AD Audit Logs section).
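The portal is not the only way to retrieve the backed-up password; the in-box Windows LAPS PowerShell module can read it from Azure AD through Microsoft Graph, which makes the permission requirement above visible as a consent prompt. The following is an added example, not from the original post: it assumes the Microsoft.Graph.Authentication module is installed, that the signed-in administrator holds one of the roles listed above, and that PC-0421 is an illustrative device name. It keeps the password as a SecureString unless a human genuinely needs to type it.

```powershell
# Added example (not from the original post): retrieve a device's LAPS password
# from Azure AD via Microsoft Graph using the in-box Windows LAPS module.
# Assumptions: Microsoft.Graph.Authentication is installed; the caller holds
# Global Admin, Cloud Device Admin or Intune Admin; 'PC-0421' is illustrative.

Import-Module Microsoft.Graph.Authentication
Import-Module LAPS   # in-box on Windows 10/11 with the April 2023 updates or later

# DeviceLocalCredential.Read.All is the delegated scope that allows reading the
# password; Device.Read.All lets the cmdlet resolve the device by name.
Connect-MgGraph -Scopes 'DeviceLocalCredential.Read.All', 'Device.Read.All'

# Newest credential first. Without -AsPlainText, Password is a SecureString,
# so nothing sensitive reaches the console, transcript or history.
$cred = Get-LapsAADPassword -DeviceIds 'PC-0421' -IncludePasswords |
    Sort-Object PasswordUpdateTime -Descending |
    Select-Object -First 1

if (-not $cred) {
    throw "No LAPS credential found for PC-0421: check the device name, the policy assignment and your role."
}

# The metadata is safe to log and matches what the Intune fly-out shows.
"{0}\{1}: last rotation {2:u}, next rotation {3:u}" -f `
    $cred.DeviceName, $cred.Account, $cred.PasswordUpdateTime, $cred.PasswordExpirationTime

# Prefer handing the SecureString to whatever needs it as a PSCredential rather
# than revealing it. '.\' scopes the logon to the local SAM of the device.
$psCred = [pscredential]::new(".\$($cred.Account)", $cred.Password)

# Only reveal the password when a person has to type it (e.g. console recovery).
# The read is recorded in the Azure AD audit log either way, and the
# post-authentication action will rotate it after the configured delay.
$plain = Get-LapsAADPassword -DeviceIds $cred.DeviceId -IncludePasswords -AsPlainText |
    Sort-Object PasswordUpdateTime -Descending |
    Select-Object -First 1 -ExpandProperty Password
```

Add -IncludeHistory to Get-LapsAADPassword to list previously rotated passwords, which is what makes the post-authentication reset safe for recovery: a device that was last booted with an older password can still be unlocked. The same data is available raw at the Graph endpoint /directory/deviceLocalCredentials/{deviceId}, where the password arrives Base64-encoded in the credentials collection.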
Manually rotating a LAPS password
LAPS passwords will automatically reset & rotate according to the settings we have defined in the Windows LAPS policy; however, there may be an occasional requirement to rotate a device's LAPS password outside of that schedule, for example after a support engineer has used it, or when a device is suspected to be compromised. We can perform ad-hoc rotations of LAPS passwords via the Intune portal, specifically via the "Rotate local admin password" device action: -
The ability to rotate a LAPS password on an ad-hoc and manual basis is controlled via the following Intune RBAC permission, "Remote tasks - Rotate Local Admin Password": -
Password rotations can be tracked and verified locally via the endpoint's Event Viewer logs - Applications and Services logs - Microsoft - Windows - LAPS - Operational, specifically Event ID 10020. Note that the device action is queued in Intune and is only carried out once the device next checks in, so a rotation requested for an offline device will not appear in the log, nor in the directory, until it comes back online.
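For both checks described above, policy application (Event ID 10022) and rotation (Event ID 10020), the following PowerShell is an added example, not from the original post, that an engineer can run elevated on the endpoint instead of clicking through Event Viewer. It reads the LAPS Operational log, forces a policy-processing pass with the in-box Invoke-LapsPolicyProcessing cmdlet rather than waiting for the next scheduled cycle, and surfaces any errors. The Get-LapsEvent helper and the one-day lookback window are assumptions of this example; the event IDs and log name are those given in the post.

```powershell
# Added example (not from the original post): client-side verification of the
# Intune Windows LAPS policy. Run in an elevated PowerShell on the endpoint.
# Assumptions: Get-LapsEvent is an illustrative helper; the lookback windows
# are arbitrary; event IDs 10022 and 10020 are as described in the post.

$LapsLog = 'Microsoft-Windows-LAPS/Operational'

function Get-LapsEvent {
    param(
        [Parameter(Mandatory)][int[]]$Id,
        [datetime]$Since = (Get-Date).AddDays(-1)
    )
    # Get-WinEvent raises a non-terminating error when nothing matches, so
    # suppress it and let callers test for $null.
    Get-WinEvent -FilterHashtable @{ LogName = $LapsLog; Id = $Id; StartTime = $Since } `
        -ErrorAction SilentlyContinue |
        Sort-Object TimeCreated -Descending
}

# 1. Has the Intune policy reached the device? Event 10022 names the policy
#    source (CSP for Intune, which outranks GPO and local settings) and values.
$policy = Get-LapsEvent -Id 10022 -Since (Get-Date).AddDays(-30) | Select-Object -First 1
if (-not $policy) {
    Write-Warning 'No LAPS policy event (10022) found: check the Intune assignment and force a sync.'
    return
}
"Policy applied at {0:u}:`n{1}" -f $policy.TimeCreated, $policy.Message

# 2. Trigger a processing pass now. If the password is due (or the managed
#    account has no LAPS-set password yet) this performs the rotation and the
#    Azure AD backup immediately.
Invoke-LapsPolicyProcessing

# 3. Confirm the newest rotation (10020) and compare it with the policy time.
$rotation = Get-LapsEvent -Id 10020 -Since (Get-Date).AddDays(-30) | Select-Object -First 1
if ($rotation) {
    "Last rotation at {0:u} ({1} the current policy)" -f $rotation.TimeCreated,
        $(if ($rotation.TimeCreated -ge $policy.TimeCreated) { 'after' } else { 'BEFORE' })
} else {
    Write-Warning 'No rotation event (10020) recorded yet.'
}

# 4. Anything at Error level in the last day points at a failed backup
#    (e.g. no network path to Azure AD) or a misconfigured account name.
Get-WinEvent -FilterHashtable @{ LogName = $LapsLog; Level = 2; StartTime = (Get-Date).AddDays(-1) } `
    -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message
```

After requesting the "Rotate local admin password" device action from Intune, running steps 3 and 4 again is the quickest way to confirm the rotation landed on the device; if the manual rotation shows in the Azure AD audit log but no new 10020 event appears, the device has not yet checked in to pick up the action.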
Azure AD Audit Logs
When using Intune policies to manage Windows LAPS, as we have today, the following events are audited and logged within Azure Active Directory - Audit Logs: -
Automatic password rotation managed by a policy.
Manual password rotation through a device action.
Requests to view the password for an account.
An example of an Audit log entry for Windows LAPS is illustrated below, where a manual password rotation was requested through a device action.