IntuneBytes Windows LAPS explained

Windows LAPS in Simple Steps

Every Windows device carries a built-in local Administrator account, and if every device in a fleet shares the same password for it, one compromised machine hands an attacker a credential that works everywhere. Unique, complex and regularly rotated local administrator passwords close that path: they stop password reuse across devices and make the credential hard to guess or crack, protecting individual devices and the network from lateral movement, data theft and other breaches.

1.0 What is Windows LAPS?

Windows Local Administrator Password Solution (LAPS) is a Windows feature, built into Windows 10, Windows 11 and Windows Server 2019/2022 since the April 2023 security update, that manages the password of one local administrator account per device (the built-in Administrator account by default, or a custom account you name). It generates a unique, complex password, rotates it on a schedule and backs it up to a directory, either Windows Server Active Directory (AD) or Microsoft Entra ID (formerly Azure Active Directory), so that authorized staff can retrieve it. It replaces the legacy LAPS that had to be installed as a separate package.

2.0 Windows LAPS Capabilities:

  • Automated Password Management: LAPS generates a complex password for the managed local administrator account, rotates it at the configured interval, and can also rotate it after it has been used to sign in.
  • Secure Storage: the password is backed up to Microsoft Entra ID or Active Directory, and only authorized users and systems can read it back.
  • Role-Based Access Control: Microsoft Entra roles (for Entra-backed devices) or AD permissions (for AD-backed devices) control who can read or reset the password.
  • Event Logging: LAPS writes policy-processing, rotation and backup events to the Microsoft-Windows-LAPS/Operational log on the device, and password retrievals are recorded in the directory's audit log, giving an audit trail for security and compliance purposes.

3.0 How to enable Windows LAPS in Intune

The following steps implement Windows LAPS through Intune and trace delivery of the configuration to the targeted Windows devices.

3.1 Create a Configuration Profile

1. Sign in to the Microsoft Intune admin center (formerly the Microsoft Endpoint Manager admin center).

2. Navigate to Devices > Windows > Configuration profiles.

3. Click on Create profile.

4. Select Windows 10 and later as the platform and Settings catalog as the profile type.

5. Click on Create.

6. Search the Settings catalog for the settings that create the local administrator account with the name you want LAPS to manage. This step is only needed if LAPS should manage an account other than the built-in Administrator; LAPS does not create accounts, so the account must exist before LAPS can rotate its password.


7. Assign the profile to the required user or device groups.

3.2 Create Account Protection Policy to control Local Admin Password Settings

1. Navigate to Endpoint security > Account protection, click Create Policy and choose Windows 10 and later as the platform.

2. Select the "Local admin password solution (Windows LAPS)" profile and click Create.

3. This is an example of the password controls available from Intune:
– Backup Directory: back the password up to Microsoft Entra ID (Azure AD)
– Password Age Days: rotate the password every X days
– Password Complexity and Password Length: set as your organization requires (the Windows defaults are 14 characters using upper case, lower case, digits and symbols)
– Post Authentication Actions and Post Authentication Reset Delay: rotate the password (and optionally log the account off or reboot) a set number of hours after it has been used to sign in


4. Assign the policy to the same user or device group you used in section 3.1.

3.3 Enable LAPS in Microsoft Entra ID (Azure Active Directory):

  1. Open the Microsoft Entra admin center (or portal.azure.com) and go to Microsoft Entra ID > Devices > All devices > Device settings.
  2. You MUST set "Enable Microsoft Entra Local Administrator Password Solution (LAPS)" to Yes. This tenant-wide switch is a prerequisite: without it, devices cannot back their passwords up to Entra ID and the backup step on the device fails.
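Once the profile, the account protection policy and the tenant switch are in place, the quickest way to confirm what actually reached a device is to read the policy Windows LAPS sees locally. The script below is an added example, not code from the original post or from Microsoft: it reads the documented LAPS policy locations in the registry, reports which source won, flags settings weaker than some baseline thresholds (the thresholds are this example's own assumptions), checks that an Entra-backed policy is running on an Entra joined device, and then triggers a policy cycle with the built-in Invoke-LapsPolicyProcessing cmdlet.

```powershell
#Requires -RunAsAdministrator
# Added example, not code from the original post or from Microsoft.
# Audits the Windows LAPS policy that actually reached this device and flags
# settings weaker than the thresholds below (the thresholds are assumptions
# chosen for this example; adjust them to your own baseline).

function Get-EffectiveLapsPolicy {
    # Windows LAPS reads policy from these locations, checked in this order;
    # the CSP key is where an Intune "Local admin password solution" policy lands.
    $sources = [ordered]@{
        'CSP (Intune)'        = 'HKLM:\SOFTWARE\Microsoft\Policies\LAPS'
        'Group Policy'        = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\LAPS'
        'Local configuration' = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\LAPS\Config'
    }
    foreach ($name in $sources.Keys) {
        $path = $sources[$name]
        if (-not (Test-Path $path)) { continue }
        $p = Get-ItemProperty -Path $path
        if ($null -eq $p.BackupDirectory) { continue }   # key exists but carries no policy
        return [pscustomobject]@{
            Source                       = $name
            BackupDirectory              = $p.BackupDirectory
            AdministratorAccountName     = $p.AdministratorAccountName
            PasswordAgeDays              = $p.PasswordAgeDays
            PasswordLength               = $p.PasswordLength
            PasswordComplexity           = $p.PasswordComplexity
            PostAuthenticationActions    = $p.PostAuthenticationActions
            PostAuthenticationResetDelay = $p.PostAuthenticationResetDelay
        }
    }
    return $null
}

function Test-LapsPolicy {
    param([Parameter(Mandatory)] $Policy)
    $findings = @()
    # BackupDirectory: 0 = disabled, 1 = Microsoft Entra ID, 2 = Windows Server AD
    if ($Policy.BackupDirectory -notin 1, 2) {
        $findings += 'BackupDirectory is disabled: the password may rotate but is never backed up, so nobody can retrieve it.'
    }
    # Unset values mean "Windows default": length 14, complexity 4, age 30 days,
    # post-auth action 3 (reset and log off), delay 24 hours.
    $length     = if ($Policy.PasswordLength)     { $Policy.PasswordLength }     else { 14 }
    $complexity = if ($Policy.PasswordComplexity) { $Policy.PasswordComplexity } else { 4 }
    $age        = if ($Policy.PasswordAgeDays)    { $Policy.PasswordAgeDays }    else { 30 }
    $postAuth   = if ($null -ne $Policy.PostAuthenticationActions)    { $Policy.PostAuthenticationActions }    else { 3 }
    $delay      = if ($null -ne $Policy.PostAuthenticationResetDelay) { $Policy.PostAuthenticationResetDelay } else { 24 }

    if ($length -lt 14)    { $findings += "PasswordLength $length is below 14." }
    # Complexity 1-3 omit character classes; 4 = upper, lower, digits and symbols.
    if ($complexity -lt 4) { $findings += "PasswordComplexity $complexity drops character classes." }
    if ($age -gt 30)       { $findings += "PasswordAgeDays $age: a stolen password stays valid for more than a month." }
    # Post-auth action 1 only resets; 3 also logs the managed account off, 5 reboots.
    if ($postAuth -lt 3)   { $findings += "PostAuthenticationActions $postAuth leaves the session open after a rotation." }
    if ($delay -eq 0)      { $findings += 'PostAuthenticationResetDelay 0 disables rotate-after-use.' }
    return $findings
}

function Test-EntraJoined {
    # Backup to Entra ID only works on an Entra joined or hybrid joined device.
    $status = & dsregcmd.exe /status
    return [bool]($status | Select-String -Pattern 'AzureAdJoined\s*:\s*YES')
}

$policy = Get-EffectiveLapsPolicy
if (-not $policy) {
    Write-Warning 'No Windows LAPS policy on this device yet: sync the device in Intune and re-run.'
    return
}
$policy | Format-List
Test-LapsPolicy -Policy $policy | ForEach-Object { Write-Warning $_ }
if ($policy.BackupDirectory -eq 1 -and -not (Test-EntraJoined)) {
    Write-Warning 'Policy targets Entra ID but the device is not Entra joined; backup will fail.'
}
# Run a policy cycle now instead of waiting for the scheduler, then check the
# Microsoft-Windows-LAPS/Operational log for the result.
Invoke-LapsPolicyProcessing
```

Run it in an elevated PowerShell on a targeted device. If the policy source shows as Group Policy or Local configuration when you expected Intune, a GPO or a leftover local setting is competing with the CSP policy and should be removed rather than layered over.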

3.4 Tracing Configuration:

1- On the managed device, open Event Viewer > Applications and Services Logs > Microsoft > Windows > LAPS > Operational. Event ID 10020 confirms that the policy was processed and a password was created automatically.



2- To view a local account password in Intune you MUST hold one of these Microsoft Entra roles: Cloud Device Administrator, Intune Administrator, Helpdesk Administrator or Security Administrator. What these roles have in common is the directory permission microsoft.directory/deviceLocalCredentials/password/read, and every retrieval is written to the Microsoft Entra audit log.

In the Intune admin center go to Devices > Device XYZ > Local admin password, then click Show.
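The same retrieval can be scripted for helpdesk tooling with the Get-LapsAADPassword cmdlet from the built-in LAPS module, which calls Microsoft Graph under the same permission the portal uses. The function below is an added example, not code from the original post or from Microsoft; PC-EXAMPLE-01 is a placeholder device name, and it assumes the Microsoft.Graph PowerShell SDK is installed and the signed-in user holds one of the roles above.

```powershell
# Added example, not code from the original post or from Microsoft. Retrieves a
# device's LAPS password over Microsoft Graph with the built-in LAPS module.
# 'PC-EXAMPLE-01' is a placeholder device name. Assumes the Microsoft.Graph
# PowerShell SDK is installed and the caller holds one of the roles listed above.
Import-Module LAPS
Import-Module Microsoft.Graph.Authentication

function Get-DeviceLapsCredential {
    param(
        [Parameter(Mandatory)] [string] $DeviceName,
        [switch] $AsPlainText
    )
    # Least-privilege scopes for this call. Every successful read is recorded in
    # the Microsoft Entra audit log, which is the trail reviewers will ask for.
    Connect-MgGraph -Scopes 'DeviceLocalCredential.Read.All', 'Device.Read.All' -NoWelcome

    # Without -IncludePasswords the cmdlet returns only metadata (account name,
    # expiration time), which is enough for a compliance check and is not audited
    # as a password read.
    $meta = Get-LapsAADPassword -DeviceIds $DeviceName
    if (-not $meta) { throw "No LAPS password is backed up for '$DeviceName'." }
    if ($meta.PasswordExpirationTime -lt (Get-Date)) {
        Write-Warning "Backed-up password for '$DeviceName' expired on $($meta.PasswordExpirationTime); the device may be offline."
    }
    if ($AsPlainText) {
        # Plain text only for an interactive helpdesk session. Once someone signs
        # in with it, the post-authentication action rotates it after the delay.
        return Get-LapsAADPassword -DeviceIds $DeviceName -IncludePasswords -AsPlainText
    }
    # Default: Password comes back as a SecureString so it does not land in transcripts.
    return Get-LapsAADPassword -DeviceIds $DeviceName -IncludePasswords
}

Get-DeviceLapsCredential -DeviceName 'PC-EXAMPLE-01' | Format-List
```

Keep the plain-text switch out of any scheduled or unattended job; a SecureString result can still be passed to New-Object PSCredential for remoting without ever being written to disk.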


3- To rotate (change) the LAPS password from Intune, your Intune role MUST include these permissions:
Managed devices: Read
Organization: Read
Remote tasks: Rotate Local Admin Password

Rotate by opening Device XYZ in the Intune admin center and selecting "Rotate local admin password" from the remote actions. Intune only marks the password for rotation; the device performs the change when it next processes LAPS policy after receiving the request.

Event IDs are generated in this sequence:
1- Event 10050: rotation request delivered to the device
2- Event 10030: device is generating the new password with the configured complexity and length
3- Event 10029: new password generated and backed up to Microsoft Entra ID
4- Event 10020: process completed successfully

All four are written to the Microsoft-Windows-LAPS/Operational log on the device. The password itself never appears in the event text, so the log can be forwarded to a SIEM without exposing credentials.
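Reading that sequence by hand in Event Viewer works for one device; for a fleet you want the same check as a script. The block below is an added example, not code from the original post or from Microsoft: it pulls the LAPS operational log, rebuilds the rotation timeline from the four event IDs above (the descriptions attached to them are the ones this post gives), lists error-level events that would explain a missing backup, and reports whether the last remote rotation request was followed by a backup and a completed cycle.

```powershell
# Added example, not code from the original post or from Microsoft. Reads the
# Windows LAPS operational log on the device and rebuilds the rotation timeline
# from the event IDs listed above; the descriptions are the ones this post gives them.
$LapsLog = 'Microsoft-Windows-LAPS/Operational'
$RotationEvents = @{
    10050 = 'Rotation request delivered to the device'
    10030 = 'Device generating the new password'
    10029 = 'New password backed up to Microsoft Entra ID'
    10020 = 'Policy processing completed successfully'
}

function Get-LapsRotationTimeline {
    param([int] $Hours = 24)
    $filter = @{
        LogName   = $LapsLog
        Id        = [int[]] $RotationEvents.Keys
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    # Get-WinEvent returns newest first; sort oldest first to read it as a sequence.
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Sort-Object TimeCreated |
        ForEach-Object {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Id      = $_.Id
                Meaning = $RotationEvents[$_.Id]
                # First line of the message only; the password itself is never logged.
                Message = ($_.Message -split "`r?`n")[0].Trim()
            }
        }
}

function Get-LapsErrors {
    param([int] $Hours = 24)
    # Level 2 = Error. A failed backup (for example when the tenant switch from
    # section 3.3 is off) shows up here rather than in the success sequence.
    Get-WinEvent -FilterHashtable @{ LogName = $LapsLog; Level = 2; StartTime = (Get-Date).AddHours(-$Hours) } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

function Test-LastRotationSucceeded {
    param([int] $Hours = 24)
    $timeline = @(Get-LapsRotationTimeline -Hours $Hours)
    $request = $timeline | Where-Object Id -eq 10050 | Select-Object -Last 1
    if (-not $request) { return $null }   # no remote rotation requested in the window
    $after = $timeline | Where-Object { $_.Time -gt $request.Time }
    # A healthy rotation has both the backup (10029) and the completion (10020) after the request.
    return [bool](($after.Id -contains 10029) -and ($after.Id -contains 10020))
}

Get-LapsRotationTimeline | Format-Table -AutoSize
Get-LapsErrors | Format-Table -Wrap

$result = Test-LastRotationSucceeded
if ($null -eq $result) { 'No remote rotation requested in the last 24 hours.' }
elseif ($result)       { 'Last remote rotation completed and was backed up.' }
else                   { 'Rotation was requested but no backup or completion followed; check the errors above.' }
```

The local equivalent of the Intune remote action, for a device you are already on, is the built-in Reset-LapsPassword cmdlet; run it and then re-run this script to watch 10030, 10029 and 10020 appear.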

Conclusion

Windows LAPS is a powerful tool for securing local administrator accounts on Microsoft Entra joined, hybrid joined and domain-joined computers. By automating password generation and rotation and backing each unique password up to Microsoft Entra ID or Active Directory, LAPS removes the shared local administrator password that attackers rely on for lateral movement and reduces the risk of administrative account compromise. Enabling LAPS through Microsoft Intune is a straightforward process that fits into your existing device management framework. By following the steps outlined in this article, and by checking the device event log after deployment, you can be sure the policy has landed and your organization is better protected against credential-based attacks.
