Core Infrastructure and Security Blog

The Twelve Days of Blog-mas: No.3 - Windows Local Admin Password Solution (LAPS)

MichaelHildebrand
Nov 30, 2023

Buenos días and welcome to número tres in the holiday '23 series.

This one is sure to please the crowd – it’s the NEW AND IMPROVED, easy-to-set-up/deploy/use solution for when IT Ops/Support needs a local admin ID and password to perform some management task(s) on a Windows endpoint.

As many people know, we have long had a popular solution for this - but now it's been updated to work on-prem or in the cloud and has a robust set of features:

  • Secure storage of the password value in on-prem AD or Entra ID
  • Manage the built-in Administrator account or a custom local account
  • PowerShell support
  • Auditing in the cloud and on the endpoint (it even has its very own event log)
  • Automatic password rotation after use
  • ... and more

From the Entra ID portal > Devices > Device Settings blade, enable the capability:

From the Intune portal > Endpoint Security > Account Protection node, create a new Policy for the Windows endpoints, based on the Windows LAPS template there:

Name the Policy, add a description, select/define your settings; target the desired devices and save the Policy:

Once the targeted devices apply the policy, you’ll have the ability to obtain the local account’s “managed” password from the device’s page in either the Entra portal or the Intune portal:

  • NOTE: the dialog box lists the Account name and Security ID (SID) – this one is using the built-in local Administrator account (note the well-known relative ID 500 at the end of the SID)

Audit – Recovery/retrieval of the local account password (from the Entra ID Audit logs, not Intune Audit logs - FYI):

Audit – Update the local account password (from the Entra ID Audit logs, not Intune Audit logs - FYI):

Audit – Local Event Log from the managed endpoint:

IMPORTANT – this process is for password management only – THIS WILL NOT CREATE NOR ENABLE/DISABLE A LOCAL ID.  And remember, the built-in Administrator account is usually disabled (by OS defaults).  You’ve been warned.
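A PowerShell companion to the steps above, added here as an example and not code from the post: it summarises the endpoint's own LAPS event log (the one the post mentions), retrieves the managed password for one device from Entra (the same "recover" action the portal dialog performs, and the one that shows up in the Entra audit log), and forces a rotation once the admin task is done. It assumes the built-in Windows LAPS module (Get-LapsAADPassword, Reset-LapsPassword) plus Microsoft.Graph.Authentication, and the device ID is an input you supply.

```powershell
#Requires -Modules LAPS
# Added example (not from the post). Assumes the built-in Windows LAPS PowerShell
# module on the endpoint and Microsoft.Graph.Authentication on the admin workstation.

function Get-LapsEndpointAudit {
    # Summarise the endpoint's own LAPS event log (Applications and Services Logs >
    # Microsoft > Windows > LAPS > Operational): which event IDs fired, how often, and when.
    param([int]$MaxEvents = 200)
    Get-WinEvent -LogName 'Microsoft-Windows-LAPS/Operational' -MaxEvents $MaxEvents -ErrorAction Stop |
        Group-Object -Property Id |
        Sort-Object -Property Count -Descending |
        Select-Object @{ n = 'EventId'; e = { [int]$_.Name } },
                      Count,
                      @{ n = 'Latest';  e = { ($_.Group | Sort-Object TimeCreated -Descending)[0].TimeCreated } },
                      @{ n = 'Message'; e = { ($_.Group[0].Message -split "`n")[0] } }
}

function Get-LapsCloudPassword {
    # Pull the Entra-managed password for one device. Each call is an audited recovery
    # action in the Entra audit log, so fetch per device, on demand, not in bulk.
    param([Parameter(Mandatory)][string]$DeviceId)   # Entra device name or object ID (supplied by you)
    Connect-MgGraph -Scopes 'Device.Read.All', 'DeviceLocalCredential.Read.All' | Out-Null
    $cred = Get-LapsAADPassword -DeviceIds $DeviceId -IncludePasswords -AsPlainText
    [pscustomobject]@{
        Device   = $cred.DeviceName
        Account  = $cred.Account
        Password = $cred.Password
        Expires  = $cred.PasswordExpirationTime
    }
}

function Invoke-LapsPostUseRotation {
    # Run on the endpoint when the admin task is finished: rotate now rather than waiting
    # for the policy's post-authentication reset delay, then confirm it landed in the log.
    Reset-LapsPassword
    Get-LapsEndpointAudit -MaxEvents 20
}
```

Get-LapsCloudPassword needs an account that is allowed to read device local credentials; a plain device reader gets the account name and expiry but no password.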

For more information:

A series recap (so far):

  1. The Twelve Days of Blog-mas: No.1 - A Creative Use for Intune Remediations - Microsoft Community Hub
  2. The Twelve Days of Blog-mas: No.2 - Windows Web Sign in and Passwordless - Microsoft Community Hub

Adiós until mañana

Hilde

Updated Dec 06, 2023
Version 4.0