Microsoft Entra Blog

Windows Local Administrator Password Solution with Microsoft Entra ID now generally available!

Sandeep Deo
Oct 23, 2023

Today we’re excited to announce the general availability of Windows Local Administrator Password Solution (LAPS) with Microsoft Entra ID and Microsoft Intune. This capability is available for both Microsoft Entra joined and Microsoft Entra hybrid joined devices. It empowers every organization to protect and secure the local administrator account on Windows and to mitigate Pass-the-Hash (PtH) and lateral traversal attacks.

Since our public preview announcement in April 2023, we’ve continued to see significant growth in deployment and usage of Windows LAPS across thousands of customers and millions of devices. Thank you!  
This feature is available on the following Windows OS platforms with the April 11, 2023, or later Windows Updates installed: 
  • Windows 11 22H2 
  • Windows 11 21H2 
  • Windows 10 20H2, 21H2 and 22H2 
  • Windows Server 2022 
  • Windows Server 2019 
To manage client-side configuration for Windows LAPS, you can use: 
We’re continuing to add support for more features based on customer feedback. Today, you can enable the following:  

  • Turn on Windows LAPS using a tenant-wide policy and a client-side policy to back up the local administrator password to Microsoft Entra ID. 
  • Configure client-side policies via Microsoft Intune portal for local administrator password management to set account name, password age, length, complexity, manual password reset and so on.  
  • Recover stored passwords via Microsoft Entra/Microsoft Intune portal or Microsoft Graph API/PSH. 
  • Enumerate all LAPS-enabled devices via Microsoft Entra portal or Microsoft Graph API/PSH. 
  • Create Microsoft Entra ID role-based access control (RBAC) policies with custom roles and administrative units for authorization of password recovery. 
  • View audit logs via Microsoft Entra portal or Microsoft Graph API/PSH to monitor password update and retrieval events. 
  • Configure Conditional Access policies on directory roles that have the authorization of password recovery.  
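The Graph API/PSH enumeration path listed above, as an added example that is not code from the post: this PowerShell script lists every LAPS-enabled device through Microsoft Graph and flags devices whose last password backup is older than a threshold, a quick hygiene check before relying on a stored password. It assumes the Microsoft.Graph PowerShell SDK and a signed-in account allowed to read LAPS metadata; the endpoint, scope and property names follow the Graph deviceLocalCredentialInfo resource, and the 30-day threshold is an assumed value.

```powershell
# Added example, not code from the blog post. Enumerates LAPS-enabled devices through
# Microsoft Graph and flags devices whose last password backup is older than a threshold.
# Assumes the Microsoft.Graph PowerShell SDK is installed and the signed-in account holds
# a directory role permitted to read LAPS metadata. Endpoint, scope and property names
# follow the Graph deviceLocalCredentialInfo resource; the 30-day default is an assumed
# value to be aligned with your own password-age policy.
param(
    [int]$MaxBackupAgeDays = 30
)

# ReadBasic returns device and backup metadata only, never the password itself, so this
# report can run from a low-privilege context.
Connect-MgGraph -Scopes "DeviceLocalCredential.ReadBasic.All" -NoWelcome

$uri = "https://graph.microsoft.com/v1.0/directory/deviceLocalCredentials"
$devices = New-Object System.Collections.Generic.List[object]

# Follow @odata.nextLink so tenants with more devices than one page are fully covered.
do {
    $page = Invoke-MgGraphRequest -Method GET -Uri $uri -OutputType PSObject
    foreach ($item in $page.value) { $devices.Add($item) }
    $uri = $page.'@odata.nextLink'
} while ($uri)

$cutoff = (Get-Date).ToUniversalTime().AddDays(-$MaxBackupAgeDays)

$report = foreach ($d in $devices) {
    # lastBackupDateTime is an ISO 8601 timestamp; guard against a missing value.
    $last = if ($d.lastBackupDateTime) { ([datetime]$d.lastBackupDateTime).ToUniversalTime() } else { $null }
    $next = if ($d.refreshDateTime)    { ([datetime]$d.refreshDateTime).ToUniversalTime() }    else { $null }
    [pscustomobject]@{
        DeviceName      = $d.deviceName
        DeviceId        = $d.id
        LastBackupUtc   = $last
        NextRotationUtc = $next
        StaleBackup     = (-not $last) -or ($last -lt $cutoff)
    }
}

"LAPS-enabled devices found: $($devices.Count)"
$report | Sort-Object LastBackupUtc | Format-Table -AutoSize

# A stale or missing backup usually means the device is offline, the policy has not
# applied, or the managed account name does not match; each case is worth following up,
# because the stored password may no longer open the device.
$stale = @($report | Where-Object StaleBackup)
"Devices with no backup in the last $MaxBackupAgeDays days: $($stale.Count)"
```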
Features on the roadmap: 
  • Automatic local administrator account creation when configured for Windows LAPS. 
  • Device notifying Microsoft Entra ID when local administrator password is used for authentication. 
  • JIT-enabled self-service local administrator password recovery for a device owner. 
As always, we'd love to hear your feedback, thoughts, and suggestions! Feel free to share with us on the Microsoft Entra ID forum or leave comments below. We look forward to hearing from you.  
Best regards,   
Sandeep Deo (@MsftSandeep)   
Principal Product Manager   
Microsoft Identity Division  
Updated Apr 17, 2024
Version 2.0

29 Comments

  • Anonymous

    JaySimmons even though the policy is rolled out on devices and devices are compliant, I do not see the password in devices > deviceid > local admin password. Have not checked Eventlog yet. 
    Since ADPasswordEncryptionPrincipal is missing in Endpoint security > account security policy, do I assume correctly that this one needs to be added via custom CSP policies and that this AD (Entra AD synced) group needs the correct permissions?

  • Anonymous

    Deleted if your local Administrator is disabled, I believe it would take more effort to misuse it for attacks. Some even rename this one for higher security. In your scenario, in case of unfortunate events, how do you recover BitLocker or uninstall CUs in WinRE locally?

  • Anonymous

    Thank you JaySimmons for your helpful guidance. I believed the settings catalog remains the central hub for all policies. Your screenshot helped me a lot.
    Maybe Sandeep Deo would like to update his original post, as it does not mention this place but just refers to CSP and GPO, instead of the configuration plane you showed, where Windows LAPS configuration is much more accessible.

    I am missing "ADPasswordEncryptionPrincipal" in Endpoint Security > Account protection.

  • Anonymous

    Is all this recommended even in a cloud-only scenario? All devices are joined to Entra ID and managed by Intune. Local admin and guest accounts are disabled.

  • EventfulWahlgren We have integrated the password recovery experience into the Intune console and will work with Intune to get it added to the Intune for Education console.

  • Deleted,

    I think you are looking at the legacy LAPS Intune settings; the old-vs-new naming conflict can cause confusion.

    EDIT: you may have already been aware of this distinction; if so, apologies, and back to Sandeep Deo for your original request.

    When you create an Intune policy for Windows LAPS, you should see something that looks like this:

    Assuming your Intune mgmt portal looks the same as mine, you should be able to create a Windows LAPS policy via the following workflow:

    Endpoint Security -> Account protection -> Create Policy -> set Platform to "Windows 10 and later" -> set Profile to "Local admin password solution (Windows LAPS)".

    Side note: the legacy LAPS Intune settings were managed via straightforward ADMX registry mappings, as opposed to an inbox CSP, which is what Windows LAPS supports.

    hth,

    Jay

  • I'd love to see the ability to get the password integrated into Intune for Education. We use IfE with municipalities to make sure admins only have access to their students and devices, and the access to BitLocker keys has been beneficial, as I'm sure LAPS would be as well if released.

  • Anonymous

    Another question: 

    For easier adoption, is it planned that CSP policies will be merged into the settings catalog? This would be very helpful.
    https://learn.microsoft.com/windows/client-management/mdm/laps-csp

    edit:

    LAPS is in the settings catalog. Is this one complete, or do we still need to tinker with CSP policies?

    edit2: unfortunately, the settings catalog is incomplete and won't help to get Windows LAPS activated.

    Sandeep Deo would you mind asking internally that the Windows LAPS settings be included in the settings catalog for easier configuration? Thank you very much in advance!

  • Dear Sandeep Deo

    thank you for this magnificent addition and work on Windows LAPS.

    Some parts in regard to Windows Server are unclear to me, and I hope you can shed some light. 

    It is true that Windows LAPS can save secrets either to Entra ID (the GPO says Azure AD) or to local AD DS. 

    The announcement by Merill reads like Entra ID is required. I understand that your and Merill's announcements focus on Windows LAPS for Entra ID, but they should differentiate that it is also possible to use it on-premises only for Windows Server and, if one wants to, also for Windows Client. 

    I have a few questions on the mentioned hybrid-joined or Entra-only-joined devices. 

    Q: What is the preferred procedure to join Windows Server to Entra ID only or hybrid?

    Asking because Windows Server Core (GUI-less) doesn't offer dsregcmd, very unfortunately.

    Q: Can we bring dsregcmd to Windows Server Core for feature parity? It exists on the GUI variant.

    Q: I could imagine that joining Windows Server through Azure Arc is enough to make it hybrid joined. Is it? How about Entra only, is it possible? 

    Q: Does Windows LAPS work with Entra Directory Services (formerly Azure AD Domain Controllers)?