Local administrator passwords are a silent security risk in many IT environments. In the rush of day-to-day operations, or simply through neglect, it is often overlooked that identical or never-rotated local admin passwords are active on numerous Windows devices: an open door for attackers, with the potential to escalate from one compromised device to many. Although solutions such as LAPS have existed for years, many IT departments shy away from the complex configuration or miss cloud integration. With the development of Windows LAPS and native support in Microsoft Intune, the playing field is changing and opening the door to modern, scalable protection of local admin rights.
The key points in brief
- Windows LAPS enables automated, secure management of local admin passwords and is natively integrated in modern Windows versions updated from April 2023 onward.
- Via Microsoft Intune, LAPS policies can be configured centrally and applied to devices, including Entra ID-joined clients.
- The setup requires a custom admin account and, in hybrid environments, a schema extension of the on-premises Active Directory.
- The classic Microsoft LAPS (legacy) is still supported, but cannot be combined with Windows LAPS and is blocked on new systems.
Want to manage local admin passwords automatically and securely? We implement Windows LAPS in Intune for you, GDPR-compliant and reliably.
1. Introduction to Windows LAPS
Windows LAPS (Local Administrator Password Solution) is Microsoft's answer to a long-underrated problem: the secure management of local administrator passwords on Windows devices. The aim is to generate a unique, regularly changing password for each device and store it in protected form in a central directory, either Active Directory or Entra ID.
The advantage is obvious: even if a single device is compromised, the damage remains isolated. No more lateral access through a universal admin password, no more manual resets by help desk staff, no lists of shared credentials in Excel files.
With the modern LAPS approach combined with Microsoft Intune, these security mechanisms can be implemented in a cloud-based and automated manner, without the classic, more complex group policy infrastructure. This makes the solution particularly attractive for companies that rely on Microsoft 365 and modern workplace concepts.
2. Implementation Requirements
Before you set up Windows LAPS using Microsoft Intune, make sure that your environment meets all basic requirements. If certain conditions are missing, unexpected behavior may occur or the policies may not take effect.
License requirements
Windows LAPS is included as standard from certain versions of Windows onward and does not require an additional license. However, administration via Intune requires appropriate Microsoft Intune licenses, such as those included in Microsoft 365 E3/E5 or Enterprise Mobility + Security E3/E5. If passwords are to be stored in the cloud, an additional Entra ID P1 or P2 license is required.
Supported Windows Versions
The modern Windows LAPS integration, i.e. the cloud-enabled version with Intune support, is fully supported from the following versions:
- Windows 11 23H2 and all subsequent Windows client releases
- Windows 11 22H2 with the update of April 11, 2023 or later
- Windows 11 21H2 with the update of April 11, 2023 or later
- Windows 10 with the update of April 11, 2023 or later
- Windows Server 23H2 and all subsequent Windows Server releases
- Windows Server 2022 with the update of April 11, 2023 or later
- Windows Server 2019 with the update of April 11, 2023 or later
Devices that do not meet these minimum requirements may not process LAPS policies correctly or may fail to secure passwords.
Active Directory and Entra ID support
Windows LAPS can store passwords either in the on-premises Active Directory or in Entra ID (formerly Azure AD). In hybrid scenarios, i.e. for devices that are joined to both AD and Entra ID, a schema extension of the on-premises Active Directory is required beforehand. This is done with the PowerShell cmdlet Update-LapsADSchema. For pure Azure AD (Entra ID) environments, this step is not required.
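The following is an added example (not from the original article) of the hybrid preparation steps just described, using the Windows LAPS PowerShell module: the schema extension, granting computers the right to write their own password attributes, and reviewing which principals may read those passwords. The OU distinguished name and the reader group are placeholders; the schema step needs Schema Admins rights and runs once per forest.

```powershell
# Added example: prepare the on-premises AD for Windows LAPS in a hybrid setup.
# Run from a domain-joined admin workstation with the LAPS module present
# (available after the April 2023 update). Placeholders: OU DN and group name.
Import-Module LAPS

# 1. One-time, forest-wide schema extension adding the Windows LAPS attributes.
Update-LapsADSchema -Verbose

# 2. Allow computers in the target OU to write their own LAPS password attributes.
$targetOU = 'OU=Workstations,DC=example,DC=local'   # placeholder OU
Set-LapsADComputerSelfPermission -Identity $targetOU

# 3. Grant read access to a dedicated group instead of relying on broad
#    Domain Admins membership (least privilege for password retrieval).
$readers = 'EXAMPLE\LAPS-Password-Readers'          # placeholder group
Set-LapsADReadPasswordPermission -Identity $targetOU -AllowedPrincipals $readers

# 4. Audit: list every principal holding extended rights on the OU, so that
#    unexpected readers (e.g. legacy delegations) are spotted before rollout.
Find-LapsADExtendedRights -Identity $targetOU | Format-Table -AutoSize
```

Step 4 is worth repeating after any delegation change: the extended-rights list is the authoritative answer to "who can read these passwords", which an Intune report does not show for AD-backed devices.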
Create a custom administrator account
Windows LAPS does not create its own administrator account. The solution expects one to already exist, with the name specified in the policy. If this is not the case, password management fails. Therefore, a custom local administrator account must be created in advance. This can be done either via a PowerShell script deployed through Intune or via a group policy.
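As an added example (not the article's own script), the following Intune platform script creates the custom local administrator account idempotently before the LAPS policy arrives. The account name LocalAdmin is an assumption and must match the name later entered in the policy; the initial password is a throwaway value, since Windows LAPS rotates it as soon as the policy applies.

```powershell
# Added example: Intune platform script (run in the SYSTEM context, 64-bit) that
# ensures the custom local admin account named in the LAPS policy exists.
# Assumption: the policy's AdministratorAccountName will be 'LocalAdmin'.
$AccountName = 'LocalAdmin'

function New-TemporaryPassword {
    param([int]$Length = 24)
    # Throwaway value: Windows LAPS replaces it on first policy processing.
    $chars = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789!$%&*+-=?@'
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $sb = New-Object System.Text.StringBuilder
    $buf = New-Object byte[] 1
    while ($sb.Length -lt $Length) {
        $rng.GetBytes($buf)
        # Rejection sampling keeps the character distribution uniform.
        if ($buf[0] -lt (256 - (256 % $chars.Length))) {
            [void]$sb.Append($chars[$buf[0] % $chars.Length])
        }
    }
    $sb.ToString()
}

# Create the account only if it does not exist yet (script may run repeatedly).
$existing = Get-LocalUser -Name $AccountName -ErrorAction SilentlyContinue
if (-not $existing) {
    $secure = ConvertTo-SecureString (New-TemporaryPassword) -AsPlainText -Force
    New-LocalUser -Name $AccountName -Password $secure `
        -Description 'Managed by Windows LAPS' | Out-Null
}
Enable-LocalUser -Name $AccountName

# Resolve the local Administrators group by its well-known SID so the script
# also works on non-English Windows installations.
$adminsGroup = (Get-LocalGroup -SID 'S-1-5-32-544').Name
$isMember = Get-LocalGroupMember -Group $adminsGroup -Member $AccountName -ErrorAction SilentlyContinue
if (-not $isMember) {
    Add-LocalGroupMember -Group $adminsGroup -Member $AccountName
}
Write-Output "Account '$AccountName' present and member of '$adminsGroup'."
```

Deploy it under Devices > Scripts with "Run this script using the logged on credentials" set to No and "Run script in 64 bit PowerShell Host" set to Yes, and assign it to the same device groups as the LAPS policy so the account exists before the policy is processed.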
3. Set up Windows LAPS with Microsoft Intune
The integration of Windows LAPS with Microsoft Intune provides centralized, cloud-based control of local administrator passwords, without classic GPOs or additional tools. The setup process is divided into three key steps: create a policy, configure its settings, and assign it to devices.
Create a LAPS policy in Intune
In the Intune admin center, under Endpoint security > Account protection, a new LAPS policy can be created. “Windows 10 and higher” is selected as the platform, after which configuration can begin.
Configuring policy settings
The central parameters are set in the policy editor:
- Backup directory: Active Directory, Entra ID, or no storage. Entra ID is recommended for cloud-based environments.
- Password age: Defines how often the password is changed automatically. An interval of 30 days is considered a safe standard.
- Password complexity: Defines the length and composition of the password (uppercase/lowercase letters, special characters, numbers).
- Administrator account name: Optionally, the local admin account to be managed can be given a name that deviates from standard names such as “administrator”.
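To verify on a device that the settings listed above actually arrived with the intended values, the following added check script (not from the article) reads the applied Windows LAPS policy and flags values weaker than the recommendations. It assumes that the Intune LAPS CSP writes the policy to HKLM:\SOFTWARE\Microsoft\Policies\LAPS with the value names shown; the defaults used for unset values are assumptions as well.

```powershell
# Added example: compare the LAPS policy applied on this device against the
# recommended settings. Assumed registry location and value names of the
# Windows LAPS policy; assumed built-in defaults when a value is not set.
function Test-LapsPolicySettings {
    $policyPath = 'HKLM:\SOFTWARE\Microsoft\Policies\LAPS'
    $policy = Get-ItemProperty -Path $policyPath -ErrorAction SilentlyContinue
    if (-not $policy) {
        return [pscustomobject]@{ PolicyFound = $false; Findings = @("No LAPS policy at $policyPath") }
    }

    # Fall back to the assumed defaults when a value is absent.
    $backup     = if ($null -ne $policy.BackupDirectory)     { $policy.BackupDirectory }     else { 0 }
    $ageDays    = if ($null -ne $policy.PasswordAgeDays)     { $policy.PasswordAgeDays }     else { 30 }
    $length     = if ($null -ne $policy.PasswordLength)      { $policy.PasswordLength }      else { 14 }
    $complexity = if ($null -ne $policy.PasswordComplexity)  { $policy.PasswordComplexity }  else { 4 }
    $account    = $policy.AdministratorAccountName

    $findings = @()
    switch ($backup) {
        1 { $backupName = 'Entra ID' }
        2 { $backupName = 'Active Directory' }
        default {
            $backupName = 'Disabled'
            $findings += 'Backup directory is disabled: passwords cannot be retrieved centrally.'
        }
    }
    if ($ageDays -gt 30)    { $findings += "Password age $ageDays days exceeds the 30-day recommendation." }
    if ($length -lt 14)     { $findings += "Password length $length is below 14 characters." }
    if ($complexity -lt 4)  { $findings += "Complexity level $complexity omits a character class; use 4 (upper, lower, digits, special)." }
    if ([string]::IsNullOrEmpty($account)) {
        $findings += 'No custom account name set: the built-in Administrator (RID 500) is managed.'
    }

    [pscustomobject]@{
        PolicyFound     = $true
        BackupDirectory = $backupName
        PasswordAgeDays = $ageDays
        PasswordLength  = $length
        Complexity      = $complexity
        AccountName     = $account
        Findings        = $findings
    }
}

Test-LapsPolicySettings | Format-List
```

Run it as an administrator on a pilot device after the policy has synced; an empty Findings list means the device carries the settings described above. Get-LapsDiagnostics from the LAPS module collects the same policy state together with the operational log if Microsoft support needs it.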
Assigning the policy to devices
The finished policy is then assigned to one or more device groups. As soon as the affected endpoints receive the configuration, LAPS becomes active and starts managing the administrator passwords.
4. Managing LAPS passwords
As soon as Windows LAPS is active, the system automatically manages local administrator passwords, including rotation, storage, and logging. For administrators, this provides new opportunities for insight and control, but also clear responsibilities when dealing with sensitive information.
View account and password details
The stored passwords can be viewed centrally in the Microsoft Intune admin center. Under Devices > [device name] > Local administrator account, the current password is displayed, including the expiration date and change history. Access is role-based, restricted and logged, a decisive security advantage over conventional solutions.
Reset passwords manually
In addition to automatic rotation, passwords can also be reset manually. This may be necessary, for example, after an incident or when a device is retired from service. The “Reset” option immediately triggers generation of a new password on the device in question.
Configure automatic password rotation
The automatic rotation cycle is defined by the Intune policy. A regular change, ideally every 30 days or after every logon with the account, ensures that compromised credentials are only of limited value. The rotation takes place in the background and requires no user interaction.
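The retrieval, manual reset and rotation check described in this section can also be done from PowerShell with the LAPS module, which is useful for scripted incident handling and for verifying that rotation really happened. The following is an added example and not the article's own code; the Entra device ID and computer name are placeholders, and it assumes a Microsoft Graph session already established with the permission to read device local credentials.

```powershell
# Added example: day-to-day Windows LAPS operations from PowerShell.
# Placeholders: Entra device ID and the hybrid computer name. Assumes
# Connect-MgGraph has been run with a scope allowing local credential reads.
Import-Module LAPS

# --- Retrieve: Entra ID-backed device -----------------------------------
$deviceId = '00000000-0000-0000-0000-000000000000'   # placeholder Entra device ID
$entry = Get-LapsAADPassword -DeviceIds $deviceId -IncludePasswords -AsPlainText
$entry | Select-Object DeviceName, Account, PasswordUpdateTime, PasswordExpirationTime

# --- Retrieve: AD-backed hybrid device, including previous passwords ----
Get-LapsADPassword -Identity 'WS-HYBRID-01' -AsPlainText -IncludeHistory   # placeholder name

# --- Reset: run ON the affected device after the password was used --------
# Forces a new password and immediate backup to the configured directory,
# so a credential handed out to help desk is worthless afterwards.
Reset-LapsPassword
Invoke-LapsPolicyProcessing

# --- Verify: confirm the rotation in the operational event log -----------
function Get-LapsRecentEvents {
    param([int]$Count = 15)
    Get-WinEvent -LogName 'Microsoft-Windows-LAPS/Operational' -MaxEvents $Count |
        Select-Object TimeCreated, Id, LevelDisplayName, Message
}
Get-LapsRecentEvents | Format-Table -AutoSize -Wrap
```

Every retrieval through Get-LapsAADPassword is an audited read in Entra ID, so the pattern "retrieve, use, Reset-LapsPassword" leaves both the access and the subsequent rotation in the logs, which is what an incident reviewer wants to see.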
5. Best practices and common troubleshooting
The productive use of Windows LAPS in combination with Intune brings not only advantages but also pitfalls, particularly in hybrid or heterogeneous IT environments. A clean rollout and continuous monitoring are crucial for the lasting success of the solution.
Avoiding policy conflicts
A common mistake occurs when there are multiple configuration sources, such as an old group policy that remains active in parallel with an Intune policy. To avoid conflicts, ensure that only modern LAPS configurations are used. Legacy LAPS should be deactivated as soon as the new variant is active.
Ensuring device compatibility
Not all devices fully support LAPS, especially when recent updates are missing. An automated compatibility check before policy assignment helps identify incompatible systems in advance. In addition, event logs and Intune reports should be checked regularly during the pilot phase.
Recommended security measures
Access to LAPS passwords should be strictly role-based, ideally via Privileged Identity Management (PIM) in Entra ID. It is also recommended to activate audit logs so that every access is traceably recorded. Choosing an individual, non-standard admin account name also contributes to security.
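The compatibility check and the legacy-policy conflict check from the two preceding subsections can be combined into one Intune custom compliance discovery script. The following is an added example, not part of the article: it detects Windows LAPS support indirectly (the LAPS module and operational log only exist on updated builds), reports the join state, and looks for legacy LAPS leftovers. The legacy CSE path and registry key are the well-known locations of the old AdmPwd client; the Windows LAPS policy key is assumed to be HKLM:\SOFTWARE\Microsoft\Policies\LAPS.

```powershell
# Added example: readiness and conflict check for Windows LAPS, usable as an
# Intune custom compliance discovery script (outputs compact JSON).
# Assumed locations: legacy AdmPwd CSE/GPO key and the Windows LAPS policy key.
function Test-LapsReadiness {
    $os = Get-CimInstance -ClassName Win32_OperatingSystem

    # Windows LAPS components appear only once the April 2023 update is installed.
    $hasModule = [bool](Get-Module -ListAvailable -Name LAPS)
    $hasLog    = [bool](Get-WinEvent -ListLog 'Microsoft-Windows-LAPS/Operational' -ErrorAction SilentlyContinue)

    # Legacy LAPS (AdmPwd) leaves a client-side extension DLL and a GPO key.
    $legacyCse    = Test-Path 'C:\Program Files\LAPS\CSE\AdmPwd.dll'
    $legacyPolicy = Test-Path 'HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd'
    $modernPolicy = Test-Path 'HKLM:\SOFTWARE\Microsoft\Policies\LAPS'

    # Join state from dsregcmd; a line match is enough for a yes/no answer.
    $dsreg = dsregcmd /status
    $entraJoined  = [bool]($dsreg -match '^\s*AzureAdJoined\s*:\s*YES')
    $domainJoined = [bool]($dsreg -match '^\s*DomainJoined\s*:\s*YES')

    $issues = @()
    if (-not $hasModule -or -not $hasLog) { $issues += 'Windows LAPS components missing: install the April 2023 or later update.' }
    if ($legacyCse)    { $issues += 'Legacy LAPS CSE (AdmPwd.dll) installed: uninstall before enabling Windows LAPS.' }
    if ($legacyPolicy) { $issues += 'Legacy LAPS GPO settings present: remove the old policy to avoid conflicts.' }
    if ($legacyPolicy -and $modernPolicy) { $issues += 'Both legacy and Windows LAPS policies found on this device.' }
    if (-not ($entraJoined -or $domainJoined)) { $issues += 'Device is neither Entra ID- nor domain-joined: no backup directory available.' }

    [pscustomobject]@{
        OSVersion        = $os.Version
        WindowsLapsReady = ($hasModule -and $hasLog)
        EntraJoined      = $entraJoined
        DomainJoined     = $domainJoined
        LegacyLapsFound  = ($legacyCse -or $legacyPolicy)
        ModernPolicyApplied = $modernPolicy
        Ready            = ($issues.Count -eq 0)
        Issues           = ($issues -join ' | ')
    }
}

# Intune custom compliance expects a single JSON object on stdout.
Test-LapsReadiness | ConvertTo-Json -Compress
```

Pair the script with a compliance JSON rule requiring Ready to equal true, and use the resulting compliance state as the filter for the device group that receives the LAPS policy; devices still carrying legacy LAPS then surface in the report before the new policy can collide with the old one.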
6. Conclusion
Windows LAPS in conjunction with Microsoft Intune creates a modern, scalable solution to one of the oldest security problems in the Windows environment: the improper management of local administrator passwords. The combination of automatic rotation, central storage and granular access control effectively mitigates a significant point of attack.
Especially in cloud-first or hybrid environments, integration with Intune offers a clear advantage over classic GPO-based methods. The key to success lies not only in the technical implementation but also in a well-thought-out rollout strategy, clear responsibilities and consistent monitoring.
If you use LAPS correctly, you lay the foundation for a more secure and efficient endpoint infrastructure and at the same time reduce operational costs in everyday IT work.