What is Windows LAPS and why should you implement it with Microsoft Intune?
Windows Local Administrator Password Solution (LAPS) is a critical security feature that automatically manages local administrator passwords across your Windows devices. Instead of using the same local admin password on every machine (a massive security risk), LAPS generates unique, complex passwords for each device and rotates them regularly.
When integrated with Microsoft Intune, LAPS becomes even more powerful. Your passwords are securely backed up to Microsoft Entra ID (formerly Azure AD), and you can manage the entire solution through cloud-based policies. This eliminates the need for on-premises infrastructure while providing enterprise-grade security for your local administrator accounts.
Let me walk you through the complete setup process. I've deployed this configuration dozens of times, and I'll share the exact steps, common pitfalls, and pro tips that will save you hours of troubleshooting.
How do you enable Windows LAPS at the tenant level in Microsoft Entra ID?
The first step is enabling LAPS tenant-wide in Microsoft Entra ID. This is a global setting that affects all devices in your organization, so we need to be careful here.
Sign in to the Microsoft Entra admin center at https://entra.microsoft.com (the same blade is also reachable through https://portal.azure.com) using an account that holds the Cloud Device Administrator or Global Administrator role. Navigate to Identity > Devices > Overview > Device settings.
Look for the setting Enable Local Administrator Password Solution (LAPS) and set it to Yes. Click Save to apply the changes.
The setting takes effect immediately, but devices will only start using LAPS once you deploy the actual policies through Intune. This gives you control over the rollout pace.
Why do you need to enable the built-in administrator account for Windows LAPS?
Here's something that catches many administrators off guard: on a clean Windows install the built-in administrator account is disabled, and Windows LAPS never changes the account's enabled state; it only manages the password. Your LAPS policy will deploy successfully and report success, but when you need that password in an emergency you will be holding a valid password for an account that cannot sign in.
We'll create an Intune configuration profile to enable this account across your target devices. Sign in to the Microsoft Intune admin center at https://intune.microsoft.com and navigate to Devices > Configuration profiles > Create profile.
Configure the profile with these settings:
- Platform: Windows 10 and later
- Profile type: Settings catalog
In the Basics tab, enter a descriptive name like "Enable Built-in Administrator for LAPS" and add a clear description explaining the purpose.
In the Configuration settings tab, click Add settings and search for "Local Policies Security Options". Select Accounts Enable Administrator Account Status (the settings catalog name for the "Accounts: Administrator account status" security option) and set it to Enabled.
For assignments, start with a pilot group of test devices. I always recommend testing LAPS on a small group first to validate everything works as expected before rolling out to production.
After creating the profile, monitor its deployment status in the Intune admin center. You can verify the policy worked by running net user administrator on a target device - the account should show as "Active: Yes".
How do you configure the main Windows LAPS policy in Microsoft Intune?
Now we get to the heart of the configuration - creating the actual LAPS policy that defines how passwords are generated, rotated, and stored. This is where you'll spend most of your time fine-tuning the settings for your organization's security requirements.
In the Intune admin center, go to Endpoint security > Account protection > Create Policy. Select Platform: Windows 10 and later and Profile: Local admin password solution (Windows LAPS).
Here are the configuration settings I recommend based on years of real-world deployments:
| Setting | Recommended Value | Why This Matters |
|---|---|---|
| Password Age (Days) | 30 | Balances security with operational overhead. Too frequent causes support issues. |
| Password Complexity | Large + small letters + numbers + specials | Maximum security against brute force attacks. |
| Password Length | 14 | Meets most compliance requirements while remaining manageable. |
| Backup Directory | AzureAD (Microsoft Entra ID) | Cloud storage eliminates on-premises infrastructure needs. |
| Password Encryption | Not applicable for Entra ID | This setting only applies when the backup directory is Windows Server Active Directory; passwords backed up to Entra ID are stored encrypted by the service regardless. |
| Administrator Account Name | Leave blank | Blank targets the built-in administrator by its well-known RID (500), so it keeps working even if the account has been renamed. Only fill this in for a custom local admin account. |
| Post Authentication Actions | Reset password | Rotates the password after the managed account signs in, so a password handed out for one incident cannot be reused for the next. |
| Post Authentication Reset Delay | 24 hours | Grace period, counted from that sign-in, to finish the administrative task before the password changes. |
The post-authentication settings deserve special attention. When enabled, LAPS automatically resets the administrator password after the managed account successfully authenticates. The reset delay gives you a grace period to complete your administrative tasks before the password changes; the stronger variants of the action also log the account off or reboot the device at that point, which is worth considering for kiosks and shared machines where a technician might otherwise leave a session open.
For assignments, start with your pilot device group. I typically run pilot deployments for at least a week to identify any issues before expanding to production devices.
How do you verify Windows LAPS is working correctly on target devices?
Verification is crucial - you need to confirm that LAPS is actually working on your devices, not just that the policies deployed successfully. I've seen too many deployments where administrators assumed everything was working based on policy status alone.
On a target Windows device, open PowerShell as an administrator and run these diagnostic commands:

```powershell
# Check the LAPS policy the device received. Intune delivers it through the Policy CSP,
# which writes here; Group Policy uses HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\LAPS
Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Policies\LAPS"
# Windows LAPS has no Windows service of its own (it runs inside lsass), so check for the
# built-in LAPS PowerShell module instead; if it is missing, the OS has no Windows LAPS at all
Get-Module -ListAvailable -Name LAPS
# Check the dedicated LAPS event channel for policy processing and password updates
Get-WinEvent -LogName "Microsoft-Windows-LAPS/Operational" -MaxEvents 10
# Force an MDM sync so the device picks up the latest Intune policy
Get-ScheduledTask | Where-Object {$_.TaskName -eq "PushLaunch"} | Start-ScheduledTask
# Force a LAPS policy processing cycle instead of waiting for the hourly background run
Invoke-LapsPolicyProcessing
# Check registration; backup to Entra ID needs the device to be Entra joined or hybrid joined
dsregcmd /status
```

The registry check should show your policy settings populated. Look for entries like PasswordAgeDays, PasswordComplexity, and BackupDirectory that match your Intune policy configuration; the values are stored as integers (for example BackupDirectory is 1 for Entra ID).
For the administrator account verification, run:

```powershell
net user administrator
```

You should see "Account active   Yes" in the output. If it shows No, your administrator enablement policy hasn't applied yet. If the account has been renamed, net user administrator fails with "The user name could not be found"; in that case list local accounts with Get-LocalUser and look for the one whose SID ends in -500.
The event logs are particularly valuable for troubleshooting. LAPS writes detailed information about password changes, policy application, and any errors encountered during the process.
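To pull those checks together into something you can run on every pilot device, here is an added PowerShell script (not from the original post) that compares the policy the device received against the recommended values from the settings table, confirms the managed account by its well-known RID rather than by name, and reads the LAPS event channel. The $Expected values are an assumption matching that table; change them to your own policy.

```powershell
# Added example, not from the original post: on-device Windows LAPS health check.
# Assumes Windows LAPS is present (Windows 10/11 with the April 2023 update or later) and that
# the policy came from Intune, so it sits in the Policy CSP key. Run from an elevated session.

# Expected values, an assumption taken from the recommended settings table; edit to match your policy.
# PasswordComplexity 4 = large + small letters + numbers + specials; BackupDirectory 1 = Entra ID, 2 = AD
$Expected = @{
    PasswordAgeDays    = 30
    PasswordComplexity = 4
    PasswordLength     = 14
    BackupDirectory    = 1
}

function Get-LapsEffectivePolicy {
    # Intune (Policy CSP) writes the first key; Group Policy writes the second
    foreach ($key in 'HKLM:\SOFTWARE\Microsoft\Policies\LAPS',
                     'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\LAPS') {
        if (Test-Path $key) { return Get-ItemProperty -Path $key }
    }
}

function Test-LapsPolicyDrift {
    # Compares each expected setting against what the device actually received
    param([hashtable]$Expected)
    $policy = Get-LapsEffectivePolicy
    if (-not $policy) {
        return [pscustomobject]@{ Setting = '(policy key)'; Expected = 'present'; Actual = 'missing'; Ok = $false }
    }
    foreach ($name in $Expected.Keys) {
        [pscustomobject]@{
            Setting  = $name
            Expected = $Expected[$name]
            Actual   = $policy.$name
            Ok       = ($policy.$name -eq $Expected[$name])
        }
    }
}

function Get-LapsManagedAccountState {
    # The built-in administrator is always RID 500, so match on SID rather than on the name,
    # which catches renamed accounts that "net user administrator" would miss
    Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' } |
        Select-Object Name, Enabled, PasswordLastSet
}

function Get-LapsRecentEvents {
    param([int]$Count = 10)
    # Windows LAPS logs to its own channel; errors and warnings here are the first place to look
    Get-WinEvent -LogName 'Microsoft-Windows-LAPS/Operational' -MaxEvents $Count -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, LevelDisplayName, Message
}

# Trigger a policy processing cycle now instead of waiting for the hourly background run
Invoke-LapsPolicyProcessing

Test-LapsPolicyDrift -Expected $Expected | Format-Table -AutoSize
Get-LapsManagedAccountState
Get-LapsRecentEvents | Format-Table -AutoSize -Wrap
```

A row with Ok set to False is either configuration drift or a setting that never arrived; a missing policy key means the device has not received the Intune policy at all. PasswordLastSet on the managed account moving forward after Invoke-LapsPolicyProcessing is the clearest sign that rotation actually works, independent of what the Intune policy status says.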
How do you configure secure password retrieval permissions for Windows LAPS?
LAPS passwords are extremely sensitive - they provide full administrative access to your devices. You need to carefully control who can retrieve these passwords and regularly audit access.
In the Microsoft Entra admin center, navigate to Identity > Roles and administrators. The built-in Global Administrator, Cloud Device Administrator and Intune Administrator roles can all read LAPS passwords, but each carries far more than that, so a dedicated custom role is the better choice for helpdesk staff.

For custom permissions, create a role with these specific actions. The deviceLocalCredentials permissions come in two levels: standard/read exposes only backup metadata (device name, last backup time, expiration), while password/read reveals the password itself, so you can give first-line support the former and reserve the latter for the tier that actually needs to sign in:

```json
{
  "displayName": "LAPS Password Reader", "isEnabled": true,
  "rolePermissions": [ { "allowedResourceActions": [
    "microsoft.directory/devices/standard/read",
    "microsoft.directory/deviceLocalCredentials/standard/read",
    "microsoft.directory/deviceLocalCredentials/password/read"
  ] } ]
}
```

To retrieve passwords, authorized users can:
- Access the Microsoft Entra admin center
- Navigate to Identity > Devices > All devices
- Select the target device
- Open Local administrator password recovery and click Show local administrator password to reveal the current password

The password retrieval interface shows the managed account name, the current password, when it was last rotated and when it expires. Each retrieval is written to the Entra audit log, so you have a complete trail of who read which device's password and when. The Get-LapsAADPassword cmdlet in the built-in LAPS PowerShell module reads the same data from a management workstation, which is handy for scripting and is subject to the same permission checks and audit logging.
Consider implementing additional controls like Privileged Identity Management (PIM) for LAPS password access, especially in high-security environments. This adds just-in-time access and approval workflows for password retrieval.
What are the most common Windows LAPS deployment issues and how do you troubleshoot them?
Even with careful planning, LAPS deployments can encounter issues. Here are the problems I see most frequently and how to resolve them quickly.
Monitor your deployment status in the Intune admin center by going to Endpoint security > Account protection, selecting your LAPS policy, and clicking Device status. This shows you which devices successfully received the policy and which ones failed.
Here's my troubleshooting matrix for common issues:
| Symptom | Most Likely Cause | Resolution Steps |
|---|---|---|
| Policy shows as "Not applicable" | Device doesn't meet requirements | Verify the OS (Windows 10 20H2 or later, or Windows 11, with the April 2023 update), that the device is Entra joined or hybrid joined rather than merely Entra registered, and that it is Intune enrolled |
| Administrator account still disabled | Admin enablement policy not applied | Check policy assignment and force device sync |
| No LAPS registry entries | Policy not received by device | Verify device compliance and network connectivity |
| Password not backing up to Entra ID | Device registration issues | Run dsregcmd /status; AzureAdJoined must be YES, and the tenant-level LAPS setting must be enabled |
| Event log errors | Permission or configuration issues | Check event details and verify tenant LAPS enablement |
For advanced troubleshooting, use these PowerShell commands:

```powershell
# Registration state: AzureAdJoined YES (or AzureAdJoined plus DomainJoined for hybrid) is required;
# a merely Entra registered device (WorkplaceJoined) cannot back up to Entra ID
dsregcmd /status | Select-String -Pattern "AzureAdJoined|DomainJoined|WorkplaceJoined"
# The LAPS policy arrives over the MDM (OMA-DM) channel, not the Intune Management Extension,
# so look at the MDM diagnostics log for delivery errors rather than at the IME process
Get-WinEvent -LogName "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin" -MaxEvents 50 |
    Where-Object LevelDisplayName -ne "Information"
# Examine the complete LAPS policy as delivered by the CSP
Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Policies\LAPS"
# Collect a full diagnostics package (LAPS event log, policy and state) for a support case
Get-LapsDiagnostics -OutputFolder C:\Temp\LapsDiag
# Check installed updates; Windows LAPS ships in the April 2023 cumulative update and later
Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 10
```

One issue that frequently catches people is the Windows version requirement. Windows LAPS is built into Windows 10 version 20H2 (build 19042) and later and into Windows 11, but only once the April 11, 2023 cumulative update (or a later one) is installed. Older or unpatched devices simply ignore the policy without generating obvious error messages.
For devices that aren't receiving policies, the most common cause is Intune enrollment issues. Use the Company Portal app to check enrollment status and re-enroll if necessary. Sometimes a simple device restart after policy deployment resolves sync issues.
Remember that the first password is set during the first LAPS policy processing cycle after the policy lands, which runs in the background roughly every hour (Invoke-LapsPolicyProcessing triggers it on demand); after that, rotation follows the configured password age. Don't panic if the password hasn't changed minutes after deployment, but if nothing has happened after a couple of hours, check the LAPS event log rather than waiting for the next scheduled rotation.
How do you monitor and maintain your Windows LAPS deployment long-term?
A successful LAPS deployment requires ongoing monitoring and maintenance. You need visibility into password rotations, policy compliance, and potential security issues.
Set up regular monitoring of these key metrics:
- Policy deployment success rates across device groups
- Password rotation frequency and any failed rotations
- Administrator account usage patterns
- Password retrieval audit logs
- Device compliance with LAPS requirements
Create automated reports using Microsoft Graph API to track LAPS status across your environment:
```powershell
# Example PowerShell to check LAPS backup status via the Graph API.
# Needs the Microsoft.Graph PowerShell SDK and the DeviceLocalCredential.ReadBasic.All
# permission; this returns backup metadata only, never the passwords themselves.
Connect-MgGraph -Scopes "DeviceLocalCredential.ReadBasic.All" -NoWelcome
$page = Invoke-MgGraphRequest -Uri "https://graph.microsoft.com/v1.0/directory/deviceLocalCredentials" -Method GET
foreach ($device in $page.value) {
    # Report on device name, last successful backup and when the password is due to refresh
    [pscustomobject]@{
        Device     = $device.deviceName
        LastBackup = $device.lastBackupDateTime
        Refresh    = $device.refreshDateTime
    }
}
```

Plan for these ongoing maintenance tasks:
- Quarterly access reviews: Verify who has LAPS password retrieval permissions
- Monthly policy compliance checks: Identify devices that aren't receiving LAPS policies
- Regular password rotation validation: Confirm passwords are rotating according to schedule
- Annual security assessment: Review password complexity and rotation frequency requirements
Document your LAPS configuration and create runbooks for common administrative tasks. Include procedures for emergency password retrieval, troubleshooting failed rotations, and onboarding new devices.
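For the rotation-validation task in the list above, here is an added PowerShell report (not from the original post) that goes beyond a single page of results: it follows Graph paging, flags devices whose last Entra ID backup is older than the configured password age, and also lists Windows devices that have no backup record at all, which the deviceLocalCredentials endpoint alone never shows. It assumes the Microsoft.Graph PowerShell SDK with consent to Device.Read.All and DeviceLocalCredential.ReadBasic.All; the two-day grace period and the CSV output paths are my assumptions.

```powershell
# Added example, not from the original post: stale-backup report over the Graph API.
# Assumes the Microsoft.Graph PowerShell SDK and consent to Device.Read.All and
# DeviceLocalCredential.ReadBasic.All (backup metadata only; no passwords are read).
Import-Module Microsoft.Graph.Authentication

function Get-GraphCollection {
    # Follows @odata.nextLink so tenants with more than one page of devices are fully covered
    param([string]$Uri)
    while ($Uri) {
        $page = Invoke-MgGraphRequest -Method GET -Uri $Uri
        foreach ($item in $page.value) { $item }
        $Uri = $page.'@odata.nextLink'
    }
}

function Get-LapsBackupInventory {
    # One record per device that has ever backed up a password to Entra ID
    Get-GraphCollection -Uri 'https://graph.microsoft.com/v1.0/directory/deviceLocalCredentials' |
        ForEach-Object {
            [pscustomobject]@{
                DeviceId   = $_.id                      # Entra device ID (not the directory object ID)
                DeviceName = $_.deviceName
                LastBackup = [datetime]$_.lastBackupDateTime
                Refresh    = [datetime]$_.refreshDateTime
            }
        }
}

function Find-StaleLapsBackups {
    param(
        [int]$PasswordAgeDays = 30,   # match the Password Age set in the Intune policy
        [int]$GraceDays = 2           # assumed slack for devices that were offline at rotation time
    )
    $cutoff = (Get-Date).ToUniversalTime().AddDays(-($PasswordAgeDays + $GraceDays))
    Get-LapsBackupInventory | Where-Object { $_.LastBackup -lt $cutoff } | Sort-Object LastBackup
}

function Find-DevicesNeverBackedUp {
    # Windows devices in Entra ID with no deviceLocalCredentials record at all; they only
    # show up by comparing the backup inventory against the device directory
    $backedUp = @{}
    Get-LapsBackupInventory | ForEach-Object { $backedUp[$_.DeviceId] = $true }
    Get-GraphCollection -Uri 'https://graph.microsoft.com/v1.0/devices?$select=displayName,deviceId,operatingSystem' |
        Where-Object { $_.operatingSystem -eq 'Windows' -and -not $backedUp.ContainsKey($_.deviceId) } |
        ForEach-Object { [pscustomobject]@{ DeviceName = $_.displayName; DeviceId = $_.deviceId } }
}

Connect-MgGraph -Scopes 'Device.Read.All', 'DeviceLocalCredential.ReadBasic.All' -NoWelcome
$stale = @(Find-StaleLapsBackups -PasswordAgeDays 30)
$never = @(Find-DevicesNeverBackedUp)
$stale | Export-Csv -Path .\laps-stale-backups.csv -NoTypeInformation     # assumed output path
$never | Export-Csv -Path .\laps-never-backed-up.csv -NoTypeInformation   # assumed output path
"{0} stale backup(s), {1} Windows device(s) with no backup at all" -f $stale.Count, $never.Count
```

Because the report needs only the ReadBasic scope, it can run under a reporting identity that is never allowed to read passwords, which keeps the monitoring job out of the privileged-access picture. A device on the never-backed-up list that is Entra joined and in scope of the policy is the case to chase first: it usually means the policy was never delivered or the OS predates Windows LAPS.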
Your Windows LAPS deployment is successful when devices consistently show "Succeeded" status in Intune, passwords rotate according to your defined schedule, and authorized users can reliably retrieve passwords when needed. With proper monitoring and maintenance, LAPS provides robust security for your local administrator accounts with minimal ongoing overhead.