Manage Windows LAPS from Intune


What is LAPS?

Windows Local Administrator Password Solution (LAPS) is a Windows feature that manages and backs up the password of a local administrator account on your Microsoft Entra ID joined devices or Windows Server Active Directory joined devices.


Benefits of Windows Local Administrator Password Solution

  • Helps protect against pass-the-hash and lateral-traversal attacks.
  • Helps keep your local administrator credentials unique on every device.
  • Allows you to sign in to and recover devices that might not otherwise be accessible (network issue, etc.).


Prerequisites

  • Intune subscription – Microsoft Intune Plan 1 at a minimum (you need this license to deploy a policy to the machine).
  • Active Directory subscription – Azure Active Directory is free, and you can use all the features of LAPS with Microsoft Entra ID Free.


Where is Windows LAPS available?

  • Windows 11 22H2 – April 11, 2023 update and later (Pro, EDU and Enterprise)
  • Windows 11 21H2 – April 11, 2023 update and later (Pro, EDU and Enterprise)
  • Windows 10 – April 11, 2023 update and later (Pro, EDU and Enterprise)
  • Windows Server 2022 and Windows Server Core 2022 – April 11, 2023 update and later
  • Windows Server 2019 – April 11, 2023 update and later


I - Enable LAPS in Microsoft Entra ID Device Settings

First, make sure you enable Microsoft Entra ID Local Administrator Password Solution (LAPS) (Preview) inside the Microsoft Entra admin center; this requires at least the Cloud Device Administrator role.

Go to Microsoft Entra admin center > browse to Identity on the left-hand panel > click on the Devices tab and then All devices > click on Device settings > under Local administrator settings, select Yes for Enable Microsoft Entra ID Local Administrator Password Solution (LAPS) (Preview).

II - Manage Windows LAPS with Intune

First, make sure you have at least the Intune Administrator role to apply these changes inside your Intune environment. Once you have that set up, let’s get this show on the road.

Go to Microsoft Intune admin center > head to Endpoint Security > Account Protection > click on + Create Policy > set Windows 10 and later for the platform, then select Local admin password solution (Windows LAPS) (preview) for the Profile > click Create.

  • On the Create Profile page, under Basics, you can add a name for the profile. You can also add a description to give a brief summary of the purpose of the policy.

On Configuration settings, we configure the settings we will apply to our Intune managed devices.

Before we start pushing buttons and configuring our settings, let’s learn a little bit about what everything on this page means.

  • Backup Directory – Here, we tell the machine where to store the password. In my case, I want to back up the password to Microsoft Entra ID only.

  • Password Age Days – In this section, we set the password age of the local administrator before we rotate the password and store the new one in Microsoft Entra ID. In this case, the local administrator password will rotate after 30 days.

  • Administrator Account Name – This setting allows you to specify the name of the managed local administrator account. If no name is specified, LAPS manages the built-in local administrator account, identified by its well-known SID.

  • Password Complexity – This setting controls the complexity of the managed local administrator account’s password. In my scenario we want to make it harder for attackers, so we set the complexity to Large letters + small letters + numbers + special characters.

  • Password Length – This setting sets the length of the managed local administrator account’s password. By default, when configured, the password length is 14.

  • Post Authentication Actions – This setting configures what happens to the password after someone has authenticated using the local administrator account: once the managed local administrator password is used, the post actions run. Here I set the Post Authentication Actions to Reset the password and logoff the managed account; upon expiry of the grace period (24 hours later), the managed account password is reset.

  • Post Authentication Reset Delay – This setting specifies how long to wait after an authentication before running the Post Authentication Actions. In my case I gave it a 24-hour grace period; after 24 hours it runs the post authentication action.

Finally, here is my configuration setting:

In the Assignments section, you can assign this policy to a group, All users or All devices. I will apply this policy to All devices.

In the Review + create section, double-check your policy to make sure it fulfills your needs before creating it. If it looks good, go ahead and click on Create.

Let’s again trust but verify that our device has received these configurations. Go into the Account Protection policy and check the report. I have an Intune managed device called CPC-01, and it looks like it has succeeded.

Let’s go a little deeper and verify locally on that device that it has received those configurations. Open the registry editor and enter this path to view what has been written to the registry:

Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Policies\LAPS

Here we can see the information:

  • Password Age Days, which we set to 30
  • Password Complexity: 4 (Large letters + small letters + numbers + special characters)
  • Password Length, which we set to 10
  • BackupDirectory value of 1, which is Microsoft Entra ID.
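The same registry check, scripted. This is an added example and not part of the original article: it reads the values the Intune LAPS CSP writes under HKLM\SOFTWARE\Microsoft\Policies\LAPS, decodes the integers back into the labels shown in the Intune profile, and compares them with the policy you expect. The `$Expected` values are an assumption mirroring the profile built above; the value names and integer meanings are the documented Windows LAPS policy settings. Run it in an elevated PowerShell session on the managed device.

```powershell
# Added example (not from the original article): decode the Windows LAPS policy
# that Intune wrote under HKLM\SOFTWARE\Microsoft\Policies\LAPS and compare it
# with the profile you expect. Run elevated on the managed device.
$PolicyPath = 'HKLM:\SOFTWARE\Microsoft\Policies\LAPS'

# Lookup tables for the integer values the LAPS CSP stores (documented mappings).
$BackupDirectoryNames = @{
    0 = 'Disabled (no backup)'
    1 = 'Microsoft Entra ID'
    2 = 'Windows Server Active Directory'
}
$ComplexityNames = @{
    1 = 'Large letters'
    2 = 'Large letters + small letters'
    3 = 'Large letters + small letters + numbers'
    4 = 'Large letters + small letters + numbers + special characters'
}
$PostAuthActionNames = @{
    1 = 'Reset password'
    3 = 'Reset password and logoff the managed account'
    5 = 'Reset password and reboot the device'
}

# Assumed expected values, mirroring the profile built in this article;
# change them to match your own policy.
$Expected = [ordered]@{
    BackupDirectory              = 1
    PasswordAgeDays              = 30
    PasswordComplexity           = 4
    PasswordLength               = 10
    PostAuthenticationActions    = 3
    PostAuthenticationResetDelay = 24
}

if (-not (Test-Path -Path $PolicyPath)) {
    Write-Warning "$PolicyPath does not exist: the Intune LAPS profile has not reached this device yet."
    return
}
$Policy = Get-ItemProperty -Path $PolicyPath

$Report = foreach ($Name in $Expected.Keys) {
    $Actual = $Policy.$Name          # $null when the value was never written
    $Decoded = switch ($Name) {
        'BackupDirectory'           { $BackupDirectoryNames[[int]$Actual] }
        'PasswordComplexity'        { $ComplexityNames[[int]$Actual] }
        'PostAuthenticationActions' { $PostAuthActionNames[[int]$Actual] }
        default                     { $Actual }
    }
    [pscustomobject]@{
        Setting  = $Name
        Actual   = $Actual
        Decoded  = $Decoded
        Expected = $Expected[$Name]
        Match    = ($null -ne $Actual -and [int]$Actual -eq $Expected[$Name])
    }
}
$Report | Format-Table -AutoSize

# Optional: make the LAPS engine process the policy now instead of waiting for its next cycle.
# Invoke-LapsPolicyProcessing
```

A row with `Match` set to `False` points at either a policy that has not synced yet or a profile that does not say what you think it says; the `Decoded` column is there so that a value such as `PasswordComplexity = 3` is read as "no special characters" rather than as a bare number.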

III - How to View a Device’s Local Administrator Password

There are two ways to access the managed local administrator password:

  1. Microsoft Entra ID
  2. Microsoft Intune Portal

Make sure you have at least one of the following built-in roles (Global Administrator, Cloud Administrator or Intune Administrator) to access that information.

1 - Microsoft Entra ID admin center

Go to Microsoft Entra admin center > Identity > Devices > All devices >

Click on Local administrator password recovery (Preview) >

Click Show local administrator password on the device you want to retrieve the local administrator password for > click on Show to view the local administrator password.

2 - Microsoft Intune admin center

Go to Microsoft Intune admin center > Devices > Windows >

Click on the Windows device you want to retrieve the local administrator password for > select Local admin password.

Click on Show local administrator password > click on Show to view the local administrator password.
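The same retrieval from PowerShell, as an added example that is not part of the original article. It uses the `Get-LapsAADPassword` cmdlet from the Windows LAPS module (present on the April 2023 update and later) over Microsoft Graph, and assumes the Microsoft.Graph.Authentication module is installed and the signed-in account holds one of the roles named above. The device name `CPC-01` is the article’s device; replace it with your own.

```powershell
# Added example (not from the original article): read a device's Entra-backed
# local administrator password with the Windows LAPS PowerShell module over
# Microsoft Graph. Assumes Microsoft.Graph.Authentication is installed and the
# signed-in account is permitted to read LAPS passwords.
Import-Module LAPS
Import-Module Microsoft.Graph.Authentication

# Device.Read.All resolves the device; DeviceLocalCredential.Read.All authorises reading the credential.
Connect-MgGraph -Scopes 'Device.Read.All', 'DeviceLocalCredential.Read.All'

$DeviceName = 'CPC-01'   # device from the article; -DeviceIds accepts a device name or an Entra device ID

# Step 1: metadata only. Confirms a backup exists and shows when it expires
# without revealing the secret (no DeviceLocalCredential read is needed for this).
$Metadata = Get-LapsAADPassword -DeviceIds $DeviceName
$Metadata | Format-List DeviceName, DeviceId, PasswordExpirationTime

# Step 2: the password itself. Without -AsPlainText the Password property is a
# SecureString; every password read is recorded in the Entra ID audit log.
$Credential = Get-LapsAADPassword -DeviceIds $DeviceName -IncludePasswords -AsPlainText
$Credential | Format-List Account, Password, PasswordUpdateTime, PasswordExpirationTime

Disconnect-MgGraph
```

Keep the two steps separate in day-to-day use: the first call is enough to confirm that a device has a current backup (the `PasswordExpirationTime` shows when LAPS will next rotate it), and only the second call exposes the secret and leaves an audit entry for a credential read.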


IV - Change Windows LAPS password on demand

Go to Microsoft Intune admin center > Devices > All devices > click on the device whose LAPS password you want to change > go to the three dots > Rotate local admin password.

Read the prompt and select Yes (at your own risk).

Success!
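If you are already on the device, the rotation can also be triggered locally. This is an added example and not part of the original article: it uses the `Reset-LapsPassword` cmdlet from the Windows LAPS module and then reads the LAPS operational event log to confirm that the new password was generated and backed up. Run it in an elevated PowerShell session on the managed device.

```powershell
# Added example (not from the original article): rotate the managed local
# administrator password immediately from the device itself, then confirm the
# rotation in the Windows LAPS operational event log. Run elevated on the device.
# This is a local alternative to the "Rotate local admin password" action in Intune.
Import-Module LAPS

# Generates a new password according to the applied policy (complexity, length)
# and backs it up to the configured directory, Microsoft Entra ID in this article.
Reset-LapsPassword

# Review the most recent LAPS engine events: a successful rotation is followed by
# a successful backup entry, while a failed backup shows up here as an error.
Get-WinEvent -LogName 'Microsoft-Windows-LAPS/Operational' -MaxEvents 10 |
    Select-Object TimeCreated, Id, LevelDisplayName, Message |
    Format-List
```

The operational log is also the first place to look when the Intune rotation action reports success but the portal still shows the old expiration time: the device rotates the password locally first and reports the backup to Entra ID as a separate step.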


Thanks



Aymen EL JAZIRI

SYSADMIN

Himanshu Pawar

Sr.Consultant at Infosys

1 month

How to get the report about how many devices have backup laps password in AAD?
