Local Admin Password System (LAPS)


Using Windows LAPS with UA workstations via Intune

Windows Local Administrator Password System (LAPS) lets you maintain a secure, centrally controlled password for a local administrator account. Because the built-in “Administrator” account has a well-known SID, we use an account named “Admin” as our standard instead. If a workstation does not have an Admin account, for example when it was deployed via Autopilot, the Intune remediation script detects this and creates a new Admin account with a randomized password, which the LAPS system then takes over and manages. During the first phases of our deployment we will focus on workstations; servers will be added to the system at a later date.
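The detect-and-create step above, as an added PowerShell example (not the page's own remediation script). It assumes the account name “Admin” from the page and that Windows LAPS is already configured through Intune to manage that account; the function names are made up for this illustration.

```powershell
# Added example, not the page's own Intune script. Assumes the LAPS-managed
# account is named "Admin" and that the LAPS policy targeting it is already assigned.
$AccountName = 'Admin'

# Detection: $true when the account exists. Intune runs the remediation script
# only when the detection script exits non-zero.
function Test-AdminAccount {
    $user = Get-LocalUser -Name $AccountName -ErrorAction SilentlyContinue
    return ($null -ne $user)
}

# One-time random password. LAPS replaces it on its next cycle, so it only needs
# to be unguessable, never known to a person.
function New-RandomPassword {
    param([int]$Length = 24)
    # 64 characters: 256 % 64 == 0, so byte-modulo selection has no bias.
    $charset = [char[]]('ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnpqrstuvwxyz23456789!@#$%^&*')
    $bytes = New-Object byte[] $Length
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $chars = foreach ($b in $bytes) { $charset[$b % $charset.Length] }
    return -join $chars
}

# Remediation: create the account and make it a local administrator.
function Repair-AdminAccount {
    if (Test-AdminAccount) { return }
    $secure = ConvertTo-SecureString (New-RandomPassword) -AsPlainText -Force
    New-LocalUser -Name $AccountName -Password $secure -PasswordNeverExpires `
        -Description 'LAPS-managed local administrator' | Out-Null
    # Use the well-known SID of the Administrators group so this works on
    # non-English builds where the group name is localized.
    Add-LocalGroupMember -SID 'S-1-5-32-544' -Member $AccountName
    # The plaintext never leaves this process; LAPS rotates the password and
    # escrows the new value to Entra ID.
}

# Detection script body (uploaded to Intune as its own file):
#   if (Test-AdminAccount) { exit 0 } else { exit 1 }
# Remediation script body (uploaded as the paired file):
#   Repair-AdminAccount
```

Intune remediations take the detection and remediation halves as two separate scripts, so paste the function definitions into each file along with the matching one-line body shown in the trailing comments.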

Windows LAPS supported platforms

Windows LAPS is now available on the following OS platforms with the specified update or later installed:

  • Windows 11 22H2 - April 11, 2023 update
  • Windows 11 21H2 - April 11, 2023 update
  • Windows 10 - April 11, 2023 update
  • Windows Server 2022 - April 11, 2023 update
  • Windows Server 2019 - April 11, 2023 update

Additional Information can be found here: Windows LAPS overview | Microsoft Learn

Implementation Requirements

Before assigning the necessary security and configuration profiles, please contact the Intune Administrators to get the necessary Azure Administrative Unit set up and configured; otherwise you will be unable to elevate to the proper role to view the passwords.

Using LAPS to retrieve and login with an Admin password

In order to view LAPS passwords, BitLocker keys, or perform other functions on your departmental devices, you will need to elevate to the Cloud Device Administrator role for your department’s Azure Administrative Unit.

  1. Open the My Roles tab in Privileged Identity Management console. My roles - Microsoft Azure
  2. Click “Activate” next to the Administrative Unit you are managing. This activation will only last for 1 hour at a time.

Screenshot of Azure My Roles

  3. Once the role is active, go to the Intune or Microsoft Entra Admin Center and select the device you want to retrieve the Admin password for.
  4. Click the Local Admin Password blade and then the “Show local administrator password” link to view it.

Screenshots: Local Admin password panel

Once a retrieved password has been used to log in, a timer starts; after 8 hours the account is logged off and the password is rotated.