What is Windows LAPS

Windows LAPS is a Microsoft solution that automates the management of local administrator account passwords across devices. The core functionality of LAPS ensures that each device’s local administrator account has a unique, randomly generated password that is regularly rotated. The password is securely stored in Entra ID, reducing the risk of unauthorized access and ensuring compliance with security standards.

By integrating Windows LAPS with Intune, organizations can extend this functionality to their cloud-based environments, such as physical or Windows 365 Cloud PCs, which do not have the same traditional Active Directory infrastructure.

Configuring LAPS

This post will especialy show you how to configure Windows LAPS and which settings you need to configure. So lets dive into configuring it.

As usual we start in the Intune portal and for this policy in the Endpoint protection blade with the Account protection view opened. Create a new policy:

The policy needs to be from the Local admin password solution (Windows LAPS) type:

Define a Name and Description as you like:

Next we need to configure where to store the Password, when it should rotate, how complex it might be and when it should be changed. I usually pick a configuration like this one here:

🛈 HINT If you have devices like for example Windows 365 Cloud PCs where the local Administrator has a different name, make sure to enable Administrator Account Name and change it to the name that the account has on your systems. On Windows 365 systems for example Microsoft changed the name to BuildInAdmin and if you dont match this to your policy it will look for Administrator but as it cannot be found under this name the policy will fail to apply. Just keep it in mind :)

Lastly assign it to a device group and wait for the devices to sync, apply the policy and then the password will be written back into its Entra ID device account. You can read LAPS passwords from Entra ID, Intune or MS Graph API.

Why Use Windows LAPS?

Windows LAPS gives you an alternative way to administrate devices. In an best case scenario you have administrative accounts with local admin permissions in your envrionment but if for some reason the device has no network connectivity or a network driver is broken you still can use LAPS as this uses the local and build-in Administrator account. So in my opinion this is a great tool for emergency scenarios where you cannot use a cloud account to troubleshoot a device locally.

Conclusion: A Game-Changer for Troubleshooting and Support

Windows LAPS managed via Intune for Windows PCs is a smart and practical solution for any organization looking to tighten security while maintaining efficiency. It is especially valuable during troubleshooting or support scenarios where immediate access to a PC’s local administrator account is critical. Whether you are handling an urgent support case or an emergency repair, Windows LAPS ensures that IT administrators can access the necessary local admin credentials safely and efficiently—without compromising on security.

With Windows LAPS and Intune, you have a streamlined, secure way to manage local administrator accounts across all your Windows devices. It’s an essential tool for modern IT operations, providing peace of mind in times when quick access and secure management are a must.