🔐 Lock Down Local Admins: Deploy Windows LAPS with Intune (Using Built-In Administrator)
Local admin accounts are a necessary evil. You don’t want them—but when you need them, they better be secure and accessible.
Windows LAPS (Local Administrator Password Solution) gives you a secure, automated way to manage the built-in Administrator account across your Windows fleet. With Intune, you can deploy LAPS at scale, back up passwords to Entra ID (Azure AD), and reduce risk—all without creating custom local accounts.
💡 What Is Windows LAPS?
LAPS rotates and stores a unique, random password for each endpoint’s local Administrator account. That password is backed up securely in Entra ID, accessible only to authorized IT staff.
LAPS ensures:
- No shared passwords across machines
- No static passwords for years
- A secure and auditable way to retrieve credentials when needed
🚨 Why Every Business Should Use It
Without LAPS:
- If every device shares the same local admin password, an attacker who recovers it on one device can reuse it on all of them
- You’re stuck manually managing passwords
- You’re probably violating security best practices (and maybe compliance requirements too)
🛠️ Step-by-Step: Deploying LAPS with Intune (Built-In Admin Method)
✅ Requirements
- Windows 10 20H2+ or Windows 11
- Devices must be Entra-joined or hybrid-joined
- LAPS enabled at the tenant level in Entra ID device settings (the client side is built into modern Windows)
- Admin permissions in Microsoft Intune and Entra ID
🧼 Step 1: Make Sure the Built-In Administrator Account is Enabled
By default, the built-in Administrator account is disabled in most environments—including Azure AD-joined machines. If it’s disabled, LAPS won’t be able to rotate or apply the password.
You can enable it using Intune Proactive Remediation or a PowerShell script.
Example PowerShell Script:
```powershell
net user Administrator /active:yes
```
Deploy this via:
Intune → Devices → Scripts → Add → Windows 10 and later → Upload PowerShell script
⚠️ Make sure your environment doesn’t have GPO or other policies that automatically disable this account again.
🔐 Step 2: Create and Deploy the LAPS Policy
Go to:
Endpoint Security → Account Protection → Create Policy
- Platform: Windows 10 and later
- Profile: Local admin password solution (Windows LAPS)
Configure settings:
| Setting | Value |
|---|---|
| Backup Directory | Azure AD |
| Password Age | 30 days |
| Administrator Account Name | (Leave blank for built-in account) |
| Password Complexity | Complex (uppercase, lowercase, numbers, symbols) |
| Password Length | 14+ |
| Post-authentication Action | Reset immediately |
Assign the policy to your device groups.
🔍 Step 3: View and Manage Passwords
After the policy applies, passwords are stored in Azure AD:
Go to:
Entra ID → Devices → Select a device → Local administrator password
You’ll be able to:
- View the current password
- See when it expires
- Trigger a reset if needed
🧠 Pro Tips
- RBAC: Restrict access to LAPS password retrieval. Not everyone needs to see them.
- Audit Logs: Use Microsoft Purview or sign-in logs to track who accesses passwords.
- Monitor Compliance: If LAPS isn’t working on a device, flag it. You don’t want unknowns here.
- Combine with Conditional Access: Block risky sign-ins and make sure only compliant devices are allowed access.
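Step 1 and the "Monitor Compliance" tip above both come down to the same question: is the built-in Administrator enabled on this device, and is LAPS actually succeeding there? The following detection script is an added example (not from the original post) that you can upload as the detection half of an Intune Remediation; it assumes Windows PowerShell 5.1 (for `Get-LocalUser`) and a Windows build that has the `Microsoft-Windows-LAPS/Operational` event log.

```powershell
# Detection script for Intune Remediations (added example, not from the original post).
# Exit 0 = compliant, exit 1 = remediation needed (Intune's detection-script convention).
# Assumes Windows PowerShell 5.1 (Microsoft.PowerShell.LocalAccounts module) and a
# Windows build that ships the Windows LAPS operational event log.

$ErrorActionPreference = 'Stop'
$problems = @()

# Find the built-in Administrator by its well-known RID (-500) rather than by name,
# so the check still works if the account has been renamed.
$builtInAdmin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
if (-not $builtInAdmin) {
    $problems += 'Built-in Administrator account (RID 500) not found'
}
elseif (-not $builtInAdmin.Enabled) {
    $problems += "Built-in Administrator '$($builtInAdmin.Name)' is disabled; LAPS cannot manage it"
}

# Look for LAPS errors (Level 2) logged in the last 24 hours. An error here usually means
# the policy did not apply or the password backup to Entra ID failed.
$since = (Get-Date).AddHours(-24)
try {
    $lapsErrors = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-LAPS/Operational'
        Level     = 2
        StartTime = $since
    } -ErrorAction SilentlyContinue   # no matching events (or no log) is not an error here
}
catch { $lapsErrors = $null }

if ($lapsErrors) {
    $latest = $lapsErrors | Select-Object -First 1   # Get-WinEvent returns newest first
    $firstLine = ($latest.Message -split "`n" | Select-Object -First 1)
    $problems += "LAPS logged $($lapsErrors.Count) error(s) since $since; latest: ID $($latest.Id) - $firstLine"
}

if ($problems.Count -gt 0) {
    Write-Output ($problems -join '; ')   # surfaces in the Intune remediation report
    exit 1
}

Write-Output "Compliant: '$($builtInAdmin.Name)' is enabled and LAPS logged no errors since $since"
exit 0
```

The matching remediation script can re-enable the account with `Enable-LocalUser -SID $builtInAdmin.SID` (same RID-500 lookup), which avoids hard-coding the name used in the `net user` one-liner.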
✅ Summary
If you rely on the built-in Administrator account—even as a last resort—it needs to be secured and rotated. LAPS + Intune gives you:
- Centralized control
- Per-device randomization
- Automatic rotation
- Secure cloud-based retrieval
Make sure the account is enabled first, and you’re good to go.