Managing Windows LAPS with Microsoft Intune

If you still have the same local administrator password on every Windows device in your fleet, one dumped hash is all it takes for an attacker to move sideways across the whole estate. Windows LAPS in Intune fixes that by rotating a unique local admin password per device and escrowing it somewhere you can actually get it back. This post walks through setting it up with Microsoft Intune end to end, including the tenant switch most people forget to flip first.

Key Takeaways

  • Managing Windows LAPS with Intune gives every device a unique, automatically rotated local administrator password, which kills the shared-password lateral movement that pass-the-hash relies on.
  • Windows LAPS is built into supported builds of Windows 10, Windows 11, and Windows Server — there is no separate MSI to deploy like the legacy Microsoft LAPS.
  • You must enable Windows LAPS at the tenant level in Entra ID before any Intune account protection policy will actually back up a password.
  • Passwords are escrowed to Entra ID and retrieved through the Intune or Entra admin center, gated by a specific directory permission rather than being readable by everyone.
  • Legacy LAPS and Windows LAPS can coexist, but the policy precedence and "legacy emulation" behaviour will bite you if you do not plan the transition.

Environment

  • Microsoft Intune (Microsoft Intune Plan 1, included in Microsoft 365 E3/E5 and EMS E3/E5).
  • Entra ID tenant with devices that are Entra joined or Microsoft Entra hybrid joined.
  • Windows 11 22H2 and Windows 10 22H2 clients with the April 11 2023 cumulative update or later, which is where Windows LAPS shipped natively.
  • An account holding the Cloud Device Administrator or Intune Administrator role for password recovery.

The Problem

Local administrator accounts are convenient and dangerous in equal measure. Most builds and images ship with a built-in administrator, and in a lot of environments that account ends up with the same password everywhere because someone set it once in the gold image and never touched it again. That is fine right up until a single workstation is compromised: the attacker dumps the local SAM, recovers the administrator hash, and now that hash unlocks every other machine that shares it. This is textbook lateral movement, and it maps directly to MITRE ATT&CK T1550.002, Pass the Hash.

The original Microsoft LAPS solved this years ago for on-premises Active Directory by storing a unique, rotating password on each computer object. The catch was that it required a separate MSI, a schema extension, and a Group Policy client-side extension. None of that fits a cloud-managed, Entra-joined fleet. Windows LAPS — the newer one baked into the operating system — does, and Intune is how you drive it.

The Solution

Step 1 — Enable Windows LAPS at the Entra ID tenant level

This is the step that quietly breaks everything if you skip it. Before any device will hand its password to the directory, you have to turn the feature on for the tenant. In the Microsoft Entra admin center, go to Devices → Device settings (under "All devices"), find Enable Microsoft Entra Local Administrator Password Solution (LAPS), set it to Yes, and save.

If this toggle is off, your Intune policy will deploy, the client will apply it, and you will sit there watching for a password that never arrives. The device-side event log will even tell you it could not back up the password because the directory is not accepting it. Flip the toggle first.
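Because the toggle is so easy to miss, it is worth being able to check it from a script before you roll the policy out. The following is an added example, not code from the original post: it reads the same tenant setting through Microsoft Graph and flips it on if needed. It assumes the Microsoft.Graph.Authentication module is installed, that you can consent to Policy.ReadWrite.DeviceConfiguration, and that the beta policies/deviceRegistrationPolicy resource exposes the toggle as localAdminPassword.isEnabled (the contract as published at the time of writing; if the beta shape changes, fall back to the portal).

```powershell
# Added example (not from the original post): read and, if needed, enable the
# tenant-level Windows LAPS switch that Step 1 sets in the Entra admin center.
# Assumes Microsoft.Graph.Authentication and Policy.ReadWrite.DeviceConfiguration.
Connect-MgGraph -Scopes 'Policy.ReadWrite.DeviceConfiguration' -NoWelcome

# Beta resource that backs the "Enable Microsoft Entra Local Administrator
# Password Solution (LAPS)" toggle (assumption: localAdminPassword.isEnabled).
$policyUri = 'https://graph.microsoft.com/beta/policies/deviceRegistrationPolicy'

function Get-LapsTenantState {
    # Returns the flag plus the full policy object, which the update needs.
    $policy = Invoke-MgGraphRequest -Method GET -Uri $policyUri
    [pscustomobject]@{
        LapsEnabled = [bool]$policy.localAdminPassword.isEnabled
        Policy      = $policy
    }
}

function Enable-LapsTenant {
    # deviceRegistrationPolicy is replaced with PUT, so send the current object
    # back with only the LAPS flag changed.
    $state = Get-LapsTenantState
    if ($state.LapsEnabled) {
        Write-Host 'Windows LAPS is already enabled for the tenant.'
        return
    }
    $body = $state.Policy
    $body.Remove('@odata.context')          # metadata is not part of the payload
    $body.localAdminPassword.isEnabled = $true
    Invoke-MgGraphRequest -Method PUT -Uri $policyUri `
        -Body ($body | ConvertTo-Json -Depth 10) -ContentType 'application/json' | Out-Null
    Write-Host 'Enabled Windows LAPS at the tenant level; devices can now escrow passwords.'
}

$before = Get-LapsTenantState
Write-Host "Tenant LAPS enabled before: $($before.LapsEnabled)"
if (-not $before.LapsEnabled) { Enable-LapsTenant }
```

Run the read half alone (Get-LapsTenantState) from a pipeline or a health check; if it ever reports false on a tenant that is supposed to be using LAPS, you have found why passwords stopped arriving before a single user noticed.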

Step 2 — Build the Windows LAPS account protection policy in Intune

In the Microsoft Intune admin center, go to Endpoint security → Account protection and create a new policy. Choose the Windows 10 and later platform and the Local admin password solution (Windows LAPS) profile. The settings that matter most:

  • Backup Directory — set this to Backup the password to Microsoft Entra ID only (labelled "Azure AD" in older tenants) for a cloud-managed fleet. The other options are on-premises AD or disabled.
  • Password Age Days — how often the password rotates. Thirty days is a sensible default; do not stretch it to a year just because you can.
  • Administrator Account Name — leave blank to manage the built-in administrator, or specify the name of a custom local admin you provision separately. Windows LAPS does not create the account for you unless you use the automatic account management settings.
  • Password Length and Password Complexity — 20+ characters with large letters, small letters, numbers, and specials. There is no reason for a machine-managed password to be short.
  • Post Authentication Actions and Grace Period — what the device does after the managed account is used. Resetting the password and logging off after the grace period is the option that limits how long a recovered password stays valid.

Assign the policy to a device group and save. The Microsoft documentation for every available setting lives in the Windows LAPS policy settings reference, which is worth a read because the CSP names map one-to-one onto the Intune fields.

Step 3 — Confirm the device picked up the policy

Policy delivery is not instant. You can force a sync from the client with the Company Portal or wait for the regular check-in. On the device, Windows LAPS writes to its own operational log under Applications and Services Logs → Microsoft → Windows → LAPS → Operational. The event you are looking for is the one confirming the password was successfully updated in the directory. If you would rather work from PowerShell, the built-in LAPS module can force a policy run, and the same events can be read directly:

# Only meaningful for devices that back up to Active Directory: it reads the AD
# computer attribute, so on an Entra-joined device it fails rather than reporting state.
Get-LapsADPassword -Identity $env:COMPUTERNAME -AsPlainText
# On Entra-joined devices, force a policy run (elevated) and read the operational log:
Invoke-LapsPolicyProcessing
Get-WinEvent -LogName "Microsoft-Windows-LAPS/Operational" -MaxEvents 20 |
    Select-Object TimeCreated, Id, LevelDisplayName, Message

Reviewing these LAPS events is the same muscle as any other log-driven check — if you want a refresher on slicing the event log from PowerShell, the PowerShell Quick Guide on working with event logs covers the patterns I used above.
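Dumping twenty events is fine for a one-off look, but when you are checking a test device (or a fleet) you want a yes/no answer: did the last policy run escrow the password, and if not, what went wrong? The function below is an added example, not code from the original post. It takes the objects Get-WinEvent returns, finds the most recent policy run, and reports whether a directory update succeeded and which errors were logged. It keys on the message text rather than hard-coded event IDs; the start-of-run wording it matches is an assumption, so adjust the pattern if your build phrases it differently. The sample events at the bottom are constructed, with placeholder IDs, to show the shape of a failed run offline.

```powershell
# Added example (not from the original post): classify the latest Windows LAPS
# policy run from the operational log. Works on Get-WinEvent output or on any
# objects with TimeCreated, Id, LevelDisplayName and Message.
function Get-LapsLastRunResult {
    param(
        [Parameter(Mandatory)] [object[]]$Events
    )
    $sorted = $Events | Sort-Object TimeCreated -Descending
    # Assumption: each run opens with an informational "policy processing ... starting"
    # message; everything at or after that timestamp belongs to the latest run.
    $start = $sorted | Where-Object { $_.Message -match 'policy processing.*(start|begin)' } |
             Select-Object -First 1
    $run = if ($start) { $sorted | Where-Object { $_.TimeCreated -ge $start.TimeCreated } } else { $sorted }

    # A successful escrow is the "successfully updated <directory>" event the post refers to.
    $escrowed = $run | Where-Object {
        $_.Message -match 'successfully updated' -and $_.Message -match 'Azure|Entra|Active Directory'
    }
    $errors = $run | Where-Object { $_.LevelDisplayName -eq 'Error' }

    [pscustomobject]@{
        RunStarted = if ($start) { $start.TimeCreated } else { $null }
        Escrowed   = [bool]$escrowed
        Errors     = @($errors | ForEach-Object { '{0}: {1}' -f $_.Id, ($_.Message -split "`n")[0] })
    }
}

# Constructed sample, not real log output (IDs are placeholders): a run that
# could not hand the password to the directory, which is what a disabled tenant
# toggle looks like from the device side.
$sample = @(
    [pscustomobject]@{ TimeCreated = (Get-Date).AddMinutes(-5); Id = 10003
                       LevelDisplayName = 'Information'
                       Message = 'LAPS policy processing is now starting.' }
    [pscustomobject]@{ TimeCreated = (Get-Date).AddMinutes(-4); Id = 10099
                       LevelDisplayName = 'Error'
                       Message = 'LAPS failed to update Azure Active Directory with the new password.' }
)
Get-LapsLastRunResult -Events $sample          # Escrowed = False, one error listed

# Live check on a managed device (elevated):
Get-LapsLastRunResult -Events (Get-WinEvent -LogName 'Microsoft-Windows-LAPS/Operational' -MaxEvents 50)
```

Pair this with Invoke-LapsPolicyProcessing from Step 3: force a run, then call the function, and you have a repeatable "does this device escrow" check for the test device the conclusion tells you to confirm before rolling out.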

Step 4 — Retrieve and rotate the password

When you need the password — a support call, a recovery, an offline device — open the device in the Intune admin center under Devices → Windows, select the device, and choose Local admin password. The Entra admin center exposes the same thing under the device's Local administrator password recovery blade. Every retrieval is recorded in the audit log, which is exactly what you want for a credential this sensitive.

Reading a password is gated behind the microsoft.directory/deviceLocalCredentials/password/read permission. Roles such as Cloud Device Administrator, Intune Administrator, and Global Administrator hold it; a regular helpdesk role does not, and the only way to extend it is a custom role that carries the permission. After a recovery, trigger a manual rotation rather than waiting for the age timer, so the password you just exposed stops working. From the same device page in Intune you can rotate on demand, or on the client run Reset-LapsPassword.
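Both halves of Step 4 can be scripted, which matters when a support workflow needs to pull a password and then guarantee it is rotated. The following is an added example, not code from the original post. It uses Get-LapsAADPassword from the built-in LAPS module (which authenticates through Connect-MgGraph) to confirm escrow without exposing the secret, then fetches the password, and finally requests an Intune rotation through the beta rotateLocalAdminPassword device action. It assumes the Microsoft.Graph.Authentication module, an account holding the deviceLocalCredentials read permission, and an Intune role allowed to run device actions; the action's beta endpoint is used as published at the time of writing.

```powershell
# Added example (not from the original post): retrieve the escrowed password for
# one device and request a rotation afterwards, from PowerShell.
# Assumes: LAPS module (built into supported Windows builds), Microsoft.Graph.Authentication,
# and an account that can consent to the scopes below.
Connect-MgGraph -Scopes 'DeviceLocalCredential.Read.All', 'Device.Read.All',
                        'DeviceManagementManagedDevices.PrivilegedOperations.All' -NoWelcome

function Confirm-LapsEscrow {
    # Metadata only: proves a password is escrowed without revealing it.
    param([Parameter(Mandatory)] [string]$DeviceName)
    $meta = Get-LapsAADPassword -DeviceIds $DeviceName
    if (-not $meta) {
        throw "No escrowed password for '$DeviceName'. Check the tenant toggle and the device's LAPS log."
    }
    '{0}: last escrowed {1:u}' -f $meta.DeviceName, $meta.PasswordUpdateTime
}

function Get-LapsEscrowedPassword {
    # Pulls the secret itself, in plain text, for a one-off support session.
    # Every call is written to the directory audit log.
    param([Parameter(Mandatory)] [string]$DeviceName)
    $cred = Get-LapsAADPassword -DeviceIds $DeviceName -IncludePasswords -AsPlainText
    [pscustomobject]@{
        Device   = $cred.DeviceName
        Account  = $cred.Account
        Password = $cred.Password
        Expires  = $cred.PasswordExpirationTime
    }
}

function Invoke-LapsRotation {
    # Intune "Rotate local admin password" device action (Graph beta, assumption
    # that the endpoint shape is unchanged). The new password is escrowed at the
    # device's next LAPS run, not instantly.
    param([Parameter(Mandatory)] [string]$DeviceName)
    $q   = [uri]::EscapeDataString("deviceName eq '$DeviceName'")
    $res = Invoke-MgGraphRequest -Method GET `
        -Uri "https://graph.microsoft.com/beta/deviceManagement/managedDevices?`$filter=$q&`$select=id,deviceName"
    $dev = $res.value | Select-Object -First 1
    if (-not $dev) { throw "Device '$DeviceName' not found in Intune." }
    Invoke-MgGraphRequest -Method POST `
        -Uri "https://graph.microsoft.com/beta/deviceManagement/managedDevices/$($dev.id)/rotateLocalAdminPassword" | Out-Null
    "Rotation requested for '$DeviceName' (Intune id $($dev.id))."
}

# Typical support flow: confirm, retrieve, use, rotate.
$device = 'LAPTOP-01'                    # hypothetical device name
Confirm-LapsEscrow -DeviceName $device
$local = Get-LapsEscrowedPassword -DeviceName $device
$local | Select-Object Device, Account, Expires    # show everything except the secret
Invoke-LapsRotation -DeviceName $device
```

The split between Confirm-LapsEscrow and Get-LapsEscrowedPassword is deliberate: most "is LAPS working" questions can be answered from metadata alone, and you only burn an audited password read when someone actually needs to log in.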

Step 5 — Plan around legacy LAPS if it is still present

If you previously deployed the old Microsoft LAPS, both can be present at once. When the legacy client-side extension is installed and only the legacy policy applies, Windows LAPS goes into "legacy LAPS emulation" mode on that device and honours the legacy settings, so the two do not fight over the same managed account. Once a Windows LAPS policy (from Intune or Group Policy) reaches the device, it takes precedence and emulation ends. That is a transition aid, not a destination. The clean path is to point Windows LAPS at Entra ID through Intune, confirm passwords are landing in the directory, and then retire the legacy GPO and MSI. Running both indefinitely just gives you two systems that can disagree about the current password.
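Whether the Intune policy from Step 2 or a leftover legacy GPO is actually in charge on a given device comes down to which policy source Windows LAPS finds first. The script below is an added example, not code from the original post, covering both Step 2 (did the settings land as intended?) and Step 5 (is anything shadowing or replacing them?). It reads the registry locations Microsoft documents as the Windows LAPS policy sources, in their documented precedence order (CSP, then Group Policy, then local configuration, then legacy LAPS), and checks the winning source against the baseline from Step 2. The registry paths, the CSP value names and the numeric encodings (BackupDirectory 1 = Entra ID, complexity 4 = all four character classes, post-authentication action 3 = reset and log off) are taken from the Windows LAPS policy settings reference; the baseline thresholds are this post's recommendations. Run it elevated on a managed device.

```powershell
# Added example (not from the original post): which Windows LAPS policy source
# wins on this device, and does it meet the Step 2 baseline?
# Sources in precedence order, as documented for Windows LAPS.
$sources = [ordered]@{
    'CSP (Intune)'        = 'HKLM:\SOFTWARE\Microsoft\Policies\LAPS'
    'Group Policy'        = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\LAPS'
    'Local configuration' = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\LAPS\Config'
    'Legacy LAPS GPO'     = 'HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd'
}

function Get-LapsPolicySources {
    # Every source present on the box, highest precedence first, so a legacy GPO
    # still lurking beneath the Intune policy shows up.
    foreach ($entry in $sources.GetEnumerator()) {
        if (Test-Path $entry.Value) {
            [pscustomobject]@{
                Source   = $entry.Key
                Path     = $entry.Value
                IsLegacy = $entry.Key -like 'Legacy*'
                Settings = Get-ItemProperty -Path $entry.Value
            }
        }
    }
}

function Test-LapsBaseline {
    # Absent values fall back to the Windows LAPS defaults
    # (BackupDirectory 0, 30 days, 14 characters, complexity 4, action 3).
    $present = @(Get-LapsPolicySources)
    if (-not $present) {
        return [pscustomobject]@{ Source = 'none'; Compliant = $false
                                  Findings = @('No Windows LAPS policy found; the Intune policy has not applied yet.') }
    }
    $winner = $present[0]
    $s = $winner.Settings
    $pick = { param($v, $default) if ($null -ne $v) { $v } else { $default } }
    $findings = @()
    if ($winner.IsLegacy) {
        $findings += 'Only a legacy LAPS policy applies: the device is in legacy emulation mode and is not escrowing to Entra ID.'
    } else {
        $backup = & $pick $s.BackupDirectory 0
        $age    = & $pick $s.PasswordAgeDays 30
        $len    = & $pick $s.PasswordLength 14
        $cplx   = & $pick $s.PasswordComplexity 4
        $action = & $pick $s.PostAuthenticationActions 3
        if ($backup -ne 1) { $findings += "BackupDirectory is $backup; expected 1 (Entra ID only)." }
        if ($age -gt 30)   { $findings += "PasswordAgeDays is $age; expected 30 or less." }
        if ($len -lt 20)   { $findings += "PasswordLength is $len; expected 20 or more." }
        if ($cplx -lt 4)   { $findings += "PasswordComplexity is $cplx; expected 4 (all character classes) or higher." }
        if ($action -lt 3) { $findings += "PostAuthenticationActions is $action; expected at least 3 (reset and log off)." }
        if ($present.Count -gt 1) {
            $shadowed = ($present | Select-Object -Skip 1).Source -join ', '
            $findings += "Lower-precedence sources still present, retire them: $shadowed."
        }
    }
    [pscustomobject]@{ Source = $winner.Source; Compliant = ($findings.Count -eq 0); Findings = $findings }
}

Test-LapsBaseline | Format-List
```

A device that reports Source = CSP (Intune) with no findings is where you want the whole fleet to end up; anything reporting Legacy LAPS GPO as the winner is a device the Intune policy has not reached yet, and that is the list to work through before the legacy GPO is unlinked.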

Frequently Asked Questions

Do I need a separate license for Windows LAPS in Intune?

No additional LAPS license exists. Windows LAPS is part of the operating system, and managing it through Intune needs an Intune Plan 1 entitlement, which is included in Microsoft 365 E3, E5, and the EMS bundles. The Entra ID directory backup is available on the standard Entra tiers.

Does Windows LAPS work on Entra-joined devices, or only hybrid joined?

Both. Backing up to Entra ID works for Entra-joined and Microsoft Entra hybrid-joined devices; Entra-registered (workplace-joined) devices are not supported. If you choose Active Directory as the backup directory instead, the device needs line of sight to a domain controller. For a cloud-managed fleet, Entra ID backup is the simpler choice.

What happens if I never enable the tenant-level LAPS setting?

The Intune policy still deploys and the client still tries to escrow a new password, but the directory refuses to store it. Windows LAPS writes the new password to the directory before it changes the local account, so when the escrow fails the local password is not rotated either, and recovery never works. The device's LAPS operational log records the failure. This is the single most common reason a correctly configured policy appears to do nothing.

Can helpdesk staff read LAPS passwords by default?

Only if their role includes the deviceLocalCredentials read permission. Standard helpdesk roles do not. You either assign a role that carries it or build a custom role, and every read is written to the audit log. Treat the ability to retrieve a local admin password as the privileged action it is.
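The practical follow-up question is "so who in my tenant can read them right now?", and the answer is not obvious from the role names alone once custom roles exist. The script below is an added example, not code from the original post: it enumerates every directory role definition whose permissions include microsoft.directory/deviceLocalCredentials/password/read, then lists the active assignments for each. It assumes the Microsoft.Graph.Authentication module and consent to RoleManagement.Read.Directory and Directory.Read.All. It reads active assignments only; if you use PIM, eligible assignments will not appear here.

```powershell
# Added example (not from the original post): which roles carry the LAPS
# password-read permission, and who holds them.
# Assumes Microsoft.Graph.Authentication and the two read scopes below.
Connect-MgGraph -Scopes 'RoleManagement.Read.Directory', 'Directory.Read.All' -NoWelcome

$lapsRead = 'microsoft.directory/deviceLocalCredentials/password/read'

function Get-GraphAll {
    # Follows @odata.nextLink so large tenants are fully enumerated.
    param([Parameter(Mandatory)] [string]$Uri)
    do {
        $page = Invoke-MgGraphRequest -Method GET -Uri $Uri
        $page.value
        $Uri = $page.'@odata.nextLink'
    } while ($Uri)
}

function Get-LapsReaderRoles {
    # Built-in and custom role definitions whose resource actions include the
    # single action that gates password reads.
    Get-GraphAll -Uri 'https://graph.microsoft.com/v1.0/roleManagement/directory/roleDefinitions' |
        Where-Object {
            $actions = @($_.rolePermissions | ForEach-Object { $_.allowedResourceActions })
            $actions -contains $lapsRead
        }
}

function Get-LapsReaders {
    foreach ($role in Get-LapsReaderRoles) {
        $q = [uri]::EscapeDataString("roleDefinitionId eq '$($role.id)'")
        $assignments = Get-GraphAll -Uri "https://graph.microsoft.com/v1.0/roleManagement/directory/roleAssignments?`$filter=$q"
        foreach ($a in $assignments) {
            # Resolve the principal (user, group or service principal) to a name.
            $p = Invoke-MgGraphRequest -Method GET -Uri "https://graph.microsoft.com/v1.0/directoryObjects/$($a.principalId)"
            [pscustomobject]@{
                Role      = $role.displayName
                IsBuiltIn = $role.isBuiltIn
                Principal = $p.displayName
                Type      = ($p.'@odata.type' -replace '#microsoft.graph.', '')
                Scope     = $a.directoryScopeId      # '/' means tenant-wide
            }
        }
    }
}

Get-LapsReaders | Sort-Object Role, Principal | Format-Table -AutoSize
```

Run this periodically and diff the output: a new custom role that quietly picked up the deviceLocalCredentials read action, or a group assignment that widened who can pull passwords, is exactly the kind of drift that turns a well-scoped control into a broadly readable secret store.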

How often should the password rotate?

Thirty days is a reasonable baseline, and the password should also rotate immediately after any recovery via the post-authentication actions. The point is that a password an attacker recovers from one device has a short, bounded lifetime and does not unlock anything else.

Conclusion

Windows LAPS through Intune is one of the higher-value, lower-effort hardening steps available for a cloud-managed Windows fleet. There is no agent to package, no schema to extend, and no shared secret left sitting in a gold image. Once the tenant setting is on and the account protection policy is assigned, every device quietly manages its own unique local administrator password and rotates it on a schedule.

The one genuinely sharp edge is that tenant-level toggle. It is easy to miss, it produces no obvious error in the Intune console, and it makes the whole thing look broken until you find it. Flip it first, confirm a test device escrows its password, and the rest is mostly leaving it alone — which, for a security control, is the best kind.

Editorial note: posts on this blog are drafted with AI assistance and then reviewed, edited, and tested against a real environment before publishing. Commands, output, and screenshots come from systems I actually ran the work on.

About the author

SecurityScriptographer is written and maintained by one person — a defender who builds and tests the detections, scripts, and Microsoft 365 workflows here before publishing them. More about me · @twi_nox
