Windows LAPS: Advanced protection of local administrator passwords through Microsoft Intune

Like its predecessor Microsoft LAPS, Windows LAPS is a password management solution that lets you control the local administrator account passwords of Windows devices. Passwords are generated dynamically and rotated regularly according to the configured policies. Unlike its predecessor, the new version of LAPS can store passwords not only in the Active Directory infrastructure but also in Azure Active Directory.
Another difference is that this solution is fully integrated into the operating system, so it is no longer necessary to distribute a separate client.

In this article, we will dive deeper into hardening local administrator passwords by leveraging the Microsoft Intune management tool.

Overview and requirements

Windows LAPS improves an organization's security posture by reducing the attack surface; specifically, it mitigates the lateral-movement risk that arises when every system shares the same local administrator password.
Local administrator passwords are a prime target for attackers trying to gain access to Windows systems. Once attackers hold local administrator credentials, they can easily compromise the system, access sensitive resources, and move between the various Windows systems in the enterprise.

As outlined above, LAPS works by generating a random, unique password for each local administrator account, assigning it, and managing it securely through Active Directory or Azure Active Directory; the password is stored encrypted and can only be retrieved by authorized users.
Additionally, LAPS provides automatic password rotation, so local administrator passwords are changed regularly and a stolen password stays usable for only a limited time.

In summary, the advantages of using this solution are many:

  • Enhanced security: Windows LAPS helps protect local administrative accounts from targeted cyberattacks; this helps prevent breaches and minimizes the risk of data loss or reputational damage.
  • Cost reduction: Windows LAPS provides full management of local administrator passwords at no additional cost, since the solution is fully integrated into the Windows 10 and Windows 11 operating systems.
  • Centralized management: LAPS allows you to manage passwords centrally, using Microsoft Intune to drive the configuration and Active Directory/Azure Active Directory as the password repository.

In order to proceed with the activation of Windows LAPS, the following prerequisites must be met:

  • Windows 11 version 21H2 (or later) with April CU 2023
  • Windows 10 version 21H2 (or later) with April CU 2023
  • Windows Server 2022 with April CU 2023
  • Windows Server 2019 with April CU 2023
  • Microsoft Intune license for configuration policy management through the management tool
  • If you want to back up to Azure Active Directory, the devices must be in Hybrid join or directly joined to Azure AD;
    • If the device is joined to the Active Directory infrastructure only, it will be possible to save the password only within your own on-premise AD infrastructure.

In the following sections, we walk through the steps needed to use this solution in the Azure Active Directory join scenario with Microsoft Intune as the management tool.

Activation

The first step in starting to use the solution is to enable password management from the Microsoft Entra console; the procedure consists of a few simple steps:

  • Log in to the Microsoft Entra admin center console with administrative credentials;
  • Select Devices – All Devices – Device settings;
  • Move the slider to Yes for the Enable Azure AD Local Administrator Password Solution (LAPS) option;
Figure 1 – Enable Azure AD Local Administrator Password Solution (LAPS)
  • Confirm the change using the Save button;

Once this procedure has been completed, you can create the configuration profile that instructs the Windows 10/Windows 11 operating system on how to manage the local administrator password.

Policy Creation

With the release of Service Release 2304, the configuration policies for the Windows LAPS functionality can be created directly from the graphical interface (previously it was necessary to prepare Custom Profiles); these configuration policies are available in the Endpoint Security section.

Below are the steps required to create a new Endpoint Security policy:

  • Log in to the Microsoft Intune admin center console with administrative credentials;
  • Select Endpoint Security – Account Protection;
  • Press the Create Policy button;
  • From the drop-down menu Platform select the item Windows 10 and later;
  • From the Profile drop-down menu, select the Local admin password solution (Windows LAPS) item;
Figure 2 – Profile selection
  • Press the Create button;
  • Assign a name and, optionally, a description to the configuration profile and press the Next button;
  • From the Backup Directory drop-down menu, select the Backup the password to Azure AD only option;
Figure 3 – Backup password to Azure AD only
  • Set the remaining settings based on your needs:
    • Password age days: this option allows you to indicate the maximum time (in days) for the password to last before being regenerated.
    • Administrator account name: this option allows you to define the name of the local account to be managed by Windows LAPS; if nothing is specified, the local administrator account is managed by default.
    • Password Complexity: this option defines the complexity of the passwords generated by Windows LAPS; the following complexity levels are available:
      • Uppercase letters
      • Uppercase + lowercase letters
      • Uppercase letters + lowercase letters + numbers
      • Uppercase letters + lowercase letters + numbers + special characters
    • Password Length: it is possible to set the length of the generated password starting from a minimum of 8 characters up to a maximum of 64 characters; by default, the generated password will be 14 characters long.
    • Post Authentication Actions: this option allows you to specify the actions to be taken when the period configured in the Post Authentication Reset Delay setting expires; the available actions are:
      • Reset password: The password of the managed account is reset.
      • Reset password and sign out: In addition to resetting the password, every interactive session of the managed account is terminated.
      • Reset password and reboot: The managed account password is reset and the managed device is rebooted.
Figure 4 – Post Authentication Actions
  • Confirm the changes using the Next button;
  • Press the Next button again;
  • Click on Add groups and select an Azure AD group containing the devices involved or select Add all devices;
  • Press the Create button to complete the policy creation process;
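The settings above are pushed to each device by the LAPS configuration service provider (CSP) and land in the device registry. The following PowerShell script is an added example, not code from the original article or from Microsoft: run on a managed device, it reads the LAPS settings Intune delivered, decodes the numeric codes into the labels used by the Intune profile, compares them with a baseline you intend to enforce, and, if everything matches, forces an immediate policy cycle with the built-in Invoke-LapsPolicyProcessing cmdlet. It assumes that CSP-delivered LAPS policy lives under HKLM\SOFTWARE\Microsoft\Policies\LAPS with value names equal to the CSP setting names, and that the numeric defaults in the script are the documented Windows LAPS defaults; the baseline values are constructed for illustration.

```powershell
# Added example (not from the original article): verify which Windows LAPS settings the
# Intune profile delivered to this device and compare them with an intended baseline.
# Assumption: Intune/CSP-delivered LAPS policy is stored under
# HKLM\SOFTWARE\Microsoft\Policies\LAPS, with value names equal to the CSP setting names.
$LapsCspKey = 'HKLM:\SOFTWARE\Microsoft\Policies\LAPS'

# Numeric codes used by the LAPS CSP, mapped to the labels shown in the Intune profile.
$BackupDirectoryNames = @{ 0 = 'Disabled'; 1 = 'Azure AD only'; 2 = 'Active Directory only' }
$ComplexityNames = @{
    1 = 'Uppercase letters'
    2 = 'Uppercase + lowercase letters'
    3 = 'Uppercase letters + lowercase letters + numbers'
    4 = 'Uppercase letters + lowercase letters + numbers + special characters'
}
$PostAuthActionNames = @{ 1 = 'Reset password'; 3 = 'Reset password and sign out'; 5 = 'Reset password and reboot' }

function Get-ValueOrDefault {
    # Returns the registry value if Intune set it, otherwise the supplied Windows LAPS default.
    param($Properties, [string]$Name, $Default)
    if ($null -ne $Properties.$Name) { return $Properties.$Name }
    return $Default
}

function Get-LapsCspPolicy {
    # Returns the effective LAPS settings as one object. The defaults used here are the
    # documented Windows LAPS defaults applied when the profile leaves a setting unconfigured.
    $p = Get-ItemProperty -Path $LapsCspKey -ErrorAction SilentlyContinue
    if (-not $p) { throw "No LAPS CSP policy under $LapsCspKey - the Intune profile has not applied yet." }

    $rawBackup     = [int](Get-ValueOrDefault $p 'BackupDirectory' 0)
    $rawComplexity = [int](Get-ValueOrDefault $p 'PasswordComplexity' 4)
    $rawAction     = [int](Get-ValueOrDefault $p 'PostAuthenticationActions' 3)
    $account       = [string](Get-ValueOrDefault $p 'AdministratorAccountName' '')
    $accountLabel  = '(built-in Administrator)'
    if ($account) { $accountLabel = $account }

    [pscustomobject]@{
        BackupDirectory              = $BackupDirectoryNames[$rawBackup]
        AdministratorAccountName     = $accountLabel
        PasswordAgeDays              = [int](Get-ValueOrDefault $p 'PasswordAgeDays' 30)
        PasswordComplexity           = $ComplexityNames[$rawComplexity]
        PasswordLength               = [int](Get-ValueOrDefault $p 'PasswordLength' 14)
        PostAuthenticationResetDelay = [int](Get-ValueOrDefault $p 'PostAuthenticationResetDelay' 24)
        PostAuthenticationActions    = $PostAuthActionNames[$rawAction]
    }
}

function Test-LapsBaseline {
    # Compares the effective policy with the intended values and returns one finding per deviation.
    param([Parameter(Mandatory)][hashtable]$Baseline)
    $policy = Get-LapsCspPolicy
    foreach ($setting in $Baseline.Keys) {
        if ($policy.$setting -ne $Baseline[$setting]) {
            [pscustomobject]@{ Setting = $setting; Expected = $Baseline[$setting]; Actual = $policy.$setting }
        }
    }
}

# Constructed baseline mirroring the profile described above: Azure AD backup, 30-day
# rotation, full complexity, 20-character passwords, sign-out after the password is used.
$ExpectedBaseline = @{
    BackupDirectory           = 'Azure AD only'
    PasswordAgeDays           = 30
    PasswordComplexity        = 'Uppercase letters + lowercase letters + numbers + special characters'
    PasswordLength            = 20
    PostAuthenticationActions = 'Reset password and sign out'
}

Get-LapsCspPolicy | Format-List
$findings = @(Test-LapsBaseline -Baseline $ExpectedBaseline)
if ($findings.Count -eq 0) {
    Write-Host 'LAPS policy matches the baseline; forcing an immediate policy cycle.'
    # Built-in LAPS module cmdlet (requires elevation): applies the policy now instead of
    # waiting for the next scheduled processing cycle.
    Invoke-LapsPolicyProcessing
} else {
    $findings | Format-Table -AutoSize
}
```

Run the script from an elevated PowerShell session on a device that has already synced with Intune. A deviation in PasswordLength or PasswordComplexity usually means the profile is still assigned an older revision or a conflicting profile wins; the findings table tells you which setting to look for in the Intune device configuration report.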

Once the policy is successfully applied on Windows 10 and Windows 11 systems, the Windows LAPS solution will initiate the local administrator password management process.

Password retrieval

Taking advantage of the full integration between Microsoft 365 services, recovering the password generated by Windows LAPS is very simple; in fact, two options are available to recover the local administrator password: through the Microsoft Intune console or from the Microsoft Entra portal.

In the first case, you need to:

  • Log in to the Microsoft Intune admin center console with administrative credentials;
  • Select Devices – All devices;
  • Click the name of the device involved;
  • Access the Local admin password section;
  • If the device has correctly applied the defined policies, an entry for viewing the password will be shown;
Figure 5 – Show local administrator password
  • Clicking the Show local administrator password item opens a new section where the generated password can be viewed or copied and its expiry information checked;
Figure 6 – Local administrator password details

The second option for password recovery is the Microsoft Entra portal; in this case too, the procedure consists of a few simple steps:

  • Log in to the Microsoft Entra admin center console with administrative credentials;
  • Select Devices – All Devices – Local administrator password recovery (Preview);
  • Search for the device name and click the Show local administrator password option;
Figure 6 – Local administrator password recovery (Preview)
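Besides the two portals, the same Azure AD backup can be queried with the LAPS PowerShell module that ships with the Windows versions listed in the requirements. The script below is an added example, not code from the original article or from Microsoft: it audits a list of devices for missing, stale or expired password backups without reading any secret, and shows how to retrieve one password as a PSCredential (the password stays a SecureString, so it is never displayed). It assumes that the LAPS and Microsoft.Graph.Authentication modules are installed, that the signed-in account is authorized in Azure AD to read local administrator passwords, and that Get-LapsAADPassword returns the DeviceName, Account, Password, PasswordUpdateTime and PasswordExpirationTime properties; the device names are constructed for illustration.

```powershell
# Added example (not from the original article): audit Windows LAPS passwords backed up
# to Azure AD and retrieve one as a credential object, using the built-in LAPS module.
# Assumptions: the LAPS and Microsoft.Graph.Authentication modules are installed and the
# signed-in account is authorized in Azure AD to read local administrator passwords.
Import-Module LAPS
Import-Module Microsoft.Graph.Authentication

# DeviceLocalCredential.Read.All is needed because Get-LapsAdminCredential below reads the
# password itself; a metadata-only audit needs only DeviceLocalCredential.ReadBasic.All.
Connect-MgGraph -Scopes 'DeviceLocalCredential.Read.All', 'Device.Read.All' | Out-Null

function Get-LapsBackupStatus {
    # Reports, for each device name, whether a password has been backed up to Azure AD,
    # when it was last rotated and whether it has already expired. No secret is read.
    param(
        [Parameter(Mandatory)][string[]]$DeviceNames,
        [int]$StaleAfterDays = 30      # mirrors the Password age days setting in the profile
    )
    foreach ($name in $DeviceNames) {
        try {
            # Without -IncludePasswords the cmdlet returns only the metadata fields.
            $entry = Get-LapsAADPassword -DeviceIds $name -ErrorAction Stop
            $now = Get-Date
            $ageDays = [int]($now - $entry.PasswordUpdateTime).TotalDays
            $status = 'OK'
            if ($entry.PasswordExpirationTime -lt $now) { $status = 'EXPIRED' }
            elseif ($ageDays -gt $StaleAfterDays)   { $status = 'STALE' }
            [pscustomobject]@{
                Device      = $entry.DeviceName
                Account     = $entry.Account
                LastRotated = $entry.PasswordUpdateTime
                Expires     = $entry.PasswordExpirationTime
                Status      = $status
            }
        } catch {
            # No backed-up password usually means the policy has not applied to this device yet.
            [pscustomobject]@{
                Device = $name; Account = $null; LastRotated = $null; Expires = $null
                Status = "NO BACKUP ($($_.Exception.Message))"
            }
        }
    }
}

function Get-LapsAdminCredential {
    # Returns the current local administrator password as a PSCredential. Because
    # -AsPlainText is not used, the password stays a SecureString and can be handed to
    # cmdlets such as Enter-PSSession without ever being printed or logged.
    param([Parameter(Mandatory)][string]$DeviceName)
    $entry = Get-LapsAADPassword -DeviceIds $DeviceName -IncludePasswords -ErrorAction Stop
    [pscredential]::new("$($entry.DeviceName)\$($entry.Account)", $entry.Password)
}

# Constructed device names for illustration; replace with names taken from Intune > Devices.
Get-LapsBackupStatus -DeviceNames 'LAPTOP-001', 'LAPTOP-002' | Format-Table -AutoSize

# Retrieving one password for support work: the secret never appears on screen.
$cred = Get-LapsAdminCredential -DeviceName 'LAPTOP-001'
Write-Host "Credential ready for $($cred.UserName); pass `$cred to the cmdlet that needs it."
```

A device reported as NO BACKUP after the profile has been assigned for a while is the first thing to investigate: it is still protected only by whatever password it had before LAPS, which is exactly the shared-credential condition the solution is meant to remove. An EXPIRED entry is normally transient, since the device rotates the password at its next policy cycle, but a device that stays expired is no longer checking in.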

Conclusions

This article has described the steps needed to activate the Windows LAPS solution by taking advantage of its integration with the Microsoft Intune management tool.
In summary, the Local Administrator Password Solution (LAPS) offers numerous benefits from a business perspective, including greater security through the reduction of lateral-movement attacks, centralized management of passwords, and savings in time and resources. LAPS is therefore a recommended solution for companies that want to protect their data and improve their security posture.
