Windows LAPS with Intune: One admin password per device, finally.

Hi, still running one local admin password across all your Windows devices?

Oof.

That’s like using the same toothbrush for the whole office — unhygienic and a great way to spread… malware.

Microsoft saw this mess and said: “Let’s fix it properly.”
Enter: Windows LAPS — now fully built into Windows and managed through Intune like a pro.

🧠 What is LAPS, really?

LAPS = Local Administrator Password Solution.

It auto-generates a random, unique password for the local admin account on every machine. Then stores that password securely in Microsoft Entra ID or Active Directory.

No more sticky notes under keyboards. No more “Admin123!” on every laptop.

🛠 How does it actually work?

  • Every device gets its own local admin password.

  • Passwords rotate automatically (e.g. every 30 days).

  • Stored securely in Entra ID (cloud) or on-prem AD.

  • Only admins with permission can view or rotate passwords.

  • No agent, no legacy MSI — it’s built-in to modern Windows.

And Intune is the control panel for it all.

🚀 Why it’s a big deal

Before: You needed custom scripts, legacy LAPS clients, GPOs, maybe a lucky goat sacrifice.

Now: It’s a few clicks in Intune, and done. Cloud-native. Secure. Auditable.

📋 What do you need?

  • Windows 10/11 (April 2023 update or later).

  • Devices must be Entra ID joined or hybrid joined.

  • A valid Intune license (Plan 1+).

  • Enable LAPS in Entra ID → Devices → Device Settings.

  • Permissions: You’ll need Intune Admin or Cloud Device Admin to access passwords.

🧩 How to set it up (the no-BS version)

  1. Go to Microsoft Entra ID → Devices → Enable LAPS.

  2. In Intune, go to:
    Endpoint Security → Account Protection → Create Policy → Local admin password solution.

  3. Choose:

    • Target account (built-in admin or a custom one).

    • Password rotation interval.

    • Backup directory (Entra or AD).

  4. Assign the policy to a device group (don’t use user groups — it breaks stuff).

  5. Done. Monitor everything via reports.

🔍 Where to see the magic

  • Intune → Endpoint Security → Reports → LAPS.

  • Entra Portal → Devices → View Admin Password (if you have permissions).

  • Event Viewer → Applications and Services Logs → Microsoft → Windows → LAPS.

You’ll see who viewed which password and when.

⚠️ What not to screw up

  • ❌ Don’t apply multiple LAPS policies to one device. It’ll clash.

  • ❌ Don’t leave the default “Administrator” account active. Create a separate local admin if you can.

  • ❌ Don’t try to store passwords in both Entra ID and AD. Pick one.

  • ❌ Don’t forget to give access permissions to password viewers. No access = no rescue.

🧯 Bonus points

  • You can manually rotate a password via Intune.

  • Passwords are logged, encrypted, and auditable.

  • You can query them via Graph API, if you’re feeling spicy.

🧠 Final thoughts

LAPS isn’t just another checkbox. It’s essential ops hygiene.

With Intune, it’s finally painless — no legacy junk, no obscure reg edits. Just clean, secure, automated credential rotation for every device in your fleet.

Seriously — if you’re still copy-pasting passwords from Excel sheets…
you’re playing roulette with ransomware.