Enabling Microsoft “Cloud enabled LAPS” (Local Admin Password Solution)

Introduction to Microsoft LAPS

So, you may or may not already be familiar with Microsoft LAPS; if not, you should be. LAPS (Local Admin Password Solution) has for a long time been one of those great tools to have in the toolbox when it comes to securing your devices against lateral movement by a potential attacker, and Microsoft LAPS has been around for quite some time already.

This tool was originally available for deployment to server/desktop devices connected to a traditional (on-prem) domain setup. It gave you a simple way to rotate the password for the built-in local administrator account on the device. This ensured that all devices had a unique password, and that this password was changed at set intervals. This is an important thing to do to limit the attack surface via your devices: far too many organizations use the same local admin password across a multitude of devices, or all of them; this is a big no-no.

With LAPS, as an admin, you had a UI where you could look up the password for a device if you needed it. But times changed, and devices are moving to the cloud. With this change, the need for a similar solution to LAPS came creeping, as the original LAPS is not cloud enabled.

Therefore we had to solve this with custom solutions in a cloud scenario. A few options exist for this, such as Azure Key Vaults, custom PowerShell scripts and proactive remediations via Intune. While this solved the need, it is not ideal.

This changed as of April 2023, and Microsoft has now introduced Microsoft LAPS (Preview) with support for configuration via Intune and for saving the passwords to Azure AD, giving us, once again, a native LAPS solution to handle the local admin account.

To give a quick overview of what LAPS is for those new to the solution, I am including the following info from Microsoft.

What is Windows LAPS?

Windows Local Administrator Password Solution (Windows LAPS) is a Windows feature that automatically manages and backs up the password of a local administrator account on your Azure Active Directory-joined or Windows Server Active Directory-joined devices.

You also can use Windows LAPS to automatically manage and back up the Directory Services Restore Mode (DSRM) account password on your Windows Server Active Directory domain controllers. An authorized administrator can retrieve the DSRM password and use it.

Benefits of using Windows LAPS

Use Windows LAPS to regularly rotate and manage local administrator account passwords and get these benefits:

  • Protection against pass-the-hash and lateral-traversal attacks
  • Improved security for remote help desk scenarios
  • Ability to sign in to and recover devices that are otherwise inaccessible
  • A fine-grained security model (access control lists and optional password encryption) for securing passwords that are stored in Windows Server Active Directory
  • Support for the Azure role-based access control model for securing passwords that are stored in Azure Active Directory

Key Windows LAPS scenarios

You can use Windows LAPS for several primary scenarios:

  • Back up local administrator account passwords to Azure Active Directory (for Azure Active Directory-joined devices)
  • Back up local administrator account passwords to Windows Server Active Directory (for Windows Server Active Directory-joined clients and servers)
  • Back up DSRM account passwords to Windows Server Active Directory (for Windows Server Active Directory domain controllers)
  • Back up local administrator account passwords to Windows Server Active Directory by using legacy Microsoft LAPS

Understand device join state restrictions

Whether a device is joined to Azure Active Directory or Windows Server Active Directory determines how you can use Windows LAPS.

  • Devices that are joined only to Azure Active Directory can back up passwords only to Azure Active Directory.
  • Devices that are joined only to Windows Server Active Directory can back up passwords only to Windows Server Active Directory.
  • Devices that are hybrid-joined (joined to both Azure Active Directory and Windows Server Active Directory) can back up their passwords either to Azure Active Directory or to Windows Server Active Directory. You can’t back up passwords to both Azure Active Directory and Windows Server Active Directory.
  • Windows LAPS doesn’t support Azure Active Directory workplace-joined clients.

Setting up “Cloud” LAPS

So let's get started with enabling this feature and doing what needs to be done to deploy it to your devices.

Activate the LAPS (preview) slider in Azure AD

Intune Configuration

For the Intune configuration, we need to:

  1. Create an Account Protection configuration for LAPS
    • Optional: include the name of your local admin account (only if you are managing another named account, not the built-in Administrator account)
  2. Create a configuration profile to enable the local admin account

Create an Account Protection Configuration for LAPS

The configuration for LAPS itself is done via the Account protection part of Endpoint Security in Intune.

Log in to the Intune admin center
Go to Endpoint Security>Account Protection
Hit Create Policy

In the “Create a profile” dialog choose “Windows 10 and later” for platform,
and select “Local admin password solution (Windows LAPS)” in the profile selection.
Click “Create”

On the next screen, give the profile a name and optionally a description, and click Next.

On the next screen, adjust the settings for LAPS based on your needs and liking, and click Next.

I choose the following:
Backup Directory: Azure AD only (devices must be joined to Azure AD; see the join state restrictions from MS Learn quoted above)
Password Age: 7
Administrator Account Name: Not Configured (specify the name of the local admin account to be managed; if using the built-in Administrator account, leave this “not configured”. The default admin account will be managed even if renamed, because of its well-known SID (RID 500). If you specify another account here, that account needs to be created on the devices by other means.)
Password Complexity: Large + small letters + numbers + special
Password Length: 32
Post Authentication Actions: Reset the password and log off the managed account (the password will be reset and any running interactive sessions will be terminated)
Post Authentication Reset Delay: 24 (use this to configure how long to delay the post-authentication action after an authentication with the admin account)

If you are using scope tags, select them on the next screen; if not, just click Next.

Assign the profile to your targeted device/user group, or all users/groups.
I prefer to roll this out to all devices.

Last step is just to review your configuration, and hit Create.
Next we need to create a policy to enable the local admin account on the devices.

Create a configuration profile to enable the local admin account

If your devices are Entra joined, the built-in local admin account is disabled by default, so we need to enable it so that we are able to leverage the LAPS-managed account when we need it.

Head over to the Devices>Configuration blade and create a new policy
Platform = Windows 10 and later
Profile Type = Settings Catalog

Click Create

Give the Configuration profile a name and click Next

Click Add settings, search for “enable administrator”, check the box for “Accounts Enable Administrator Account Status” and close the flyout page.

Adjust the setting to Enable, and click Next.

On the Scopes page, configure scopes if you are using them, and click Next.

Add your assignments for who the profile should apply to (I prefer to assign all devices, but use what is appropriate in your environment), and click Next.

On the review page, check that everything looks OK, and click Create to finish creating the policy.
With this, you are done with the configuration, and the local admin account will start to be managed by LAPS with a rolling password.
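Once both profiles have been assigned, it helps to verify on a device that the policy actually landed with the values chosen above, rather than waiting for the first portal lookup. The following is an added example, not code from the original post or from Microsoft; it assumes that the Intune/CSP-delivered LAPS policy is written to HKLM:\SOFTWARE\Microsoft\Policies\LAPS with the numeric encoding of the LAPS CSP, and that the built-in LAPS PowerShell module is present on the device.

```powershell
# Added example (not from the original post): run elevated on an Entra-joined device
# to check that the Intune LAPS policy from this post has applied, and that the
# built-in (RID 500) Administrator account is enabled by the Settings Catalog profile.
# Assumption: CSP-delivered LAPS policy lands under this registry key.
$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Policies\LAPS'

# Expected values as chosen in the post, in the LAPS CSP's numeric encoding:
# BackupDirectory 1 = Azure AD only; PasswordComplexity 4 = large+small+numbers+special;
# PostAuthenticationActions 3 = reset the password and log off the managed account.
$Expected = @{
    BackupDirectory              = 1
    PasswordAgeDays              = 7
    PasswordComplexity           = 4
    PasswordLength               = 32
    PostAuthenticationActions    = 3
    PostAuthenticationResetDelay = 24
}

function Test-LapsPolicy {
    if (-not (Test-Path $PolicyKey)) {
        Write-Warning "No LAPS policy at $PolicyKey - has the Intune profile applied yet?"
        return $false
    }
    $actual = Get-ItemProperty -Path $PolicyKey
    $ok = $true
    foreach ($name in $Expected.Keys) {
        $value = $actual.$name
        if ($null -eq $value) { $value = '<not set>' }
        if ($value -ne $Expected[$name]) {
            Write-Warning ("{0}: expected {1}, got {2}" -f $name, $Expected[$name], $value)
            $ok = $false
        }
    }
    return $ok
}

function Test-BuiltinAdminEnabled {
    # The built-in Administrator keeps RID 500 even when renamed, so match on the SID, not the name.
    $admin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
    if (-not $admin.Enabled) {
        Write-Warning "Built-in admin '$($admin.Name)' is disabled - the enable-account profile has not applied."
    }
    return [bool]$admin.Enabled
}

if ((Test-LapsPolicy) -and (Test-BuiltinAdminEnabled)) {
    'Policy and managed account look correct; forcing a policy run so the first backup happens now.'
    Invoke-LapsPolicyProcessing   # built-in LAPS module cmdlet, available with the April 2023 update
} else {
    'Fix the warnings above before relying on LAPS on this device.'
}
```

The warnings point at the specific setting that differs, which is usually quicker than reading the Intune per-device setting status after a sync.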

Retrieving the password of devices

Now that your machines have a rolling admin password, you need to know how to get the current password for a device when you need it.
To get to the password, depending on which portal you are using, do the following:

Via the Intune admin portal

For the Intune portal, go to “Devices->Windows->Windows devices” and select the device you need the password for; this will open the device details.

Once on the device view, click “Local admin password” in the left navigation bar, click “Show local administrator password” and then click “Show” to reveal the current password for the local “Administrator” account of the device.

Note that the flyout will also give you information on when the password was last changed, and when the next change will occur.

Via the Azure admin portal

If you are going via the Azure portal, go to Azure Active Directory->Devices->All devices and select the needed device in the list.

PS: you could also just search for the device name directly in the Azure portal search bar.

The rest is pretty much the same as when going via the Intune admin portal.

On the device view, click “Local admin password” in the left navigation bar, click “Show local administrator password” and then click “Show” to reveal the current password for the local “Administrator” account of the device.

Note that the flyout will also give you information on when the password was last changed, and when the next change will occur.
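The same lookup, including the last-changed and next-change times shown in the portal flyout, can be scripted from an admin workstation. This is an added example, not from the original post or from Microsoft; it assumes the Windows LAPS and Microsoft.Graph.Authentication modules are installed, that Get-LapsAADPassword accepts the device display name in -DeviceIds, and that the signed-in account is permitted to read local credentials (the Cloud Device Administrator role, for instance).

```powershell
# Added example (not from the original post): read a device's current LAPS password
# from Azure AD with the Windows LAPS module instead of clicking through the portal.
# Run on an admin workstation, not on the managed device itself.
param([Parameter(Mandatory)][string]$DeviceName)

Import-Module LAPS
Import-Module Microsoft.Graph.Authentication

# DeviceLocalCredential.Read.All is needed to read the password itself; the
# ReadBasic.All scope would only return the metadata (last change / next change).
Connect-MgGraph -Scopes 'Device.Read.All', 'DeviceLocalCredential.Read.All' | Out-Null

# Assumption: -DeviceIds accepts the display name shown in the portal as well as the device id.
$cred = Get-LapsAADPassword -DeviceIds $DeviceName -IncludePasswords -AsPlainText
if (-not $cred) {
    Write-Warning "No LAPS credential stored for '$DeviceName' - check the device is Azure AD joined and has backed up at least once."
    return
}

# Same information as the portal flyout: account, when it was last rotated, and when the next rotation is due.
[pscustomobject]@{
    Device      = $cred.DeviceName
    Account     = $cred.Account
    LastChanged = $cred.PasswordUpdateTime
    NextChange  = $cred.PasswordExpirationTime
    Password    = $cred.Password
}
```

Because reads go through Microsoft Graph, they can be scoped with the same Azure RBAC model the post mentions under "Benefits", which is what makes scripted retrieval auditable rather than a shared secret in a ticket.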

Limitations

You now have a solution to handle the local admin password for your devices, and all is good in the world, or at least better.
But “native” LAPS has some limitations or missing features that would be nice to have.
Let's make a quick list of some of these:

  • Only supported on the Windows operating system.
  • Only handles the built-in (SID-500) or a single named admin account.
  • Not intended to handle end users' need for temporary admin permission elevation.
  • Primarily a tool for helpdesk/superusers with access to the admin portals to get the current password.

Conclusion

Microsoft LAPS (Preview) is filling the gap for a much requested feature for a modern endpoint world. Securing the local admin accounts with unique passwords across your devices is something you should always do. Even though pure Azure AD joined, Autopilot/Intune enabled devices have the built-in account disabled by default, you should still ensure that this account does not share a password with other devices, just to be safer from potential vulnerabilities.

Microsoft LAPS is filling the need for the good ol' legacy LAPS in a cloud workspace, giving you a tool that is easily available to helpdesk/admins for password retrieval in the MS admin portals, and getting rid of the need for custom-made solutions to fill this gap. In itself, this is a good-to-have, and in my mind a must-enable feature, regardless of your size and potential other need for a more powerful tool in terms of handling more advanced scenarios. It takes a minimum of time and impact to configure, and has no cost as of now.

Should you need a more powerful tool to handle more advanced requests like user elevation (normal users should not have local admin access), break-glass, MFA etc., I will be posting an article about another great tool that does all of this, and it can be used together with LAPS or standalone.
