## Create a LAPS policy
> [!INFO] Important
> Ensure that you have enabled LAPS in Microsoft Entra, as covered in the [Enabling Windows LAPS with Microsoft Entra ID](https://learn.microsoft.com/en-us/azure/active-directory/devices/howto-manage-local-admin-passwords#enabling-windows-laps-with-microsoft-entra-id) documentation.
To create or manage LAPS policy, your account must have applicable rights from the **Security baseline** category. By default, these permissions are included in the built-in role _Endpoint Security Manager_. To use custom roles, ensure the custom role includes the rights from the _Security baselines_ category. See [Role based access controls for LAPS](https://learn.microsoft.com/en-us/mem/intune/protect/windows-laps-overview#role-based-access-controls-for-laps).
Before you create a policy, you can review details about the available settings in the [Windows LAPS CSP](https://learn.microsoft.com/en-us/windows-server/identity/laps/laps-management-policy-settings#windows-laps-csp) documentation.
1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and go to **Endpoint security** > **Account protection**, and then select **Create Policy**.
![[Pasted image 20240822190640.png]]
- Set the _Platform_ to **Windows 10 and later**, _Profile_ to **Local admin password solution (Windows LAPS)**, and then select **Create**.
2. On **Basics**, enter the following properties:
- **Name**: Enter a descriptive name for the profile. Name profiles so you can easily identify them later.
- **Description**: Enter a description for the profile. This setting is optional but recommended.
3. On **Configuration settings**, configure a choice for **Backup Directory** to define the type of directory to use to back up the local admin account. You can also choose not to back up an account and password. The type of directory also determines which additional settings are available in this policy.
![[Pasted image 20240822190753.png]]
> [!INFO] Important
> When configuring a policy, keep in mind that the backup directory type in the policy must be supported by the join type of the device the policy is assigned to. For example, if you set the directory to Active Directory and the device isn’t domain joined (but a member of Microsoft Entra), the device can apply the policy settings from Intune without error, but LAPS on the device will not be able to successfully use that configuration to back up the account.
- After configuring _Backup Directory_, review and configure the available settings to meet your organization’s requirements.
4. On the **Scope tags** page, select any desired scope tags to apply, then select **Next**.
5. For **Assignments**, select the groups to receive this policy. We recommend assigning LAPS policy to device groups. Policies assigned to user groups follow a user from device to device. When the user of a device changes, a new policy might apply to the device and introduce inconsistent behavior, including which account the device backs up or when the managed account's password is next rotated.
> [!NOTE] Note
> As with all Intune policies, when a new policy applies to a device, Intune attempts to notify that device to check in and process the policy.
>
> Until a device successfully checks in with Intune and successfully processes its LAPS policy, data about its managed local admin account won’t be available to view or manage from within the admin center.
- For more information on assigning profiles, see [Assign user and device profiles](https://learn.microsoft.com/en-us/mem/intune/configuration/device-profile-assign).
6. In **Review + create**, review your settings and then select **Create**. When you select _Create_, your changes are saved, and the profile is assigned. The policy is also shown in the policy list.
## Example Configuration
### Local admin password solution (Windows LAPS)
| Name | Setting |
| ------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
| Backup Directory | Backup the password to Azure AD only |
| Password Age Days | 30 |
| Administrator Account Name | example-localadmin |
| Password Complexity | Large letters + small letters + numbers + special characters |
| Password Length | 14 |
| Post Authentication Actions | Reset the password and logoff the managed account: upon expiry of the grace period, the managed account password will be reset and any interactive logon sessions using the managed account will be terminated. |
| Post Authentication Reset Delay | 24 |
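The following PowerShell is an added example, not part of the Microsoft Learn article, for checking on a managed device (run elevated) that the policy above actually arrived with the expected values. It assumes that CSP-delivered LAPS settings are written under `HKLM:\SOFTWARE\Microsoft\Policies\LAPS` and that the numeric encodings in the comments follow the Windows LAPS CSP documentation linked earlier on this page.

```powershell
# Added example: verify the applied Intune LAPS policy on a device.
# Assumption: CSP policy lands under this key (Group Policy uses a different path).
$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Policies\LAPS'

# Expected values from the example configuration, encoded as the CSP stores them.
$Expected = [ordered]@{
    BackupDirectory              = 1    # 1 = Microsoft Entra ID (Azure AD) only
    PasswordAgeDays              = 30
    AdministratorAccountName     = 'example-localadmin'
    PasswordComplexity           = 4    # 4 = upper + lower + digits + special
    PasswordLength               = 14
    PostAuthenticationActions    = 3    # 3 = reset password and log off the account
    PostAuthenticationResetDelay = 24   # hours
}

if (-not (Test-Path $PolicyKey)) {
    Write-Warning "No CSP LAPS policy at $PolicyKey. The device may not have checked in with Intune yet."
    return
}
$Applied = Get-ItemProperty -Path $PolicyKey

# Compare each expected setting with what is actually on the device.
$Results = foreach ($name in $Expected.Keys) {
    $actual = $Applied.$name
    [pscustomobject]@{
        Setting  = $name
        Expected = $Expected[$name]
        Applied  = if ($null -eq $actual) { '<not set>' } else { $actual }
        Match    = ("$actual" -eq "$($Expected[$name])")
    }
}
$Results | Format-Table -AutoSize

# The policy names a custom account; LAPS manages an existing local account,
# so confirm it is present and enabled before expecting a backed-up password.
$account = Get-LocalUser -Name $Expected.AdministratorAccountName -ErrorAction SilentlyContinue
if ($null -eq $account) {
    Write-Warning "Local account '$($Expected.AdministratorAccountName)' does not exist on this device."
} elseif (-not $account.Enabled) {
    Write-Warning "Local account '$($account.Name)' exists but is disabled."
}

# Backup to Entra ID only works when the join type matches (see the Important
# note above); dsregcmd reports the join state.
$dsreg  = dsregcmd /status
$joined = ($dsreg -match '^\s*AzureAdJoined\s*:\s*YES')
if (-not $joined) {
    Write-Warning 'Device is not Microsoft Entra joined; BackupDirectory=1 cannot succeed here.'
}
```

A row with `Match` = False after the device has checked in usually means a conflicting policy or a profile assigned to the wrong group, which is the first thing to check in the admin center.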
## Sources
[Create Intune policies to configure and manage Windows LAPS | Microsoft Learn](https://learn.microsoft.com/en-us/mem/intune/protect/windows-laps-policy)