Imagine having a master key that unlocks every door in your organization. Now, imagine that key falling into the wrong hands. This is the risk you take when using the same local administrator password across all your endpoints. A single compromised password can lead to devastating breaches and significant financial losses. Windows LAPS (Local Administrator Password Solution) steps in to prevent this scenario by offering a modern, automated solution to securely manage these critical passwords.
Windows LAPS leverages Entra ID (formerly Azure AD) to provide robust password management that extends beyond the corporate network. In an era where remote work is becoming the norm, this capability is invaluable.
By the end of this post, you'll understand the benefits of Windows LAPS, how it works, and why it's essential for enhancing your organization's security posture. If you need assistance with implementation, our IT consulting company is here to help.
What is Windows LAPS?
Windows LAPS (Local Administrator Password Solution) is a robust solution designed by Microsoft to automate and securely manage local administrator passwords. This system ensures that each device within your organization has a unique, periodically updated password for its local administrator account, significantly enhancing security and reducing the risk associated with using the same password across multiple devices.
Key highlights of Windows LAPS:
- Automated Password Management: Windows LAPS automatically generates and rotates local administrator passwords on a schedule, reducing the risk of password fatigue and human error.
- Secure Password Storage: Passwords are securely stored in Entra ID (formerly Azure AD), ensuring they are protected by Microsoft's robust cloud security measures.
- Scalability: Windows LAPS scales effortlessly with your organization, managing passwords for a large number of devices without additional infrastructure.
- Remote Management: Unlike traditional LAPS, Windows LAPS can manage passwords for devices that are not physically connected to the corporate network. This is especially valuable for remote work environments and devices managed through Microsoft Intune (Endpoint Management).
To utilize Windows LAPS, it is essential that the endpoint be joined to Entra ID, either through hybrid or direct join. This ensures that the device can securely communicate with Entra ID for password management.
It's important to note that Microsoft has deprecated support for traditional LAPS in Windows 11 version 23H2, which was released on October 31, 2023. If your organization is currently using traditional LAPS, it is crucial to transition to Windows LAPS to ensure continued support and enhanced security features (Microsoft Support) (Windows Central).
Benefits of Using Windows LAPS
Implementing Windows LAPS in your organization offers a multitude of benefits that enhance security, streamline administration, and ensure compliance with industry standards. Here are some key advantages:
- Enhanced Security
  - Unique Passwords for Each Device: Windows LAPS generates unique, complex passwords for each local administrator account, significantly reducing the risk of lateral movement by attackers within your network.
  - Regular Password Rotation: Automated password rotation ensures that passwords are regularly updated, minimizing the risk of long-term password exposure.
  - Secure Storage: Passwords are stored securely in Entra ID, leveraging Microsoft's robust cloud security infrastructure to protect sensitive information.
- Simplified Administration
  - Centralized Management: Windows LAPS allows for centralized management of local admin passwords through Entra ID, reducing the complexity of managing multiple passwords manually.
  - Automated Processes: The automation of password generation and rotation reduces the administrative burden on IT staff, allowing them to focus on more strategic tasks.
  - Retrieval of Passwords: Retrieving a LAPS password is much simpler than before; no applications need to be installed on support staff's PCs.
- Compliance with Industry Standards
  - Reduced Risk of Breaches: By mitigating the risk of password-related breaches, Windows LAPS can save organizations significant costs associated with data breaches, including fines, remediation costs, and reputational damage.
  - Lower Administrative Overhead: The automation and centralization of password management reduce the time and resources needed for manual password management, leading to cost savings.
Implementation
Implementing Windows LAPS in Intune (Endpoint Management) is very straightforward. The key is to have an existing local admin account that will be utilized for LAPS, as LAPS cannot create accounts. In this guide, we are going to use the default "Administrator" account. Intune LAPS policies will override any existing on-premises LAPS policy.
Prerequisites
- Entra ID Requirements: Ensure that your organization is using Entra ID (formerly Azure AD) and that devices are either hybrid or directly joined to Entra ID.
- Permissions: You need administrative access to configure policies in Intune, for example, Intune Administrator or Global Admin. We will review creating custom permissions for LAPS in a future article.
- Licensing: Windows LAPS requires an Intune Plan 1 license, and Entra ID Free or Entra ID Plan 1.
- Supported Devices: Ensure that the devices you plan to manage are compatible with Windows LAPS:
  - Windows 10, version 20H2 (19042.2846 or later)
  - Windows 11, version 21H2 (22000.1817 or later)
Create a Windows LAPS policy
- Log into Intune (Endpoint Management), navigate to Endpoint Security -> Account Protection, and create a policy.
- Name the policy. You may choose to have multiple policies applied to different sets of devices, but a device can only be assigned one policy; a policy conflict will stop LAPS from working properly.
- Configure settings:
  - Backup Directory - Select "Backup the password to Azure AD Only".
  - Password Age Days - We recommend at most 30 days.
  - Administrator Account Name - If left "not configured", LAPS will manage the built-in Administrator account. Otherwise, enter the name of the account you want LAPS to control here.
  - Password Complexity - We recommend "Large letters + small letters + numbers + special characters (improved readability)".
  - Password Length - Configure a minimum of 15 characters; we recommend 32 characters.
  - Post Authentication Actions - There are several options here; select the one that best meets your needs. We recommend the first option.
    - Reset password: upon expiry of the grace period, the managed account password will be reset.
    - Reset the password and logoff the managed account: upon expiry of the grace period, the managed account password will be reset and any interactive logon sessions using the managed account will be terminated.
    - Reset the password and reboot: upon expiry of the grace period, the managed account password will be reset and the managed device will be immediately rebooted.
  - Post Authentication Reset Delay - Here you configure how long after the password is used it will be reset. We recommend setting this as low as reasonably possible, and no more than 8 hours.
- Configure Assignments. We recommend dynamic device groups. We do not recommend user groups, as the LAPS policy would then follow the user and could cause policy conflicts if you have multiple policies deployed.
- Review and create the policy.
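To confirm on an endpoint that the prerequisites above are met and that the policy you just created has actually landed with the recommended values, the following PowerShell is an added example written for this post; it is not code from the original article or from Microsoft. It assumes that the Intune (CSP) LAPS policy is written under HKLM:\SOFTWARE\Microsoft\Policies\LAPS with the value names and numeric encodings from the Windows LAPS policy documentation (BackupDirectory 1 = Entra ID, PasswordComplexity 5 = improved readability, PostAuthenticationActions 1 = reset only), and that the inbox LAPS PowerShell module is present on a supported build.

```powershell
# Added example (not from the original post). Run elevated on an Intune-enrolled endpoint
# after the LAPS policy has been assigned: checks the OS build against the prerequisites,
# forces a policy-processing pass, compares the CSP-delivered policy with the recommended
# values, and lists recent LAPS errors from the operational event log.
#Requires -RunAsAdministrator

Import-Module LAPS   # inbox module on supported builds (Invoke-LapsPolicyProcessing etc.)

# Minimum builds from the prerequisites: build number -> minimum UBR.
$script:MinimumBuilds = @{ 19042 = 2846; 22000 = 1817 }

# Recommended values from the walkthrough, encoded as the CSP stores them (assumption).
$script:Recommended = @{
    BackupDirectory              = 1    # "Backup the password to Azure AD Only"
    PasswordAgeDays              = 30   # at most 30 days
    PasswordLength               = 32   # minimum 15, 32 recommended
    PasswordComplexity           = 5    # large + small + numbers + special (improved readability)
    PostAuthenticationActions    = 1    # reset password only
    PostAuthenticationResetDelay = 8    # hours; no more than 8
}

function Test-LapsOsSupport {
    # $true/$false for builds listed in the prerequisites, $null for any other build.
    $cv    = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $build = [int]$cv.CurrentBuild
    $ubr   = [int]$cv.UBR
    if ($script:MinimumBuilds.ContainsKey($build)) {
        return ($ubr -ge $script:MinimumBuilds[$build])
    }
    return $null
}

function Get-LapsPolicyDrift {
    # Assumption: Intune-delivered (CSP) LAPS policy location.
    $path = 'HKLM:\SOFTWARE\Microsoft\Policies\LAPS'
    if (-not (Test-Path $path)) {
        Write-Warning "No Intune (CSP) LAPS policy at $path yet; wait for a sync or restart the device."
        return
    }
    $policy = Get-ItemProperty -Path $path
    foreach ($name in $script:Recommended.Keys) {
        $actual = $policy.$name
        $ok = if ($null -eq $actual) { $false }   # missing value = not configured
              else {
                  switch ($name) {
                      'PasswordAgeDays'              { $actual -le 30 }
                      'PasswordLength'               { $actual -ge 15 }
                      'PostAuthenticationResetDelay' { $actual -le 8 }
                      default                        { $actual -eq $script:Recommended[$name] }
                  }
              }
        [pscustomobject]@{ Setting = $name; Actual = $actual; Recommended = $script:Recommended[$name]; Ok = $ok }
    }
    # An absent AdministratorAccountName means the built-in Administrator is managed.
    $acct = if ($policy.AdministratorAccountName) { $policy.AdministratorAccountName } else { 'Administrator (built-in)' }
    Write-Host "Managed account: $acct"
}

function Get-LapsRecentErrors {
    param([int]$Hours = 24)
    # Level 2 = Error in the Windows LAPS operational channel.
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-LAPS/Operational'
        Level     = 2
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue | Select-Object TimeCreated, Id, Message
}

# Run the checks.
$support = Test-LapsOsSupport
if ($support -eq $true)      { Write-Host 'OS build meets the Windows LAPS prerequisites.' }
elseif ($support -eq $false) { Write-Warning 'OS build is below the minimum listed in the prerequisites.' }
else                         { Write-Host 'Build not in the prerequisite table; confirm support manually.' }

Invoke-LapsPolicyProcessing          # force a pass instead of waiting for the schedule
Get-LapsPolicyDrift | Format-Table -AutoSize
Get-LapsRecentErrors | Format-List
```

A row with Ok = False points at a setting that was either not saved in the policy or is being overridden by a second assigned policy, which is exactly the conflict the walkthrough warns about; Get-LapsDiagnostics can collect the full trace if the event log alone does not explain a failure.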
Patience is a virtue
It will take a while for the policy to be applied to assigned devices; some devices may need to be restarted to apply settings. Once settings are applied, you will be able to find the password for devices in the Intune device list.
You can also manually rotate the password from the device overview screen if needed. Remember that we configured automatic rotation once the credential is used.
Best Practices for Using Windows LAPS
To maximize the benefits of Windows LAPS and ensure the security and efficiency of your IT environment, follow these key best practices:
Minimize the Use of Domain Admin Accounts
- Local Admin Usage: Prioritize using the LAPS-managed local administrator account for device support. This reduces the risk associated with using high-value domain admin or device admin accounts.
- Restrict Domain Admins: Limit domain admin account usage to essential tasks only and ensure strict access controls are in place.
Secure Access to LAPS Passwords
- Role-Based Access Control: Use Entra ID's role-based access control to restrict access to LAPS passwords, allowing only authorized personnel to retrieve them.
- Multi-Factor Authentication (MFA): Implement MFA for accounts with access to LAPS passwords to add an extra layer of security.
Regular Auditing and Monitoring
- Audit Logs: Regularly review audit logs to monitor access to LAPS passwords and ensure compliance with security policies.
- Reporting: Generate regular reports on LAPS activity to identify any anomalies or potential security issues.
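The report below is an added example for the auditing point above, not code from the original post or from Microsoft. It checks LAPS rotation health across Entra-joined Windows devices without reading any password: Get-LapsAADPassword returns only the account name, last update time and expiry when -IncludePasswords is omitted. It assumes the LAPS and Microsoft.Graph.Identity.DirectoryManagement modules are installed, and that the Graph scopes Device.Read.All and DeviceLocalCredential.ReadBasic.All are sufficient for metadata-only reads.

```powershell
# Added example (not from the original post): rotation-health report that never retrieves
# a password. An expired password means the device missed a scheduled rotation (offline,
# policy conflict, or backup failure); a last update older than the recommended age means
# the device is under a looser policy than the one recommended above.
Import-Module LAPS
Import-Module Microsoft.Graph.Identity.DirectoryManagement

function Get-LapsRotationReport {
    param(
        [int]$MaxPasswordAgeDays = 30,   # the Password Age Days value recommended above
        [switch]$IncludeHealthy
    )
    # Assumption: these scopes are enough for metadata; password retrieval needs DeviceLocalCredential.Read.All.
    Connect-MgGraph -Scopes 'Device.Read.All', 'DeviceLocalCredential.ReadBasic.All' -NoWelcome
    $now     = Get-Date
    $devices = Get-MgDevice -Filter "operatingSystem eq 'Windows'" -All

    foreach ($d in $devices) {
        # DeviceId is the Entra device ID that LAPS keys its backups on (not the object ID).
        $meta = Get-LapsAADPassword -DeviceIds $d.DeviceId -ErrorAction SilentlyContinue
        $status = if (-not $meta) { 'NoPasswordBackedUp' }
                  elseif ($meta.PasswordExpirationTime -lt $now) { 'Expired' }
                  elseif ($meta.PasswordUpdateTime -lt $now.AddDays(-$MaxPasswordAgeDays)) { 'OlderThanRecommended' }
                  else { 'Healthy' }
        if ($status -eq 'Healthy' -and -not $IncludeHealthy) { continue }
        [pscustomobject]@{
            Device      = $d.DisplayName
            DeviceId    = $d.DeviceId
            Account     = $meta.Account
            LastRotated = $meta.PasswordUpdateTime
            Expires     = $meta.PasswordExpirationTime
            Status      = $status
        }
    }
}

# Usage: only devices needing attention, stalest rotation first.
Get-LapsRotationReport -MaxPasswordAgeDays 30 |
    Sort-Object LastRotated |
    Format-Table Device, Account, LastRotated, Expires, Status -AutoSize
```

Because this report uses the metadata-only scope, it can be delegated to a reporting identity that is never allowed to read passwords, which keeps the audit itself from widening access to LAPS secrets; actual password retrievals remain visible in the Entra ID audit log for the review described above.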
Training and Awareness
- Staff Training: Train IT staff on the proper use of Windows LAPS and emphasize the importance of using local admin accounts over domain admin accounts.
- User Awareness: Educate users about the role of LAPS in securing their devices and the importance of adhering to security policies.
Implementing Windows LAPS with these best practices helps ensure that your organization's local administrator passwords are managed securely and efficiently. By minimizing the use of domain admin accounts and leveraging automated password management, you can significantly enhance your security posture. If you need assistance with implementation or have any questions, we are here to help.