How To Deploy, Implement Laps, And Configure The Policy
Cyber Security is always important to all companies, especially when it comes to vulnerabilities like passwords and not any passwords, it is the Admin Password.
Admin Password has the highest privileges on any computer, which is why Microsoft created a new tech called LAPS ( Local Administrator Password Solution) has a few years of enhance very well, now LAPS has been built in Windows OS 10/11 since April 2023.
Let us try it.
First, let us download LAPS msi from Microsoft, then deploy it via Intune by:-
Go to Apps>All apps>Add> the select Line-of business app.
Then select app package file “which is the file you downloaded from Microsoft”
Make sure to deploy the app to “Device” and then select the right group that has the device(s). you want to target.
Before we move forward, let us enable LAPS from Entra Admin Center or Azure AD by selecting YES, it’s on NO by default.
Now let us create the policy and deploy,
Go to Endpoint Security > Account Protection> Create Policy then select LAPS for Windows 10 and later.
On the Basic, just give it a name, on Configuration, you need to focus on what your company wants, Does the company want to save the password on AAD and ADDC, or only AAD? Password Age? Does the company Computer Admin have the same name or a different one? if it’s different make sure to configure that one. Complexity, then now do want the password to change after the Admin uses it and how long the delay (hours).
Assign this policy to the security group that has your device(s).
After applying the policy, let us go to the Client and see it by checking the Registry Key and Event Viewer. As you see on RegKey the same setting I have already applied on the Windows 11 Client.
For the Admin or any IT personnel who has access to LAPS they can see the Admin Password to use , you can get it by going to Entra Admin Center, Device>Local Administrator Password Recovery> select the device you want and click on “Show local …”
Or Intune from by going to Devices>Windows> Windows Devices> the device you want> Local Admin Password> Show.
Note: If you do not see the password do not panic, I did not see the option till a couple of hours, just wait.
Finally, after using the password, you can wait for the “Post Authentication Rest Delay” hours, in my case, was 8 hours, or you can reset it right away by clicking on the device you want then from the ellipses on the right side expand it then select “Rotate Local Admin Password”.
Happy Weekend!