The Twelve Days of Blog-mas: No.3 – Windows Local Admin Password Solution (LAPS)

This post has been republished via RSS; it originally appeared at: Core Infrastructure and Security Blog articles.

Buenos días and welcome to número tres in the holiday '23 series. 

 

This one is sure to please the crowd: it's the NEW AND IMPROVED, easy-to-set-up/deploy/use solution for when IT Ops/Support needs a local admin ID and password to perform some management task(s) on a Windows endpoint.

 

As many people know, we have long had a popular solution for this, but it has now been updated to work on-prem or in the cloud and has a robust set of features:

  • Secure storage of the password value in on-prem AD or Entra ID
  • Manage the built-in Administrator account or a custom local account
  • PowerShell support
  • Auditing in the cloud and on the endpoint (it even has its very own event log)
  • Automatic password rotation after use
  • .... and more

From the Entra ID portal > Devices > Device Settings blade, enable the capability:

[screenshot]

From the Intune portal > Endpoint Security > Account Protection node, create a new policy for the Windows endpoints, based on the Windows LAPS template found there:

[screenshot]

Name the policy, add a description, select/define your settings, target the desired devices, and save the policy:

[screenshot]

Once the targeted devices apply the policy, you’ll have the ability to obtain the local account’s “managed” password from the device’s page either in the Entra portal or the Intune portal:

  • NOTE: the dialog box lists the account name and Security ID (SID). This one is using the built-in local Administrator account; note the well-known RID 500 at the end of the SID, which identifies that account regardless of what it has been renamed to.

[screenshot]

Audit: recovery/retrieval of the local account password (this appears in the Entra ID audit logs, not the Intune audit logs):

[screenshot]

Audit: update of the local account password (again in the Entra ID audit logs, not the Intune audit logs):

[screenshot]

[screenshot]

Audit: the local event log on the managed endpoint (Windows LAPS has its own Operational channel):

[screenshot]

IMPORTANT: this process is for password management only. THIS WILL NOT CREATE, ENABLE, OR DISABLE A LOCAL ACCOUNT. If the account you target does not exist, LAPS has nothing to manage; if it exists but is disabled, LAPS will happily rotate and back up its password while nobody can log on with it. And remember, the built-in Administrator account is disabled by default on Windows client editions. You've been warned.

[screenshot]
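The whole flow above (retrieve the managed password, confirm the targeted account actually exists and is enabled, force a policy cycle, and read the LAPS event log) can also be driven from PowerShell. The script below is an added example written for this post, not code from the original article or from Microsoft. It assumes the Windows LAPS PowerShell module is present on both the admin workstation and the endpoint, that the Microsoft.Graph module is installed on the admin workstation, and it uses the placeholder device name 'PC-01' and account name 'Administrator', which you would change for your tenant.

```powershell
# Added example, not code from the original post. Assumptions:
#  - the Windows LAPS PowerShell module (built into current Windows 11 / Server 2022
#    builds) is present on both the admin workstation and the managed endpoint
#  - the Microsoft.Graph PowerShell module is installed on the admin workstation
#  - 'PC-01' and 'Administrator' are placeholders to change for your environment

# --- Admin workstation: retrieve the managed password from Entra ID -------------
function Get-EntraLapsPassword {
    param([Parameter(Mandatory)][string] $DeviceName)

    # Device.Read.All resolves the device object; DeviceLocalCredential.Read.All is
    # the scope that unlocks the secret. This read is what shows up in the Entra ID
    # audit log as the password recovery event shown earlier in the post.
    Connect-MgGraph -Scopes 'Device.Read.All','DeviceLocalCredential.Read.All' -NoWelcome

    $device = Get-MgDevice -Filter "displayName eq '$DeviceName'" -ErrorAction Stop |
              Select-Object -First 1
    if (-not $device) { throw "No Entra ID device named '$DeviceName'." }

    # Without -IncludePasswords only metadata (account, expiry, last update) comes
    # back, which is enough for a "is this device actually backing up?" check and
    # does not generate a password recovery audit event.
    $cred = Get-LapsAADPassword -DeviceIds $device.Id -IncludePasswords -AsPlainText
    [pscustomobject]@{
        Device   = $cred.DeviceName
        Account  = $cred.Account
        Password = $cred.Password
        Expires  = $cred.PasswordExpirationTime
        Updated  = $cred.PasswordUpdateTime
    }
}

# --- Managed endpoint (run elevated): check the targeted account, force a policy
# cycle, and read LAPS's own event log ---------------------------------------------
function Test-LapsEndpoint {
    param([string] $AccountName = 'Administrator')

    # The post's caveat: LAPS manages the password only, it never creates or
    # enables the account, so check that state yourself before relying on it.
    $acct = Get-LocalUser -Name $AccountName -ErrorAction SilentlyContinue
    if (-not $acct) {
        Write-Warning "Local account '$AccountName' does not exist; LAPS will not create it."
    } elseif (-not $acct.Enabled) {
        Write-Warning "Local account '$AccountName' is disabled; LAPS will rotate its password but will not enable it."
    }

    # The built-in Administrator carries the well-known RID 500 at the end of its
    # SID, whatever it has been renamed to.
    $builtin = Get-LocalUser | Where-Object { $_.SID.Value -like '*-500' }
    "Built-in Administrator: name='$($builtin.Name)' enabled=$($builtin.Enabled)"

    # Apply the LAPS policy now instead of waiting for the next scheduled run.
    Invoke-LapsPolicyProcessing

    # Windows LAPS writes to its own channel; show the most recent events.
    Get-WinEvent -LogName 'Microsoft-Windows-LAPS/Operational' -MaxEvents 20 |
        Select-Object TimeCreated, Id, LevelDisplayName, Message |
        Format-Table -AutoSize -Wrap
}

# Usage (placeholders):
# Get-EntraLapsPassword -DeviceName 'PC-01'
# Test-LapsEndpoint -AccountName 'Administrator'
```

Once the password has been used, the policy's post-authentication action rotates it automatically after the configured grace period; to rotate it immediately, run Reset-LapsPassword on the endpoint, which produces the same "update password" audit entries shown above.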

For more information:

 

Adiós until mañana

 

Hilde

 
