This post has been republished via RSS; it originally appeared at: Core Infrastructure and Security Blog articles.
Buenos días and welcome to número tres in the holiday '23 series.
This one is sure to please the crowd – it’s the NEW AND IMPROVED, easy-to-set-up/deploy/use solution for when IT Ops/Support needs a local admin ID and password to perform some management task(s) on a Windows endpoint.
As many people know, we have long had a popular solution for this - but now it's been updated to work on-prem or in the cloud and has a robust set of features:
- Secure storage of the password value in on-prem AD or Entra ID
- Manage the built-in Administrator account or a custom local account
- PowerShell support
- Auditing in the cloud and on the endpoint (it even has its very own event log)
- Automatic password rotation after use
- ... and more
From the Entra ID portal > Devices > Device Settings blade, enable the capability:
From the Intune portal > Endpoint Security > Account Protection node, create a new Policy for the Windows endpoints, based on the Windows LAPS template there:
Name the Policy, add a description, select/define your settings; target the desired devices and save the Policy:
Once the targeted devices apply the policy, you’ll have the ability to obtain the local account’s “managed” password from the device’s page either in the Entra portal or the Intune portal:
- NOTE: the dialog box lists the Account name and Security ID (SID) – this one is using the built-in local Administrator account (note the well-known ‘500’ RID at the end of the SID)
Audit – Recovery/retrieval of the local account password (FYI: this is from the Entra ID Audit logs, not the Intune Audit logs):
Audit – Update of the local account password (FYI: also from the Entra ID Audit logs, not the Intune Audit logs):
Audit – Local Event Log from the managed endpoint:
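The password-retrieval step and the endpoint's local event log, as an added PowerShell example that is not from the original post. It uses the Windows LAPS module's Get-LapsAADPassword and Reset-LapsPassword cmdlets together with Connect-MgGraph from the Microsoft.Graph.Authentication module; the device ID is a placeholder you pass in, the Graph scopes are the ones the cmdlet needs, and the local-account and event-log queries assume you run them elevated on the managed endpoint itself.

```powershell
# Added example (not from the original post). Assumes the in-box 'LAPS' module,
# Microsoft.Graph.Authentication on the admin workstation, and a role allowed to
# read device local credentials. $DeviceId is a placeholder for the Entra 'Device ID' GUID.

function Get-ManagedAdminCredential {
    # Run from the admin workstation: pull the LAPS-managed password from Entra ID.
    param([Parameter(Mandatory)] [string] $DeviceId)

    # Least-privilege sign-in: only the scopes the cmdlet needs to read the
    # password and resolve the device object.
    Connect-MgGraph -Scopes 'DeviceLocalCredential.Read.All', 'Device.Read.All' -NoWelcome

    # Without -AsPlainText the Password property stays a SecureString, so the
    # value never lands in the console, transcript or command history.
    $laps = Get-LapsAADPassword -DeviceIds $DeviceId -IncludePasswords

    # Same facts the portal dialog shows: managed account, last set, expires.
    $laps | Select-Object DeviceName, Account, PasswordUpdateTime, PasswordExpirationTime |
        Format-List

    # Hand back a credential object for e.g. Enter-PSSession -Credential, still unexposed.
    [System.Management.Automation.PSCredential]::new(".\$($laps.Account)", $laps.Password)
}

function Show-LapsEndpointState {
    # Run elevated on the managed endpoint: confirm which account is managed and
    # read the endpoint-side audit trail.

    # The built-in Administrator is the well-known RID-500 account. LAPS rotates
    # its password but never enables it, so 'Enabled' here is the thing to check
    # before assuming the retrieved password is usable.
    Get-LocalUser | Where-Object { $_.SID.Value -like '*-500' } |
        Select-Object Name, SID, Enabled

    # Windows LAPS writes its own operational log; this is the local audit the
    # post shows, readable without any cloud access.
    Get-WinEvent -LogName 'Microsoft-Windows-LAPS/Operational' -MaxEvents 20 |
        Select-Object TimeCreated, Id, LevelDisplayName, Message |
        Format-Table -Wrap
}

function Invoke-PostTaskRotation {
    # Run elevated on the endpoint once the management task is finished:
    # force an immediate rotation instead of waiting for the scheduled
    # post-authentication action or the expiration time.
    Reset-LapsPassword
}

# Usage (replace the GUID with the real device ID from the device's page):
# $cred = Get-ManagedAdminCredential -DeviceId '00000000-0000-0000-0000-000000000000'
# Show-LapsEndpointState
# Invoke-PostTaskRotation
```

Keeping the password as a SecureString and forcing a rotation once the task is done means the retrieval event in the Entra audit log and the update event in the endpoint's LAPS log bracket the window in which the credential was valid, which is what you want to be able to reconstruct later.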
IMPORTANT – this process is for password management only – THIS WILL NOT CREATE, ENABLE, OR DISABLE A LOCAL ID. And remember, the built-in Administrator account is usually disabled (by OS defaults). You’ve been warned.
For more information:
- Windows LAPS overview | Microsoft Learn
- Introducing Windows Local Administrator Password Solution with Microsoft Entra (Azure AD) - Microsoft Community Hub
- Keeping passwords secure with Windows LAPS
- Check out yesterday's WLAPS session at our Technical Takeoff for even more goodness (be sure to read the comments/Q&A, too) - Windows LAPS: enhancements and roadmap | Microsoft Technical Takeoff
Adiós until mañana
Hilde