Set up Windows LAPS with Intune: A Step-by-Step Guide
Learn how to set up Windows Local Administrator Password Solution (LAPS) with Intune that helps manage and back up the password of a local administrator account on your Microsoft Entra ID joined devices.
In this article, we will show you how to implement LAPS with Intune and explore the benefits it can bring to your organization. We will cover step-by-step instructions for setting up LAPS with Intune and managing local administrator passwords across your Windows devices.
If you are looking to enhance the security of your Windows devices, implementing LAPS (Local Administrator Password Solution) with Intune may be the solution you need. LAPS is a free Microsoft tool that helps organizations manage local administrator passwords on Windows devices, helping to prevent unauthorized access.
Intune, on the other hand, is a cloud-based service that simplifies the management of devices and applications in an organization. By combining LAPS with Intune, you can effectively strengthen your overall Windows security strategy.
What is LAPS (Local Administrator Password Solution)?
LAPS, which stands for Local Administrator Password Solution, is a free tool that Microsoft offers to assist organizations in managing the local administrator passwords on their Windows devices. It addresses a common security weakness: when the same local administrator password is used across multiple devices, it is easier for attackers to gain unauthorized access.
LAPS works by automatically generating a unique password for each device and storing it securely in a directory, either in the cloud (Microsoft Entra ID) or on-premises (Windows Server Active Directory). These passwords are then periodically changed, ensuring that even if one device is compromised, the impact is limited. With LAPS, organizations can have greater control over their Windows security by enforcing strong and unique passwords for their devices’ local administrators.
Implementing Windows LAPS with Intune allows for centralized management of local administrator passwords across all devices, making it easier to maintain a secure environment and reduce the risk of unauthorized access.
Benefits of Implementing LAPS with Intune
Integrating LAPS with Intune brings several benefits to organizations looking to enhance their Windows security strategy. Here are some key advantages:
1. Improved Security: By implementing LAPS, organizations can ensure that each device has a unique, complex local administrator password. This reduces the risk of attackers gaining unauthorized access and helps maintain a more secure environment.
2. Centralized Management: Microsoft Intune provides a centralized platform for managing devices and applications in an organization. By integrating LAPS with Intune, administrators can easily manage local administrator passwords across all Windows devices, simplifying the overall management process.
3. Increased Efficiency: With LAPS and Intune working together, administrators can automate the process of changing local administrator passwords. This saves time and resources that would otherwise be spent manually changing passwords on each device.
4. Compliance and Auditing: LAPS provides a detailed audit trail of password changes, ensuring compliance with security policies and regulations. Integration with Intune allows for easy monitoring and reporting on local administrator password changes, helping organizations meet their compliance requirements.
5. No LAPS Client Required: If you are going to configure LAPS with Intune, there is no need to deploy the LAPS agent as it is included with the latest version of Windows OS.
Implementing LAPS with Intune can have a significant impact on the security and efficiency of your Windows devices. Let’s dive into the details of how to set it up.
Prerequisites
If you are setting up LAPS for your Intune tenant for the first time, you should be aware that it is a one-time process with certain requirements. The following are the requirements for Intune to support Windows LAPS in your tenant:
1. Licensing requirements
Intune subscription: Microsoft Intune Plan 1, which is the basic Intune subscription. You can also use Windows LAPS with a free trial subscription for Intune.
Microsoft Entra ID: Microsoft Entra ID Free, which is the free version of Microsoft Entra ID that’s included when you subscribe to Intune. With Microsoft Entra ID Free, you can use all the features of LAPS.
2. Active Directory Support
Intune policy for Windows LAPS can configure a device to back up a local administrator account and password to one of the following directory types:
Cloud: Cloud supports backup to your Microsoft Entra ID for the following scenarios: Microsoft Entra hybrid join and Microsoft Entra join.
On-Premises: On-premises supports backing up to Windows Server Active Directory (on-premises Active Directory).
3. Operating system updates
The following Windows OS platforms with the specified update or later installed are supported for implementing Windows LAPS.
Windows 11 22H2 – April 11 2023 Update
Windows 11 21H2 – April 11 2023 Update
Windows 10 20H2, 21H2 and 22H2 – April 11 2023 Update
Windows Server 2022 – April 11 2023 Update
Windows Server 2019 – April 11 2023 Update
High-level steps to set up Windows LAPS with Intune
The following high-level steps are involved when you set up Windows LAPS with Microsoft Intune:
Enable LAPS in Microsoft Entra
Enable the built-in Administrator Account
Create an Intune LAPS policy
Assign the LAPS policy to Windows devices
Explore various methods to retrieve local admin password
Enable LAPS in Microsoft Entra
Perform the following steps to enable LAPS in Microsoft Entra:
Sign in to the Microsoft Entra admin center as a Cloud Device Administrator.
Browse to Identity > Devices > Overview > Device Settings.
Select Yes for the Enable Local Administrator Password Solution (LAPS) setting and select Save.
Enable the Local Administrator Account
On new Windows installations, the built-in administrator account is disabled. That is because the administrator account has complete control over the computer and can bypass all User Account Control (UAC) safeguards.
When you create a LAPS policy in Intune to manage the password of a local administrator account, the built-in administrator account must first be enabled. Otherwise, the LAPS policy has no effect on your devices. You can choose to enable the built-in administrator account using either Intune or Group Policy.
Although you can manually enable the built-in administrator account on Windows devices, Intune can do it for you on multiple devices, which saves the time of your IT team. Here is a comprehensive guide on enabling the built-in administrator account with Intune policy.
Manage Windows LAPS with Intune
Microsoft Intune provides support to configure Windows LAPS on devices through the local admin password solution (Windows LAPS) profile, available through endpoint security policies for account protection.
Intune policies manage LAPS by using the Windows LAPS configuration service provider (CSP). Windows LAPS CSP configurations take precedence over, and overwrite, any existing configurations from other LAPS sources, like GPOs or the Legacy Microsoft LAPS tool.
You’ll need to sign in with an Intune administrator account to create and manage the LAPS policy.
Step 1: Create a LAPS Policy in Intune
Here is how you can create a Windows LAPS policy in Intune:
Sign in to the Microsoft Intune admin center and go to Endpoint security > Account protection, and then select Create Policy. Set the platform to Windows 10 and later, profile to Local admin password solution (Windows LAPS), and then select Create.
In the Basics tab, enter the following details:
Name: Enter a descriptive name for the profile that can be easily identified later. In the below example, we have set the profile name to “Windows LAPS Policy.”
Description: Enter a brief description of the profile. For example, you can specify the description as “A policy to back up the password of a local administrator account on your Microsoft Entra ID joined devices or Windows Server Active Directory-joined devices.”
Click Next.
Step 2: Configure LAPS Policy Settings in Intune
The Configuration Settings tab lets you configure some important settings for your LAPS policy. Although you can modify these policy settings later, it is important to understand what each one does.
1. Backup Directory: Use this setting to configure which directory the local admin account password is backed up to. You can also choose not to back up an account and password. The type of directory also determines which additional settings are available under this policy.
The backup directory has the following options to choose from:
Disabled (password will not be backed up)
Backup the password to Azure AD only
Backup the password to the Active directory only
Not Configured
In the below example, we have configured the backup directory to back up the password to Azure AD only.
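To confirm on a managed device that the Intune policy has arrived, which backup directory it sets, and that the built-in Administrator account it manages is enabled, the following check can be run locally. It is an added example, not part of the original article: the registry paths and numeric BackupDirectory values are taken from Microsoft's Windows LAPS documentation rather than from this page, and the function names are illustrative.

```powershell
# Added example: device-side check of the Windows LAPS policy state.
# Registry roots and BackupDirectory values below come from Microsoft's
# Windows LAPS documentation, not from this article.
$policyRoots = [ordered]@{
    'Intune (LAPS CSP)'     = 'HKLM:\SOFTWARE\Microsoft\Policies\LAPS'
    'Group Policy'          = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\LAPS'
    'Legacy Microsoft LAPS' = 'HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd'
}
$backupNames = @{ 0 = 'Disabled'; 1 = 'Azure AD only'; 2 = 'Active Directory only' }

function Get-LapsPolicySource {
    # Emit one object per policy source that has settings on this device.
    foreach ($source in $policyRoots.Keys) {
        $key = Get-ItemProperty -Path $policyRoots[$source] -ErrorAction SilentlyContinue
        if ($null -eq $key) { continue }
        $dir = $key.BackupDirectory   # absent for legacy LAPS or when not configured
        [pscustomobject]@{
            Source          = $source
            BackupDirectory = if ($null -ne $dir) { $backupNames[[int]$dir] } else { 'Not set' }
            RawValue        = $dir
        }
    }
}

function Get-BuiltInAdministrator {
    # The built-in Administrator always has RID 500, even if it was renamed.
    Get-LocalUser |
        Where-Object { $_.SID.Value -match '^S-1-5-21-.*-500$' } |
        Select-Object Name, Enabled, PasswordLastSet
}

$sources = @(Get-LapsPolicySource)
$admin   = Get-BuiltInAdministrator
$sources | Format-Table -AutoSize
$admin   | Format-Table -AutoSize

if ($sources.Source -notcontains 'Intune (LAPS CSP)') {
    Write-Warning 'No Intune (CSP) LAPS settings found on this device yet.'
} elseif ($sources.Count -gt 1) {
    Write-Warning 'Other LAPS policy sources are present; the CSP settings override them.'
}
if ($admin -and -not $admin.Enabled) {
    Write-Warning 'Built-in Administrator is disabled; the LAPS policy will have no effect on it.'
}
```

After a successful rotation, PasswordLastSet on the built-in Administrator should change to the time LAPS last set the password.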