Windows LAPS Introduces Microsoft Entra ID and Intune Support to Boost Protection


Key Takeaways:

  • Microsoft has added Microsoft Entra ID and Intune support to Windows LAPS, so organizations can configure and strengthen local administrator password policies for Windows devices through Entra LAPS.
  • Windows LAPS automatically backs up passwords to Active Directory and Azure Active Directory, and its password rotation, a core feature of Entra LAPS, reduces exposure to pass-the-hash and lateral-traversal attacks.
  • Microsoft plans to add more features like automatic account creation and just-in-time controls for password recovery.

Microsoft has introduced support for Microsoft Entra ID and Microsoft Intune in its Windows LAPS solution. This update enables organizations to easily configure local administrator password policies in Entra LAPS to protect Windows devices against cyberattacks.

Microsoft started rolling out Windows Local Administrator Password Solution (Windows LAPS) in April 2023. The solution replaces the legacy LAPS implementation (Microsoft LAPS) that was released back in 2016. It allows organizations to manage and protect their local administrator account passwords on Windows client devices using Entra LAPS. The service automatically backs up the passwords to Active Directory and Microsoft Entra ID (formerly called Azure Active Directory).

Windows LAPS also rotates the passwords to thwart pass-the-hash and lateral-traversal attacks. The feature is available for Microsoft Entra ID-joined and hybrid-joined devices. Windows LAPS offers access control list and password encryption options, which are supported through Microsoft Entra ID. Microsoft has recently added support for audit logs and Entra ID role-based access control policies.

Windows LAPS Support for Microsoft Entra ID and Intune Now Generally Available

Microsoft recommends that administrators enable the Windows LAPS feature within their organization. IT professionals can manage Windows LAPS using Microsoft Intune, or deploy the policy manually through Registry modification or Local Computer Group Policy. Policies can also be deployed via the Windows LAPS Group Policy Object (GPO) for Microsoft Entra hybrid joined devices.

New features coming to Windows LAPS

With Windows LAPS, Microsoft Intune customers can configure settings (such as password age, complexity, and length) for local administrator accounts on a Windows machine. Moreover, it’s possible to specify the rotation schedule and storage location of passwords. Microsoft Intune also offers reporting capabilities that provide details about manual and scheduled password rotation activities.
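The settings the article describes (backup target, password age, complexity, length and post-authentication rotation) map onto the Windows LAPS policy values, and the registry path mentioned above is one of the documented ways to apply them to a single device. The script below is an added example written for this page, not code from Microsoft or the article: it writes a LAPS policy to the documented registry policy location, forces a policy-processing cycle, and shows where to confirm the result. The chosen values and the `Set-LabLapsPolicy` function name are assumptions for a lab device; a production fleet should receive the same settings from Intune or GPO so they are centrally managed and audited.

```powershell
#Requires -RunAsAdministrator
# Added example: configure Windows LAPS on one device via the registry policy path,
# then apply and verify. Values below are assumptions chosen for a lab device.

function Set-LabLapsPolicy {
    param(
        # Documented Windows LAPS policy location (local-config path, lowest precedence after CSP/GPO)
        [string]$PolicyPath = 'HKLM:\SOFTWARE\Microsoft\Policies\LAPS',

        # 1 = back up to Microsoft Entra ID, 2 = on-premises Active Directory, 0 = disabled
        [int]$BackupDirectory = 1,

        # Rotation interval and password shape (assumed lab values; length range is 8..64)
        [int]$PasswordAgeDays = 30,
        [int]$PasswordLength = 20,
        [int]$PasswordComplexity = 4,   # 4 = upper + lower + digits + special characters

        # Rotate the password a fixed number of hours after it is used to sign in;
        # PostAuthenticationActions 3 = reset the password and log off the managed account
        [int]$PostAuthenticationResetDelay = 24,
        [int]$PostAuthenticationActions = 3
    )

    if (-not (Test-Path -Path $PolicyPath)) {
        New-Item -Path $PolicyPath -Force | Out-Null
    }

    $values = [ordered]@{
        BackupDirectory              = $BackupDirectory
        PasswordAgeDays              = $PasswordAgeDays
        PasswordLength               = $PasswordLength
        PasswordComplexity           = $PasswordComplexity
        PostAuthenticationResetDelay = $PostAuthenticationResetDelay
        PostAuthenticationActions    = $PostAuthenticationActions
    }

    foreach ($name in $values.Keys) {
        # Each LAPS policy setting is a DWORD value under the policy key
        New-ItemProperty -Path $PolicyPath -Name $name -PropertyType DWord `
            -Value $values[$name] -Force | Out-Null
    }

    # Return what was actually written so the caller can review it
    Get-ItemProperty -Path $PolicyPath | Select-Object ($values.Keys)
}

# 1. Write the policy and echo the resulting values
Set-LabLapsPolicy | Format-List

# 2. Apply immediately instead of waiting for the next background cycle
#    (cmdlet from the in-box LAPS PowerShell module)
Invoke-LapsPolicyProcessing

# 3. Confirm the outcome in the LAPS operational log; look for the most recent
#    policy-processing and password-backup entries
Get-WinEvent -LogName 'Microsoft-Windows-LAPS/Operational' -MaxEvents 10 |
    Format-Table TimeCreated, Id, LevelDisplayName, Message -AutoSize
```

Because a device that also receives LAPS settings from Intune or a GPO will use that higher-precedence source, running this on a managed device is a good way to see which policy source is actually in effect: compare the registry values you wrote against the values reported in the operational log after `Invoke-LapsPolicyProcessing`. Retrieving the backed-up password afterwards goes through the directory, not the device, which is what keeps the Entra ID audit log and role-based access control described in the article in the loop.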

Microsoft plans to add automatic local administrator account creation for devices configured for Windows LAPS. The company will also introduce just-in-time controls for self-service local administrator password recovery by device owners, and Entra ID notifications will be triggered when a local administrator password is used for authentication within Entra LAPS. However, there is no word on when these features will be available for commercial customers.

FAQs

What are the system requirements for implementing Entra LAPS in an organization?

Entra LAPS requires Windows 10/11 devices (version 22H2 or later), a Microsoft Entra ID Premium P1/P2 license, and devices must be either Entra ID-joined or hybrid-joined. Organizations also need administrative rights to configure Microsoft Intune policies for deployment.

How does Entra LAPS differ from third-party password management solutions?

Entra LAPS offers native integration with Microsoft’s ecosystem, providing seamless connectivity with Entra ID and Intune. Unlike third-party solutions, Entra LAPS requires no additional infrastructure and offers built-in encryption and backup capabilities specifically designed for Microsoft environments.

Can Entra LAPS be used in environments with multiple domains?

Yes, Entra LAPS supports multi-domain environments when properly configured through Microsoft Entra ID. Organizations need to ensure proper trust relationships are established between domains and that appropriate permissions are set for password management across the directory structure.

What backup mechanisms are available for Entra LAPS passwords?

Entra LAPS provides multiple backup options including automatic synchronization to Microsoft Entra ID, on-premises Active Directory backup, and optional secondary backup locations. Organizations can configure backup frequency and retention policies through Intune management controls.

Does Entra LAPS support emergency access scenarios?

Yes, Entra LAPS includes emergency access protocols that allow authorized administrators to retrieve passwords through secured channels. The system maintains detailed audit logs of all emergency access requests and can be configured to require multi-factor authentication for sensitive password retrievals.