- Microsoft has added support for Microsoft Entra ID and Intune into Windows LAPS, enhancing the capability of organizations to configure and bolster local administrator password policies for Windows devices.
- Windows LAPS automatically backs up local administrator passwords to Active Directory and Azure Active Directory, and rotates them to reduce exposure to pass-the-hash and lateral-movement attacks.
- Microsoft plans to add more features like automatic account creation and just-in-time controls for password recovery.
Microsoft has introduced support for Microsoft Entra ID and Microsoft Intune in its Windows LAPS solution. This update enables organizations to easily configure local administrator password policies to protect Windows devices against cyberattacks.
Microsoft started rolling out Windows Local Administrator Password Solution (Windows LAPS) in April 2023. The solution replaces the legacy LAPS implementation (Microsoft LAPS) that was released back in 2016. It allows organizations to manage and protect the local administrator account passwords on Windows client devices. The service automatically backs up the passwords to Active Directory and Microsoft Entra ID (formerly called Azure Active Directory).
Windows LAPS also rotates the passwords to thwart pass-the-hash and lateral-movement attacks. The feature is available for Microsoft Entra ID-joined and hybrid-joined devices. Windows LAPS offers access control list and password encryption options, which are supported through Microsoft Entra ID. Microsoft has recently added support for audit logs and Entra ID role-based access control policies.
Microsoft recommends that administrators enable the Windows LAPS feature within their organization. IT professionals can manage Windows LAPS using Microsoft Intune, or deploy the policy manually through Registry modification or Local Computer Group Policy. Furthermore, policies can be deployed via the Windows LAPS Group Policy Object (GPO) for Microsoft Entra hybrid joined devices.
With Windows LAPS, Microsoft Intune customers can configure settings (such as password age, complexity, and length) for local administrator accounts on a Windows machine. Moreover, it’s possible to specify the rotation schedule and storage location of passwords. Microsoft Intune also offers reporting capabilities that provide details about manual and scheduled password rotation activities.
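As an added example (not code from the article or from Microsoft), the following PowerShell applies the settings just described through the manual Registry route on a single device, reads them back to catch a weak or disabled configuration, and triggers an immediate policy cycle. It assumes the documented Windows LAPS policy registry location and value names, and the specific numbers chosen (age, length, complexity, reset delay) are example values; it must run in an elevated session.

```powershell
# Added example: configure Windows LAPS policy via the registry instead of Intune or GPO.
# Assumed policy location and value names as documented for Windows LAPS; the numeric
# settings below are example choices, not defaults recommended by the article.
$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Policies\LAPS'

$Policy = @{
    BackupDirectory              = 1   # storage location: 0 = disabled, 1 = Microsoft Entra ID, 2 = Windows Server AD
    PasswordAgeDays              = 30  # rotation schedule: maximum password age in days
    PasswordLength               = 20  # password length (8-64)
    PasswordComplexity           = 4   # 4 = upper + lower + digits + special characters
    PostAuthenticationResetDelay = 8   # hours after the password is used before it is rotated
    PostAuthenticationActions    = 3   # 3 = rotate the password and log off the managed account
}
# AdministratorAccountName is intentionally left unset so the built-in Administrator account is managed.

function Set-LapsRegistryPolicy {
    param([string]$Key, [hashtable]$Values)
    if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }
    foreach ($name in $Values.Keys) {
        New-ItemProperty -Path $Key -Name $name -Value $Values[$name] -PropertyType DWord -Force | Out-Null
    }
}

function Test-LapsRegistryPolicy {
    # Read the policy back and report anything that would leave passwords unbacked-up or weak.
    param([string]$Key, [hashtable]$Expected)
    $actual   = Get-ItemProperty -Path $Key
    $problems = [System.Collections.Generic.List[string]]::new()
    foreach ($name in $Expected.Keys) {
        if ($actual.$name -ne $Expected[$name]) {
            $problems.Add("$name is '$($actual.$name)', expected $($Expected[$name])")
        }
    }
    if ($actual.BackupDirectory -eq 0) { $problems.Add('BackupDirectory is 0: passwords are not backed up') }
    if ($actual.PasswordLength -lt 14)  { $problems.Add('PasswordLength below 14 characters') }
    if ($problems.Count -eq 0) { Write-Output "Windows LAPS policy at $Key verified." }
    else { $problems | ForEach-Object { Write-Warning $_ } }
}

Set-LapsRegistryPolicy  -Key $PolicyKey -Values $Policy
Test-LapsRegistryPolicy -Key $PolicyKey -Expected $Policy

# Apply the policy now rather than waiting for the next scheduled cycle (cmdlet from the
# built-in LAPS module); Get-LapsDiagnostics collects logs if processing reports an error.
Invoke-LapsPolicyProcessing
```

The read-back check matters because a device whose BackupDirectory is left at 0 will rotate nothing and back up nothing, which is the silent failure mode of a half-applied policy.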
Microsoft plans to add automatic local administrator account creation capabilities for devices configured for Windows LAPS. The company will also introduce just-in-time controls for self-service local administrator password recovery by device owners. Entra ID notifications will be triggered when a local administrator password is used for authentication. However, there is no word on when these features will be available for commercial customers.