LAPS
Local Administrator Password Solution (LAPS) automatically manages and rotates local administrator passwords on Windows devices. Passwords are stored securely in Azure AD.
Note: Requires Windows 10 21H2+ with April 2023 update, or Windows 11 21H2+.
Configuration
| Setting | Options |
|---|---|
| Enable LAPS | Yes / No |
| Backup Directory | Azure AD |
| Password Age (days) | 1-365 (default: 30) |
| Administrator Account | Built-in admin / Custom name |
| Password Length | 8-64 characters |
| Complexity | Large + small + numbers + specials |
Post-Authentication Actions
- Reset password — Generate new password after use
- Reset and logoff — Reset and force logoff admin sessions
- Reset and reboot — Reset and reboot device
- Grace period — Hours before action executes
Password Retrieval
Admin Portal
- Navigate to device details
- Select Local Admin Password
- View current password and expiration
- Password masked by default; click to reveal
Azure AD Portal
Device object > Local Administrator Password Recovery.
PowerShell
Get-LapsAADPassword -DeviceIds <deviceId>
Password Rotation
Passwords rotate automatically based on the configured password age. An administrator can also trigger a manual rotation. A new password is generated and stored in Azure AD.
Access Control
- Cloud Device Administrator — Can view all LAPS passwords
- Intune Administrator — Can view all LAPS passwords
- Custom RBAC roles — Assign specific permissions
- Audit logging — All retrievals logged
Monitoring
- Devices with LAPS enabled vs. not
- Password rotation success/failure
- Password age and upcoming rotations
- Access audit trail
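The retrieval, rotation and monitoring steps above, worked through with the Windows LAPS PowerShell module. This is an added example, not code from the page or the portal it documents; the device names are constructed placeholders, and `$maxAgeDays` and `$warnDays` are assumed thresholds chosen to match the page's 30-day default.

```powershell
# Added example, not from the page: read Azure AD-backed LAPS passwords with the
# Windows LAPS module and check rotation health across several devices.
# Requires the 'LAPS' module (Windows LAPS) and Microsoft.Graph.Authentication.
Import-Module LAPS
Import-Module Microsoft.Graph.Authentication

# Graph scopes needed to read device objects and their local credentials.
Connect-MgGraph -Scopes 'Device.Read.All', 'DeviceLocalCredential.Read.All'

# Constructed device names for illustration; replace with real device names or IDs.
$deviceIds  = @('DESKTOP-EXAMPLE-01', 'DESKTOP-EXAMPLE-02')
$maxAgeDays = 30          # assumed: the page's default Password Age
$warnDays   = 3           # assumed: flag rotations due within this window

# Metadata only: without -IncludePasswords the secret is never pulled from Azure AD,
# which keeps routine monitoring out of the password-retrieval audit trail.
$entries = Get-LapsAADPassword -DeviceIds $deviceIds

$now = Get-Date
foreach ($e in $entries) {
    $expires  = $e.PasswordExpirationTime
    $daysLeft = ($expires - $now).TotalDays
    # A password past its expiration time has not been rotated on schedule.
    $state = if ($daysLeft -lt 0)            { 'OVERDUE - rotation may have failed' }
             elseif ($daysLeft -le $warnDays) { 'rotation due soon' }
             else                             { 'ok' }
    [pscustomobject]@{
        Device   = $e.DeviceName
        Expires  = $expires
        DaysLeft = [math]::Round($daysLeft, 1)
        MaxAge   = $maxAgeDays
        State    = $state
    }
}

# Retrieval for a single device, only when the secret is actually needed. Each call is
# written to the audit log, so keep it narrow (one device, no -IncludeHistory).
$cred = Get-LapsAADPassword -DeviceIds 'DESKTOP-EXAMPLE-01' -IncludePasswords -AsPlainText
"{0}\{1} expires {2}" -f $cred.DeviceName, $cred.Account, $cred.PasswordExpirationTime
# $cred.Password holds the plaintext; use it and let it go out of scope rather than logging it.

# On the managed device itself, an administrator can force an immediate rotation with
#   Reset-LapsPassword
# Windows LAPS then generates a new password and backs it up to Azure AD.
```

Run the monitoring loop on a schedule and alert on any `OVERDUE` row; the single-device retrieval at the end is the operation the Access Control roles and audit logging on this page apply to, so it should only run from an account holding one of those roles.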
Best Practices
- Enable LAPS on all Windows devices
- Set password age to 30 days or less
- Use post-authentication reset
- Restrict retrieval to authorized admins
- Audit all access regularly
API Reference
- GET /api/devices/security/laps/status — Get status
- GET /api/devices/security/laps/:deviceId — Get password
- POST /api/devices/security/laps/:deviceId/rotate — Trigger rotation
- GET /api/devices/security/laps/audit — Get audit log
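Calling the endpoints in this reference from PowerShell to cover the Monitoring and Best Practices items (unenrolled devices, overdue rotations, access review). This is an added example, not the portal's own client code. The base URL, the bearer-token `Authorization` header and the response field names `deviceId`, `lapsEnabled`, `passwordExpiration`, `actor`, `action` and `timestamp` are assumptions, since the page documents only the routes.

```powershell
# Added example, not from the page: drive the documented LAPS API routes from PowerShell.
# Assumptions (placeholders, not documented on the page): the base URL, bearer-token
# authentication, and the response field names used below.
$baseUrl = 'https://admin-portal.example.invalid'            # placeholder
$headers = @{ Authorization = "Bearer $env:PORTAL_TOKEN" }   # token supplied via environment

function Invoke-LapsApi {
    param([string]$Method, [string]$Path)
    Invoke-RestMethod -Method $Method -Uri "$baseUrl/api/devices/security/laps/$Path" -Headers $headers
}

# 1. Status: find devices not yet enrolled (Best Practices: enable LAPS on all devices).
$status     = Invoke-LapsApi -Method Get -Path 'status'
$notEnabled = @($status | Where-Object { -not $_.lapsEnabled })
Write-Host "Devices without LAPS: $($notEnabled.Count)"
$notEnabled | ForEach-Object { Write-Host "  $($_.deviceId)" }

# 2. Rotation: request a rotation for devices whose password is past its expiry
#    (assumed field passwordExpiration; an overdue password means the scheduled rotation failed).
$overdue = $status | Where-Object { $_.lapsEnabled -and [datetime]$_.passwordExpiration -lt (Get-Date) }
foreach ($d in $overdue) {
    $id = [uri]::EscapeDataString($d.deviceId)   # device IDs go into the URL path
    Invoke-LapsApi -Method Post -Path "$id/rotate" | Out-Null
    Write-Host "Rotation requested for $($d.deviceId)"
}

# 3. Audit: who retrieved passwords in the last 7 days, grouped by actor, for the
#    regular access review (assumed fields action, actor, timestamp).
$since = (Get-Date).AddDays(-7)
Invoke-LapsApi -Method Get -Path 'audit' |
    Where-Object { $_.action -eq 'retrieve' -and [datetime]$_.timestamp -ge $since } |
    Group-Object actor |
    Sort-Object Count -Descending |
    Select-Object Name, Count
```

The per-device password route (`GET .../laps/:deviceId`) is deliberately not called here: a monitoring job should read status and audit data only, so that every appearance of the password route in the audit log corresponds to a human administrator's request.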