Implementing LAPS with Intune

Until recently, Microsoft's Local Administrator Password Solution (LAPS) was restricted to Active Directory joined machines. This has changed with the introduction of Windows LAPS, which supports Azure Active Directory joined Windows devices in addition to legacy Active Directory machines.

This means that the local administrator account (whether it is named Administrator or not) can have a randomly generated password, rotated at a frequency that suits the environment, which is then stored in Azure Active Directory.

Intune LAPS policies provide the configuration. Machines joined only to Active Directory continue to store the credential in that directory, while for hybrid and Azure AD only joined devices the password can be stored in Azure Active Directory.

Access to the local administrator password is restricted to accounts holding either the microsoft.directory/deviceLocalCredentials/password/read or the microsoft.directory/deviceLocalCredentials/standard/read permission. During the preview these are not available to custom roles, but they are granted to the built-in Global Administrator and Cloud Device Administrator roles.

Windows LAPS is supported on both Windows 10 (20H2 and later) and Windows 11 (21H2 and later), provided the devices have the correct update applied (April 11 2023) and are covered by an Intune licence.

While in preview, the feature must be enabled via the Devices section within Azure Active Directory; once enabled it applies to the whole tenant.

The policy that delivers the settings to devices can be found under Endpoint security and Account protection.

The policy provides a number of configurable options; which of them are available depends on the backup directory target selected.

The policy allows configuration of the password age, the name of the managed account (by default the built-in administrator account, identified by its well-known SID), the password complexity and the password length.

While the policy supports renamed administrator accounts, it will not automatically rename the built-in account to match the value entered; a separate policy is required to perform that action. Additionally, only one LAPS policy can be applied to a machine, so only a single account can be managed.

Lastly, you can decide what happens after the password is updated: the options include just resetting the managed account to use the new password, or also logging off the account and restarting.
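As an added example (not from the original post), the following PowerShell script audits the effective Windows LAPS policy on a managed device and confirms that a password backup to Azure AD has actually succeeded. The registry path under `HKLM:\SOFTWARE\Microsoft\Policies\LAPS`, the CSP value mappings and the event IDs 10018 (backup succeeded) and 10029 (backup failed) are assumptions drawn from the Windows LAPS CSP and event log documentation; verify them against your own devices.

```powershell
# Added example: audit the Intune-delivered Windows LAPS policy on this device and
# check the operational log for the last Azure AD password backup.
# Paths, value mappings and event IDs are assumptions; confirm against the CSP reference.

$policyPath = 'HKLM:\SOFTWARE\Microsoft\Policies\LAPS'   # CSP-delivered policy (assumed path)
if (-not (Test-Path $policyPath)) {
    Write-Warning "No Intune LAPS policy found at $policyPath. Check the policy assignment, then run Invoke-LapsPolicyProcessing."
    return
}
$p = Get-ItemProperty -Path $policyPath

# Value mappings as per the LAPS CSP (assumed)
$backupDirectory = @{ 0 = 'Disabled'; 1 = 'Azure Active Directory'; 2 = 'Active Directory' }
$complexity      = @{ 1 = 'Large letters'; 2 = 'Large + small letters'; 3 = 'Large + small + numbers'; 4 = 'Large + small + numbers + special' }
$postAuthActions = @{ 1 = 'Reset password'; 3 = 'Reset password and log off'; 5 = 'Reset password and reboot' }

# An empty AdministratorAccountName means the built-in account is managed via its well-known SID
$managedAccount = if ($p.AdministratorAccountName) { $p.AdministratorAccountName } else { 'built-in administrator (well-known SID)' }

[pscustomobject]@{
    BackupDirectory       = $backupDirectory[[int]$p.BackupDirectory]
    ManagedAccount        = $managedAccount
    PasswordAgeDays       = $p.PasswordAgeDays
    PasswordLength        = $p.PasswordLength
    PasswordComplexity    = $complexity[[int]$p.PasswordComplexity]
    PostAuthResetDelayHrs = $p.PostAuthenticationResetDelay
    PostAuthActions       = $postAuthActions[[int]$p.PostAuthenticationActions]
}

# A device with a policy but no successful backup still has an unmanaged admin password,
# so look for the most recent success (10018, assumed) and failure (10029, assumed).
$events      = Get-WinEvent -LogName 'Microsoft-Windows-LAPS/Operational' -MaxEvents 200 -ErrorAction SilentlyContinue
$lastSuccess = $events | Where-Object Id -eq 10018 | Select-Object -First 1
$lastFailure = $events | Where-Object Id -eq 10029 | Select-Object -First 1

if ($lastSuccess) { "Last successful Azure AD backup: $($lastSuccess.TimeCreated)" }
else              { Write-Warning 'No successful Azure AD password backup recorded on this device.' }

if ($lastFailure -and (-not $lastSuccess -or $lastFailure.TimeCreated -gt $lastSuccess.TimeCreated)) {
    Write-Warning "Most recent backup attempt failed at $($lastFailure.TimeCreated): $($lastFailure.Message)"
}
```

Run this in an elevated session on the device; it is useful as an Intune remediation detection script, since a missing policy key or a failure event newer than the last success both indicate the account is not actually being rotated.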

The password for the account can be found within the device object in Intune, provided the account viewing it has the required permissions.
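As an added example (not from the original post), the following PowerShell retrieves a device's LAPS-managed password from Azure AD with the built-in Windows LAPS module rather than the portal, and flags a stored password that is past its expiry. It assumes the Microsoft.Graph.Authentication module is installed and that the signed-in account holds a role carrying microsoft.directory/deviceLocalCredentials/password/read (for example Cloud Device Administrator); the device name is a constructed placeholder.

```powershell
# Added example: read a device's Windows LAPS password from Azure AD and check its expiry.
# Assumes Microsoft.Graph.Authentication is installed and the caller holds a role with
# the deviceLocalCredentials/password/read permission. Device name is constructed.

Connect-MgGraph -Scopes 'Device.Read.All', 'DeviceLocalCredential.Read.All'

$deviceName = 'CONTOSO-PC01'   # constructed example device name

# -IncludePasswords is what returns the secret; omit it when you only need to confirm
# that a device is being managed, which is the lower-privilege standard/read case.
$result = Get-LapsAADPassword -DeviceIds $deviceName -IncludePasswords -AsPlainText

if (-not $result) {
    Write-Warning "No LAPS password stored in Azure AD for $deviceName. Verify the policy applied and that the device has checked in."
    Disconnect-MgGraph | Out-Null
    return
}

$result | Select-Object DeviceName, Account, PasswordUpdateTime, PasswordExpirationTime, Password

# The client should have rotated the password before it expired; a stale value suggests the
# device is offline, no longer enrolled, or failing to back up to the directory.
if ($result.PasswordExpirationTime -lt (Get-Date)) {
    Write-Warning "Stored password for $deviceName expired on $($result.PasswordExpirationTime); investigate why it has not rotated."
}

Disconnect-MgGraph | Out-Null
```

Reads of the password are audited in Azure AD, so retrieving it this way is visible in the same audit logs as a portal lookup.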
