メインコンテンツへスキップ

140: Windows LAPS

Overview

Windows Local Administrator Password Solution (LAPS) in Microsoft Entra and Intune is a powerful tool for managing local administrator passwords securely. Here's a detailed overview:

Benefits

  1. Enhanced Security: Windows LAPS ensures that each device has a unique, complex local administrator password, reducing the risk of unauthorized access.
  2. Centralized Management: Intune provides a centralized platform for managing local admin passwords, simplifying administration.
  3. Automated Password Rotation: Automatically rotates passwords on a schedule, ensuring they remain secure.
  4. Compliance: Helps meet regulatory requirements by ensuring secure management of local admin account passwords.
  5. Simple Setup: Configuration of Windows LAPS itself is easy, requiring very few changes.

Drawbacks

  1. Migration from Legacy Microsoft LAPS: Migrating from on-prem Legacy LAPS can require planning and testing: Get started with Windows LAPS deployment and migration scenarios | Microsoft Learn
  2. Changes to Helpdesk Processes: To achieve success using the managed LAPS account, it is imperative to understand what changes to Helpdesk access and processes will be required to be updated.

Impact on End Users

  • Improved Security: Users benefit from enhanced security without needing to take additional actions.
  • Minimal Disruption: Properly configured Windows LAPS can be deployed with minimal disruption to users.
  • Recovery Support: Users have access to recovery options if they forget their local admin password.

Steps to Deploy Windows LAPS

  1. Enable Windows LAPS: In the Azure Active Directory (AAD) or Microsoft Entra Admin portal, navigate to Devices > All devices > Device Settings. Toggle the option to enable Microsoft Entra Local Administrator Password Solution (LAPS) to "Yes" and save.
  2. Configure Intune Policies: In Intune, create a new policy for account protection and configure the LAPS settings, including password complexity and rotation schedule.
  3. Assign Policies: Assign the LAPS policy to the appropriate groups of devices or users.
  4. Monitor and Adjust: Continuously monitor the deployment and make adjustments as needed.

Tying to Zero Trust

Zero Trust is a security model that assumes no implicit trust and continuously verifies every request. Deploying Windows LAPS through Intune aligns with Zero Trust principles by:

  • Ensuring Secure Access: Windows LAPS enforces unique, complex passwords for local admin accounts, ensuring only authorized access.
  • Continuous Verification: Regularly updated passwords help maintain secure access, aligning with the continuous verification aspect of Zero Trust.
  • Reducing Attack Surface: By managing local admin passwords centrally, Windows LAPS reduces the potential attack surface.

Notes

The intention of Windows LAPS is for helpdesk support scenarios and not end-users. For scenarios requiring end-user elevation, investigate an Endpoint Privilege Management solution, such as EPM.

Reference