140: Windows LAPS

Overview

Windows Local Administrator Password Solution (LAPS) in Microsoft Entra and Intune is a powerful tool for managing local administrator passwords securely. Here's a detailed overview:

Benefits

1. Enhanced Security: Windows LAPS ensures that each device has a unique, complex local administrator password, reducing the risk of unauthorized access.
2. Centralized Management: Intune provides a centralized platform for managing local admin passwords, simplifying administration.
3. Automated Password Rotation: Automatically rotates passwords on a schedule, ensuring they remain secure.
4. Compliance: Helps meet regulatory requirements by ensuring secure management of local admin account passwords.
5. Simple Setup: Configuration of Windows LAPS itself is easy, requiring very few changes.

Drawbacks

1. Migration from Legacy Microsoft LAPS: Migrating from on-prem Legacy LAPS can require planning and testing: Get started with Windows LAPS deployment and migration scenarios | Microsoft Learn
2. Changes to Helpdesk Processes: To achieve success using the managed LAPS account, it is imperative to understand what changes to Helpdesk access and processes will be required to be updated.

Impact on End Users

• Improved Security: Users benefit from enhanced security without needing to take additional actions.
• Minimal Disruption: Properly configured Windows LAPS can be deployed with minimal disruption to users.
• Recovery Support: Users have access to recovery options if they forget their local admin password.

Steps to Deploy Windows LAPS

1. Enable Windows LAPS: In the Azure Active Directory (AAD) or Microsoft Entra Admin portal, navigate to Devices > All devices > Device Settings. Toggle the option to enable Microsoft Entra Local Administrator Password Solution (LAPS) to "Yes" and save.
2. Configure Intune Policies: In Intune, create a new policy for account protection and configure the LAPS settings, including password complexity and rotation schedule.
3. Assign Policies: Assign the LAPS policy to the appropriate groups of devices or users.
4. Monitor and Adjust: Continuously monitor the deployment and make adjustments as needed.

Tying to Zero Trust

Zero Trust is a security model that assumes no implicit trust and continuously verifies every request. Deploying Windows LAPS through Intune aligns with Zero Trust principles by:

• Ensuring Secure Access: Windows LAPS enforces unique, complex passwords for local admin accounts, ensuring only authorized access.
• Continuous Verification: Regularly updated passwords help maintain secure access, aligning with the continuous verification aspect of Zero Trust.
• Reducing Attack Surface: By managing local admin passwords centrally, Windows LAPS reduces the potential attack surface.

Notes

The intention of Windows LAPS is for helpdesk support scenarios and not end-users. For scenarios requiring end-user elevation, investigate an Endpoint Privilege Management solution, such as EPM.

Reference

• What is Windows LAPS?: https://learn.microsoft.com/en-us/windows-server/identity/laps/laps-overview
• Manage Windows LAPS with Microsoft Intune policies: https://learn.microsoft.com/en-us/mem/intune/protect/windows-laps-overview
• External Blog: Set up Windows LAPS with Intune: A Step-by-Step Guide - Prajwal Desai. https://www.prajwaldesai.com/set-up-windows-laps-with-intune/
• External Blog: Implement LAPS With Intune: A Comprehensive Guide - CloudInfra. https://cloudinfra.net/implement-laps-with-intune-a-comprehensive-guide/