140: Windows LAPS
Overview
Windows Local Administrator Password Solution (LAPS) in Microsoft Entra and Intune is a powerful tool for managing local administrator passwords securely. Here's a detailed overview:
Benefits
- Enhanced Security: Windows LAPS ensures that each device has a unique, complex local administrator password, reducing the risk of unauthorized access.
- Centralized Management: Intune provides a centralized platform for managing local admin passwords, simplifying administration.
- Automated Password Rotation: Automatically rotates passwords on a schedule, ensuring they remain secure.
- Compliance: Helps meet regulatory requirements by ensuring secure management of local admin account passwords.
- Simple Setup: Configuration of Windows LAPS itself is easy, requiring very few changes.
Drawbacks
- Migration from Legacy Microsoft LAPS: Migrating from on-prem Legacy LAPS can require planning and testing: Get started with Windows LAPS deployment and migration scenarios | Microsoft Learn
- Changes to Helpdesk Processes: To achieve success using the managed LAPS account, it is imperative to understand what changes to Helpdesk access and processes will be required to be updated.
Impact on End Users
- Improved Security: Users benefit from enhanced security without needing to take additional actions.
- Minimal Disruption: Properly configured Windows LAPS can be deployed with minimal disruption to users.
- Recovery Support: Users have access to recovery options if they forget their local admin password.
Steps to Deploy Windows LAPS
- Enable Windows LAPS: In the Azure Active Directory (AAD) or Microsoft Entra Admin portal, navigate to Devices > All devices > Device Settings. Toggle the option to enable Microsoft Entra Local Administrator Password Solution (LAPS) to "Yes" and save.
- Configure Intune Policies: In Intune, create a new policy for account protection and configure the LAPS settings, including password complexity and rotation schedule.
- Assign Policies: Assign the LAPS policy to the appropriate groups of devices or users.
- Monitor and Adjust: Continuously monitor the deployment and make adjustments as needed.
Tying to Zero Trust
Zero Trust is a security model that assumes no implicit trust and continuously verifies every request. Deploying Windows LAPS through Intune aligns with Zero Trust principles by:
- Ensuring Secure Access: Windows LAPS enforces unique, complex passwords for local admin accounts, ensuring only authorized access.
- Continuous Verification: Regularly updated passwords help maintain secure access, aligning with the continuous verification aspect of Zero Trust.
- Reducing Attack Surface: By managing local admin passwords centrally, Windows LAPS reduces the potential attack surface.
Notes
The intention of Windows LAPS is for helpdesk support scenarios and not end-users. For scenarios requiring end-user elevation, investigate an Endpoint Privilege Management solution, such as EPM.
Reference
- What is Windows LAPS?: https://learn.microsoft.com/en-us/windows-server/identity/laps/laps-overview
- Manage Windows LAPS with Microsoft Intune policies: https://learn.microsoft.com/en-us/mem/intune/protect/windows-laps-overview
- External Blog: Set up Windows LAPS with Intune: A Step-by-Step Guide - Prajwal Desai. https://www.prajwaldesai.com/set-up-windows-laps-with-intune/
- External Blog: Implement LAPS With Intune: A Comprehensive Guide - CloudInfra. https://cloudinfra.net/implement-laps-with-intune-a-comprehensive-guide/