Windows LAPS – Automated Local Administrator Password Rotation for Small Businesses in Berlin
Every Windows endpoint has a local Administrator account. In most SMB environments, that account exists with the same password across every machine — set once during imaging, never rotated, and often undocumented. When a threat actor compromises one machine and extracts that credential via a memory dump or registry read, they gain instant lateral movement to every other device on the network. Windows LAPS (Local Administrator Password Solution) eliminates this problem by automatically generating, rotating, and storing unique local admin passwords per device, backed by either Entra ID or Active Directory.
Legacy LAPS vs. Windows LAPS
The original Microsoft LAPS (now called legacy LAPS) was a separately installed MSI that required an Active Directory schema extension and Group Policy, and it could only back passwords up to on-premises AD. Windows LAPS is built into the OS (delivered by the April 2023 cumulative updates to Windows 11 22H2 and 21H2, Windows 10, Windows Server 2022 and Windows Server 2019) and can back passwords up to either Entra ID or Active Directory, which gives three deployment shapes:
| Device join type | Backup directory | Management plane |
|---|---|---|
| Entra joined (cloud-only) | Entra ID | Intune policy; passwords retrieved in Intune or the Entra portal |
| AD joined (on-premises) | Active Directory | Group Policy; requires the Windows LAPS schema update (Update-LapsADSchema) |
| Entra hybrid joined | Entra ID (AD backup also possible) | Intune policy with Entra ID backup, or Group Policy with AD backup |
For Berlin SMBs on M365 Business Premium with Intune-managed, Entra-joined devices, the target is Entra ID backup. No AD schema extension, no Group Policy — just an Intune policy and native OS functionality.
How Windows LAPS Works
- The Windows LAPS client (part of supported OS builds) generates a cryptographically random password for the managed local administrator account, following the configured length and complexity
- The client sends the password to the backup directory over an authenticated, TLS-protected channel, where it is stored on the device object (the Entra ID device or the AD computer object); with AD backup, Windows LAPS can additionally encrypt the stored password so that only an authorized principal can decrypt it
- A new password is generated when the configured password age expires, when an administrator triggers a reset (Reset-LapsPassword on the device, or the rotate action in Intune), or, if a post-authentication action is configured, a set delay after the managed account has been used to log on
- Authorized administrators retrieve the current password through the Intune portal, the Entra portal, or the Get-LapsAADPassword PowerShell cmdlet; the password lives only in the backup directory (on the device it exists only as the account's normal credential hash) and every retrieval is audited
The critical security properties are: every device has a unique password, the password rotates automatically, retrieval is access-controlled and logged, and no human ever needs to set or remember local admin credentials.
Intune Configuration for Entra-Joined Devices
Configuration path in Intune: Endpoint Security → Account Protection → Create Policy → Windows → Local admin password solution (Windows LAPS)
Key policy settings:
| Setting | Recommended Value | Notes |
|---|---|---|
| Backup directory | Microsoft Entra ID only | For Entra-joined devices; the AD options need on-premises AD |
| Password age days | 30 | 30–90 days typical; shorter is better hygiene; 7 days is the minimum when backing up to Entra ID |
| Password complexity | Large letters + small letters + numbers + special characters | Maximum complexity |
| Password length | 20 | Default is 14; 20 adds brute-force margin at no cost, since nobody types this password |
| Administrator account name | Leave blank, or name a custom account | Blank manages the built-in account by its well-known RID 500 (even after a rename); set a name only if LAPS should manage a separately created account, which must already exist |
| Post-authentication action | Reset password and log off | Rotates the password a set delay after the managed account logs on; "Reset password and reboot" is the stricter option |
The post-authentication action is what makes a retrieved password single-use. It is triggered by the managed account actually authenticating (an admin logging on with the retrieved password), not by the retrieval itself: a password that is retrieved but never used keeps its normal expiry. After the logon, the client waits for the "Post authentication reset delay" (in hours; 24 is the default, 0 disables the action) and then resets the password and logs the session off. Set the delay to something like 4–8 hours so a troubleshooting session can finish but the credential does not survive to the next day.
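As an added example (not code from the original article or from Microsoft), the check a practitioner wants after assigning the Intune policy: confirm on a device that the policy arrived with the intended values, that any named account exists, then force a policy cycle and read the LAPS operational log. It assumes the values from the table above; the registry path and numeric encodings are those the LAPS CSP and Group Policy use.

```powershell
# Added example, not code from the original article or from Microsoft.
# Run elevated on an Entra-joined device to confirm that the Intune LAPS policy
# arrived with the intended values, then force a policy cycle and look at the
# LAPS operational log. $Expected mirrors the table above; adjust to taste.

# Policy delivered by the LAPS CSP (Intune) or by Group Policy lands here.
$PolicyKey = 'HKLM:\Software\Microsoft\Policies\LAPS'

# Numeric encodings of the policy values:
#   BackupDirectory            0 = disabled, 1 = Entra ID, 2 = Active Directory
#   PasswordComplexity         4 = large + small letters + numbers + special characters
#   PostAuthenticationActions  1 = reset password, 3 = reset and log off, 5 = reset and reboot
$Expected = @{
    BackupDirectory              = 1
    PasswordAgeDays              = 30
    PasswordComplexity           = 4
    PasswordLength               = 20
    PostAuthenticationActions    = 3
    PostAuthenticationResetDelay = 8     # hours after the managed account logs on
}

function Test-LapsPolicy {
    param([hashtable]$Expected, [string]$Key)

    if (-not (Test-Path -Path $Key)) {
        Write-Warning "No LAPS policy at $Key; the Intune policy has not been applied yet."
        return $false
    }
    $actual = Get-ItemProperty -Path $Key
    $ok = $true
    foreach ($name in $Expected.Keys) {
        $prop = $actual.PSObject.Properties[$name]
        if ($null -eq $prop) {
            Write-Warning "$name is not set; the client will use its built-in default."
            $ok = $false
        } elseif ($prop.Value -ne $Expected[$name]) {
            Write-Warning "$name is $($prop.Value), expected $($Expected[$name])."
            $ok = $false
        }
    }
    # AdministratorAccountName is optional. When it is absent, LAPS manages the
    # built-in account by its well-known RID 500, even if that account was renamed.
    # When it is set, the named account must already exist: LAPS does not create it.
    $target = $actual.PSObject.Properties['AdministratorAccountName']
    if ($target -and -not (Get-LocalUser -Name $target.Value -ErrorAction SilentlyContinue)) {
        Write-Warning "Policy targets '$($target.Value)' but no such local account exists; rotation will fail."
        $ok = $false
    }
    return $ok
}

if (Test-LapsPolicy -Expected $Expected -Key $PolicyKey) {
    # The LAPS PowerShell module ships with the OS; this forces an immediate cycle.
    Invoke-LapsPolicyProcessing
    # Recent client events. Errors here usually mean the device is not Entra
    # joined or could not reach the backup directory.
    Get-WinEvent -LogName 'Microsoft-Windows-LAPS/Operational' -MaxEvents 10 |
        Select-Object TimeCreated, Id, LevelDisplayName, Message |
        Format-Table -Wrap
}
```

Get-LapsDiagnostics (also in the built-in LAPS module) bundles the same log plus policy state into a zip if you need to escalate a failing device.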
Retrieving the Password
Three methods, all audited:
- Intune portal: Devices → select device → Local admin password → Show local administrator password
- Entra portal: Devices → All devices → select device → Local administrator password
- PowerShell (the LAPS module ships with the OS; the Graph sign-in needs the Microsoft.Graph.Authentication module):
```powershell
Connect-MgGraph -Scopes 'Device.Read.All', 'DeviceLocalCredential.Read.All'
Get-LapsAADPassword -DeviceIds 'DeviceName' -IncludePasswords -AsPlainText
```
Without -AsPlainText the password is returned as a SecureString; -DeviceIds accepts device names or Entra device IDs.
Every retrieval is written to the Microsoft Entra audit log (category Device, recorded against the device whose password was recovered; Intune's own audit log records portal retrievals as well). Stream these audit events into Microsoft Sentinel and alert on unexpected retrievals: outside business hours, by accounts that do not normally administer devices, or in bulk across many devices.
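The detection logic above, as an added example that is not part of the original article: it runs over three constructed audit records shaped like Microsoft Graph directoryAudit objects and flags retrievals outside Berlin business hours or by non-helpdesk accounts. The activityDisplayName string, the helpdesk UPNs and the device names are assumptions; confirm the activity name against a known retrieval in your tenant's audit log before wiring this into Sentinel.

```powershell
# Added example, not code from the original article. Detection logic for LAPS
# retrievals, run here over three constructed audit records shaped like
# Microsoft Graph directoryAudit objects. Assumptions to confirm in your own
# tenant: the activityDisplayName string that Entra records for a LAPS retrieval
# (take it from a known retrieval in the audit log) and the helpdesk UPNs.

$LapsActivity  = 'Recover device local administrator password'   # assumption: verify against your audit log
$HelpdeskUpns  = @('helpdesk1@contoso.example', 'helpdesk2@contoso.example')
$BusinessHours = 8..18                                           # Berlin local hours treated as normal

function Get-BerlinTimeZone {
    # PowerShell 7 / .NET 6+ accept the IANA id; Windows PowerShell 5.1 needs the Windows id.
    try   { [System.TimeZoneInfo]::FindSystemTimeZoneById('Europe/Berlin') }
    catch { [System.TimeZoneInfo]::FindSystemTimeZoneById('W. Europe Standard Time') }
}

# Constructed sample data: two routine retrievals and one that should alert
# (Saturday night, by an account outside the helpdesk list).
$SampleAudits = @(
    [pscustomobject]@{
        activityDateTime    = '2024-03-12T09:15:00Z'
        activityDisplayName = $LapsActivity
        initiatedBy         = @{ user = @{ userPrincipalName = 'helpdesk1@contoso.example' } }
        targetResources     = @(@{ displayName = 'BER-LAP-017' })
    },
    [pscustomobject]@{
        activityDateTime    = '2024-03-12T14:05:00Z'
        activityDisplayName = $LapsActivity
        initiatedBy         = @{ user = @{ userPrincipalName = 'helpdesk2@contoso.example' } }
        targetResources     = @(@{ displayName = 'BER-LAP-023' })
    },
    [pscustomobject]@{
        activityDateTime    = '2024-03-16T22:40:00Z'
        activityDisplayName = $LapsActivity
        initiatedBy         = @{ user = @{ userPrincipalName = 'contractor@contoso.example' } }
        targetResources     = @(@{ displayName = 'BER-SRV-002' })
    }
)

function Find-SuspiciousLapsRetrieval {
    param([object[]]$Audits, [string[]]$AllowedUpns, [int[]]$Hours, [string]$Activity)

    $tz = Get-BerlinTimeZone
    foreach ($a in $Audits) {
        if ($a.activityDisplayName -ne $Activity) { continue }
        $actor = $a.initiatedBy.user.userPrincipalName
        $utc   = ([datetimeoffset]$a.activityDateTime).UtcDateTime
        $local = [System.TimeZoneInfo]::ConvertTimeFromUtc($utc, $tz)
        $reasons = @()
        if ($actor -notin $AllowedUpns) {
            $reasons += "actor $actor is not a helpdesk operator"
        }
        if ($local.Hour -notin $Hours -or $local.DayOfWeek -in @([DayOfWeek]::Saturday, [DayOfWeek]::Sunday)) {
            $reasons += "outside business hours ($($local.ToString('ddd yyyy-MM-dd HH:mm')) Berlin)"
        }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Device  = $a.targetResources[0].displayName
                Actor   = $actor
                Berlin  = $local
                Reasons = $reasons -join '; '
            }
        }
    }
}

Find-SuspiciousLapsRetrieval -Audits $SampleAudits -AllowedUpns $HelpdeskUpns -Hours $BusinessHours -Activity $LapsActivity |
    Format-Table -AutoSize

# Live data instead of the sample (Microsoft.Graph.Reports module):
#   Connect-MgGraph -Scopes 'AuditLog.Read.All', 'Directory.Read.All'
#   $live = Get-MgAuditLogDirectoryAudit -Filter "activityDisplayName eq '$LapsActivity'" -All
#   Find-SuspiciousLapsRetrieval -Audits $live -AllowedUpns $HelpdeskUpns -Hours $BusinessHours -Activity $LapsActivity
```

On the sample data only the BER-SRV-002 retrieval is reported, with both reasons attached. The same two conditions (actor not in the helpdesk list, local time outside hours or on a weekend) are what the Sentinel analytics rule should encode; keep the helpdesk list in a watchlist rather than in the rule text.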
Access Control for Password Retrieval
Password retrieval requires one of:
- Global Administrator
- Cloud Device Administrator
- Intune Administrator
- A custom role that includes the microsoft.directory/deviceLocalCredentials/password/read permission
For least-privilege: create a custom Entra ID role with only the LAPS read permission and assign it to your helpdesk operators. Do not give helpdesk staff Global Admin or Intune Admin just for LAPS access. Use PIM to make this role eligible rather than permanent so retrieval requires an activation step with justification.
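The custom role and PIM eligibility described above, as an added example using the Microsoft Graph PowerShell SDK (not code from the original article or from Microsoft). The role name, the metadata permission deviceLocalCredentials/standard/read and the helpdesk group id are assumptions; the caller needs Privileged Role Administrator or Global Administrator, and the group must be role-assignable.

```powershell
# Added example, not code from the original article. Creates a least-privilege
# Entra custom role that can read LAPS passwords and nothing else, then makes a
# helpdesk group eligible for it through PIM. Uses the Microsoft Graph PowerShell
# SDK (Microsoft.Graph.Identity.Governance); the caller needs Privileged Role
# Administrator or Global Administrator. Assumptions: the role name, the
# metadata permission deviceLocalCredentials/standard/read (remove it if your
# tenant's custom-role editor does not offer it) and the helpdesk group id,
# which must be a role-assignable group.

Connect-MgGraph -Scopes 'RoleManagement.ReadWrite.Directory', 'RoleEligibilitySchedule.ReadWrite.Directory'

$RoleDefinition = @{
    displayName     = 'LAPS Password Reader (Helpdesk)'
    description     = 'Read Windows LAPS local administrator passwords stored in Entra ID, nothing else.'
    isEnabled       = $true
    rolePermissions = @(
        @{
            allowedResourceActions = @(
                'microsoft.directory/deviceLocalCredentials/password/read'   # the LAPS read permission named in the article
                'microsoft.directory/deviceLocalCredentials/standard/read'   # assumption: metadata such as account name and backup time
            )
        }
    )
}
$Role = New-MgRoleManagementDirectoryRoleDefinition -BodyParameter $RoleDefinition
Write-Host "Created role $($Role.DisplayName) ($($Role.Id))"

# Eligible, not active: operators must activate through PIM with a justification
# before each use, and the activation itself is audited.
$HelpdeskGroupId = '00000000-0000-0000-0000-000000000000'   # assumption: object id of your role-assignable helpdesk group

$Eligibility = @{
    action           = 'adminAssign'
    justification    = 'Helpdesk LAPS password retrieval, activated per incident via PIM'
    roleDefinitionId = $Role.Id
    directoryScopeId = '/'
    principalId      = $HelpdeskGroupId
    scheduleInfo     = @{
        startDateTime = (Get-Date).ToUniversalTime()
        expiration    = @{ type = 'noExpiration' }
    }
}
New-MgRoleManagementDirectoryRoleEligibilityScheduleRequest -BodyParameter $Eligibility |
    Select-Object Id, Status, Action
```

With the eligibility in place, an operator activates the role in the PIM portal, retrieves the password, and the activation plus the retrieval both land in the Entra audit log, which gives the Sentinel rule two events to correlate.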
OS Version Pre-Requisites
Windows LAPS native support requires:
- Windows 11 22H2 (KB5025239) or 21H2 (KB5025224), or later
- Windows 10 (KB5025221, which covers 20H2 through 22H2) or later
- Windows Server 2022 (KB5025230) and Windows Server 2019 (KB5025229); Windows Server 2016 and earlier have no native Windows LAPS
Devices on older builds need to be updated first. For devices that cannot reach a supported build (or for Windows Server 2016), the legacy LAPS MSI can be deployed via Intune as a stopgap, but it only backs up to AD, so those devices need on-premises AD.
Hardening Recommendations
- Decide which account LAPS manages before deploying the policy: either keep the built-in Administrator (LAPS finds it by RID 500 even after a rename) or create a separate named local admin account. LAPS does not create accounts; if the policy names an account that does not exist on the device, password rotation fails
- If you go the custom-account route, disable the built-in Administrator once the custom account exists and the policy has rotated its password. Renaming the built-in account costs an attacker only an enumeration step, since the RID-500 account can be resolved by SID regardless of its name, so treat the rename as a speed bump rather than a control
- Block network logon for local administrators via Group Policy or Intune: add the well-known group "Local account and member of Administrators group" (S-1-5-114) to "Deny access to this computer from the network". A LAPS password is for interactive use at the console (RDP is governed separately by "Deny log on through Remote Desktop Services"); it should never authenticate over SMB, WMI or WinRM, which is exactly how a stolen local admin credential is used for lateral movement
- Alert on LAPS password retrievals in Sentinel with an analytics rule over the Entra audit log's device credential recovery events, tuned to your helpdesk's normal hours and accounts
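The account staging the first two hardening items call for, as an added example (not code from the original article): it locates the built-in account by RID 500 rather than by name, creates the managed account with a throwaway random password that LAPS replaces on its first cycle, adds it to Administrators by SID, and only then renames and disables the built-in account. Deploy it (for example as an Intune PowerShell script) before the LAPS policy that names the custom account. The two account names are assumptions.

```powershell
# Added example, not code from the original article. Stages the local accounts
# so that the LAPS policy's AdministratorAccountName points at an account that
# actually exists. LAPS does not create the account; it only rotates the
# password of the one you name (or of the RID-500 built-in account when no
# name is given). Run elevated on the device. Account names are illustrative.

$ManagedAdmin   = 'ber-ladmin'         # assumption: must match AdministratorAccountName in the Intune policy
$RenamedBuiltIn = 'svc-disabled-500'   # assumption: new name for the built-in account

# Locate the built-in Administrator by its well-known RID 500, not by name;
# the name may already have been changed by imaging or an earlier policy.
$BuiltIn = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }

# Create the managed account with a throwaway random password. LAPS replaces it
# on its first policy cycle, so nothing here needs to be recorded anywhere.
if (-not (Get-LocalUser -Name $ManagedAdmin -ErrorAction SilentlyContinue)) {
    $bytes = New-Object byte[] 32
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $initial = ConvertTo-SecureString -String ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
    New-LocalUser -Name $ManagedAdmin -Password $initial -PasswordNeverExpires `
        -Description 'LAPS-managed local administrator' | Out-Null
}

# Resolve the Administrators group by SID so this also works on German Windows
# builds where the group is called "Administratoren".
$Admins = Get-LocalGroup | Where-Object { $_.SID.Value -eq 'S-1-5-32-544' }
$alreadyMember = Get-LocalGroupMember -Group $Admins | Where-Object { $_.Name -like "*\$ManagedAdmin" }
if (-not $alreadyMember) {
    Add-LocalGroupMember -Group $Admins -Member $ManagedAdmin
}

# Only now retire the built-in account: rename, then disable. The account keeps
# RID 500 either way, which is why the rename is a speed bump, not a control.
if ($BuiltIn.Name -ne $RenamedBuiltIn) {
    Rename-LocalUser -Name $BuiltIn.Name -NewName $RenamedBuiltIn
}
Disable-LocalUser -Name $RenamedBuiltIn

# Verify the end state: managed account enabled, built-in account disabled.
Get-LocalUser | Where-Object { $_.Name -in @($ManagedAdmin, $RenamedBuiltIn) } |
    Select-Object Name, Enabled, SID
```

Once the LAPS policy with AdministratorAccountName set to the managed account has applied, the Intune device page shows the account name and the last backup time; if it shows the old RID-500 name instead, the policy is still targeting the built-in account.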
Windows LAPS is one of the highest-ROI security controls available to SMBs because it eliminates the single most common credential-based lateral movement vector with near-zero operational overhead after initial deployment. If your Berlin business has Intune-managed endpoints and hasn’t deployed LAPS, this should be the next policy you create.
