Windows LAPS: Local Administrator Password Solution for Small Businesses in Berlin

Every Windows device ships with a built-in local Administrator account. In most small business environments, this account has the same password on every device — set during imaging and never changed. An attacker who captures that password once can move laterally across every device in the organization without triggering identity-based alerts, because they are using a legitimate local account that bypasses Entra ID Conditional Access entirely. Windows LAPS (Local Administrator Password Solution) eliminates this attack vector by automatically rotating the local Administrator password on each device and storing it securely in Microsoft Entra ID or Active Directory — a different, randomly generated password per device, rotated on a schedule.

Windows LAPS is built into Windows 10 22H2, Windows 11, and Windows Server 2019 and later, starting with the April 2023 cumulative updates. The Entra ID storage and retrieval features work on every Entra ID tier, including Free; what costs money is the management layer: Intune for policy deployment (included in Microsoft 365 Business Premium), and Entra ID P1 if you want 30 days of audit log retention instead of the Free tier's 7 days. Deployment takes under an hour via Intune policy, and the security return is immediate and lasting.

The Local Admin Password Problem

Local administrator accounts are a persistent blind spot in SMB security hardening. They exist outside the identity perimeter — they are not Entra ID accounts, they are not subject to Conditional Access policies, and compromise of a local admin credential does not trigger Entra ID risk signals. In environments where every device shares the same local admin password (a common result of image-based deployment), a single compromised device exposes every other device to immediate administrative access.

This is a common ransomware deployment chain: initial access via phishing, credential harvest from one device (the plaintext local admin password, or just its NTLM hash, which pass-the-hash makes sufficient), lateral movement using that shared local admin credential, and mass deployment of ransomware from a single account that exists on every machine. LAPS breaks this chain at the lateral movement step: a credential harvested from one device opens no other device.

How Windows LAPS Works

Windows LAPS operates as a component of the Windows operating system, managed through a device configuration policy deployed via Intune (for Entra ID-joined devices) or Group Policy (for domain-joined devices). The workflow is straightforward:

  • Policy assignment: A LAPS policy is pushed to devices via Intune, specifying the target local account, password length and complexity, rotation interval, post-authentication behaviour, and storage location (Entra ID or on-premises AD).
  • Password generation and upload: When the current password expires (or a rotation is requested), the LAPS component on the device generates a random password meeting the policy requirements and uploads it over TLS to Entra ID, where it is stored on the device object. The backup happens first: only after Entra ID confirms the upload does LAPS change the local password, so a failed upload never strands a device with a password nobody knows.
  • Password rotation: The local Administrator account password is set to the newly generated value. The previous password no longer works on the device; Entra ID can retain earlier values for history.
  • Authorized retrieval: IT administrators retrieve the current password for a specific device through the Intune admin center, the Entra admin center, the Microsoft Graph API, or the built-in Get-LapsAADPassword cmdlet, with every retrieval written to the Entra ID audit log.

The result: every device has a unique local admin password known only to Entra ID, rotated automatically, and retrievable only by authorized personnel with full audit trail.

Prerequisites

For cloud-native LAPS with Entra ID storage (the recommended path for most Berlin SMBs):

  • OS: Windows 10 22H2 (KB5025221 or later), Windows 11 21H2 (KB5025224 or later) or 22H2 (KB5025239 or later), Windows Server 2019 (KB5025229 or later), or Windows Server 2022 (KB5025230 or later). Windows Server 2016 and earlier, and Windows 10 builds without the April 2023 updates, are not supported by Windows LAPS; the legacy LAPS MSI agent covers them but stores passwords in on-premises AD only.
  • Device join type: Entra ID-joined or Entra hybrid-joined. Entra-registered (personal, workplace-registered) devices are not supported.
  • License: none is required for the LAPS feature itself; it is available on all Entra ID tiers, including Free. Intune needs its own license (included in Microsoft 365 Business Premium). Entra ID P1 or P2 raises audit log retention from 7 to 30 days, which matters when you need to show who retrieved a password weeks after the fact.
  • Management: Microsoft Intune for policy deployment (or Group Policy for domain-joined hybrid devices).

Configuring Windows LAPS via Intune

Navigate to Intune admin center › Endpoint security › Account protection › Create policy › Windows 10 and later › Windows LAPS. The policy requires four decisions:

  • Backup directory: Select "Backup the password to Azure AD only" (Entra ID) for cloud-native environments. Select "Backup the password to Active Directory only" if devices are domain-joined and you require on-prem storage. A policy can target only one directory.
  • Password age (days): With Entra ID backup the allowed range is 7 to 365 days and the default is 30. Shorter intervals increase rotation frequency at marginal operational cost; longer intervals lengthen the window in which a retrieved but unused password stays valid. 14 days is a reasonable default for a small business.
  • Password complexity: Large letters + small letters + numbers + special characters (the default) is the recommended setting. Password length defaults to 14 characters and can be set from 8 to 64; 14 or more is adequate for a password that is rotated every few weeks and copied from the portal rather than memorised.
  • Administrator account name: Leave blank to manage the built-in Administrator account. Windows LAPS locates it by its well-known RID 500, so a renamed built-in account is still found without configuring anything here. Enter a name only to manage a different local account you created for the purpose; that account must already exist, since this policy rotates passwords and does not create accounts.

Assign the policy to the device group containing all Windows endpoints. Status in the Intune admin center shows “Succeeded” per device when the policy has been applied and the first password has been uploaded to Entra ID.

Enabling LAPS in Entra ID

Before the Intune policy can back anything up, LAPS must be enabled at the tenant level: Entra admin center › Devices › All devices › Device settings › Enable Microsoft Entra Local Administrator Password Solution (LAPS) = Yes. This one-time setting lets the tenant accept password uploads from devices. Without it, devices receive and apply the policy but every upload is rejected; because Windows LAPS only changes the local password after a successful backup, the local password stays as it was. The failure is not silent on the device, which writes errors to the Microsoft-Windows-LAPS/Operational event log, but nothing appears in the portals, so it is easy to miss from the admin side.
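The following script is an added example, not part of the original article, for checking from the device side that the Intune policy described above has arrived and that the first backup to Entra ID went through (the failure mode of the missing tenant switch shows up here as Error events). It assumes an elevated PowerShell on a Windows 11 or Windows 10 22H2 device with the April 2023 or later update, which ships the LAPS module it uses; the registry value names and their numeric meanings are those documented for the LAPS CSP.

```powershell
# Added example, not from the original article: verify on an Entra ID-joined,
# Intune-managed device that the LAPS policy has arrived and that the backup to
# Entra ID actually happened. Run from an elevated PowerShell on the device.
# Assumes Windows 11 or Windows 10 22H2 with the April 2023 (or later) update,
# which ships the LAPS module used below.

Import-Module LAPS

# Intune (CSP) and Group Policy both write the effective LAPS settings here.
$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Policies\LAPS'

# Readable names for the numeric values, as documented for the LAPS CSP.
$BackupDirectoryNames = @{ 0 = 'Disabled'; 1 = 'Entra ID'; 2 = 'Active Directory' }
$ComplexityNames      = @{ 1 = 'A-Z'; 2 = 'A-Z a-z'; 3 = 'A-Z a-z 0-9'; 4 = 'A-Z a-z 0-9 specials' }
$PostAuthActionNames  = @{ 1 = 'Reset password'; 3 = 'Reset password and log off'; 5 = 'Reset password and reboot' }

function Get-LapsEffectivePolicy {
    # Returns the decoded policy, or $null when no policy has been delivered yet.
    if (-not (Test-Path $PolicyKey)) {
        Write-Warning 'No LAPS policy key present: the Intune policy has not reached this device.'
        return $null
    }
    $p = Get-ItemProperty -Path $PolicyKey
    # An empty account name means the built-in Administrator, found by RID 500.
    $account = if ($p.AdministratorAccountName) { $p.AdministratorAccountName } else { 'built-in Administrator (RID 500)' }
    [pscustomobject]@{
        BackupDirectory          = $BackupDirectoryNames[[int]$p.BackupDirectory]
        ManagedAccount           = $account
        PasswordAgeDays          = $p.PasswordAgeDays
        PasswordLength           = $p.PasswordLength
        PasswordComplexity       = $ComplexityNames[[int]$p.PasswordComplexity]
        PostAuthenticationAction = $PostAuthActionNames[[int]$p.PostAuthenticationActions]
        PostAuthResetDelayHours  = $p.PostAuthenticationResetDelay
    }
}

function Test-LapsEntraJoined {
    # dsregcmd is the authoritative view of the join state; a policy that targets
    # Entra ID cannot back up from a device that is not Entra joined.
    $status = dsregcmd /status
    [bool]($status | Select-String -Pattern 'AzureAdJoined\s*:\s*YES' -Quiet)
}

function Invoke-LapsBackupCheck {
    # Force a policy cycle now instead of waiting for the scheduled one, then show
    # what the LAPS component logged about it in the last few minutes.
    Invoke-LapsPolicyProcessing
    Get-WinEvent -FilterHashtable @{
            LogName   = 'Microsoft-Windows-LAPS/Operational'
            StartTime = (Get-Date).AddMinutes(-5)
        } -ErrorAction SilentlyContinue |
        Sort-Object TimeCreated |
        Select-Object TimeCreated, Id, LevelDisplayName,
            @{ n = 'Message'; e = { ($_.Message -split "`r?`n")[0] } }
}

$policy = Get-LapsEffectivePolicy
$policy | Format-List

if ($policy -and $policy.BackupDirectory -eq 'Entra ID' -and -not (Test-LapsEntraJoined)) {
    Write-Warning 'Policy targets Entra ID but dsregcmd says this device is not Entra joined.'
}

# Information-level events report a successful backup and local password change.
# Error-level events right after deployment most often mean the tenant-level
# "Enable Microsoft Entra Local Administrator Password Solution" switch is still off.
Invoke-LapsBackupCheck | Format-Table -AutoSize -Wrap
```

Run it on one pilot device before assigning the policy to the whole fleet: a decoded policy plus Information events means the chain from Intune to the tenant is complete; a decoded policy plus Error events points at the tenant switch or connectivity, not at the policy itself.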

Retrieving LAPS Passwords

When a technician needs local admin access to a specific device — for troubleshooting, reimaging, or incident response — they retrieve the current LAPS password through one of three methods:

  • Intune admin center: Devices › All devices › [Device name] › Local admin password. Shows the current password and its expiry date. Viewing the password does not rotate it by itself; use the device action Rotate local admin password, or rely on the post-authentication actions described below, once the password has been used.
  • Entra admin center: Devices › All devices › [Device name] › Local administrator password recovery. Reading the password requires the Cloud Device Administrator, Intune Administrator or Global Administrator role (or a custom role carrying the deviceLocalCredentials/password/read action); Global Reader sees the metadata but not the password.
  • Microsoft Graph API: GET /v1.0/directory/deviceLocalCredentials/{deviceId}?$select=credentials with the DeviceLocalCredential.Read.All permission; without the $select the call returns only the account name and expiry. The built-in Get-LapsAADPassword cmdlet wraps this call for scripts and helpdesk tooling.

Every password retrieval is logged in the Entra ID audit log with the timestamp, the device, and the identity of the user who retrieved it. This provides the accountability trail required for privileged access policies and compliance audits. Retention is 7 days on the Free tier and 30 days with Entra ID P1 or P2; export the log to a SIEM or Log Analytics workspace if you need to answer "who read this password" further back than that.
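As an added example, not code from the original article, the script below performs the two tasks just described from a helpdesk workstation: it resolves a device by name, reads its current LAPS password through the built-in LAPS module (which calls the Graph deviceLocalCredentials endpoint), and then lists who recovered passwords in the last seven days from the Entra ID audit log. It assumes the Microsoft.Graph PowerShell SDK is installed and that the signed-in user holds one of the roles allowed to read LAPS passwords; the device name, the 7-day window and the audit activity name used in the filter are placeholders to be checked against your own tenant.

```powershell
# Added example, not from the original article: look up one device, read its
# current LAPS password through the built-in LAPS module (which calls the Graph
# endpoint /directory/deviceLocalCredentials), and list who recovered passwords
# this week. Requires the Microsoft.Graph PowerShell SDK and a role allowed to
# read LAPS passwords (Cloud Device Administrator, Intune Administrator or Global
# Administrator). The device name and the 7-day window are placeholders.

Import-Module LAPS
Import-Module Microsoft.Graph.Identity.DirectoryManagement
Import-Module Microsoft.Graph.Reports

$DeviceName = 'BER-LT-042'   # hypothetical device display name

# Device.Read.All resolves the device; DeviceLocalCredential.Read.All returns the
# password (the ReadBasic.All scope would return only expiry metadata); the
# AuditLog and Directory scopes are for the retrieval audit at the end.
Connect-MgGraph -Scopes 'Device.Read.All', 'DeviceLocalCredential.Read.All',
                        'AuditLog.Read.All', 'Directory.Read.All'

function Resolve-EntraDeviceId {
    param([Parameter(Mandatory)][string]$Name)
    $device = Get-MgDevice -Filter "displayName eq '$Name'" -Property Id, DeviceId, DisplayName
    if (-not $device) { throw "Device '$Name' not found in Entra ID." }
    if (@($device).Count -gt 1) { throw "Display name '$Name' is ambiguous; look the device up by DeviceId instead." }
    # LAPS credentials are keyed on the device's DeviceId (the GUID dsregcmd shows),
    # not on the directory object Id.
    $device.DeviceId
}

function Get-DeviceLapsPassword {
    param([Parameter(Mandatory)][string]$Name)
    $deviceId = Resolve-EntraDeviceId -Name $Name
    # -IncludePasswords is the audited action; leave it out when you only need to
    # see when the password will next rotate.
    Get-LapsAADPassword -DeviceIds $deviceId -IncludePasswords -AsPlainText |
        Select-Object DeviceName, Account, Password, PasswordUpdateTime, PasswordExpirationTime
}

function Get-LapsRecoveryAudit {
    param([int]$Days = 7)
    $from = (Get-Date).ToUniversalTime().AddDays(-$Days).ToString('yyyy-MM-ddTHH:mm:ssZ')
    # Activity name as it appears in the Entra audit log for LAPS password reads;
    # confirm against your own tenant's log before relying on it in a report.
    $filter = "activityDisplayName eq 'Recover device local administrator password' and activityDateTime ge $from"
    Get-MgAuditLogDirectoryAudit -Filter $filter -All | ForEach-Object {
        [pscustomobject]@{
            When   = $_.ActivityDateTime
            Who    = $_.InitiatedBy.User.UserPrincipalName
            Device = ($_.TargetResources | Select-Object -First 1).DisplayName
            Result = $_.Result
        }
    }
}

Get-DeviceLapsPassword -Name $DeviceName | Format-List
Get-LapsRecoveryAudit -Days 7 | Format-Table -AutoSize
```

Resolving the device by display name is deliberately strict: two devices with the same name make the call ambiguous, and handing a technician the wrong machine's password is worse than making them look up the DeviceId.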

Post-Authentication Rotation

Windows LAPS supports post-authentication actions: after the managed account authenticates, LAPS waits a configurable grace period and then rotates the password, optionally logging the account off or rebooting the device. A retrieved password therefore stops working within the grace period even if nobody triggers a rotation by hand. Configure this in the Intune policy: Post-authentication actions = Reset the password and logoff the managed account; Post-authentication reset delay = 24 hours (the default and maximum), which gives the technician time to finish before the logoff. Set the delay shorter for incident response work where the password should not outlive the session.

LAPS in Hybrid Environments

For Berlin businesses running on-premises Active Directory alongside Entra ID (hybrid environments), Windows LAPS can store passwords in either directory, but each policy targets one of them. The usual split: Entra ID storage for Entra ID-joined devices, on-premises AD for domain-only devices. The legacy LAPS MSI agent remains the only option for Windows Server 2016 and for Windows 10 builds without the April 2023 updates, and it stores passwords in AD only; Microsoft's direction is Windows LAPS with Entra ID storage. Avoid running both agents against the same device, and remove the legacy agent once the native policy manages it.

Entra hybrid-joined devices — domain-joined and also registered in Entra ID — can use either storage target. Entra ID storage is preferred because it makes passwords accessible via the cloud portals and Graph API without requiring on-premises AD connectivity, which is the constraint that blocks many hybrid helpdesk workflows.
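For the devices that do stay on the on-premises AD storage target, the following added example (not from the original article) shows the one-time directory preparation and the retrieval side with the built-in LAPS module. It assumes a domain-joined admin workstation with the LAPS module and RSAT; Update-LapsADSchema needs Schema Admins membership and the permission cmdlets need rights on the OU. The OU, group and computer names are placeholders.

```powershell
# Added example, not from the original article: one-time preparation of
# on-premises Active Directory for Windows LAPS storage, then retrieval of one
# computer's password and a check of who else can read it. Run from a
# domain-joined admin workstation with the LAPS module and RSAT; Update-LapsADSchema
# needs Schema Admins, the permission cmdlets need rights on the OU. The OU,
# group and computer names are placeholders.

Import-Module LAPS

$WorkstationOU = 'OU=Workstations,DC=corp,DC=example'   # hypothetical OU
$HelpdeskGroup = 'CORP\Helpdesk-LAPS'                   # hypothetical group
$Computer      = 'BER-WS-017'                           # hypothetical computer

# 1. Extend the schema once per forest; this adds the msLAPS-* attributes that
#    hold the (encrypted) password and its expiry.
Update-LapsADSchema -Verbose

# 2. Each computer must be able to write its own msLAPS-* attributes.
Set-LapsADComputerSelfPermission -Identity $WorkstationOU

# 3. Grant password read to the helpdesk group only. Anyone holding "All Extended
#    Rights" on the OU (typically Domain Admins) can read regardless of this ACE.
Set-LapsADReadPasswordPermission -Identity $WorkstationOU -AllowedPrincipals $HelpdeskGroup

# 4. Audit successful reads so retrievals appear in the domain controllers'
#    Security log, the on-prem counterpart of the Entra ID audit trail.
Set-LapsADAuditing -Identity $WorkstationOU -Principals 'Everyone' -AuditType Success

# 5. Review who holds extended rights on the OU and therefore implicit read access.
Find-LapsADExtendedRights -Identity $WorkstationOU | Format-Table -AutoSize

# 6. Retrieve the current password (add -IncludeHistory for earlier values).
Get-LapsADPassword -Identity $Computer -AsPlainText | Format-List
```

Encrypted storage in AD (the default) requires a Windows Server 2016 domain functional level. On an older forest the password policy must explicitly disable password encryption, which leaves the value protected only by the attribute ACL set in step 3, so step 5 becomes the more important check.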

LAPS and the Broader Privileged Access Strategy

Windows LAPS addresses local accounts. The complementary controls for cloud-privileged accounts are Microsoft Entra Privileged Identity Management (for just-in-time elevation to admin roles) and Conditional Access (for requiring MFA and device compliance before any administrative access). Together, LAPS + PIM + Conditional Access cover three distinct privilege paths: local credential reuse across devices, standing cloud admin role assignments, and weak authentication for cloud admin operations.

For Berlin SMBs with NIS2 obligations, LAPS deployment is concrete evidence for the privileged access and access control measures that supervisory questionnaires are beginning to ask about; it supports that requirement rather than satisfying it on its own. It is one of the highest-value, lowest-cost security controls available: free to license, quick to deploy, and durably effective against the shared-local-password lateral movement that features in many SMB ransomware incidents.
