Windows LAPS & Local Group Management
Local admin accounts are a goldmine for attackers. Windows LAPS rotates their passwords automatically, and Intune can control who belongs to local groups β all from the cloud.
Why do local admin accounts matter?
Every Windows PC has a built-in local admin account β itβs like a master key hidden under the doormat.
If every device in your company uses the same local admin password (which is terrifyingly common), an attacker who discovers it on one machine can use it on ALL of them. Thatβs called a lateral movement attack β hopping from device to device using the same stolen credential.
Windows LAPS fixes this by giving each device a unique, randomly generated local admin password that changes automatically. The passwords are stored safely in Entra ID (or on-prem AD), and only authorised admins can view them.
How Windows LAPS works
Sam at Tui Solutions is rolling out LAPS across 500 devices. Hereβs the flow:
- Admin configures LAPS via Intune (endpoint security policy or device configuration profile)
- LAPS generates a unique, random password for the local admin account on each device
- Password is stored in Microsoft Entra ID (attached to the device object)
- Password rotates automatically based on the configured schedule (e.g., every 30 days)
- Authorised admins can view the current password in the Intune admin center or Entra admin center
- After use, the password can be manually rotated immediately for security
Configuration options
| Setting | Options | Samβs Choice |
|---|---|---|
| Backup directory | Entra ID (cloud) or on-prem AD | Entra ID (cloud-native) |
| Password age | 1-365 days | 30 days |
| Administrator account name | Default (built-in Administrator) or custom | Default |
| Password complexity | Letters + numbers, letters + numbers + symbols, etc. | Large letters + small letters + numbers + special characters |
| Password length | 8-64 characters | 14 characters |
| Post-authentication actions | Reset password, reset password + logoff, reset password + reboot | Reset password + logoff |
Exam tip: where are LAPS passwords stored?
The exam tests this: LAPS passwords are stored as a property of the device object in Microsoft Entra ID (for cloud-managed devices) or as a confidential attribute on the computer object in on-premises Active Directory.
For Entra ID-backed LAPS:
- View passwords in Intune admin center β Devices β select device β Local admin password
- View passwords in Entra admin center β Devices β select device β Local administrator password recovery
- Requires the Cloud Device Administrator or Intune Administrator role
The password is never stored in plain text on the device itself. The device encrypts it before sending it to Entra ID.
LAPS vs Legacy LAPS
| Feature | Windows LAPS (built-in) | Legacy LAPS (separate download) |
|---|---|---|
| Installation | Built into Windows 10/11 (April 2023 update+) | Separate MSI download + GPO extension |
| Password storage | Entra ID or on-prem AD | On-prem AD only |
| Management | Intune or GPO | GPO only |
| Encryption | Password encrypted in transit and at rest | Password stored as clear text in AD (older versions) |
| Cloud support | Yes (Entra ID) | No |
| Password history | Yes (viewable in Entra/Intune) | No |
| Post-auth actions | Automatic password rotation after use | Manual rotation only |
Key exam concept: Windows LAPS (the built-in version) replaces Legacy LAPS. For cloud-managed devices, passwords back up to Entra ID. For on-prem devices, they back up to AD. The exam focuses on the built-in version with Entra ID backup.
Managing local group membership with Intune
Beyond LAPS, Intune can control who belongs to local groups on Windows devices. This is critical because the local Administrators group gives full control of the device.
Why it matters
By default, the user who Entra-joins a device is added to the local Administrators group. In many organisations, standard users shouldnβt have local admin rights (least privilege principle). Intuneβs Account Protection or Device Configuration policies let you:
- Add specific Entra users or groups to local groups
- Remove users from local groups
- Replace the entire local group membership
Configuration methods
| Method | Where | How |
|---|---|---|
| Account Protection policy | Intune β Endpoint security β Account protection | Create a βLocal user group membershipβ policy |
| Device configuration profile | Intune β Devices β Configuration β Settings catalog | Search for βLocal Policies Security Optionsβ |
| Custom OMA-URI | Intune β Devices β Configuration β Custom profile | Use the Policy CSP LocalUsersAndGroups |
Common scenarios
| Scenario | Configuration |
|---|---|
| Remove all non-admin users from local Administrators group | Replace membership: add only IT admin group |
| Add helpdesk team to local Administrators on all devices | Add Entra group βHelpdeskβ to local Administrators |
| Standard users should not be local admins | Remove user from local Administrators; add to local Users |
| Specific group of developers need local admin on their dev machines | Create a targeted policy: add βDevelopersβ Entra group to local Administrators, target only dev device group |
Deep dive: local group management + EPM
Managing local groups and Endpoint Privilege Management (EPM) work together:
- Local group management removes users from the Administrators group β theyβre now standard users
- EPM (covered in Module 14) lets those standard users elevate specific apps when needed β without giving them permanent admin rights
This is the Zero Trust approach to local admin: remove standing admin access, then provide just-in-time elevation for specific tasks. Chen Wei at Meridian Bank uses both: standard users everywhere, EPM for approved apps that need admin rights.
π¬ Video walkthrough
Flashcards
Knowledge Check
Sam discovers that all 500 devices at Tui Solutions use the same local admin password: 'TuiAdmin2024!'. An attacker who compromises one device could access all of them. What's the best solution?
Chen Wei wants standard users at Meridian Bank to NOT have local admin rights on their devices. Currently, users who Entra-join their devices are automatically added to the local Administrators group. How should Chen Wei fix this?
Next up: Windows Autopilot: Choose Your Path β understanding the three Autopilot deployment modes and when to use each one.