Encountering LAPS (Local Administrator Password Solution) MS365 Intune

  Post by Weekend Wiki (Keymaster)
    If you are being prompted to change the password of the local .\admin account after signing in to a device joined to Entra ID, the usual cause is that the account is being managed by a LAPS (Local Administrator Password Solution) policy, which rotates its password on a schedule and after each use, or that a local password-expiry policy is expiring the account. Here is how to identify the policy and disable or modify the rotation via Intune or Group Policy:


    1. Understand the Root Cause

    Microsoft's LAPS manages the password of one local administrator account per device: it sets a random password, backs it up to Entra ID or Active Directory, and rotates it on a schedule (30 days by default) and, by default, 24 hours after someone signs in with the account. The rotation happens silently in the background; a user who tries the old .\admin password simply finds that it no longer works. LAPS never shows an interactive "you must change your password" dialog. If you see that dialog, the local account's password has been expired by the local password policy (Maximum password age) or the account has been flagged "User must change password at next logon", so check the account itself as well as the LAPS policy, whether the policy is applied via Intune or Group Policy.


    2. Modify the LAPS Policy in Intune

    To stop the rotation of the .\admin password, adjust the Windows LAPS policy settings via Intune:

    Step 1: Access the Intune Admin Center

    1. Sign in to the Microsoft Intune admin center: https://intune.microsoft.com (the older https://endpoint.microsoft.com address redirects there).
    2. Navigate to Endpoint security > Account protection. Windows LAPS policies live here, not under Devices > Configuration profiles.

    Step 2: Locate or Create the LAPS Policy

    1. Look for an existing policy of type Local admin password solution (Windows LAPS). If none exists, create one:
      • Create Policy > Platform: Windows 10 and later > Profile: Local admin password solution (Windows LAPS).
    2. Check the policy's assignments: if .\admin is being rotated, the device is in an assigned group. Also note the Administrator account name setting; if it is blank, LAPS manages the built-in Administrator account (by well-known SID), not .\admin, and the rotation is coming from somewhere else.
    3. Edit the policy settings.

    Step 3: Adjust the Password Rotation Settings

    1. In the Windows LAPS settings, modify the following:
      • Password age days: the rotation interval. The default is 30 days and the minimum is 7 days when the backup directory is Entra ID; 0 is not a valid value, so expiration cannot be switched off here.
      • Post authentication reset delay: by default LAPS resets the password (and logs the account off) 24 hours after a sign-in with the managed account. This is what makes a .\admin password you used yesterday stop working today. Set the delay to 0 to disable post-authentication resets.
      • Backup directory: set to Disabled (password will not be backed up) to stop LAPS from managing the account entirely. Alternatively, remove the device's group from the policy assignment.
    2. Save the policy. It is applied at the device's next check-in.

    3. Disable via Group Policy (if Intune Isn't Used)

    If the policy is applied via Group Policy (domain-joined or hybrid-joined devices):

    1. Open Group Policy Management on a domain controller or management workstation and edit the GPO linked to the device's OU.
    2. Locate the LAPS policy:
      • Windows LAPS (built into Windows 11 and into Windows 10 since the April 2023 updates): Computer Configuration > Administrative Templates > System > LAPS.
      • Legacy LAPS (the separate AdmPwd MSI): Computer Configuration > Administrative Templates > LAPS.
    3. Modify the setting:
      • Windows LAPS: set Configure password backup directory to Disabled, or raise the password age under Password Settings. Note that Do not allow password expiration time longer than required by policy does not disable expiration; enabling it forces the password to expire no later than the policy age.
      • Legacy LAPS: set Enable local admin password management to Disabled.
    4. Force a Group Policy update on the device:
      gpupdate /force
      

    4. Verify Changes on the Device

    1. Sync the device with Intune:
      • Go to Settings > Accounts > Access work or school > select the work account > Info > Sync.
    2. Confirm the new policy has been applied: the LAPS operational log (Event Viewer > Applications and Services Logs > Microsoft > Windows > LAPS > Operational) records each policy-processing run and each password rotation, and Invoke-LapsPolicyProcessing in an elevated PowerShell session forces a run immediately.
    3. Sign in as .\admin and confirm that the password is no longer rotated and that no password change prompt appears. If the prompt still appears after LAPS is disabled, the cause is the local account's own expiration (net user admin shows the expiry date, net accounts shows the Maximum password age), not LAPS.

    5. Ensure Security Implications Are Considered

    Disabling LAPS removes a real layer of protection: it replaces per-device, regularly rotated local admin passwords with a static one that, if reused across devices, lets anyone who recovers it from a single machine sign in to all of them. If you are opting to disable it:

    • Prefer keeping LAPS enabled and retrieving the current password when you need it (in the Intune admin center under Devices > the device > Local admin password, or with Get-LapsAADPassword) rather than keeping a static .\admin password.
    • If you do disable it, set a unique, strong password on each device and disable the account when it is not needed.
    • Use Conditional Access and Privileged Identity Management (PIM) to control who can read LAPS passwords and administer devices through Entra ID. Note that they govern Entra ID sign-ins and roles, not sign-in to a local .\admin account, so they cannot substitute for LAPS on the local account itself.

    Let me know if you need step-by-step help with Intune, Group Policy, or security best practices! For consulting, email [email protected]
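As an added example that is not part of the original post: a PowerShell triage script to run on the affected device before touching any policy. It reports which policy source (Intune CSP, Group Policy or local configuration) is driving Windows LAPS and with what rotation settings, whether the local account itself is expired or flagged "must change at next logon" (which LAPS never sets), and what LAPS has recently done according to its operational event log. The account name 'admin' is an assumption; change it to match your policy's Administrator account name. The registry roots are the ones Windows LAPS documents for its policy sources; legacy AdmPwd LAPS is not covered.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell session on the
# affected device. Assumptions: the managed account is named 'admin' (adjust to your policy's
# Administrator account name) and Windows LAPS, not legacy AdmPwd, is in use.
#Requires -RunAsAdministrator
param([string]$AccountName = 'admin')

# Registry roots Windows LAPS reads its policy from, in precedence order:
# CSP (Intune) wins over Group Policy, which wins over local configuration.
$policyRoots = [ordered]@{
    'Intune (CSP)' = 'HKLM:\SOFTWARE\Microsoft\Policies\LAPS'
    'Group Policy' = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\LAPS'
    'Local config' = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\LAPS\Config'
}
$backupDirectoryNames = @{ 0 = 'Disabled (not managed)'; 1 = 'Entra ID'; 2 = 'Active Directory' }

Write-Host '== 1. Which policy source is driving Windows LAPS, and what does it say? =='
$effective = $null
foreach ($source in $policyRoots.Keys) {
    $path = $policyRoots[$source]
    if (-not (Test-Path $path)) { Write-Host "  $source : no policy present"; continue }
    $p = Get-ItemProperty -Path $path
    $summary = [pscustomobject]@{
        Source                       = $source
        BackupDirectory              = if ($null -ne $p.BackupDirectory) { $backupDirectoryNames[[int]$p.BackupDirectory] } else { '(not set)' }
        # Rotation interval in days; 30 when the policy does not set it
        PasswordAgeDays              = if ($null -ne $p.PasswordAgeDays) { $p.PasswordAgeDays } else { '30 (default)' }
        # Blank means the built-in Administrator account (by SID), not a custom account such as .\admin
        AdministratorAccountName     = if ($p.AdministratorAccountName) { $p.AdministratorAccountName } else { '(built-in Administrator)' }
        # Hours after a sign-in with the managed account before LAPS resets it; 0 disables the reset
        PostAuthenticationResetDelay = if ($null -ne $p.PostAuthenticationResetDelay) { $p.PostAuthenticationResetDelay } else { '24 (default)' }
    }
    $summary | Format-List | Out-String | Write-Host
    if (-not $effective) { $effective = $summary }   # first hit in precedence order is the one that applies
}

Write-Host "== 2. Is the '$AccountName' account itself expired or flagged 'must change at next logon'? =="
# LAPS never sets these; an interactive change-password dialog at logon comes from here.
$user = Get-LocalUser -Name $AccountName -ErrorAction Stop
$adsi = [ADSI]"WinNT://./$AccountName,user"
[pscustomobject]@{
    Name                  = $user.Name
    Enabled               = $user.Enabled
    PasswordLastSet       = $user.PasswordLastSet
    PasswordExpires       = $user.PasswordExpires            # empty means the password never expires
    MustChangeAtNextLogon = ([int]$adsi.PasswordExpired.Value -eq 1)
    # Maximum password age from the local account policy (the WinNT provider reports seconds)
    MaxPasswordAgeDays    = [math]::Round([double]$adsi.MaxPasswordAge.Value / 86400, 1)
} | Format-List | Out-String | Write-Host

Write-Host '== 3. What has LAPS actually done recently? =='
# Every policy run and every rotation is logged here; look for rotations around the time the old
# password stopped working.
Get-WinEvent -LogName 'Microsoft-Windows-LAPS/Operational' -MaxEvents 15 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ n = 'Message'; e = { ($_.Message -split "`n")[0] } } |
    Format-Table -AutoSize -Wrap | Out-String | Write-Host

# Verdict: is LAPS managing this particular account at all?
$lapsActive  = $effective -and ($effective.BackupDirectory -in @('Entra ID', 'Active Directory'))
$managedName = if ($effective) { $effective.AdministratorAccountName } else { $null }
if ($lapsActive -and $managedName -eq $AccountName) {
    Write-Host "Verdict: Windows LAPS is rotating '$AccountName' via $($effective.Source); adjust or unassign that policy."
} elseif ($lapsActive) {
    Write-Host "Verdict: Windows LAPS is active via $($effective.Source) but manages '$managedName', not '$AccountName'; check the local account policy instead."
} else {
    Write-Host "Verdict: no active Windows LAPS policy found; the prompt comes from the local account or password policy, not LAPS."
}
```

Run it once before changing the policy and again after the Intune sync (or after Invoke-LapsPolicyProcessing) to confirm the effective Backup directory now reads Disabled, or that the Post authentication reset delay is 0, rather than trusting the admin center's reported state alone.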
