Set Up Windows 10/11 LAPS to Auto-Rotate Local Admin Passwords (Step-by-Step)
Difficulty: Intermediate | Time Required: 30 minutes | Category: Security & Privacy
Local administrator accounts are a common target for attackers, especially when the same password is reused across multiple PCs: one compromised machine then yields a credential that works on every other one. Windows LAPS (Local Administrator Password Solution) fixes this by automatically generating a unique, random local admin password per device and rotating it on a schedule, while storing the current password in your directory (Microsoft Entra ID, formerly Azure AD, or on-prem Active Directory) where only delegated admins can read it.
This guide walks you through setting up Windows LAPS on Windows 10/11 so passwords rotate automatically and authorized admins can retrieve them when needed.
Prerequisites
Before you start, confirm the following:
- A managed environment, either:
- Microsoft Entra ID (Azure AD) + Intune (cloud-managed), or
- On-prem Active Directory with Group Policy (domain-managed)
- Supported Windows versions
- Windows 11: supported (Windows LAPS is built in from the April 2023 cumulative update onward)
- Windows 10: supported once the April 11, 2023 cumulative update or any later one is installed; Windows LAPS does not exist on older builds, so check the OS build before you start
- Admin rights in your management platform:
- Intune/Entra: Intune admin + appropriate RBAC for password retrieval
- AD: membership in Schema Admins for the one-time schema extension, plus Domain Admin or delegated rights on the target OU to set permissions
Note: Windows LAPS (the modern solution built into Windows) replaces the older MSI-based client, now called legacy Microsoft LAPS, which could back up passwords only to on-prem AD. If you manage devices with Intune/Entra, Windows LAPS is the only option.
Step-by-step: Set up Windows LAPS with Microsoft Intune (Entra ID)
This is the most common setup for Windows 10/11 cloud-managed PCs.
1) Confirm devices are Intune-managed
- On a target PC, open Settings → Accounts → Access work or school.
- Confirm it shows your organization and that the device is managed.
- In the Intune admin center, verify the device appears under Devices.
Tip: If the device is only “Entra joined” but not enrolled in Intune, LAPS policies won’t apply until enrollment is complete.
2) Create a Windows LAPS policy in Intune
- Go to the Intune admin center.
- Navigate to: Endpoint security → Account protection.
- Choose Create policy.
- For platform, select Windows 10 and later.
- For profile type, select Local admin password solution (Windows LAPS).
- Name the policy (example: Windows LAPS - Password Rotation) and proceed.
3) Configure LAPS settings (recommended baseline)
In the policy settings, configure the following:
- Backup directory: Choose Azure AD (Entra ID).
- Password age (days): Set the rotation interval (example: 30 days; the minimum when backing up to Entra ID is 7).
- Password length: Example 16 (the allowed range is 8–64 characters; longer is better).
- Password complexity: Use the strongest setting (upper/lower/numbers/special).
- Post-authentication actions: Configure the password to be reset (and the account logged off) a set number of hours after it is used, so a retrieved password is effectively single-use instead of staying valid until the next scheduled rotation.
- Administrator account name:
- Leave it blank to manage the built-in Administrator account; Windows LAPS finds that account by its well-known RID (500), so this works even if the account has been renamed.
- If you use a custom local admin account instead, enter its name here.
Warning: If you specify a custom admin account name that doesn't exist on an endpoint, Windows LAPS has nothing to manage on that device, so no password is rotated or backed up. Create and standardize the local admin account first (for example, with a script or configuration deployed through Intune).
4) Assign the policy to devices
- In the Assignments section, select the target device group(s).
- Save the policy.
5) Force a policy sync and verify on a device
On a test PC:
- Go to Settings → Accounts → Access work or school.
- Select your org connection → Info → Sync.
- Wait a few minutes.
- Open Event Viewer → Applications and Services Logs → Microsoft → Windows → LAPS → Operational and confirm a policy-processing cycle completed and the new password was backed up; an error event here is the fastest way to see why rotation or backup failed.
- Or check in Intune that the policy shows Succeeded for the device.
Tip: Don’t roll out to the entire fleet first. Test with 1–5 devices to validate retrieval permissions and rotation behavior.
6) Retrieve the rotated local admin password (Entra / Intune)
Retrieval depends on your environment and role permissions.
- In the Intune admin center, go to Devices → All devices → select the device.
- Open the Local admin password section (wording can vary as the portal is updated).
- Use Show local administrator password to reveal the password and copy it for break-glass access.
Security note: Restrict who can retrieve LAPS passwords with Intune RBAC and Entra roles, and review the Entra audit log, which records each retrieval. Treat retrieval like access to any other privileged secret.
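The same checks and retrieval done from PowerShell, as an added example that is not part of the original guide. It assumes a device on a build that includes Windows LAPS (the LAPS module ships inbox there) and, for the retrieval half, an admin workstation with the Microsoft.Graph.Authentication module installed; TEST-PC-01 is a placeholder device name.

```powershell
# Added example, not from the original guide: steps 1, 5 and 6 of the Intune
# path from PowerShell. Assumes a device on a build that includes Windows LAPS
# (the LAPS module is inbox) and, for retrieval, an admin workstation with the
# Microsoft.Graph.Authentication module. TEST-PC-01 is a placeholder name.

# --- On the test PC (elevated) ---------------------------------------------
# Step 1 check: Entra joined AND MDM enrolled. An empty MdmUrl means the device
# is only Entra joined, and Intune-delivered LAPS policy will never arrive.
dsregcmd /status | Select-String 'AzureAdJoined|MdmUrl'

# Effective policy as delivered by the LAPS CSP (GPO-delivered settings land in
# the same policy key). If the key is missing, no LAPS policy has applied yet.
Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Policies\LAPS' -ErrorAction SilentlyContinue |
    Select-Object BackupDirectory, PasswordAgeDays, PasswordLength, PasswordComplexity,
                  AdministratorAccountName, PostAuthenticationActions, PostAuthenticationResetDelay

# Step 5: run a processing cycle now instead of waiting for the schedule...
Invoke-LapsPolicyProcessing
# ...and read the outcome (rotation, backup, or the error that stopped it).
Get-WinEvent -LogName 'Microsoft-Windows-LAPS/Operational' -MaxEvents 15 |
    Sort-Object TimeCreated |
    Format-Table TimeCreated, Id, LevelDisplayName, Message -Wrap

# --- On the admin workstation ----------------------------------------------
# Step 6: read the backed-up password over Microsoft Graph. The scopes below
# are the ones Get-LapsAADPassword needs; the signed-in account also needs an
# Entra/Intune role that may read device local credentials. Each read is
# recorded in the Entra audit log.
Connect-MgGraph -Scopes 'Device.Read.All','DeviceLocalCredential.Read.All' -NoWelcome
Get-LapsAADPassword -DeviceIds 'TEST-PC-01' -IncludePasswords -AsPlainText

# After a break-glass logon, rotate immediately rather than waiting for the
# post-authentication timer (run this on the device itself):
#   Reset-LapsPassword
```

Get-LapsAADPassword also returns the password expiration time, which tells you whether the post-authentication reset you configured actually fired after the last use.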
Step-by-step: Set up Windows LAPS with on-prem Active Directory (Group Policy)
If your devices are AD domain-joined and managed via Group Policy, use this path.
1) Extend the AD schema (one-time)
Windows LAPS stores passwords in new attributes on the computer object, so your AD schema must include them.
- On a management machine that has RSAT and runs a build with Windows LAPS (Windows 11 or Windows Server 2022 with the April 2023 update or later), open PowerShell as an admin, signed in with an account that is a member of Schema Admins.
- Run Update-LapsADSchema from the built-in LAPS PowerShell module. If the cmdlet is not found, that machine does not have Windows LAPS yet.
Warning: Schema changes are forest-wide and typically irreversible. Follow your organization’s change control process and do this during a maintenance window.
2) Delegate permissions to store and read passwords
You should delegate:
- Computers: permission to write their own password attribute
- Helpdesk/IT: permission to read the password attribute
- In Active Directory Users and Computers (ADUC), identify the OU containing your PCs.
- Use delegation or PowerShell to grant:
- Write permission for computers to update their own LAPS attributes
- Read permission for approved admin groups to retrieve passwords
Tip: Create a group like LAPS Password Readers and delegate read permissions only to that group.
3) Create and link a Group Policy object (GPO)
- Open Group Policy Management.
- Create a new GPO (example: Windows LAPS - Rotation Policy) and link it to the PC OU.
- Edit the GPO and locate the Windows LAPS settings under Computer Configuration → Policies → Administrative Templates → System → LAPS (the LAPS ADMX ships with Windows builds that include Windows LAPS; copy it to your Central Store if you use one). Configure:
- Enable LAPS management
- Password complexity and length
- Password rotation interval (age)
- Configure which local admin account is managed
- Configure backup to Active Directory, and enable password encryption (requires a Windows Server 2016 or later domain functional level). Without encryption the password sits in cleartext in the msLAPS-Password attribute, readable by anyone granted read rights to it.
4) Update policy and confirm
On a test machine:
- Run gpupdate /force in an elevated Command Prompt.
- Reboot if required by your policy setup.
- Confirm the computer object in AD has updated LAPS attributes (msLAPS-PasswordExpirationTime plus msLAPS-Password, or msLAPS-EncryptedPassword when encryption is enabled).
- Use your approved retrieval method: the LAPS tab on the computer's properties in ADUC (on a management host that has Windows LAPS), the Attribute Editor tab, or the Get-LapsADPassword cmdlet.
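The whole on-prem path (steps 1 to 4) as one script, added here as an example and not part of the original guide. It assumes a Windows 11 or Windows Server 2022 management host that has RSAT, the GroupPolicy module and the built-in LAPS module, an account in Schema Admins and Domain Admins, and a domain with a 2016 or later functional level; the domain, OU, group and GPO names are placeholders.

```powershell
# Added example, not from the original guide: the on-prem Windows LAPS path end
# to end. Run from a Windows 11 / Server 2022 management host with RSAT, the
# GroupPolicy module and the inbox LAPS module, as a Schema Admin / Domain Admin.
# The domain, OU, group and GPO names below are placeholders.

$PcOU    = 'OU=Workstations,DC=corp,DC=example,DC=com'
$Readers = 'CORP\LAPS Password Readers'   # group that may read/reset passwords
$GpoName = 'Windows LAPS - Rotation Policy'

# 1) One-time, forest-wide schema extension (follow change control).
Update-LapsADSchema -Verbose

# 2) Delegation on the OU that holds the PCs.
#    Computers may write their own LAPS attributes...
Set-LapsADComputerSelfPermission -Identity $PcOU
#    ...and only the reader group may read or force-reset the stored password.
Set-LapsADReadPasswordPermission  -Identity $PcOU -AllowedPrincipals $Readers
Set-LapsADResetPasswordPermission -Identity $PcOU -AllowedPrincipals $Readers
#    Review who else already holds extended rights that expose the attributes.
Find-LapsADExtendedRights -Identity $PcOU

# 3) GPO. The LAPS ADMX writes to this policy key, so setting the values
#    directly gives a reproducible GPO (same settings as the Administrative
#    Templates > System > LAPS UI path).
$null = New-GPO -Name $GpoName
$key = 'HKLM\SOFTWARE\Microsoft\Policies\LAPS'
$settings = @{
    BackupDirectory               = 2         # 2 = Active Directory
    ADPasswordEncryptionEnabled   = 1         # never store cleartext in AD
    ADPasswordEncryptionPrincipal = $Readers  # who can decrypt
    PasswordAgeDays               = 30
    PasswordLength                = 20
    PasswordComplexity            = 4         # upper + lower + digits + special
    PostAuthenticationResetDelay  = 4         # hours after the account is used
    PostAuthenticationActions     = 3         # reset password and log off
}
foreach ($name in $settings.Keys) {
    $type = if ($settings[$name] -is [string]) { 'String' } else { 'DWord' }
    $null = Set-GPRegistryValue -Name $GpoName -Key $key -ValueName $name `
                                -Type $type -Value $settings[$name]
}
$null = New-GPLink -Name $GpoName -Target $PcOU -LinkEnabled Yes

# 4) On a test PC run: gpupdate /force ; Invoke-LapsPolicyProcessing
#    Then, from this host as a member of $Readers, confirm a password was
#    backed up (TEST-PC-01 is a placeholder computer name):
Get-LapsADPassword -Identity 'TEST-PC-01' -AsPlainText
```

Find-LapsADExtendedRights is the check most deployments skip: any principal that already holds "All extended rights" on the OU can read the encrypted attributes regardless of the reader group you just delegated, so review that output before trusting the delegation.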
Tips, warnings, and troubleshooting
Common tips
- Use unique local admin accounts (or manage the built-in Administrator) consistently across devices.
- Set rotation to a reasonable cadence: 14–30 days is common.
- Restrict retrieval permissions: LAPS is only as secure as who can read the stored secret.
- Log access where possible (role auditing, admin center logs, SIEM ingestion).
Troubleshooting checklist
- Policy not applying
- Intune: confirm the device is enrolled, online, and targeted by the policy; trigger sync.
- GPO: confirm OU linking and security filtering, and run gpresult /r on the device to see whether the GPO was applied.
- Password not rotating
- Verify the managed local admin account exists and is enabled.
- Check Event Viewer for LAPS-related logs (where available).
- Confirm the backup target (Entra/AD) is configured correctly.
- Can’t retrieve the password
- You likely lack permissions (Intune RBAC or AD delegated rights).
- Confirm you’re using the correct portal path/tool and the device has successfully backed up a password.
Warning: Don’t use LAPS passwords as everyday admin credentials. They are designed for controlled, audited administrative access when needed.
Conclusion
Windows LAPS is one of the simplest, highest-impact upgrades you can make to endpoint security: it eliminates shared local admin passwords, reduces lateral movement risk, and gives IT a reliable “break-glass” method for local access—all while keeping password handling centralized and auditable.
Key Takeaways:
- Auto-rotates unique local admin passwords per device to reduce attack spread
- Centralizes password storage in Entra ID/Intune or on-prem AD with controlled access
- Improves operational security without requiring daily manual password management
This tutorial was generated to help WindowsForum.com users get the most out of their Windows experience.