Resetting the managed local administrator password when using Windows LAPS

This week is a quick follow-up on the post of last week. Last week was all about getting started with Windows Local Administrator Password Solution (Windows LAPS), while this week is more specifically focused on rotating the managed local administrator password. There are multiple methods for rotating, and with that resetting, that managed local administrator password. In the end, they all come down to the same, or similar, technology to achieve that goal. Besides that, it’s also good to know what no longer works once the password of the local administrator account is managed. This post will show just that, followed by the different methods for rotating the password of the managed local administrator account.

Manually resetting the password via Computer Management

Before using Windows LAPS, one of the easy methods for resetting the password of the local administrator account was doing it locally, either by using PowerShell or by manually using Computer Management. When looking at the latter method in more detail, as it’s the more visual one, it immediately becomes clear that the password of the managed local administrator account is now managed by Windows LAPS. Simply walk through the following two steps and experience the behavior with a managed account.

  1. Open Computer Management and navigate to System Tools > Local Users and Groups > Users
  2. Right-click the managed local administrator account and click Set Password…

Automatically rotating the password via Microsoft Intune

When looking at resetting the password of the managed local administrator account, the most obvious option is configuring the automatic reset behavior after the account has been used and the automatic reset behavior after a configured period of time. That behavior can be configured by using the Account protection profile type Local admin password solution (Windows LAPS). The following eight steps walk through the configuration of the different settings that influence the automatic rotation behavior of the password of the managed local administrator account.

  1. Open Microsoft Intune admin center and navigate to Endpoint security > Account protection
  2. On the Endpoint security | Account protection page, click Create Policy
  3. On the Create a profile page, provide the following information and click Create
     • Platform: Select Windows 10 and later as value
     • Profile: Select Local admin password solution (Windows LAPS) as value
  4. On the Basics page, specify a valid name to distinguish the policy from other similar policies and click Next
  5. On the Configuration settings page, as shown below in Figure 2, provide at least the following information and click Next
     • Backup Directory: Select Backup the password to Azure AD only to make sure that it’s stored in Azure AD
     • With Password Age Days switch the slider to Yes to enable password age and specify the password age in days to make sure that the password will rotate after the specified number of days
     • With Post Authentication Reset Delay switch the slider to Yes to enable the password reset delay configuration and specify the reset delay in hours to make sure that the password will rotate after the specified number of hours
  6. On the Scope tags page, configure the required scope tags and click Next
  7. On the Assignments page, configure the required assignment by selecting the applicable group and click Next
  8. On the Create + Review page, review the configuration and click Create

Manually rotating the password via Microsoft Intune

Besides automatically rotating the password of the managed local administrator account, Microsoft Intune can also be used to manually rotate the password. That rotation effectively resets the password and can be easily triggered by using Remote Actions. The following two steps walk through the process of manually rotating the password.

  1. Open Microsoft Intune admin center and navigate to Devices > All devices
  2. On the Devices | All devices page, select the specific device and click Rotate local admin password

Manually resetting the password via Windows LAPS CSP

After becoming familiar with using Microsoft Intune for resetting the password of the managed local administrator account, it’s also important to be familiar with the technology used for triggering that behavior. Microsoft Intune relies on the Windows LAPS CSP locally on the device. That CSP can be used to configure the password rotation behavior of the managed local administrator account. Besides that, it also contains a node that can be used to manually reset the password. These actions are basically the same actions that Microsoft Intune performs. Many actions that are available via the CSPs can also be performed locally by using the Windows MDM Bridge to WMI provider. This node, however, is currently an exception, as it’s not available via the MDM Bridge. The node below is used to reset the password of the managed local administrator account.

./Device/Vendor/MSFT/LAPS/Actions/ResetPassword

Manually resetting the password via PowerShell

When looking at the local options for resetting the password of the managed local administrator account, it’s also good to be familiar with the PowerShell cmdlets for LAPS that are provided by Microsoft. Besides cmdlets for retrieving information and configuring Windows LAPS, those cmdlets also include the Reset-LapsPassword cmdlet. That cmdlet can be used to locally reset the password of the managed local administrator account, as shown below.

Reset-LapsPassword
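As an added example (not part of the original post, and not Microsoft’s own tooling), the script below ties the two local pieces together: it first reads back the rotation settings that the Intune profile from the earlier steps delivers to the device (Backup Directory, Password Age Days and Post Authentication Reset Delay), then runs Reset-LapsPassword and reads the resulting events from the Windows LAPS operational event log so the reset can be confirmed. It assumes that CSP-delivered LAPS policy is stored under HKLM:\SOFTWARE\Microsoft\Policies\LAPS with value names equal to the CSP policy nodes, and that the operational log is named Microsoft-Windows-LAPS/Operational; both are labelled as assumptions in the comments and the script degrades gracefully if either is absent.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell
# session on a device that is managed by Windows LAPS.
#Requires -RunAsAdministrator

# Assumption: policy delivered through the LAPS CSP (for example by Intune) is
# written to this key, with value names matching the CSP policy nodes.
$LapsCspPolicyPath = 'HKLM:\SOFTWARE\Microsoft\Policies\LAPS'

# Assumption: Windows LAPS writes its operational events to this log.
$LapsOperationalLog = 'Microsoft-Windows-LAPS/Operational'

# BackupDirectory is a DWORD; these are the documented meanings of its values.
$BackupDirectoryNames = @{ 0 = 'Disabled'; 1 = 'Azure AD'; 2 = 'Active Directory' }

function Get-LapsRotationPolicy {
    # Returns the three settings that drive automatic rotation, or $null when
    # no CSP policy has reached the device yet.
    if (-not (Test-Path -Path $LapsCspPolicyPath)) {
        Write-Warning "No CSP-delivered LAPS policy found at $LapsCspPolicyPath"
        return $null
    }
    $policy = Get-ItemProperty -Path $LapsCspPolicyPath

    $backupName = 'Not set'
    if ($null -ne $policy.BackupDirectory) {
        $backupName = $BackupDirectoryNames[[int]$policy.BackupDirectory]
        if (-not $backupName) { $backupName = "Unknown ($($policy.BackupDirectory))" }
    }

    [pscustomobject]@{
        BackupDirectory              = $backupName
        PasswordAgeDays              = $policy.PasswordAgeDays              # rotate after N days
        PostAuthenticationResetDelay = $policy.PostAuthenticationResetDelay # rotate N hours after use
    }
}

function Invoke-ManagedPasswordReset {
    # Triggers an immediate reset of the managed local administrator password
    # and returns the LAPS events written since the reset was requested.
    $started = Get-Date

    # Reset-LapsPassword is shipped by Microsoft in the LAPS PowerShell module;
    # it is the same cmdlet shown in the post above.
    Reset-LapsPassword

    # Give the LAPS engine a moment to write its events before reading them.
    Start-Sleep -Seconds 5

    Get-WinEvent -FilterHashtable @{ LogName = $LapsOperationalLog; StartTime = $started } `
                 -ErrorAction SilentlyContinue |
        Sort-Object -Property TimeCreated |
        Select-Object -Property TimeCreated, Id, LevelDisplayName, Message
}

# Usage: show the effective rotation policy, then reset and confirm.
Get-LapsRotationPolicy | Format-List
Invoke-ManagedPasswordReset | Format-Table -AutoSize -Wrap
```

The event log query is what makes this useful beyond the bare cmdlet: an empty result after the reset, or error-level events in it, is the signal to run Get-LapsDiagnostics and check whether the backup to Azure AD actually succeeded rather than assuming the password changed.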

More information

For more information about Windows Local Administrator Password Solution, refer to the following docs.

4 thoughts on “Resetting the managed local administrator password when using Windows LAPS”

  1. “With Post Authentication Reset Delay switch the slider to Yes to enable the password reset delay configuration and specify the reset delay in days to make sure that the password will rotate after the specified number of days”

    Should it not be hours instead of days?

  2. Peter, if Post Authentication Reset Delay is set to 0, does that mean the password is reset on use? If not, how can I achieve this?

