How to Manage Local Admin Accounts on Entra-Joined Intune Devices with Windows LAPS

Local Admin Account Strategy for Entra-Joined, Intune-Managed Devices with Windows LAPS

Managing local admin access used to be simple in on-premises Active Directory: enable the built-in Administrator account, rename it, and control the password with Group Policy or legacy LAPS.

In a cloud-only world with Entra-joined, Intune-managed devices, things are different. Devices may never see a domain controller, and the classic GPO tricks don’t apply. At the same time, you still need a safe way to get local admin access when Intune or Entra are having a bad day.

This is exactly where Windows LAPS + Intune becomes your standard pattern.

---

Problem: Local Admins on Entra-Joined Intune Devices

On Entra-joined, Intune-managed Windows devices:

• The built-in Administrator account is disabled by default.
• If a device is unregistered/unjoined from Entra or removed from Intune, any Intune policies that were enabling/renaming that built-in account can be reverted.
• If you rely on a single local admin account with a shared password, you:
  • Lose track of who used it and when.
  • End up emailing or storing admin passwords in unsafe places.
  • Increase the blast radius if that password leaks.

The Reddit thread you summarized hits the key pain point:

“Do we need to create a separate local admin account on Intune devices instead of relying on the built-in administrator?”

The short answer today is:

• Yes, you should rely on LAPS-managed local admin accounts, not static ones.
• On Windows 11 24H2 and later, you can even let LAPS auto-create and manage a unique local admin account per device. (Reddit)

---

Why the Old GPO Approach Doesn’t Map Cleanly

In classic on-prem AD:

• GPO enables and renames the built-in Administrator account.
• Legacy Microsoft LAPS rotates the password and stores it in AD.

In a cloud-only or Entra-first setup:

• There’s no GPO for Entra-joined-only devices.
• Legacy LAPS (the old MSI) is replaced by Windows LAPS, built into modern Windows builds. (Microsoft Learn)
• Windows LAPS can back up passwords to:
  • Microsoft Entra ID, or
  • Active Directory, or
  • Local-only (not recommended for most orgs).

Also important:

• LAPS is supported only on Entra joined or hybrid-joined devices, not on Entra-registered-only (BYOD) devices. (Microsoft Learn)

So for corporate, Entra-joined, Intune-managed devices, your design should be:

“Use Windows LAPS + Intune + Entra ID as the single source of truth for local admin passwords.”

---

Solution Design: Use Windows LAPS as Your Local Admin Backbone

Here’s the high-level design that fits most modern environments.

1. Use Windows LAPS with Entra ID Backup

• Enable Windows LAPS in your tenant so passwords are stored in Microsoft Entra ID, not on-prem AD. (Microsoft Learn)
• Use Intune to deploy and manage all LAPS settings via the Windows LAPS CSP. (Microsoft Learn)

2. Decide Your Target Local Admin Strategy

You have two main options:

1. Built-in Administrator as LAPS account
   • Use LAPS to manage the built-in Administrator account.
   • Simple, but the account name is well-known (though you can rename it via policy).
2. Dedicated LAPS-managed local admin account (recommended)
   • Configure LAPS to manage a separate local admin account.
   • On Windows 11 24H2, you can use automatic account management to:
     • Auto-create the account.
     • Control the name or prefix.
     • Randomize the name per rotation.
     • Enable or disable the account as needed. (Reddit)

For Entra-joined devices, this second option is usually better:

• You get a unique local admin account per device.
• The name and password are unknown to users and staff unless explicitly retrieved.
• Compromise of one account doesn’t help on any other device.

3. Keep the Local Administrators Group Tight

Use Intune (e.g. Local user group membership policy / Account protection, or Settings catalog) to ensure:

• Only:
  • The LAPS-managed local admin account, and
  • The Entra Device Administrator role (or a specific admin group)
    are members of the local Administrators group. (Simon 365 Solutions)

No extra “just in case” local admins hanging around.

4. Treat De-Registration/Unjoin as Decommission

If a device is:

• Removed from Intune
• Unjoined from Entra

Then you should treat it as:

“This device is being decommissioned or re-imaged.”

LAPS is meant to help you while the device is still managed, not to keep a permanent backdoor after it leaves management.

---

How to Configure Windows LAPS with Intune (Step-by-Step)

This section gives you a concrete walkthrough you can turn into screenshots and step blocks.

Prerequisites

Make sure:

1. OS support
   • Windows 10 / 11 versions that include Windows LAPS (built-in) via the April 2023 or later cumulative updates.
2. Join type
   • Devices are Microsoft Entra joined or hybrid joined (not just Entra registered). (Microsoft Learn)
3. Licensing
   • Windows LAPS itself is available with Entra ID Free or higher; Intune and other advanced features have their own licensing. (Microsoft Learn)
4. MDM
   • Devices are enrolled in Microsoft Intune.

---

Step 1 – Enable Windows LAPS in Entra ID

1. Go to the Entra admin center.
2. Browse to Devices > Device settings.
3. Find Enable Local Administrator Password Solution (LAPS).
4. Set it to Yes and save. (Microsoft Learn)

This tells Entra ID to accept and store local admin passwords coming from your devices.

---

Step 2 – Create the LAPS Policy in Intune

1. Open the Intune admin center.
2. Go to Endpoint security > Account protection.
3. Select Create Policy. (Microsoft Learn)
4. Set:
   • Platform: Windows 10 and later
   • Profile: Local admin password solution (Windows LAPS)
5. Click Create.

On the Basics tab:

• Give the profile a clear name, e.g.
  WIN – LAPS – Entra – Automatic Account
• Add a description with scope (e.g. “Applies to all Entra-joined corporate laptops”).

Click Next.

---

Step 3 – Configure LAPS Settings (Core Settings)

In the Configuration settings tab, configure at least:

1. Backup directory
   • Set to Microsoft Entra ID (or “Azure AD” depending on UI wording). (Microsoft Learn)
2. Administrator account name (target account)
   • Option A: Leave it to target the built-in Administrator (not ideal).
   • Option B (better): Enter a name like locadmin or a generic prefix to be used with automatic management (see 24H2 section below). (Microsoft Learn)
3. Password policies
   • PasswordLength (e.g. 16 or higher).
   • PasswordComplexity (e.g. “Large letters + small letters + numbers + special characters” or passphrase mode on supported builds).
   • PasswordAgeDays (e.g. 1–7 days depending on your risk tolerance). (Microsoft Learn)
4. Post-authentication actions
   • Decide how to handle the account after someone uses the LAPS password:
     • Only rotate password.
     • Rotate + sign out user.
     • On newer builds, terminate processes started using that account for extra safety. (Microsoft Learn)

Configure these according to your support model and security requirements.

Click Next when finished.

---

Step 4 – (Windows 11 24H2+) Enable Automatic Account Management

If you are targeting Windows 11 24H2 and later, you get extra options under the same profile for Automatic account management. (Reddit)

Look for settings similar to:

• Automatic Account Management Enabled
  • Set to: The target account will be automatically managed.
• Automatic Account Management Enable Account
  • Choose whether the account is always enabled or only when needed (depending on policy options available in your UI).
• Automatic Account Management Name or Prefix
  • Example: LAPS-ADM- (LAPS will add a random numeric suffix if configured).
• Automatic Account Management Randomize Name
  • Set to: The name of the target account will use a random numeric suffix.
• Automatic Account Management Target
  • Specify which account to manage. Often this will align with your AdministratorAccountName setting.

With this mode:

• Windows will automatically create and manage the local admin account.
• The account name can change on each rotation, making it even harder to guess.
• Passwords are stored in Entra ID and managed by LAPS.

This is the cleanest long-term design for Windows 11 24H2+ fleets.

---

Step 5 – Assign the Policy to the Right Groups

On the Assignments page:

1. Assign to appropriate device groups, for example:
   • All Windows Corporate Devices, or
   • Specific pilot groups (e.g. WIN – Pilot – LAPS).
2. Exclude:
   • Test or lab devices if needed.
   • Devices that are not yet ready (e.g. legacy OS).

Click Next, review, then Create.

Intune will now push LAPS settings to your devices.

---

Step 6 – Configure Local Administrators Group Clean-Up (Optional but Recommended)

To avoid random local admins:

• Use an Account protection profile or Settings catalog / Local users and groups policy to manage membership of the Administrators group. (Simon 365 Solutions)

Common design:

• Replace the contents with:
  • The LAPS-managed account, and
  • The Entra Device Administrator role SID or a specific Entra security group for local admins.

This ensures:

• No legacy “Admin2 / SupportAdmin / HelpdeskLocal” accounts stay behind.
• Admins must either:
  • Use role-based local admin rights, or
  • Use the LAPS account on a per-device basis.

---

Step 7 – How to Retrieve LAPS Passwords

You can retrieve passwords via:

1. Intune admin center
   • Go to Devices > All devices > [select device].
   • Look for the Local admin password / LAPS section (naming may change slightly over time). (Microsoft Learn)
2. Entra admin center
   • Go to Devices > All devices > [device].
   • Open the Local administrator password blade (when backed up to Entra ID). (Microsoft Learn)
3. PowerShell / Microsoft Graph
   • Use Get-LapsAADPassword which wraps Microsoft Graph and reads from Entra ID. (Microsoft Learn)

Make sure you restrict who can view these passwords using Entra ID custom roles / RBAC, not just Global Admin. (Microsoft Learn)

---

Best Practices for Admin Account Management on Cloud-Joined Devices

You can wrap up the blog with a simple checklist like this:

• Don’t create a single shared local admin account per tenant with a static password.
• Do:
  • Use Windows LAPS with Entra ID backup.
  • Enable Automatic account management on Windows 11 24H2+.
  • Keep the local Administrators group clean and minimal.
  • Limit who can view LAPS passwords with Entra RBAC.
  • Treat Entra unjoin / Intune de-registration as decommission – wipe or re-image instead of keeping hidden backdoors.
• For older OS versions:
  • Use LAPS in manual account management mode.
  • Create the local admin account via script/provisioning, then hand it over to LAPS.

---

Conclusion

Managing local admin accounts on Entra-joined, Intune-managed devices is no longer about GPO and the built-in Administrator. The modern pattern is:

Intune + Windows LAPS + Entra ID = per-device, tightly controlled, auditable local admin.

With Windows 11 24H2, Microsoft has made this even cleaner by automatically creating and managing a dedicated local admin account per device. You get strong security, good break-glass options, and far less password chaos.