Shared Local Admin Passwords Are a Lateral Movement Gift. LAPS Ends That.
TL;DR
- Windows LAPS gives every device a unique, automatically rotated local admin password stored in Entra ID, at no extra cost beyond Intune.
- Reusing one local admin password across endpoints means a single compromised device can become a fleet-wide lateral movement incident.
- LAPS requires devices to be Entra joined or hybrid joined; Entra registered devices are not supported.
- Automatic account management, which creates and manages the local admin account for you, requires Windows 11 24H2 or later.
- Pair LAPS with standard user permissions for end users and you remove the two most common local admin mistakes in one project.
An attacker who lands on one workstation and finds a local admin password does the obvious next thing: tries it everywhere else. If that password is the same across the fleet, and in many environments it still is, one phished user becomes a company-wide incident in an afternoon.
That reused password is one of two habits that keep local admin accounts dangerous. The other is letting end users run as local administrators on their own machines. It feels convenient, and it hands malware, ransomware, and malicious browser extensions elevated privileges the moment a user clicks the wrong thing.
MSPs often work around the first problem by storing per-device passwords in a documentation tool like IT Glue. That helps, but we would argue letting Microsoft manage these passwords is the better and more secure option. The tool for the job is Microsoft's Local Administrator Password Solution, and as of October 2025 it is built into Windows and Intune.

What does Windows LAPS actually do?
LAPS is a built-in capability of Windows and Microsoft Intune that manages local administrator passwords across your devices automatically. Think of it as a password manager for endpoints, run through Intune and Entra ID (formerly Azure AD) instead of a browser extension.
With LAPS you can:
- Give every device a unique local admin password, managed securely.
- Rotate passwords automatically on a schedule, or immediately after the account is used.
- Store passwords in Entra ID so only authorized users can retrieve them.
It also lets you convert existing local administrator accounts into standard user accounts, which tightens posture without breaking anyone's day-to-day work.
Check these prerequisites before you build anything
Three things to confirm up front.
Licensing. You need Microsoft Entra ID Free or higher and a Microsoft Intune license. Microsoft 365 Business Premium is ideal because it includes both.
Device join state. Devices must be Entra joined or hybrid joined. Entra registered devices are not supported.
Windows version. Several newer capabilities, including automatic account management, require Windows 11 24H2 or later. Microsoft's overview is here: Use Windows Local Administrator Password Solution (LAPS) with Microsoft Entra ID (opens in new tab).
One tip that saves real troubleshooting time: read the LAPS CSP documentation (opens in new tab) before rollout. It lists each policy alongside the OS versions that support it, so you find out about version gaps before deployment instead of after.
Deploying LAPS through Intune in three steps
Step 1: Flip the tenant-level switch in Entra
- Go to Entra Admin Center → Devices → Device Settings.
- Set "Enable Microsoft Entra Local Administrator Password Solution (LAPS)" to Yes.
- While you are on that page, consider two related settings:
- "Add Global Admins as local admins" → No
- "Add users joining the device as local admins" → None
Those last two ensure users land as standard users, not local admins, during enrollment. That matters most when you provision through Windows Autopilot, where the join happens without a tech in the room.

Step 2: Build the LAPS policy in Intune
- Open Intune Admin Center → Endpoint Security → Account Protection.
- Click + Create Policy.
- Platform: Windows 10 and later.
- Profile: Local Administrator Password Solution (LAPS).
Name the policy something you will recognize in six months, like "LAPS – Standard Devices", then configure the settings. Our recommendations:
| Setting | Recommendation |
|---|---|
| Backup Directory | Entra ID (securely stores the password) |
| Password Age (days) | 30 or less |
| Password Complexity | Uppercase, lowercase, numbers, and special characters |
| Password Length | 21 characters |
| Post Authentication Action | Reset password and log off managed account |
| Delay Before Reset | 1 hour |
| Automatic Account Management | Enable |
| Account Prefix | e.g. "CC-Labs" or your organization name |
With automatic account management enabled, this policy creates and manages a unique local admin account on each device for you, scheduled rotations included. No script, no manual account creation.
Step 3: Assign to a pilot group and deploy
Assign the policy to a device group. Start with a test group, such as your Windows Autopilot devices, rather than the whole fleet. Click Create to deploy.
How do you confirm LAPS is working?
On a target machine, open Local Users and Groups. You should see a new admin account, something like CC-Labs-1234, created and managed by LAPS.
Then verify the server side. In the Intune Admin Center, go to Devices → [Device Name] → Local admin password. You will see:
- The account name
- The current password, hidden until an authorized admin reveals it
- The last and next password rotation dates
Need a rotation outside the schedule? Open the device's three-dot menu and choose Rotate local admin password. Useful after a tech session, an offboarding, or anything that makes you doubt who has seen the current password.


The bigger picture
LAPS gives you a scalable, cloud-native answer to a problem that manual rotation and shared passwords never solved. Combine it with standard user permissions for end users and you have closed the two most common local admin gaps in one project. We consider it a foundational control for modern endpoint security, not an optional extra.
Frequently asked questions
Where does LAPS store the password and who can read it?
With the backup directory set to Entra ID, each device's current password is stored in Entra and surfaced in the Intune admin center under the device's Local admin password blade. Only authorized admins can reveal it, and you can rotate it on demand from the device's menu.
Is LAPS better than keeping local admin passwords in a documentation tool?
We think so. A documentation platform like IT Glue stores the password, but it cannot rotate it after every use, enforce complexity, or prove rotation happened. LAPS does all three automatically and removes the human copy-paste step entirely.
What licensing does LAPS for Intune require?
Microsoft Entra ID Free or higher plus a Microsoft Intune license. Microsoft 365 Business Premium covers both, which makes it the natural fit for most MSP-managed tenants.
Is LAPS actually on in every tenant you manage?
CloudCapsule checks local admin protections alongside 250+ other Microsoft 365 controls in about 60 seconds per tenant, then keeps watching for the quiet drift that turns a passed control into a failed one.
Run a free scan
Written by
Nick Ross
CEO · Microsoft MVP · Founder, T-Minus 365
Nick is not just a CEO, he's a respected thought leader and influencer in the MSP space. Tens of thousands of MSPs learn through his YouTube channel, T-Minus365. Nick has been honored as a three-time Microsoft MVP for his educational content; his expertise and influence are the backbone of our mission, ensuring that you are in the best hands when it comes to security.
Nick joined Pax8 in 2017, where he would ultimately oversee product management for PSA and Microsoft integrations. Following his tenure at Pax8, Nick has continued to demonstrate his leadership prowess as an executive at various MSPs, culminating in his most recent role at Sourcepass.
Nick holds a Bachelor's Degree in Business Management from Florida State University, as well as a Minor Degree in Entrepreneurship. In his free time, Nick is an avid hiker, reader, and fitness-junkie.


