4 Ways to Rotate Local Admin Password using Intune

A comprehensive guide covering multiple methods to rotate the managed local administrator password on Windows 10/11 devices when using Windows LAPS.

Rotate Local Admin Password using Intune

In this tutorial, we’ll cover different methods to rotate the local admin password using Intune on Windows 10/11 devices. Rotating the admin account password means changing or resetting the password of the managed local administrator account.

You can rotate the admin account passwords in Intune after you have set up the Windows LAPS policy for Windows devices. This can be done manually when required, or you can configure the admin password rotation schedule in the LAPS Policy.

In our previous article, we showed you the steps to implement LAPS with Intune. If you are new to LAPS and want to enable and configure it using Intune, this guide is the best way to get started.

Table of Contents

Why should you rotate the admin account passwords?

The primary goal of rotating the admin account password is to shorten the lifespan of the password, reducing vulnerability to password-based attacks and exploits.

Any organization that uses the administrator account to perform administrative tasks should consider changing the passwords regularly.

That’s why Windows LAPS is so secure and beneficial for organizations, helping rotate the passwords regularly and setting complex passwords for admin accounts.

While there is no fixed rule on how often you should rotate the password, most organizations change the admin passwords every 30–60 days. The periodic password rotation can minimize the window of opportunity for cybercriminals to take advantage of a Windows system, even if the administrator account password of the device is stolen or exposed at some point.

Ways to rotate the LAPS local admin password

Listed below are some methods that can be used to rotate the LAPS local admin password on Windows devices:

  • Manually rotate the admin password from Intune admin center
  • Use Reset-LapsPassword PowerShell cmdlet to reset the admin account password
  • Use OMA-URI Settings to rotate admin account password
  • Rotate the local admin password using Windows LAPS

Permissions required to rotate admin password

To use the Intune admin center to view or change a local admin account password on a Windows device, your account must be assigned the following Intune permissions:

  • Managed devices: Read (view Intune managed devices)
  • Organization: Read (view tenant settings such as device categories and Exchange Connectors)
  • Remote tasks: Rotate Local Admin Password

To view or rotate the administrator account password, your account must have one of the following Microsoft Entra permissions:

  • microsoft.directory/deviceLocalCredentials/password/read
  • microsoft.directory/deviceLocalCredentials/standard/read

You can create a custom role in Intune and Entra ID that can grant these permissions, which will be covered in the later section of this article.

Method 1: Rotate Local admin password using Intune admin center

Independent of the LAPS Policy’s set rotation schedule, you can rotate an admin password by using the device action “Rotate local admin password” in the Intune admin center.

Use the following steps to rotate the Windows LAPS admin password in the Intune admin center:

  • Sign in to the Microsoft Intune admin center.
  • Go to Devices > All devices, and select the Windows device with the account you want to rotate.
  • Click on the three dots on the top menu of options, and then select “Rotate local admin password.”
Rotate Local admin password using Intune admin center
Rotate Local admin password using Intune admin center

The following message is displayed when you initiate the rotate local admin password device action in the Intune admin center.

If you rotate the local admin password on this device, you’ll lose the old password used on the device. A single password will be generated to your identity provider (Microsoft Entra ID or Active Directory) after you restart the device. The password will expire automatically within the period specified in the policy. Rotate the password anyway?

Select ‘Yes‘ to proceed with local admin password rotation.

Manually Rotate Local admin password using Intune admin center
Manually Rotate Local admin password using Intune admin center

Shortly, a notification “Rotate local admin password initiated” appears in the top-right corner of the Intune admin center. That completes the procedure to manually initiate the admin account password rotation from Intune.

Note: When a password is rotated for an account on demand, the time to the next scheduled password rotation is reset. The time to the next scheduled rotation is managed through the PasswordAgeDays setting in the LAPS policy.

Monitor Account Password Rotation in Intune

After you initiate the admin account password rotation for a Windows device in Intune, the device details pane displays the banner “Rotate local admin password pending.” This means the admin password is being rotated for the selected Windows device. On the other hand, the device action status indicates the action is pending.

After you confirm the intent to rotate the password, Intune initiates the process, which can take a few minutes to complete. At this point, you don’t have to restart the device because it’s not required. During our testing, it took approximately 8 minutes to successfully rotate the admin account password.

If the Windows device displays Rotate local admin password pending status for a long time, make sure the remote device is online and is receiving the Intune policies. If the device isn’t online at the time of the request, it results in a failure. To troubleshoot further, perform a manual sync of the device from the Intune admin center.

Rotate local admin password pending
Rotate local admin password pending

If a Windows device displays the status “Rotate local admin password: Completed,” it means the admin password has been rotated successfully. Both scheduled and manual password rotation attempts result in an audit event.

Rotate Local admin password complete
Rotate Local admin password complete

Method 2: Rotate the Local Admin password using the Windows LAPS

If you want to avoid manually rotating the local admin password from Intune, you can configure the Windows LAPS policy to automatically rotate the admin password. Note that this method doesn’t allow you to rotate the passwords immediately.

The value that you specify for the Password Age Days setting in the LAPS policy determines how quickly the administrator account password is rotated. This value is also used to automatically update the managed local administrator password on Windows devices.

Sign in to the Microsoft Intune admin center and go to Endpoint Security > Account Protection. If you wish to create a new LAPS policy to rotate the local admin password, choose Create Policy. To edit the existing LAPS policy, select the Windows LAPS policy and edit the configuration settings.

Here, look for the setting named “Password Age Days.” This setting allows you to configure the maximum password age of the managed local administrator account. This setting has a minimum allowed value of 1 day when backing the password to on-premises Active Directory and 7 days when backing the password to Azure AD.

So, if you are backing up the admin password to on-prem AD, you can set the value to 1. This will automatically rotate the local admin password every day or once every 24 hours.

Rotate the Local Admin password using LAPS Policy
Rotate the Local Admin password using LAPS Policy

Method 3: Rotate the Local Admin Password using OMA-URI Settings

Using OMA-URI settings in Intune, you can immediately reset the managed local administrator password when using Windows LAPS. You can use the “Actions/ResetPassword” OMA-URI setting in Windows LAPS CSP to configure the password rotation behavior of the managed local administrator account.

Use the below OMA-URI setting in Intune to tell the CSP to immediately generate and store a new password for the managed local administrator account. This action invokes an immediate reset of the local administrator account password, ignoring the normal constraints such as PasswordLengthDays, etc.

./Device/Vendor/MSFT/LAPS/Actions/ResetPassword

The below screenshot illustrates the Actions/ResetPassword OMA-URI setting that can be configured to reset the local admin password. It also shows the Windows editions and versions that are compatible with these settings.

Rotate Local Admin Password using OMA-URI
Rotate Local Admin Password using OMA-URI Settings

Method 4: Reset the Local admin password using PowerShell

The Reset-LapsPassword cmdlet lets you reset the password of the managed Intune local administrator account. This is one of the PowerShell cmdlets for LAPS provided by Microsoft.

The Reset-LapsPassword cmdlet tells LAPS to immediately rotate the password for the currently managed local account. This operation is performed regardless of the state of the current password; for example, it doesn’t matter whether the current password is considered expired or not.

Let’s look at the steps for resetting the password of the managed local administrator account using PowerShell.

  • Sign in to the Windows device whose local admin account password needs a reset.
  • Click Start, type “PowerShell” in the search, and launch the Windows PowerShell.
  • Enter the command Reset-LapsPassword and press enter.
Reset the Local admin password using PowerShell
Reset the Local admin password using PowerShell

After running the above PS command, the local admin account password on the Windows device is reset. To verify if the admin account password is reset, launch the event viewer by running the shortcut command eventvwr. Next, browse the following path in the event viewer to view LAPS-related events.

Application and Services Logs: Microsoft-Windows-LAPS/Operational

The ‘Operational‘ section within the LAPS folder logs events related to LAPS. Since you’ll find plenty of events here, you can use the option to filter the current log with event ID 10014 to find out the LAPS settings applied via Intune.

The event ID 10014 shows the LAPS is updating the managed account password due to an administrator-initiated request. This confirms that you can use the Reset-LapsPassword cmdlet to immediately reset the managed local admin account password.

Reset the Local admin password using PowerShell
Reset the Local admin password using PowerShell

How do I verify if the Local Admin Password is rotated?

There are many ways to verify if the local admin password has been successfully rotated in Intune. We will now go through some of these methods.

1. Intune Admin Center

After you perform the password rotation of an account in Intune, you can verify the new password using these steps:

  • Sign in to the Microsoft Intune admin center.
  • Go to Devices > Windows.
  • Click on the Windows device you want to verify the local administrator password for and select Local admin password.
  • Click Show local administrator password.
Verify if the Local Admin Password is rotated
Verify if the Local Admin Password is rotated in Intune Admin Center

2. Event Viewer

If you have locally reset the admin account password using the Reset-LapsPassword PowerShell cmdlet, you can verify it via the event viewer.

Launch the Event Viewer on the Windows device whose local admin password was reset recently. Go to Application and Services Logs: Microsoft-Windows-LAPS/Operational. Look for the event ID 10014 shows the LAPS is updating the managed account password due to an administrator-initiated request.

Use Event Viewer to verify if the Local Admin Password is rotated
Use Event Viewer to verify if the Local Admin Password is rotated

Create a Custom Role to Rotate Local Admin Password in Intune

If you have an IT team that supports users across the globe, you want to assign permissions to your IT team to rotate the local admin password when required. Not everyone should have the authority to manually rotate the admin account password.

To facilitate this, Microsoft has come up with role based access controls for LAPS. Using the RBAC LAPS, you can create a custom role both in Intune and Entra ID that grants permissions to users to view or rotate a local admin account password on a Windows device.

To view or rotate a local admin account password on a Windows device, your account must be assigned the following Intune permissions:

  • Managed devices: Read
  • Organization: Read
  • Remote tasks: Rotate Local Admin Password

Let’s create a custom role in the Intune admin center to grant users permissions to view or rotate the managed local admin password.

Sign in to the Intune admin center. Go to Tenant Administration > Roles. To create a custom role, click on Create and select Intune Role.

Create a Custom Role to Rotate Local Admin Password in Intune
Create a Custom Role to Rotate Local Admin Password in Intune

On the Basics tab of the Add Custom Role, specify the name and description. Click Next.

Create a Custom Role to Rotate Local Admin Password in Intune
Create a Custom Role to Rotate Local Admin Password in Intune

On the Permissions tab, select the following categories in order and configure the following settings.

Expand the Managed Devices category and set the Read Permission to Yes. This allows the user to view Intune managed devices.

Rotate Local Administrator Password Intune permission
Rotate Local Administrator Password Intune permission

Expand the Organization category and set the Read permission to Yes. This allows the user to view tenant settings such as device categories and Exchange connectors.

Rotate Local Administrator Password Intune permission
Rotate Local Administrator Password Intune permission

Expand the Remote Tasks category and set the Rotate Local Admin Password permission to Yes. This grants the user permission to initiate a manual rotation for the local admin password on the device.

Remote tasks: Rotate Local Admin Password
Remote tasks: Rotate Local Admin Password

Click Next and complete the creation of the custom role. Select All Roles and here you should find the custom role that you created above. Select the custom role, and under the Manage section, choose Assignments. Click on +Assign and add the user groups to whom you want to assign the permissions to rotate the local admin password.

Assign Custom Role to Intune Users
Assign Custom Role to Intune Users

Create a Custom Role in Entra ID to Rotate Local Admin Password

Let’s create a new custom role in Microsoft Entra ID and assign users permissions to rotate local admin passwords remotely.

  • Sign in to the Microsoft Entra admin center as at least a Privileged Role Administrator.
  • Browse to Identity > Roles & admins > Roles & admins.
  • Select ‘New custom role.’
Create a Custom Role to Rotate Local Admin Password in Entra ID
Create a Custom Role to Rotate Local Admin Password in Entra ID

On the Basics tab, provide a name and description for the role, and then click Next.

https://34ba678ff4f2ebeb814ad88804302240.safeframe.googlesyndication.com/safeframe/1-0-40/html/container.html
Specify Custom Role Name and Description
Specify Custom Role Name and Description

On the Permissions tab, add the following permissions necessary to view or rotate the LAPS admin account password:

  • microsoft.directory/deviceLocalCredentials/password/read – Grants the permissions to read LAPS metadata and passwords.
  • microsoft.directory/deviceLocalCredentials/standard/read – Grants the permissions to read LAPS metadata excluding passwords.
https://34ba678ff4f2ebeb814ad88804302240.safeframe.googlesyndication.com/safeframe/1-0-40/html/container.html

Click Next.

Add Permissions to Reset Local Administrator Account Password
Add Permissions to Reset Local Administrator Account Password

On the Review + create tab, review the permissions and select Create. Your custom role will show up in the list of available roles to assign.

Create a Custom Role to Rotate Local Admin Password in Entra ID
Create a Custom Role to Rotate Local Admin Password in Entra ID

This is the last step, where you assign the custom role to the User groups. Select the Rotate local admin password custom role and click +Add assignments. Select the user group to assign them this role and complete the wizard.

Entra ID Custom Role Assignments
Entra ID Custom Role Assignments
https://34ba678ff4f2ebeb814ad88804302240.safeframe.googlesyndication.com/safeframe/1-0-40/html/container.html

Conclusion

In this article, we discussed multiple methods to rotate the managed local administrator account passwords on Windows devices using Intune. We also covered the procedure to create a custom role in Microsoft Intune and Entra ID to facilitate the password rotation of the admin account.

If you have already implemented the LAPS policy via Intune, make sure you rotate the administrator account passwords regularly. If you need further help, please let us know in the comments section.

Read Next

Sign Up For Newsletter

Join our newsletter to stay updated and receive all the top articles published on the site! Get the latest articles delivered straight to your inbox.

Comments

Leave a Reply

Your email address will not be published. Required fields are marked *