A comprehensive guide covering multiple methods to rotate the managed local administrator password on Windows 10/11 devices when using Windows LAPS.
In this tutorial, we’ll cover different methods to rotate the local admin password using Intune on Windows 10/11 devices. Rotating the admin account password means changing or resetting the password of the managed local administrator account.
You can rotate the admin account passwords in Intune after you have set up the Windows LAPS policy for Windows devices. This can be done manually when required, or you can configure the admin password rotation schedule in the LAPS Policy.
In our previous article, we showed you the steps to implement LAPS with Intune. If you are new to LAPS and want to enable and configure it using Intune, this guide is the best way to get started.
Why should you rotate the admin account passwords?
The primary goal of rotating the admin account password is to shorten the lifespan of the password, reducing vulnerability to password-based attacks and exploits.
Any organization that uses the administrator account to perform administrative tasks should consider changing the passwords regularly.
This is where Windows LAPS helps: it rotates the managed admin account password regularly and sets complex passwords for the account, which is why it is so beneficial for organizations.
While there is no fixed rule on how often you should rotate the password, most organizations change the admin passwords every 30–60 days. The periodic password rotation can minimize the window of opportunity for cybercriminals to take advantage of a Windows system, even if the administrator account password of the device is stolen or exposed at some point.
Ways to rotate the LAPS local admin password
Listed below are some methods that can be used to rotate the LAPS local admin password on Windows devices:
- Manually rotate the admin password from Intune admin center
- Use Reset-LapsPassword PowerShell cmdlet to reset the admin account password
- Use OMA-URI Settings to rotate admin account password
- Rotate the local admin password using Windows LAPS
Permissions required to rotate admin password
To use the Intune admin center to view or change a local admin account password on a Windows device, your account must be assigned the following Intune permissions:
- Managed devices: Read (view Intune managed devices)
- Organization: Read (view tenant settings such as device categories and Exchange Connectors)
- Remote tasks: Rotate Local Admin Password
To view or rotate the administrator account password, your account must have one of the following Microsoft Entra permissions:
- microsoft.directory/deviceLocalCredentials/password/read
- microsoft.directory/deviceLocalCredentials/standard/read
You can create custom roles in Intune and Entra ID that grant these permissions; this is covered in a later section of this article.
Method 1: Rotate Local admin password using Intune admin center
Independent of the LAPS Policy’s set rotation schedule, you can rotate an admin password by using the device action “Rotate local admin password” in the Intune admin center.
Use the following steps to rotate the Windows LAPS admin password in the Intune admin center:
- Sign in to the Microsoft Intune admin center.
- Go to Devices > All devices, and select the Windows device with the account you want to rotate.
- Click on the three dots on the top menu of options, and then select “Rotate local admin password.”
The following message is displayed when you initiate the rotate local admin password device action in the Intune admin center.
If you rotate the local admin password on this device, you’ll lose the old password used on the device. A single password will be generated to your identity provider (Microsoft Entra ID or Active Directory) after you restart the device. The password will expire automatically within the period specified in the policy. Rotate the password anyway?
Select ‘Yes’ to proceed with the local admin password rotation.
Shortly, a notification “Rotate local admin password initiated” appears in the top-right corner of the Intune admin center. That completes the procedure to manually initiate the admin account password rotation from Intune.
Note: When a password is rotated for an account on demand, the time to the next scheduled password rotation is reset. The time to the next scheduled rotation is managed through the PasswordAgeDays setting in the LAPS policy.
Monitor Account Password Rotation in Intune
After you initiate the admin account password rotation for a Windows device in Intune, the device details pane displays the banner “Rotate local admin password pending,” meaning the admin password is being rotated for the selected Windows device. The device action status also shows the action as pending.
After you confirm the intent to rotate the password, Intune initiates the process, which can take a few minutes to complete. You don’t need to restart the device. During our testing, it took approximately 8 minutes to successfully rotate the admin account password.
If the Windows device displays Rotate local admin password pending status for a long time, make sure the remote device is online and is receiving the Intune policies. If the device isn’t online at the time of the request, it results in a failure. To troubleshoot further, perform a manual sync of the device from the Intune admin center.
If a Windows device displays the status “Rotate local admin password: Completed,” it means the admin password has been rotated successfully. Both scheduled and manual password rotation attempts result in an audit event.
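The same device action can be triggered and monitored through Microsoft Graph instead of the portal. The following is an added example, not code from the original article: it assumes the Microsoft.Graph PowerShell module is installed, that the signed-in account holds the Intune permissions listed above, and that the Graph scope named in the comment is sufficient; the rotateLocalAdminPassword action lives in the beta endpoint, and the device name is a placeholder.

```powershell
# Added example (not from the original article): invoke "Rotate local admin
# password" for one Windows device via Microsoft Graph, then read back the
# device action results that the Intune admin center shows as pending/completed.
# Assumes the Microsoft.Graph module is installed. Device name is a placeholder.

$deviceName = 'WIN11-PLACEHOLDER'

# Scope assumed to cover the privileged managed-device action; the caller also
# needs the Intune RBAC permission "Remote tasks: Rotate Local Admin Password".
Connect-MgGraph -Scopes 'DeviceManagementManagedDevices.PrivilegedOperations.All'

# Resolve the Intune managed device id from its device name.
$filter = [uri]::EscapeDataString("deviceName eq '$deviceName'")
$lookup = Invoke-MgGraphRequest -Method GET -Uri ("https://graph.microsoft.com/beta/deviceManagement/managedDevices?`$filter=$filter&`$select=id,deviceName")
$device = $lookup.value | Select-Object -First 1
if (-not $device) { throw "No managed device named $deviceName was found." }

# Same action the portal's "Rotate local admin password" button performs.
Invoke-MgGraphRequest -Method POST -Uri "https://graph.microsoft.com/beta/deviceManagement/managedDevices/$($device.id)/rotateLocalAdminPassword"

# The action stays pending until the device checks in and completes it, which
# the article observed to take several minutes.
$status = Invoke-MgGraphRequest -Method GET -Uri "https://graph.microsoft.com/beta/deviceManagement/managedDevices/$($device.id)?`$select=id,deviceName,deviceActionResults"
foreach ($result in $status.deviceActionResults) {
    '{0}: {1} (started {2}, last updated {3})' -f $result.actionName, $result.actionState, $result.startDateTime, $result.lastUpdatedDateTime
}
```

Re-run the final GET after a few minutes to see the action move from pending to a completed state.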
Method 2: Rotate the Local Admin password using the Windows LAPS
If you want to avoid manually rotating the local admin password from Intune, you can configure the Windows LAPS policy to automatically rotate the admin password. Note that this method doesn’t allow you to rotate the passwords immediately.
The value that you specify for the Password Age Days setting in the LAPS policy determines how quickly the administrator account password is rotated. This value is also used to automatically update the managed local administrator password on Windows devices.
Sign in to the Microsoft Intune admin center and go to Endpoint Security > Account Protection. If you wish to create a new LAPS policy to rotate the local admin password, choose Create Policy. To edit the existing LAPS policy, select the Windows LAPS policy and edit the configuration settings.
Here, look for the setting named “Password Age Days.” This setting configures the maximum password age of the managed local administrator account. Its minimum allowed value is 1 day when backing up the password to on-premises Active Directory and 7 days when backing up the password to Azure AD.
So, if you are backing up the admin password to on-prem AD, you can set the value to 1. This will automatically rotate the local admin password every day or once every 24 hours.
Method 3: Rotate the Local Admin Password using OMA-URI Settings
Using OMA-URI settings in Intune, you can immediately reset the managed local administrator password when using Windows LAPS. You can use the “Actions/ResetPassword” OMA-URI setting in Windows LAPS CSP to configure the password rotation behavior of the managed local administrator account.
Use the following OMA-URI setting in Intune to tell the CSP to immediately generate and store a new password for the managed local administrator account. This action invokes an immediate reset of the local administrator account password, ignoring the normal constraints such as PasswordAgeDays.
./Device/Vendor/MSFT/LAPS/Actions/ResetPassword
The below screenshot illustrates the Actions/ResetPassword OMA-URI setting that can be configured to reset the local admin password. It also shows the Windows editions and versions that are compatible with these settings.
Method 4: Reset the Local admin password using PowerShell
The Reset-LapsPassword cmdlet lets you reset, on the device itself, the password of the local administrator account managed by LAPS through your Intune policy. It is one of the Windows LAPS PowerShell cmdlets provided by Microsoft.
The Reset-LapsPassword cmdlet tells LAPS to immediately rotate the password for the currently managed local account. This operation is performed regardless of the state of the current password; for example, it doesn’t matter whether the current password is considered expired or not.
Let’s look at the steps for resetting the password of the managed local administrator account using PowerShell.
- Sign in to the Windows device whose local admin account password needs a reset.
- Click Start, type “PowerShell” in the search box, and launch Windows PowerShell.
- Enter the command Reset-LapsPassword and press Enter.
After running the above PS command, the local admin account password on the Windows device is reset. To verify if the admin account password is reset, launch the event viewer by running the shortcut command eventvwr. Next, browse the following path in the event viewer to view LAPS-related events.
Application and Services Logs: Microsoft-Windows-LAPS/Operational
The ‘Operational’ log within the LAPS folder records LAPS events. Since you’ll find plenty of events here, use Filter Current Log with event ID 10014 to locate the entries for administrator-initiated password resets.
The event ID 10014 shows the LAPS is updating the managed account password due to an administrator-initiated request. This confirms that you can use the Reset-LapsPassword cmdlet to immediately reset the managed local admin account password.
How do I verify if the Local Admin Password is rotated?
There are many ways to verify if the local admin password has been successfully rotated in Intune. We will now go through some of these methods.
1. Intune Admin Center
After you perform the password rotation of an account in Intune, you can verify the new password using these steps:
- Sign in to the Microsoft Intune admin center.
- Go to Devices > Windows.
- Click on the Windows device you want to verify the local administrator password for and select Local admin password.
- Click Show local administrator password.
2. Event Viewer
If you have locally reset the admin account password using the Reset-LapsPassword PowerShell cmdlet, you can verify it via the event viewer.
Launch the Event Viewer on the Windows device whose local admin password was reset recently. Go to Application and Services Logs: Microsoft-Windows-LAPS/Operational. Look for event ID 10014, which shows that LAPS is updating the managed account password due to an administrator-initiated request.
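Method 4 and the Event Viewer check above can be combined in one elevated PowerShell session: reset the password, then query the Microsoft-Windows-LAPS/Operational log for event ID 10014 written since the reset. This is an added example, not code from the original article; it assumes Windows LAPS is present on the device with a LAPS policy applied, and that the session is running as administrator.

```powershell
# Added example (not from the original article): rotate the LAPS-managed local
# administrator password locally and confirm it from the LAPS operational log.
# Assumes Windows LAPS is installed, a LAPS policy applies to this device, and
# the session is elevated (Reset-LapsPassword needs administrator rights).

$started = Get-Date

# Rotates the managed account password immediately, regardless of whether the
# current password is considered expired.
Reset-LapsPassword

# Give the LAPS service a moment to store the new password and log the event.
Start-Sleep -Seconds 5

# Only event ID 10014 (administrator-initiated password update) since the reset.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-LAPS/Operational'
    Id        = 10014
    StartTime = $started
} -ErrorAction SilentlyContinue

if ($events) {
    foreach ($e in $events) {
        '{0:u}  Id={1}  {2}' -f $e.TimeCreated, $e.Id, $e.Message
    }
    'Password reset confirmed by event ID 10014.'
} else {
    'No event ID 10014 logged since {0:u}; verify the LAPS policy applies and the session is elevated.' -f $started
}
```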
Create a Custom Role to Rotate Local Admin Password in Intune
If you have an IT team that supports users across the globe, you will want to give specific members of that team permission to rotate the local admin password when required; not everyone should have the authority to manually rotate the admin account password.
To facilitate this, Microsoft provides role-based access control (RBAC) for LAPS. Using LAPS RBAC, you can create custom roles in both Intune and Entra ID that grant users permission to view or rotate a local admin account password on a Windows device.
To view or rotate a local admin account password on a Windows device, your account must be assigned the following Intune permissions:
- Managed devices: Read
- Organization: Read
- Remote tasks: Rotate Local Admin Password
Let’s create a custom role in the Intune admin center to grant users permissions to view or rotate the managed local admin password.
Sign in to the Intune admin center. Go to Tenant Administration > Roles. To create a custom role, click on Create and select Intune Role.
On the Basics tab of the Add Custom Role, specify the name and description. Click Next.
On the Permissions tab, select the following categories in order and configure the following settings.
Expand the Managed Devices category and set the Read Permission to Yes. This allows the user to view Intune managed devices.
Expand the Organization category and set the Read permission to Yes. This allows the user to view tenant settings such as device categories and Exchange connectors.
Expand the Remote Tasks category and set the Rotate Local Admin Password permission to Yes. This grants the user permission to initiate a manual rotation for the local admin password on the device.
Click Next and complete the creation of the custom role. Select All roles; the custom role you created should appear in the list. Select it, and under the Manage section, choose Assignments. Click +Assign and add the user groups to which you want to grant permission to rotate the local admin password.
Create a Custom Role in Entra ID to Rotate Local Admin Password
Let’s create a new custom role in Microsoft Entra ID and assign users permissions to rotate local admin passwords remotely.
- Sign in to the Microsoft Entra admin center as at least a Privileged Role Administrator.
- Browse to Identity > Roles & admins > Roles & admins.
- Select ‘New custom role.’
On the Basics tab, provide a name and description for the role, and then click Next.
On the Permissions tab, add the following permissions necessary to view or rotate the LAPS admin account password:
- microsoft.directory/deviceLocalCredentials/password/read – Grants the permissions to read LAPS metadata and passwords.
- microsoft.directory/deviceLocalCredentials/standard/read – Grants the permissions to read LAPS metadata excluding passwords.
Click Next.
On the Review + create tab, review the permissions and select Create. Your custom role will show up in the list of available roles to assign.
This is the last step, where you assign the custom role to the User groups. Select the Rotate local admin password custom role and click +Add assignments. Select the user group to assign them this role and complete the wizard.
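The Entra ID custom role built in the wizard above can also be created and assigned with Microsoft Graph PowerShell. This is an added example, not code from the original article; it assumes the Microsoft.Graph module is installed, the caller holds the RoleManagement.ReadWrite.Directory scope, and the group object id is a placeholder for a role-assignable group.

```powershell
# Added example (not from the original article): create the Entra ID custom role
# with the two LAPS permissions from the article and assign it to a group.
# Assumes the Microsoft.Graph module is installed; the group id is a placeholder.

Connect-MgGraph -Scopes 'RoleManagement.ReadWrite.Directory'

$roleName = 'Rotate local admin password'                 # role name used in the article
$groupId  = '00000000-0000-0000-0000-000000000000'        # placeholder: object id of the support group

# password/read returns LAPS metadata and the password itself;
# standard/read returns LAPS metadata excluding the password.
$permissions = @{
    AllowedResourceActions = @(
        'microsoft.directory/deviceLocalCredentials/password/read',
        'microsoft.directory/deviceLocalCredentials/standard/read'
    )
}

$role = New-MgRoleManagementDirectoryRoleDefinition -DisplayName $roleName `
    -Description 'View Windows LAPS managed local admin passwords' `
    -IsEnabled:$true -RolePermissions @($permissions)

# Tenant-wide assignment ('/' directory scope). Entra roles can only be
# assigned to groups created as role-assignable (isAssignableToRole = true).
New-MgRoleManagementDirectoryRoleAssignment -RoleDefinitionId $role.Id `
    -PrincipalId $groupId -DirectoryScopeId '/' | Out-Null

"Created role '$($role.DisplayName)' ($($role.Id)) and assigned it to group $groupId."
```

The Entra role only governs reading the stored password; the ability to trigger the rotation still comes from the Intune custom role created earlier.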
Conclusion
In this article, we discussed multiple methods to rotate the managed local administrator account passwords on Windows devices using Intune. We also covered the procedure to create a custom role in Microsoft Intune and Entra ID to facilitate the password rotation of the admin account.
If you have already implemented the LAPS policy via Intune, make sure you rotate the administrator account passwords regularly. If you need further help, please let us know in the comments section.