Alex - stock.adobe.com

Tip

How to create a local admin account with Microsoft Intune

Local admin accounts can cause problems for Windows administrators due to their lack of oversight and privileged account status. Learn how IT can manage these accounts with Intune.

The local administrator account is a part of Windows accounts that is automatically created upon installation, and this privileged login can create challenges for IT administrators.

Unlike a domain admin account, the local administrator account lacks the permissions to manage the Active Directory environment or any other network resources. But it does provide elevated privileges for the local PC, which can be dangerous if IT doesn't plan for this account.

If cybercriminals manage to gain access to the local administrator account of a device, they can completely compromise the PC. They could access private data, alter settings to loosen security measures and even install malware on the device.

What is more problematic, however, is that many organizations use the same local administrator password on every PC. This means that anyone who figures out the local administrator password can gain full access to every PC in the organization. There could even be administrators who use the same password for both the local administrator accounts and for the domain administrator.

There is a way to reduce the risks associated with local administrator passwords. Microsoft offers a feature called the Local Administrator Password Solution -- more commonly known as Windows LAPS. Windows LAPS is a standard Windows Server feature, but it is also available in Entra ID -- formerly known as Azure AD.

As a Windows desktop administrator, Windows LAPS allows you to assign a random local administrator password to each Windows PC and to automatically rotate the password on a scheduled basis. First, you need to ensure that Intune is set up for device management.

Enable Windows LAPS

To get started, open the Entra admin center -- formerly the Azure AD admin center -- and click Identity > Devices > All Devices. This should display a list of all the devices that are in use within the organization (Figure 1).

The interface for the Intune dashboard of managed devices with associated device data.
The Intune Devices dashboard showing the inventory of all managed devices.

Next, click on Device Settings. Here, you need to set the option to enable Microsoft Entra Local Administrator Password Solution (LAPS) to Yes (Figure 2).

The device setting section of the Intune Devices tab showing Microsoft Entra configuration options.
Figure 2. The device settings for Microsoft Entra registration to ensure that Windows LAPS can function properly.

Enable the local administrator password

The next step is to enable the use of a local administrator password, which you can do within the Intune Admin Center. Depending on what location you are launching the Intune Admin Center from, it may be listed as the Endpoint Manager rather than the Intune Admin Center.

When the Intune Admin Center opens, select the Devices tab and then click on Configuration Profiles. Next, click on the Create button and select the New Policy option. When you do, Intune will ask you to select a platform and a profile type. Set the platform to Windows 10 and Later and set the profile type to Settings Catalog.

Click Create to create the profile. At this point, Intune launches the Create Profile wizard. Assign a name and an optional description to the profile that you are creating.

Click Next to be taken to the Configuration Settings screen. Here, click the Add Settings link. When prompted, select Local Policies Security Options and then select the Accounts Enabled Administrator Account Status checkbox.

Although it may seem a bit odd, the next step in the process is to click the Next button and then click the Previous button. This takes you right back to the Configuration Settings screen. The reason for doing this is because it forces Intune to reveal the option to enable the policy setting that you have selected. All you need to do is set the Accounts Enable Administrator Account Status setting to Enable (Figure 3).

The Accounts Enable Administrator Account Status toggle set to enable, which is required for Windows LAPS.
Figure 3. The enabled category that allows for the local admin account status to connect to Windows LAPS.

Click Next to see the Scope Tags screen. Select any tags you want to apply and click Next.

This brings up the Assignments screen. On this screen, select any groups for which the policy should apply. You can specify certain user and device groups. There is also an Exclude Groups option, but if you choose to exclude any groups you cannot use both user and device groups. You have to use one or the other.

Click Next to taken to a summary screen. Take a moment to verify that the settings within the summary are correct and then click the Create button.

Create a LAPS policy

Now that we have enabled the local administrator password on Windows devices, it's time to create a LAPS policy. To do so, select the Endpoint Security tab and then click on Account Protection, followed by Create Policy. Once again, you must set the Platform to Windows 10 and Later. The Profile, however, should be set to Local Admin Password Solution (Windows LAPS). Click the Create button to continue.

Intune will launch the Create Profile Wizard. As before, enter a name and description for the profile you are creating and click Next.

This brings up the Configuration Settings screen. This screen allows you to control the various attributes associated with the local admin password. You need to configure these settings based on your organization's own policies. However, here are my recommended settings (Figure 4):

  • Backup Directory: Back up Password to Azure AD Only.
  • Password Age Days: Not Configured -- this will set the maximum password age to 30 days.
  • Administrator Account Name: Administrator.
  • Password Complexity: Large Letters + Small Letters + Numbers + Special Characters.
  • Password Length: 20.
  • Post Authentication Actions: Reset Password Upon Expiry of the Grace Period. The Managed Account Password Will Be Reset.
  • Post Authentication Reset Delay: Not Configured.
The configuration settings for the local admin account on an Intune-enrolled Windows desktop.
Figure 4. The Intune profile creation section with some recommended security settings that will apply to the local admin account.

The remainder of this process is essentially the same as for the configuration profile you created earlier. You need to go through the remaining screens to set the scope tags and group assignments. When you arrive at the summary screen, take a moment to ensure that everything is correct and then click Create.

As devices register, you can acquire their local administrator passwords by clicking on Devices, All Devices, and then clicking on the local Administrator Password recovery link.

Brien Posey is a 15-time Microsoft MVP with two decades of IT experience. He has served as a lead network engineer for the U.S. Department of Defense and as a network administrator for some of the largest insurance companies in America.

Dig Deeper on Windows OS and management