Overview
The Devicie Local Administrator Password Solution (LAPS) Baseline provides configuration, with best-practice recommendations, to ensure local administrator accounts are secured.
Intune Description:
LAPS best practices.
Scope:
This baseline should be applied to Windows devices.
Policy Impact Areas:
When deployed, this policy will impact:
- Enforcing LAPS
Deployment Notes
- Pre-Deployment Considerations:
  - LAPS must be enabled/prepared manually on the tenant. Refer to the Devicie Tenant Preparation article for further information.
- Post-Deployment Validation:
  - Verify the LAPS configuration, including the password length requirement (15 characters).
Known Issues and Resolutions
- Issue 1: Enabling LAPS on the tenant prior to configuration deployment
  - Resolution: Follow the Devicie knowledge base article for guidance to ensure the tenant is correctly prepared.
Configuration Settings
Name | Value
Backup Directory | Backup the password to Azure AD only
Password Age Days | 30
Password Complexity | Large letters + small letters + numbers + special characters (improved readability)
Password Length | 15
Post Authentication Actions | Reset the password and logoff the managed account: upon expiry of the grace period, the managed account password will be reset and any interactive logon sessions using the managed account will be terminated.
Post Authentication Reset Delay | 4
Devicie Template Name | LAPS
Default Intune Deployed Name | DEVICIE-PROD-LAPS
Version | 1.0
Template Last Updated | Nov 18, 2024
Document Status: | DRAFT
Document Last Updated: | Apr 10, 2025
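For the Post-Deployment Validation step, the following added example (not part of the Devicie template or tooling) compares the LAPS policy a device has received with the values in the Configuration Settings table. It assumes the policy is delivered through the Windows LAPS CSP; the registry path and the numeric encodings of each setting come from Microsoft's Windows LAPS documentation, not from this page, and the function name `Test-LapsBaseline` is hypothetical.

```powershell
# Added example: compare the LAPS policy received by this device with the baseline table.
# Assumption: registry path and numeric encodings follow Microsoft's Windows LAPS CSP
# documentation; they are not stated on this page.
$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Policies\LAPS'

# Baseline values from the Configuration Settings table.
$Baseline = [ordered]@{
    BackupDirectory              = 1   # Backup the password to Azure AD only
    PasswordAgeDays              = 30
    PasswordComplexity           = 5   # Large + small + numbers + special (improved readability)
    PasswordLength               = 15
    PostAuthenticationActions    = 3   # Reset the password and logoff the managed account
    PostAuthenticationResetDelay = 4
}

function Test-LapsBaseline {
    param(
        [string]$Path = $PolicyKey,
        [System.Collections.IDictionary]$Expected = $Baseline
    )
    if (-not (Test-Path -LiteralPath $Path)) {
        Write-Warning "No LAPS CSP policy at $Path. Policy not delivered yet, or tenant not prepared."
        return
    }
    $actual = Get-ItemProperty -LiteralPath $Path
    foreach ($name in $Expected.Keys) {
        $prop  = $actual.PSObject.Properties[$name]        # $null when the setting is absent
        $value = if ($prop) { $prop.Value } else { $null }
        [pscustomobject]@{
            Setting   = $name
            Expected  = $Expected[$name]
            Actual    = if ($null -eq $value) { '<not set>' } else { $value }
            Compliant = ($null -ne $value) -and ([int]$value -eq $Expected[$name])
        }
    }
}

# Print one row per setting; return a nonzero exit code when run as a script and anything drifts.
$results = @(Test-LapsBaseline)
$results | Format-Table -AutoSize
if ($results.Count -eq 0 -or ($results | Where-Object { -not $_.Compliant })) { exit 1 }
```

A missing policy key is reported separately from a mismatched value, which helps distinguish the tenant-preparation issue listed under Known Issues from a setting that differs from the baseline.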