Enabling Local Administrator Password Solution (LAPS) in Entra ID [CHK-1169]

This check determines if Entra ID supports the Local Administrator Password Solution (LAPS) in Windows, which ensures unique local administrator passwords across all systems.

Rationale

If an attacker gains access to a Windows computer, they can potentially take over other systems using the same passwords. Using identical administrator passwords across all devices makes it easier for attackers to gain control. Enabling LAPS mitigates this risk.

Fix

An automated fix is available through Attic.

Manual steps:

  1. Navigate to the Entra ID portal at https://entra.microsoft.com
  2. Go to Identity > Devices > Overview > Device Settings
  3. Enable Local Administrator Password
  4. Configure additional LAPS settings as needed (password complexity, rotation frequency)
  5. Click "Save"
  6. Configure devices to store passwords in Azure AD via Intune or GPO

Impact

Enabling LAPS in Entra ID improves security by automatically managing and rotating local administrator passwords. LAPS will still need to be enabled on the endpoints themselves.
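To verify both halves of the fix (the tenant setting from steps 1-5 and the endpoint configuration from step 6), the following added example, which is not Attic's code or part of the original check, reads the tenant flag through Microsoft Graph and the backup target on a Windows endpoint. It assumes the Microsoft.Graph.Authentication module, the Graph beta `deviceRegistrationPolicy` resource, and the Windows LAPS policy registry locations; the function names are hypothetical.

```powershell
#Requires -Modules Microsoft.Graph.Authentication

# Tenant side (hypothetical helper): returns $true when the Entra ID device
# setting "Local Administrator Password" is enabled.
# Assumption: the Graph beta deviceRegistrationPolicy resource exposes it as
# localAdminPassword.isEnabled.
function Test-EntraLapsEnabled {
    $uri = 'https://graph.microsoft.com/beta/policies/deviceRegistrationPolicy'
    $policy = Invoke-MgGraphRequest -Method GET -Uri $uri -OutputType PSObject
    return [bool]$policy.localAdminPassword.isEnabled
}

# Endpoint side (hypothetical helper): reports where Windows LAPS on this
# machine backs up the local administrator password.
# Assumption: policy is delivered by Intune (CSP) or GPO; the CSP location is
# checked first because it takes precedence when both are present.
function Get-LapsBackupTarget {
    $roots = [ordered]@{
        'CSP (Intune)' = 'HKLM:\SOFTWARE\Microsoft\Policies\LAPS'
        'Group Policy' = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\LAPS'
    }
    # BackupDirectory values defined by Windows LAPS
    $names = @{ 0 = 'Disabled'; 1 = 'Microsoft Entra ID'; 2 = 'Active Directory' }

    foreach ($source in $roots.Keys) {
        $item = Get-ItemProperty -Path $roots[$source] -Name BackupDirectory -ErrorAction SilentlyContinue
        if ($null -ne $item) {
            $value = [int]$item.BackupDirectory
            return [pscustomobject]@{
                Source          = $source
                BackupDirectory = $value
                Target          = $names[$value]
            }
        }
    }
    # No LAPS policy found: the endpoint stores nothing, even if the tenant allows it.
    return [pscustomobject]@{ Source = 'None'; BackupDirectory = $null; Target = 'Not configured' }
}

# Usage: the tenant check needs a Graph session with read access to device policy;
# the endpoint check runs locally on the Windows device being verified.
Connect-MgGraph -Scopes 'Policy.Read.DeviceConfiguration'
"Tenant LAPS enabled: $(Test-EntraLapsEnabled)"
Get-LapsBackupTarget
```

The check passes end to end only when the tenant flag is true and the endpoint reports `Microsoft Entra ID` as its target.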

More Information