Intune LAPS
Unique, rotating local admin passwords on every Windows device. Backed up to Entra ID. No more shared secret that opens every laptop.
One Local Admin Password on Every Device Is the Same Key for Every Device
In most mid-market Windows fleets, the local administrator password is identical on every device. It was set during imaging five years ago. It is written in a password manager. It is shared with the helpdesk. One phished credential, one stolen laptop, and an attacker has the key to every other device — classic lateral movement.
This is not a failure of your IT team. The old Microsoft LAPS needed on-prem AD, GPO, a schema extension, and careful maintenance. Windows LAPS changed that: it is built into Windows 11 and Windows 10 22H2, managed via Intune, and backs up to Entra ID. The license is already yours. What is missing: the policy design, the migration from legacy LAPS or static passwords, and the operational runbook.
Traditional consulting for LAPS? Five figures. The consultant configures, leaves a document, leaves. Your helpdesk is back to sharing a password next time somebody new joins.
ACTIVITIES IN DETAIL
Verify prerequisites: Intune Plan 1, Entra ID Free, Windows 11 22H2+ or Windows 10 22H2 with KB5025221
Enable Windows LAPS in Entra ID tenant settings (Entra admin center → Devices → Device settings)
Inventory current local admin state: static passwords, legacy Microsoft LAPS, GPO-based LAPS, unmanaged devices
Design Intune LAPS policy: target account (built-in RID or named account), password complexity, length (14–64 chars), rotation schedule (30–90 days)
Choose backup directory: Entra ID (recommended for cloud or hybrid-joined), on-premises AD (domain-joined only)
Role-based access control: which Intune admins can read and rotate passwords — Endpoint Security Manager role
Deploy to pilot device group (10–20 devices), validate backup in Intune admin center, test manual rotation
Staged rollout by device group — wave by wave, with compliance monitoring
Decommission legacy LAPS: GPO removal, legacy MS LAPS uninstall, password vault cleanup
Helpdesk runbook: retrieving a current password, manual rotation, troubleshooting backup failures
DELIVERABLES
Intune LAPS Policy: Configured and assigned per device group — password complexity, rotation, backup target
Entra ID Configuration: Local Administrator Password Solution enabled at tenant level
Legacy LAPS Decommission: GPO removed, legacy agent uninstalled, static passwords rotated and retired
RBAC Model: Defined roles for password retrieval and rotation, aligned with your helpdesk structure
Pilot Validation Report: End-to-end test on 10–20 devices with backup verification and manual rotation
Helpdesk Runbook: Password retrieval, manual rotation, backup troubleshooting
Complete Project Documentation: All configuration decisions documented without gaps
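The helpdesk runbook items above (retrieve the current password, trigger a rotation, troubleshoot a failed backup) as an added PowerShell example; this is illustrative code, not a DAMALO deliverable. It assumes the Windows LAPS module present on Windows 11 / Windows 10 22H2, the Microsoft.Graph PowerShell modules on the helpdesk workstation, an account holding the Graph scopes shown, and a constructed device name 'LAPTOP-0042'.

```powershell
# Part 1: helpdesk workstation. Look up the device in Entra ID and read the
# Windows LAPS password that the device backed up to its Entra device object.
function Get-HelpdeskLapsPassword {
    param(
        [Parameter(Mandatory)][string]$DeviceName,  # e.g. 'LAPTOP-0042' (constructed)
        [switch]$IncludeHistory                      # also return previous passwords
    )
    # Delegated scopes: read device objects and their backed-up local credentials.
    Connect-MgGraph -Scopes 'Device.Read.All', 'DeviceLocalCredential.Read.All' -NoWelcome

    # Stale duplicates with the same name are common after re-imaging; take the
    # object that signed in most recently.
    $device = Get-MgDevice -Filter "displayName eq '$DeviceName'" `
        -Property Id, DeviceId, DisplayName, ApproximateLastSignInDateTime |
        Sort-Object ApproximateLastSignInDateTime -Descending |
        Select-Object -First 1
    if (-not $device) { throw "No Entra device object named '$DeviceName'." }

    # Get-LapsAADPassword takes the Entra *device ID*, not the directory object ID.
    $cred = Get-LapsAADPassword -DeviceIds $device.DeviceId -IncludePasswords `
        -IncludeHistory:$IncludeHistory -AsPlainText
    if (-not $cred) {
        throw "No LAPS backup for '$DeviceName'. Check policy assignment and backup directory."
    }
    # Return only what the helpdesk needs: account, secret, and rotation timing.
    $cred | Select-Object DeviceName, Account, Password, PasswordUpdateTime, PasswordExpirationTime
}

# Part 2: run elevated on the managed device. Optionally rotate the password now,
# force LAPS policy processing (which retries a pending backup), and surface any
# errors from the Windows LAPS operational log.
function Test-LapsBackupOnDevice {
    param([switch]$Rotate)
    if ($Rotate) { Reset-LapsPassword }   # immediate rotation of the managed account
    Invoke-LapsPolicyProcessing

    $errors = Get-WinEvent -LogName 'Microsoft-Windows-LAPS/Operational' -MaxEvents 50 `
        -ErrorAction SilentlyContinue | Where-Object { $_.Level -le 2 }   # 1 = Critical, 2 = Error
    if ($errors) { return $errors | Select-Object TimeCreated, Id, Message }
    'No LAPS errors in the last 50 events; the backup should be visible in Intune shortly.'
}

# Usage (constructed device name):
# Get-HelpdeskLapsPassword -DeviceName 'LAPTOP-0042'
# Test-LapsBackupOnDevice -Rotate
```

The Intune admin center also offers "Rotate local admin password" as a remote device action; Reset-LapsPassword is the on-device equivalent for a technician already at the keyboard.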
3 steps. From start to finished project.
How a typical Microsoft project runs with DAMALO
STEP 1
Choose a blueprint and analyze your environment
Select a proven blueprint. AI agents pull your licenses, current config, and compliance needs into the plan. No generic advice.
STEP 2
Receive your plan and start implementation
Review the plan. AI agents draft architecture, sequence tasks, and map dependencies to Microsoft best practices. Tailored to your tenant.
STEP 3
Guided implementation through to completion
Execute step by step. AI agents provide PowerShell scripts, admin center deep-links, and walkthroughs. Every change auto-documented.
The result: A completed Microsoft project in 1-2 weeks. Documented. Audit-ready. Understood by your team. Adjustable at any time. No change requests. No follow-up engagements.
Next steps after Intune LAPS
A cleanly configured tenant is the foundation. These blueprints build directly on it.