Managing Local Admin Access in Intune: Account Protection and LAPS

Local admin access is often overlooked, but it’s one of the biggest gaps in endpoint security.

With Microsoft Intune and Microsoft Entra, you can now enforce least privilege, deploy secure admin accounts, and manage passwords using Windows LAPS — all without needing third-party tools.

In this guide, we’ll cover:

  • Why managing local admin access matters
  • What tools you have in Intune
  • How to set up Windows LAPS in Intune
  • What to watch out for before rolling it out

Why Managing Local Admin Access Matters

Uncontrolled local admin access can lead to:

  • Privilege escalation
  • Circumvention of compliance policies
  • Hard-to-audit changes or persistence threats

Good practice means:

  • Admin access is controlled
  • Admin passwords are unique per device
  • All access is audited and revocable

Option 1: Assign Admin Access with Account Protection Profile

To predefine who has local admin rights:

Steps:

  1. Go to Intune Admin Center > Endpoint security > Account protection
  2. Create a policy for Windows 10 and later
  3. Under Account Protection, add Entra ID users or groups to the “Administrators” group
  4. Assign to device groups

Use this to:

  • Add IT staff to admin group
  • Ensure users don’t get admin unless intended


Option 2: Enforce Unique Admin Passwords Using Windows LAPS

What Is Windows LAPS?

Windows LAPS (Local Administrator Password Solution) automatically creates and manages a unique, random local admin password per device, securely backed up to Entra ID.

Before You Implement LAPS – Key Considerations:

Devices must be:

  • Running Windows 10 20H2+ or Windows 11
  • Entra-joined or hybrid-joined
  • Managed by Intune
  • Enrolled in Endpoint Security

Decide on:

  • Whether to manage the default Administrator account or create a custom one
  • Who will have permission to read the recovered passwords (this is critical; see RBAC in Entra)

Test on a small pilot group before organization-wide rollout.

How to Set Up Windows LAPS via Intune

Step 1: Go to Intune Admin Center > Endpoint security > Account protection

Step 2: Click + Create Policy

  • Platform: Windows 10 and later
  • Profile type: Windows LAPS

Step 3: Configure the following settings:

[Screenshot: LAPS policy settings]

Step 4: Assign to a test device group and monitor results.
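To monitor results on a pilot device, the following script is an added example (not code from the original post): it reads the policy values the Intune LAPS profile writes to the LAPS CSP registry key, forces a policy processing pass, and shows the latest entries in the LAPS operational event log. It assumes a Windows 11 or updated Windows 10 build that ships the built-in LAPS module and an elevated session; the registry path and value names are those used by the Windows LAPS CSP.

```powershell
# Added example: verify that the Intune Windows LAPS profile has applied to this device.
# Assumes the built-in LAPS module is present (Windows 11 / Windows 10 with the April 2023 update or later).
#Requires -RunAsAdministrator

# The Intune LAPS CSP writes its policy here (GPO-delivered policy lives under ...\Windows\CurrentVersion\Policies\LAPS instead).
$policyPath = 'HKLM:\SOFTWARE\Microsoft\Policies\LAPS'

if (-not (Test-Path $policyPath)) {
    Write-Warning "No LAPS policy found at $policyPath - the Intune profile has not reached this device yet. Check device assignment and sync."
    return
}

$policy = Get-ItemProperty -Path $policyPath

# BackupDirectory: 0 = disabled, 1 = Active Directory, 2 = Entra ID (value meanings per the LAPS CSP)
$backup = switch ($policy.BackupDirectory) {
    0       { 'Disabled' }
    1       { 'Active Directory' }
    2       { 'Entra ID' }
    default { 'Not set' }
}

# Summarise the settings you chose in the Intune profile so you can confirm they match your design decisions
[pscustomobject]@{
    BackupDirectory         = $backup
    ManagedAccount          = if ($policy.AdministratorAccountName) { $policy.AdministratorAccountName } else { 'Built-in Administrator (default)' }
    PasswordAgeDays         = $policy.PasswordAgeDays
    PasswordLength          = $policy.PasswordLength
    PostAuthResetDelayHours = $policy.PostAuthenticationResetDelay
} | Format-List

# Force a policy processing pass now instead of waiting for the next scheduled run
if (Get-Command Invoke-LapsPolicyProcessing -ErrorAction SilentlyContinue) {
    Invoke-LapsPolicyProcessing
} else {
    Write-Warning 'LAPS PowerShell module not found; this build does not include Windows LAPS.'
}

# The operational log records each processing pass and whether the password was backed up to Entra ID
Get-WinEvent -LogName 'Microsoft-Windows-LAPS/Operational' -MaxEvents 20 |
    Sort-Object TimeCreated |
    Select-Object TimeCreated, Id, LevelDisplayName, Message |
    Format-Table -Wrap -AutoSize

# Error-level entries (Level 2) usually mean the policy applied but the backup failed, e.g. the device is not Entra-joined or was offline
$errors = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-LAPS/Operational'; Level = 2 } -MaxEvents 5 -ErrorAction SilentlyContinue
if ($errors) {
    Write-Warning "LAPS reported $($errors.Count) recent error(s); review the messages above before widening the pilot."
}
```

Run it on a handful of pilot devices after the first sync; a device with no policy key, or with BackupDirectory reported as Disabled, has not received the profile and will not have a password stored in Entra ID.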


How to Retrieve LAPS Passwords (Admins Only)

  1. Go to Microsoft Entra Admin Center
  2. Navigate to Devices > [Device name]
  3. Click on Local administrator password
  4. You’ll see:

Only users with proper Entra ID roles (like Global Admin or custom roles with delegated device permissions) will see the password.
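The same retrieval from PowerShell, as an added example that is not part of the original post. It uses the built-in LAPS module together with the Microsoft.Graph.Authentication module, requests only the DeviceLocalCredential.Read.All scope, and records who read the password and why. It assumes the caller already holds an Entra role that grants password reads (Cloud Device Administrator is one such role); the device name, the ticket reference and the local log file path are placeholders you supply.

```powershell
# Added example: read a device's LAPS password from Entra ID with least-privilege Graph scopes and a local access record.
# Assumes Microsoft.Graph.Authentication is installed and the built-in LAPS module is present.
param(
    [Parameter(Mandatory)] [string]$DeviceName,        # Entra device display name (Get-LapsAADPassword also accepts the device ID)
    [Parameter(Mandatory)] [string]$TicketReference    # why the password is being read; written to the access record below
)

Import-Module Microsoft.Graph.Authentication
Import-Module LAPS

# DeviceLocalCredential.Read.All is the only scope needed to read passwords. The signed-in user also needs an
# Entra role that permits it (for example Cloud Device Administrator); otherwise the call fails with an authorization error.
Connect-MgGraph -Scopes 'DeviceLocalCredential.Read.All' -NoWelcome

# -IncludePasswords returns the current password; -AsPlainText returns it as a string instead of a SecureString
$result = Get-LapsAADPassword -DeviceIds $DeviceName -IncludePasswords -AsPlainText

if (-not $result) {
    throw "No LAPS password is stored in Entra ID for '$DeviceName'. Confirm the device is enrolled and the LAPS profile has applied."
}

# Show metadata first so expiry and last rotation are visible before the secret itself
$result | Select-Object DeviceName, Account, PasswordUpdateTime, PasswordExpirationTime | Format-List

# Print the password on its own line so it is not mixed into logged tables
$result.Password

# Record who read the password, for which device and why. This local file is an example only;
# the Entra ID audit log remains the authoritative record of password reads.
$who = (Get-MgContext).Account
"$(Get-Date -Format o)`t$who`t$DeviceName`t$TicketReference" |
    Add-Content -Path "$env:USERPROFILE\laps-access-log.tsv"   # PLACEHOLDER path; point this at your helpdesk record store

# Treat the password as single-use: if the profile's post-authentication action is set, LAPS rotates it after the logon;
# otherwise use the "Rotate local admin password" device action in the Intune admin center once the work is done.
```

Because the password is returned in plain text, run this from an admin workstation rather than a shared session, and clear the console afterwards.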

Option 3: Remove Admin Rights from Users

By default, Autopilot-enrolled Entra-joined devices make the first user a local admin. You can prevent that by:

  • Go to Devices > Enroll devices > Deployment profiles
  • Edit your Autopilot profile
  • Set User account type to Standard user

Now users will be enrolled without elevated privileges.
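Whether the Account Protection profile from Option 1 and the Standard user setting above actually took effect is something to verify on the device rather than assume. The following script is an added example (not from the original post) that lists the local Administrators group and flags any member outside an allow-list; it serves both options. The allow-list is constructed, the Entra group SID in it is a placeholder, and the script is meant to run elevated on the device or as an Intune platform script.

```powershell
# Added example: audit local Administrators membership after applying the Account Protection profile
# and the Autopilot "Standard user" setting. Allow-list values are constructed; replace them with your own.

# Expected members. Entra users and groups appear as SIDs beginning with S-1-12-1; the SID below is a
# PLACEHOLDER for the IT admin group assigned in the Account Protection profile.
$allowedNames = @('Administrator')        # built-in account, managed by LAPS in this scenario
$allowedSids  = @('S-1-12-1-0-0-0-0')     # PLACEHOLDER SID of the IT admins Entra group

# Enumerate through ADSI rather than Get-LocalGroupMember: the latter can fail on Entra-joined devices
# when a member SID cannot be resolved, which is exactly the case for Entra groups and orphaned accounts.
$group   = [ADSI]'WinNT://./Administrators,group'
$members = foreach ($m in @($group.Invoke('Members'))) {
    $name  = $m.GetType().InvokeMember('Name',  'GetProperty', $null, $m, $null)
    $class = $m.GetType().InvokeMember('Class', 'GetProperty', $null, $m, $null)
    try {
        $bytes = $m.GetType().InvokeMember('objectSid', 'GetProperty', $null, $m, $null)
        $sid   = (New-Object System.Security.Principal.SecurityIdentifier($bytes, 0)).Value
    } catch {
        $sid = $name     # unresolved entries already expose the SID as their name
    }
    [pscustomobject]@{ Name = $name; Class = $class; Sid = $sid }
}

$members | Format-Table Name, Class, Sid -AutoSize

# Anything outside the allow-list is a finding: an end user still holding admin, a leftover support account, etc.
$unexpected = $members | Where-Object {
    $_.Name -notin $allowedNames -and $_.Sid -notin $allowedSids
}

if ($unexpected) {
    Write-Warning "Unexpected local administrators on $($env:COMPUTERNAME):"
    $unexpected | ForEach-Object { Write-Warning "  $($_.Name) ($($_.Sid))" }
    exit 1    # a non-zero exit code surfaces as a script failure in Intune, which makes the device easy to spot
}
Write-Output "Local Administrators membership on $($env:COMPUTERNAME) matches the allow-list."
```

A device enrolled before the profile change will still show the enrolling user as an administrator; that is the case this check is designed to catch, since changing the Autopilot profile only affects devices enrolled afterwards.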


Best Practices for Local Admin Management

  • Use LAPS for every endpoint
  • Rotate passwords at least every 30 days
  • Remove users from local admin unless absolutely necessary
  • Log who accesses passwords and why
  • Avoid static passwords or hardcoded accounts in scripts

Between LAPS, Account Protection profiles, and Autopilot controls, Microsoft Intune gives you the tools to lock down local admin access while still empowering IT.

Done right, you reduce risk, avoid credential reuse, and ensure every admin action is controlled and auditable.
