Test-MtIntuneLAPSConfiguration
SYNOPSIS
Ensure at least one Intune LAPS policy is configured to back up local admin passwords to Entra ID.
SYNTAX
Test-MtIntuneLAPSConfiguration [-ProgressAction <ActionPreference>] [<CommonParameters>]
DESCRIPTION
Checks Intune Endpoint Security Account Protection policies (configurationPolicies API) for Windows LAPS profiles that back up local administrator passwords to Microsoft Entra ID (Azure AD).
Windows LAPS (Local Administrator Password Solution) automatically rotates and backs up local admin passwords, preventing lateral movement attacks that exploit shared or stale local admin credentials.
Pass criteria (all required on at least one LAPS policy):
- BackupDirectory = 1 (Entra ID) to store passwords in the cloud.
- PasswordComplexity >= 4 (large + small letters + numbers + special characters; values 4 or 8 are accepted).
- PasswordLength >= 14 characters.
- PostAuthenticationActions configured to a non-zero value (reset password, optionally logoff/reboot/terminate).
AutomaticAccountManagementEnabled is reported for completeness but does not affect pass/fail.
The test passes if at least one LAPS policy meets all four criteria above.
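The pass criteria above, applied to policy objects, as an added example that is not Maester's own code. The function name Test-LapsBaseline and the flattened one-property-per-setting input shape are assumptions made for illustration; the policies are constructed sample data.

```powershell
# Added example: hypothetical helper, not part of Maester.
function Test-LapsBaseline {
    [CmdletBinding()]
    [OutputType([bool])]
    param(
        # Flattened policy objects (assumed shape: one property per LAPS setting).
        [Parameter(Mandatory)]
        [object[]] $Policy
    )

    $results = foreach ($p in $Policy) {
        # The [int] casts turn an unconfigured ($null) setting into 0, so it fails
        # the check instead of slipping through a bare "$null -ne 0" comparison.
        $checks = [ordered]@{
            BackupDirectory           = [int]$p.BackupDirectory -eq 1      # 1 = Entra ID
            PasswordComplexity        = [int]$p.PasswordComplexity -ge 4   # page lists 4 or 8 as accepted
            PasswordLength            = [int]$p.PasswordLength -ge 14
            PostAuthenticationActions = [int]$p.PostAuthenticationActions -ne 0
        }
        $failed = @($checks.Keys | Where-Object { -not $checks[$_] })
        [pscustomobject]@{
            Name      = $p.Name
            Compliant = $failed.Count -eq 0
            Failed    = $failed -join ', '
            # Reported for completeness only; does not affect the result.
            AutomaticAccountManagementEnabled = $p.AutomaticAccountManagementEnabled
        }
    }

    # Per-policy detail goes to the verbose stream; the return value is the verdict.
    $results | Format-Table -AutoSize | Out-String | Write-Verbose
    # Pass if at least one policy meets all four criteria.
    return [bool](@($results | Where-Object Compliant).Count -gt 0)
}

# Constructed sample policies (not real tenant data).
$sample = @(
    [pscustomobject]@{ Name = 'LAPS-AD';     BackupDirectory = 2; PasswordComplexity = 4; PasswordLength = 14; PostAuthenticationActions = 3 }
    [pscustomobject]@{ Name = 'LAPS-NoPost'; BackupDirectory = 1; PasswordComplexity = 4; PasswordLength = 16 }
    [pscustomobject]@{ Name = 'LAPS-Entra';  BackupDirectory = 1; PasswordComplexity = 4; PasswordLength = 14; PostAuthenticationActions = 3; AutomaticAccountManagementEnabled = $false }
)
Test-LapsBaseline -Policy $sample -Verbose
```

Only the third sample policy satisfies all four criteria, which is enough for the overall result to be true; the second fails solely because PostAuthenticationActions was never set.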
EXAMPLES
EXAMPLE 1
Test-MtIntuneLAPSConfiguration
Returns true if at least one LAPS policy meets the secure baseline (Entra ID backup, complexity >= 4, length >= 14, post-auth action configured).
PARAMETERS
-ProgressAction
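Determines how PowerShell responds to progress updates generated by a script, cmdlet, or provider, such as the progress bars generated by the Write-Progress cmdlet.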
Type: ActionPreference
Parameter Sets: (All)
Aliases: proga
Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
CommonParameters
This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see about_CommonParameters.
INPUTS
OUTPUTS
System.Boolean
NOTES
RELATED LINKS
https://maester.dev/docs/commands/Test-MtIntuneLAPSConfiguration