MT.1177 - Ensure LAPS Configuration Policy is properly set
Overview
Ensure at least one Intune LAPS policy is configured to back up local admin passwords to Microsoft Entra ID.
Windows LAPS (Local Administrator Password Solution) automatically rotates and backs up local administrator passwords on managed devices. Without LAPS, local admin accounts often share the same password across all devices — if one device is compromised, an attacker can move laterally to every other device using the same credentials.
Key settings this test evaluates:
- Backup Directory: Must be set to Azure AD only (Entra ID) to store passwords in the cloud where they can be retrieved by authorized admins.
- Password Complexity: Must be
Large + small + numbers + special(_4) or improved (_8). - Password Length: Must be >= 14 characters.
- Post-Authentication Actions: Must be set to a defined action (
_1reset password /_3reset password + logoff /_5reset password + reboot /_11reset password + logoff + terminate processes) so the password rotates after use. - Automatic Account Management: Whether LAPS auto-manages the local admin account lifecycle (informational).
The test passes if at least one LAPS policy meets all of the criteria above (Entra backup AND complexity is _4 or _8 AND length >= 14 AND a defined post-auth action). The Intune Settings Catalog only exposes _1.._4 plus the newer _8 ("improved 4-class") choice for PasswordComplexity, so _4 and _8 are the only values that satisfy the 4-character-class requirement. A policy that only sets Backup Directory is no longer sufficient.
Remediation action:
- Navigate to Microsoft Intune admin center.
- Go to Endpoint security > Account protection.
- Click + Create policy.
- Set Platform to Windows 10 and later and Profile to Local admin password solution (Windows LAPS).
- Enter a policy name (e.g., "LAPS - Entra ID Backup").
- Configure the following settings:
- Backup Directory: Azure AD only
- Password Complexity: Large letters + small letters + numbers + special characters
- Password Length: 21 (or at least 14)
- Post-Authentication Actions: Reset password and logoff
- Post-Authentication Reset Delay: 1 hour
- Administrator Account Name: Leave default or specify custom account
- Assign the policy to your device groups and click Create.
Related links
- Microsoft Intune - Endpoint Security Account Protection
- Microsoft Learn - Windows LAPS with Microsoft Intune
- Microsoft Learn - Windows LAPS CSP reference
- CIS Benchmark - Ensure LAPS is configured for local admin accounts
Test Metadata
| Field | Value |
|---|---|
| Test ID | MT.1177 |
| Severity | High |
| Suite | Maester |
| Category | Intune |
| PowerShell test | Test-MtIntuneLAPSConfiguration |
| Tags | Intune, Maester, MT.1177 |
Source
- Pester test:
tests/Maester/Intune/Test-MtIntunePlatform.Tests.ps1 - PowerShell source:
powershell/public/maester/intune/Test-MtIntuneLAPSConfiguration.ps1