Windows LAPS Configuration: Local Administrator Password Reuse Risk

Why this risk matters

Local Administrator Password Solution (LAPS) automatically manages and rotates the local administrator account password on Windows devices, storing the password securely in Entra ID or Active Directory. Without LAPS, local administrator passwords on managed devices are typically set once during deployment and never changed — often to the same value across every device in the fleet.

This creates a critical lateral movement risk. If an attacker compromises one device and recovers the local admin password (through credential dumping, configuration file inspection, or helpdesk records), they can use that same password to authenticate as a local admin on every other device in the organisation. This is a standard technique in ransomware deployment, where attackers compromise one device, extract the shared local admin credential, and then propagate across the entire estate before triggering the encryption payload.

LAPS eliminates this by ensuring every device has a unique, automatically rotated local admin password. Compromising one device's local admin credential gives no advantage on any other device.

What happens if this is abused

  • Attacker compromises one device, extracts the local admin password, and uses it to authenticate to every other device in the estate via the network
  • Pass-the-hash attacks using the local admin NTLM hash allow lateral movement without even knowing the plaintext password
  • Ransomware operators use shared local admin credentials to propagate encryption payloads across the entire organisation in a matter of hours
  • Helpdesk scripts or deployment tools that embed the local admin password in plaintext are a common source of credential exposure
  • Stale local admin passwords that haven't been changed in years are prime targets for discovery via old backups, configuration files, or former employees

When this is expected or acceptable

LAPS is appropriate for virtually all managed Windows devices. Some considerations:

  • Shared workstations where IT staff need to know the local admin password for remote support may need a workflow to retrieve the current password from Entra ID before each use — this is supported natively in Windows LAPS
  • Azure AD joined devices managed through Intune support Windows LAPS natively; hybrid joined or on-premises domain joined devices may require the legacy LAPS agent or Windows LAPS with Active Directory
  • Accounts used for Autopilot or build processes may need to be handled separately during the LAPS rollout

Checks to perform before taking action

  • In Intune, check whether a LAPS policy is deployed (Endpoint security > Account protection > Windows LAPS)
  • Confirm that Entra ID is enabled as the backup directory for LAPS passwords (Entra ID > Devices > Device settings > Enable Windows LAPS)
  • Check the local admin account name configured on devices — LAPS needs to target the correct account
  • Identify who currently has access to retrieve LAPS passwords in Entra ID and confirm this is restricted to appropriate IT staff
  • Assess whether any helpdesk scripts or documentation contain hardcoded local admin credentials that should be replaced with LAPS-retrieved passwords
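The following PowerShell is an added example, not part of the original page: it performs two of the checks above in script form, reading the effective LAPS policy on a device and confirming that a backed-up password record exists in Entra ID without retrieving the password itself. It assumes the policy registry path shown is where Intune and Group Policy write Windows LAPS settings, that the LAPS and Microsoft.Graph modules are installed, that the caller holds DeviceLocalCredential.ReadBasic.All, and that PasswordUpdateTime and PasswordExpirationTime are the property names on the Get-LapsAADPassword output (adjust if your module version differs).

```powershell
# Added example (not from the original page): check the effective Windows LAPS policy
# on a device and confirm an Entra ID backup record exists for it.

function Get-LapsEffectivePolicy {
    # Assumption: Intune CSP and Group Policy both write LAPS settings to this key;
    # a missing key means no LAPS policy has reached this device.
    $policyPath = 'HKLM:\Software\Microsoft\Policies\LAPS'
    if (-not (Test-Path $policyPath)) {
        return [pscustomobject]@{ Applied = $false; Findings = @('No LAPS policy present on this device') }
    }
    $p = Get-ItemProperty -Path $policyPath
    # BackupDirectory: 0 = disabled, 1 = Entra ID, 2 = Active Directory
    $backup = switch ($p.BackupDirectory) { 1 { 'Entra ID' } 2 { 'Active Directory' } default { 'Disabled' } }
    $findings = @()
    if ($backup -eq 'Disabled') {
        $findings += 'BackupDirectory is disabled: passwords are rotated but never backed up'
    }
    if ($p.PasswordAgeDays -gt 30) {
        $findings += "PasswordAgeDays is $($p.PasswordAgeDays); recommended range is 7-30"
    }
    if (-not $p.AdministratorAccountName) {
        # With no account name set, LAPS manages the built-in Administrator (RID 500) even if renamed
        $findings += 'AdministratorAccountName not set: built-in Administrator account will be managed'
    }
    [pscustomobject]@{
        Applied         = $true
        BackupDirectory = $backup
        PasswordAgeDays = $p.PasswordAgeDays
        TargetAccount   = $p.AdministratorAccountName
        Findings        = $findings
    }
}

function Test-LapsEntraBackup {
    # Entra device ID (GUID) or device name, as accepted by Get-LapsAADPassword
    param([Parameter(Mandatory)][string]$DeviceId)
    Import-Module LAPS
    # ReadBasic scope plus no -IncludePasswords: only metadata is returned, the password stays in Entra ID
    Connect-MgGraph -Scopes 'DeviceLocalCredential.ReadBasic.All' -NoWelcome | Out-Null
    $record = Get-LapsAADPassword -DeviceIds $DeviceId -ErrorAction SilentlyContinue
    if (-not $record) {
        return "No LAPS password record in Entra ID for $DeviceId"
    }
    # Property names assumed; they describe when the stored password was last rotated and when it expires
    "Last rotation: $($record.PasswordUpdateTime); expires: $($record.PasswordExpirationTime)"
}

# Usage: run Get-LapsEffectivePolicy on the device, Test-LapsEntraBackup from an admin workstation
Get-LapsEffectivePolicy
```

Run the first function on a sample device from each target group (Entra joined, hybrid joined) before the rollout, since the findings list tells you whether the policy has landed and whether it points at the account you intend to manage.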

Safe remediation steps

  1. Enable Windows LAPS in Entra ID: Entra ID > Devices > Device settings > Enable Windows LAPS (toggle to Yes)
  2. Create a LAPS policy in Intune (Endpoint security > Account protection > Create policy > Windows > Local admin password solution)
  3. Configure: password age (recommended: 7–30 days), password complexity, and backup directory (Entra ID for cloud-managed devices)
  4. Assign to your managed Windows device group
  5. Monitor policy deployment status in Intune and confirm passwords are appearing in Entra ID device records for enrolled devices
  6. Train IT staff on how to retrieve LAPS passwords from Entra ID or the Intune portal for remote support sessions
  7. Update any helpdesk runbooks or deployment scripts that reference the old shared local admin credential
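As an added example of steps 5 and 6 above (not code from the original page), the PowerShell below reports which Windows devices in the tenant do not yet have a fresh LAPS password backed up to Entra ID, and shows the retrieval call an IT staff member would use for a support session. It assumes the Microsoft.Graph and LAPS modules are installed, that the caller holds Device.Read.All and DeviceLocalCredential.ReadBasic.All (and DeviceLocalCredential.Read.All for the retrieval function), and that PasswordUpdateTime is the timestamp property on the Get-LapsAADPassword output.

```powershell
# Added example (not from the original page): LAPS rollout coverage report and
# the password-retrieval workflow for remote support.

function Get-LapsCoverageReport {
    # Rotation older than this is flagged as Stale; the page recommends a 7-30 day age
    param([int]$StaleDays = 30)
    Import-Module LAPS
    Connect-MgGraph -Scopes 'Device.Read.All', 'DeviceLocalCredential.ReadBasic.All' -NoWelcome | Out-Null
    $devices   = Get-MgDevice -Filter "operatingSystem eq 'Windows'" -All
    $threshold = (Get-Date).AddDays(-$StaleDays)
    foreach ($d in $devices) {
        # Metadata only (no -IncludePasswords); DeviceId is the Entra device ID, not the object ID
        $rec = Get-LapsAADPassword -DeviceIds $d.DeviceId -ErrorAction SilentlyContinue
        $status = if (-not $rec) { 'Missing' }
                  elseif ($rec.PasswordUpdateTime -lt $threshold) { 'Stale' }
                  else { 'OK' }
        [pscustomobject]@{
            DeviceName   = $d.DisplayName
            DeviceId     = $d.DeviceId
            Status       = $status
            LastRotation = $rec.PasswordUpdateTime   # $null when Status is Missing
        }
    }
}

function Get-LapsSupportPassword {
    # Retrieval for a support session; each call is an audited read of the device credential in Entra ID
    param([Parameter(Mandatory)][string]$DeviceName)
    Import-Module LAPS
    Connect-MgGraph -Scopes 'DeviceLocalCredential.Read.All' -NoWelcome | Out-Null
    # Password is returned as a SecureString unless -AsPlainText is added; keep it secure for PSCredential use
    $rec = Get-LapsAADPassword -DeviceIds $DeviceName -IncludePasswords
    if (-not $rec) { throw "No LAPS record for $DeviceName; confirm the device is enrolled and targeted by the policy" }
    [pscredential]::new(".\$($rec.Account)", $rec.Password)
}

# Devices still Missing after the policy has been assigned are the rollout gaps to chase:
# not enrolled, not in the targeted group, or the configured account name does not exist locally.
Get-LapsCoverageReport | Where-Object Status -ne 'OK' | Format-Table -AutoSize
```

Running the coverage report on a schedule after step 4 gives the evidence step 5 asks for, and the Missing list maps directly onto the Devices Overview follow-on check.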

Related risks and follow-on checks

After enforcing this control, review these related areas:

  • Windows Local Admin Control — LAPS manages the password of the local admin account; the companion control restricts which accounts have local admin rights in the first place
  • Devices Overview — review device management coverage alongside LAPS deployment to confirm all endpoints are enrolled and receiving policies
  • Windows Defender Protection — LAPS reduces lateral movement risk; Defender controls reduce the risk of the initial endpoint compromise that enables credential harvesting
  • Open Defender Incidents — if LAPS is being deployed in response to an active incident, prioritise devices involved in the incident first