Mike Shellenberger's blog

Navigating the Digital Frontier: End-User Tech Insights

(Multi-part) How to Guide: Migrate from Microsoft LAPS (legacy) to Windows LAPS in a Hybrid Environment – Cloud-Managed Client Deployment (Part 4)

Windows LAPS policy for Microsoft Intune managed clients

If we look at the previous visual representation of my test devices, we are focused only on the devices outlined in red here:

The last step in our hybrid enterprise migration to Windows LAPS is to apply a Windows LAPS policy to the endpoints that are managed solely by Microsoft Intune. We will start by creating an endpoint security/account protection profile in Intune.

Creating Windows LAPS Policies in Intune

  1. From the Microsoft Intune admin console, navigate to Endpoint Security > Account Protection. Then click Create Policy.
  2. Select the Windows 10 and later platform, and the Local admin password solution (Windows LAPS) profile. Click Create.
  3. Assign a profile Name and Description as desired. Click Next.
  4. From the configuration settings page, drop-down the backup directory option Backup the password to Azure AD only. The rest of the options can be set to not defined, in my case, as the defaults meet my environments requirements. If you have requirements beyond the defaults, be sure to specify those here.

5. Leave the scope tags and assignments blank for now. Click Next through each.

7. Review your new policy configuration, then click Create.

Assigning Windows LAPS Policies in Intune

My preferred method for targeting assignment of the Windows LAPS policy to Intune managed clients is to use an existing security group in Azure AD that already contains all Windows devices from my tenant, then use filters to only apply the policy to organization owned, Azure AD joined/Hybrid Joined devices. Using filters helps cut down on the number of security groups you would otherwise need in Azure AD for granular targeting of objects.

To create a dynamic Azure AD Security group that contains all Windows devices as members:

  • Create a new group in Azure AD:
    • Group Type: Security
    • Group Name: All Windows Devices
    • Membership Type: Dynamic Device
    • Dynamic membership rule syntax: (device.deviceOSType -eq “Windows”)

To create a filter in Microsoft Intune for Azure AD Joined Windows devices:

  • In the Microsoft Intune Admin console, click on Tenant Administration, then Filters.
  • Create a new filter for Managed devices.
  • Give the filter a name like Azure AD Joined/Hybrid Joined Windows Devices and ensure the Platform is set to Windows 10 and later.
  • Use the rule builder or provide the following rule syntax to filter: (device.deviceTrustType -eq “Azure AD joined”) or (device.deviceTrustType -eq “Hybrid Azure AD joined”). Click Next, then Create.

Now that the appropriate groups and filters exist, navigate to the Windows LAPS policy that was previously created and assign to the Azure AD joined/Hybrid-joined devices:

  • From the Microsoft Intune Admin Center, navigate to Endpoint Security, then Account Protection.
  • Select the Windows LAPS policy previously created, then click Edit Assignments.
  • Under Included Groups, select Add Groups, then choose the All Windows Devices security group.
  • Click the Edit Filter link on group assignment.
  • Select the Include filtered devices in assignment then select the Azure AD Joined/Hybrid Windows Devices filter created previously.
  • Click Review + Save to finalize the assignment of the Windows LAPS policy to the Azure AD joined/Hybrid-Joined Windows endpoints.

Use one of the previously addressed methods for monitoring the deployment of Windows LAPS to the Intune managed endpoints.

That brings us to the end of our Windows LAPS migration journey! I hope this series has been helpful. Please leave post feedback with any questions, concerns or comments!

Are you finding the content on my site particularly helpful? Please consider donating to help me offset the costs of maintaining this site. Your support is greatly appreciated!

Buy Me A Coffee

Published by

Mike Shellenberger
With over 20 years of experience in implementing and supporting technical solutions, I am passionate about leveraging Microsoft technologies and devices to make a tangible impact on end users. My expertise spans a wide range of Microsoft products, including Windows clients, Intune, Microsoft 365, Windows 365, and Configuration Manager. I have a proven track record in designing, deploying, and managing complex IT infrastructures, ensuring seamless integration and optimal performance. I am dedicated to the digital workspace technology community, where I actively contribute and continuously learn to stay at the forefront of industry advancements. My technical skills also encompass identity/authentication technologies, endpoint security, and cloud computing, enabling me to deliver comprehensive solutions that enhance user productivity and satisfaction. Outside of my professional life, I am an avid homebrewer, amateur radio enthusiast, beekeeper and runner. I enjoy balancing my technical pursuits with these hobbies, which keep me grounded and inspired. I reside in the Lancaster, PA area with my wife and two kids, where we cherish our community and the opportunities it provides.

Leave a comment