✅ Summary
This Intune configuration profile applies Windows LAPS (Local Administrator Password Solution) settings across all devices. It enforces:
Azure AD backup
15‑day password rotation
Complex, enhanced‑readability password mode
Minimum 14‑character password length
All these settings directly support Essential Eight – Restrict Administrative Privileges, especially the requirement to prevent password reuse, ensure unique local admin passwords, and securely store and rotate them.
🔍 Breakdown of Each Setting
1. Password Backup Directory
Setting:
device_vendor_msft_laps_policies_backupdirectory = AAD
This is represented as:
value: device_vendor_msft_laps_policies_backupdirectory_1
➡ This means passwords are backed up to Azure AD rather than kept only on the device.
✔ Correct for cloud‑native LAPS deployments
✔ Enables secure key‑backed password retrieval
✔ Integrates with Entra role‑based access controls and auditing
Password Age
Under the backup directory, you have:
device_vendor_msft_laps_policies_passwordagedays_aad = 15
➡ Passwords rotate every 15 days.
✔ Perfect alignment with ACSC Essential Eight
✔ Meets and exceeds typical LAPS recommendations (30–60 days)
✔ Reduces lateral movement risk from stale local admin credentials
2. Password Complexity
Setting:
device_vendor_msft_laps_policies_passwordcomplexity = 5
This corresponds to:
➡ "Large letters + small letters + numbers + special characters (improved readability)"
This is LAPS’s strongest complexity mode and avoids ambiguous characters such as O vs 0 and I vs l.
✔ High entropy
✔ Human-readable for break-glass scenarios
✔ Removes ambiguity that can cause operational issues
3. Password Length
Setting:
device_vendor_msft_laps_policies_passwordlength = 14
➡ Enforces a minimum 14‑character local admin password.
✔ Meets ACSC E8 Maturity Level 3 password guidance
✔ Ensures strong entropy across the entire fleet
✔ Works well with the enhanced complexity mode
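To check an exported copy of this profile for drift from the four values above, the following added example (not part of the original profile or any Microsoft tooling) walks the settings tree, including the age setting nested under the backup directory. The JSON shape (`settings`, `settingInstance`, `choiceSettingValue`, `simpleSettingValue`), the helper names and the sample policy are assumptions constructed for illustration.

```python
P = "device_vendor_msft_laps_policies_"
EXPECTED = {  # values taken from the profile described on this page
    P + "backupdirectory": "1",        # option _1 = Azure AD backup
    P + "passwordagedays_aad": "15",
    P + "passwordcomplexity": "5",
    P + "passwordlength": "14",
}

def flatten(instance, out):
    """Collect settingDefinitionId -> value, descending into child settings."""
    sid = instance["settingDefinitionId"]
    choice = instance.get("choiceSettingValue")
    simple = instance.get("simpleSettingValue")
    if choice is not None:
        # Choice values look like "<definition id>_<option>"; keep the option only.
        value = str(choice["value"])
        out[sid] = value[len(sid) + 1:] if value.startswith(sid + "_") else value
        for child in choice.get("children") or []:
            flatten(child, out)
    elif simple is not None:
        out[sid] = str(simple["value"])
    return out

def audit(policy):
    """Return (setting, expected, actual) for every setting that deviates."""
    actual = {}
    for entry in policy.get("settings", []):
        flatten(entry["settingInstance"], actual)
    return [(k, want, actual.get(k)) for k, want in EXPECTED.items()
            if actual.get(k) != want]

def _choice(sid, option, children=()):
    return {"settingDefinitionId": sid, "choiceSettingValue": {
        "value": f"{sid}_{option}", "children": list(children)}}

def _simple(sid, value):
    return {"settingDefinitionId": sid, "simpleSettingValue": {"value": value}}

def sample_policy(backup=1, age=15, complexity=5, length=14):
    """Constructed export (assumed shape, not a tenant dump); age nests under backup."""
    kids = [_simple(P + "passwordagedays_aad", age)] if backup == 1 else []
    items = [_choice(P + "backupdirectory", backup, kids),
             _simple(P + "passwordcomplexity", complexity),
             _simple(P + "passwordlength", length)]
    return {"settings": [{"settingInstance": i} for i in items]}

if __name__ == "__main__":
    for name, want, got in audit(sample_policy(length=8)):
        print(f"DRIFT {name}: expected {want}, found {got}")
```

A missing setting is reported with an actual value of `None`, so a profile whose backup directory was switched away from Azure AD shows both the changed directory and the absent age setting.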
🎯 Assignment
The policy is applied to:
All devices
This is correct and expected — every endpoint should receive LAPS to remove all duplicated local administrator passwords across your fleet.
Role Scope Tag: 3
✔ Standard segmentation for administrative RBAC
🧩 Essential Eight Alignment
Essential Eight Requirement | Alignment | Notes |
Enforce unique local admin passwords | ✔ Fully met | Azure AD LAPS stores per‑device values |
Rotate credentials regularly | ✔ 15‑day rotation | Stronger than baseline recommendations |
Restrict lateral movement via admin passwords | ✔ Yes | Passwords never reused between devices |
Protect admin credentials in secure directory | ✔ Azure AD storage | Secure, audited, role‑controlled |
Implement privileged access protections (M2/M3) | ✔ Achieved | This is one of the strongest controls |
This policy directly supports the E8 requirement to eliminate shared local admin passwords and implement secure credential storage and rotation.


