LAPS password not found

Question

LAPS password not found

Ayanda John Ramncwana 25

Hi team I work with Intune/Entra ID for the first time, now am faces with an issue where some of the hybrid devices have lost their LAPS password on Entra, we can no longer find a backup, what do I need to do for these devices to have the laps again without rebuilding the machines

Ayanda John Ramncwana 25 Reputation points

2026-05-09T12:11:37.1866667+00:00

The devices are still hybrid joined and the laps policy from Intune is enabled but these specific devices are do not have it, how do i manually initiate the password rotation for these devices
Ayanda John Ramncwana 25 Reputation points

2026-05-09T12:13:46.75+00:00

How do i verify the laps gpo that is set for the hybrid devices
Shubham Sharma 16,550 Reputation points Microsoft External Staff Moderator

2026-05-11T09:16:27.1433333+00:00
Hey Ayanda—sounds like those hybrid-joined machines dropped off the Windows LAPS backup in Entra and you want to get them back without rebuilding. Here’s what you can try:

Verify the LAPS policy is actually landing on the device

Since these are hybrid-joined, you’re using a Group Policy for LAPS. On the problematic machine, run: • gpupdate /force • gpresult /h %userprofile%\gpresult.html (or launch rsop.msc)

Open that report and look under Computer Configuration → Administrative Templates → Windows Components → LAPS. You should see your “Enable local admin password management” setting plus the encryption principal and password parameters you configured.

Check the Windows LAPS operational log

On the client, open Event Viewer → Applications and Services Logs → Microsoft → Windows → LAPS → Operational.

A successful rotation cycle starts with Event ID 10003 and ends with 10004. If you see errors (10005, 10017, 10025, etc.), those will point at schema issues, connectivity to AD/Azure, or permission problems.

Manually trigger a rotation/sync

In the Intune admin center (Microsoft Endpoint Manager) go to Devices → All devices → select the device → click “Sync.” That forces the MDM CSP (including the LAPS CSP) down again.

If you’re also using the Intune action “Retrieve local admin password” (under Device actions), kicking that off will pull the current password from the client and—if none exists—trigger the next rotation.

On a pure GPO-managed machine you can only rely on “gpupdate /force” + waiting for the hourly LAPS cycle, but the event log will tell you exactly when it ran.

Verify rotation in Entra ID

After you see 10003/10004 in the client event log, head to the Azure AD portal → Devices → All devices → pick your device → under “Local admin password,” you should see a timestamp for last rotation.

Or use the Windows LAPS PowerShell module/Microsoft Graph: Connect-MgGraph –TenantId <your-tenant> –ClientId <your-app> Get-LapsAADPassword –DeviceIds <deviceName> –Verbose

Hope that gets those machines back into LAPS without a rebuild!

—Reference docs—

Troubleshoot Windows LAPS events and common errors https://learn.microsoft.com/troubleshoot/windows-server/windows-security/windows-laps-troubleshooting-guidance

Windows LAPS CSP settings (used by Intune) https://learn.microsoft.com/windows/client-management/mdm/laps-csp

Hybrid-join support and GPO for Windows LAPS https://learn.microsoft.com/entra/identity/devices/howto-manage-local-admin-passwords#windows-laps-group-policy

Get-LapsAADPassword (PowerShell)/Graph integration https://learn.microsoft.com/windows-server/identity/laps/laps-scenarios-azure-active-directory#retrieve-a-password-from-microsoft-entra-id

1 answer

Your answer

Ayanda John Ramncwana 25 Reputation points

2026-05-09T12:11:37.1866667+00:00

The devices are still hybrid joined and the laps policy from Intune is enabled but these specific devices are do not have it, how do i manually initiate the password rotation for these devices
Ayanda John Ramncwana 25 Reputation points

2026-05-09T12:13:46.75+00:00

How do i verify the laps gpo that is set for the hybrid devices

Answer 1

When the LAPS password backup is missing from Microsoft Entra ID, the existing password value cannot be recovered. For any device whose LAPS credential is no longer present in Entra, the path forward is to ensure LAPS is correctly enabled and then allow or force LAPS to generate and back up a new password.

Key points from the platform behavior:

If the device object was deleted in Entra
- When a device is deleted in Microsoft Entra, the LAPS credential tied to that device is permanently lost and there is no method in Entra ID to recover that password unless it was exported and stored externally beforehand.
- To use LAPS again on that machine, it must appear as a new device object (for example, by rejoining/hybrid-joining it) and then receive a valid LAPS policy so a new password can be generated and backed up.
If the device still exists but the password is not visible
- Verify that Windows LAPS is enabled in Entra ID and that the devices are configured to back up to Entra:
  - In the Microsoft Entra admin center, under Identity > Devices > Device settings, ensure Enable Local Administrator Password Solution (LAPS) is set to Yes.
  - On the client side, confirm that the LAPS policy BackUpDirectory is set to Microsoft Entra ID (for hybrid-joined devices, backup can be to either Entra ID or AD, but not both).
- If Intune is used, confirm that an Intune LAPS policy is assigned to those hybrid devices and that it is configured to back up the password to the intended directory (Entra or AD). Intune’s CSP-based LAPS policy overrides other LAPS sources.
- Once policy is correctly applied and the device is in an enabled state in Entra, LAPS will rotate and back up the local admin password according to the configured schedule. A manual rotation can also be triggered from the Intune admin center if the device is reachable and compliant with policy.
No rebuild required if local access is still possible
- If there is still a way to sign in locally (for example, with a domain account that has local admin rights or with the current local admin password that is just not backed up), then:
  - Ensure the device is properly hybrid-joined and visible as enabled in Entra.
  - Ensure LAPS is enabled in Entra and that a correct Intune/GPO LAPS policy is applied.
  - After policy application, allow LAPS to rotate and back up the password or trigger a manual rotation from Intune. This will create a new LAPS password entry in Entra for that device.
When local admin access is completely lost
- If there is no working local or domain admin credential to sign in to the device and the LAPS password backup is gone, there is no supported way in Entra/LAPS to recover the old password. At that point, regaining control typically requires OS-level recovery or rebuild of the machine.

In summary: missing LAPS passwords in Entra cannot be recovered. To “have LAPS again” on those hybrid devices without rebuilding, ensure the devices are enabled and reachable, LAPS is enabled in Entra, and a valid Intune or GPO LAPS policy is applied so that LAPS can rotate and back up a new password for each device.

References:

Share via

LAPS password not found

1 answer

Your answer