The local administrator password still appears to expire even though the new Windows LAPS has been enabled

Woody Chiu at RASI 216 Reputation points
2023-09-20T17:13:15.89+00:00

We enabled Windows LAPS on our Azure tenant for around 142 Windows 11 Business Azure AD-joined machines. They appeared to be working fine initially, but we encountered some issues in the last few days. Let me explain.

Here is what we did. First of all, we used an Intune PowerShell script to create an extra local admin account with a specific name on all the machines (Note: this task is a requirement specified in the explanation of one of the Windows LAPS configuration settings; it is not something I came up with!). Regardless, the account was created without any password policy options set (all checkboxes were left unchecked).

[Screenshot: local account creation options, all checkboxes unchecked]

Secondly, we created a Windows LAPS policy in Intune.

[Screenshot: Windows LAPS policy in Intune]

with the respective configurations.

[Screenshot: Windows LAPS policy configuration settings]

Today, we encountered a message on one of the Windows sign-in screens saying "The password has expired. Please change the password...." or something like that.

So, does the password expiry completely rely on new Windows LAPS now, or does it still depend on the local account's password expiry settings to notify users about the password expiry?

For any local account created without specifying any options like the first image provided above, will the system default settings of password policy continue to apply even though the new Windows LAPS has been enabled for the machine? I think the local system default expiry is 60 or 90 days. Is that correct?

Here is the thing. If the system defaults for the local password policy continue to apply even with the new Windows LAPS enabled on the machine, which one takes precedence, or do both take effect?

That is something we are confused about. For the local admin account managed by the new Windows LAPS, we don't want it to expire. We only want Windows LAPS to automatically rotate the password, as it is doing now.

Please advise what we should do. If the local system defaults still have an effect on its expiry, should I just set them all to "Password never expires"? By doing that, will I prevent the new Windows LAPS from being able to rotate the password accordingly?

Please advise.

Appreciated.

WC

Tags: Windows 11, Microsoft Intune

1 answer

  1. Simon Ren-MSFT 33,606 Reputation points Microsoft Vendor
    2023-09-21T07:58:49.0433333+00:00

    Hi,

    Thank you for posting in Microsoft Q&A forum.

    The order of precedence is Intune MDM > GPO > Local > Legacy LAPS. Intune policies manage LAPS by using the Windows LAPS configuration service provider (CSP). Windows LAPS CSP configurations take precedence over, and overwrite, any existing configurations from other LAPS sources, like GPOs or the legacy Microsoft LAPS tool.

    For more information, please refer to:

    Manage Windows LAPS policy with Microsoft Intune

    Announcing Windows LAPS management through Microsoft Intune

    Thanks for your time. Have a nice day!

    Best regards,

    Simon


    If the response is helpful, please click "Accept Answer" and upvote it.

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
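The answer above covers which LAPS policy source wins, but the question is really about two separate mechanisms on the device: the Windows LAPS rotation interval (PasswordAgeDays) and the machine's own local password policy (maximum password age, and the account's "Password never expires" flag), which is what produces the "password has expired" prompt at sign-in. The following PowerShell is an added example for checking both on one device; it is not code from the original thread or from Microsoft. It assumes the Intune-delivered LAPS CSP policy is present under HKLM:\SOFTWARE\Microsoft\Policies\LAPS (and a GPO-delivered one under HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\LAPS), that the script runs elevated on an Entra-joined Windows 11 device, and that the Windows LAPS operational event log is available. The last line applies the change the question author proposed (setting the managed account to never expire); it is commented out because it is a policy decision for the administrator, not something this thread confirms.

```powershell
# Added example (not from the original thread): inspect the Windows LAPS policy
# applied to this device, then look at the managed local account's own
# password-expiry state, which is governed by local password policy, not LAPS.
# Run elevated on an Entra-joined Windows 11 device.

# Assumption: Intune (CSP) policy lands here; GPO policy lands under the second key.
$cspPolicy = 'HKLM:\SOFTWARE\Microsoft\Policies\LAPS'
$gpoPolicy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\LAPS'

function Get-LapsPolicySource {
    # Returns the first policy source found, checking CSP before GPO to match
    # the precedence described in the answer (Intune MDM > GPO).
    foreach ($path in @($cspPolicy, $gpoPolicy)) {
        if (Test-Path -Path $path) {
            $p = Get-ItemProperty -Path $path
            return [pscustomobject]@{
                Source                   = $path
                AdministratorAccountName = $p.AdministratorAccountName
                PasswordAgeDays          = $p.PasswordAgeDays   # LAPS rotation interval
                BackupDirectory          = $p.BackupDirectory   # 1 = Entra ID (Azure AD)
            }
        }
    }
    return $null
}

$policy = Get-LapsPolicySource
if (-not $policy) {
    Write-Warning 'No Windows LAPS policy found in the registry on this device.'
    return
}
$policy | Format-List

# The account LAPS manages: the named account when AdministratorAccountName is
# set, otherwise the built-in Administrator (RID 500).
$acct = if ($policy.AdministratorAccountName) {
    Get-LocalUser -Name $policy.AdministratorAccountName
} else {
    Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
}

# Machine-wide local password policy. "Maximum password age" here is separate
# from the LAPS PasswordAgeDays value above.
net accounts | Select-String -Pattern 'Maximum password age'

# PasswordExpires is empty when "Password never expires" is set on the account;
# otherwise it shows the date the local policy will expire the password.
$acct | Select-Object -Property Name, Enabled, PasswordLastSet, PasswordExpires

# Recent LAPS activity (policy processing, rotations, backups) for this device.
Get-WinEvent -LogName 'Microsoft-Windows-LAPS/Operational' -MaxEvents 10 |
    Select-Object -Property TimeCreated, Id, LevelDisplayName, Message

# Optional: the change the question author proposed, so that only LAPS rotation
# governs the password. Uncomment to apply; re-run the Select-Object above to
# confirm PasswordExpires is then empty.
# Set-LocalUser -Name $acct.Name -PasswordNeverExpires $true
```

Compare the two ages the script prints: if the local "Maximum password age" is shorter than, or not aligned with, PasswordAgeDays, the local policy can expire the managed account before LAPS rotates it, and the account's PasswordExpires date tells you when that will happen.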

