Taking advantage of Windows Local Administrator Password Solution (LAPS)


Introduction

Windows Local Administrator Password Solution (LAPS) is a Windows feature that automatically manages, rotates, and backs up the password of a local administrator account on Microsoft Entra-joined or Windows Server Active Directory-joined devices. Because each device gets its own random password with a known rotation schedule, a credential recovered from one device cannot be reused to move laterally to another.

Instructions

Additional Information from Microsoft

Create Intune policies to configure and manage Windows LAPS | Microsoft Learn

Requirements

  • Devices are Microsoft Entra joined and enrolled in Intune for management. With the backup directory set to Entra, the managed local administrator password is escrowed on the device object in Entra.
  • Devices are members of the security group (or a subgroup) that is scoped to the respective administrative unit (AU):
    • OUName-All Devices or a subgroup member
  • Organizational Unit (OU) admins are scoped to the LAPS role for their specific AU. That scoping is granted through membership in the following group:
    • OUName_Operators

Process

  1. Log in to the Intune admin portal.
  2. Navigate to Endpoint Security.
  3. Choose Account Protection.
  4. Either update an existing policy to enforce LAPS and target the group of your choosing, or create a new policy that targets your OU's devices. Set LAPS settings only here (not additionally through the Settings catalog or a custom OMA-URI profile) so that a device never receives two conflicting LAPS policies; Intune reports such overlaps as a conflict and the device may end up with neither applied.
    • Policy Config Options
      • Name: OUName LAPS Profile
      • Backup Directory: "Backup the password to Azure AD only" (labeled "Backup the password to Microsoft Entra ID only" in newer portal builds)
      • Password Age Days: Your choice
      • Administrator Account Name: Your choice, example: ouname_admin
      • Password Complexity: Your choice
      • Password Length: Your choice
      • Post Authentication Actions: Your choice
      • Post Authentication Reset Delay: Your choice
      • Automatic Account Management Enabled: Your choice
  5. Once the policy is scoped to your OU's devices, it is applied the next time a device checks in to Intune. On the next LAPS policy cycle the device creates or takes over the configured account, sets a new random password, and backs it up to Entra. Confirm the rollout from the policy's Device status report before relying on the account for break-glass access.
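
The portal steps above do not show how to confirm that a device actually received the policy, or how an OU admin reads the escrowed password back. The following PowerShell is an added example written for this page, not code from Microsoft or the original author. It assumes the LAPS CSP writes its effective policy under HKLM:\SOFTWARE\Microsoft\Policies\LAPS (the key documented for CSP-delivered settings; verify on your build with Get-LapsDiagnostics), that the Microsoft.Graph and LAPS PowerShell modules are installed on the admin workstation, and that the expected values and the device name WS-OUNAME-001 are placeholders you replace with your own profile settings.

```powershell
# Added example, not part of the original page. Two halves:
#   1. run on a managed device to check the Intune-delivered LAPS policy
#   2. run on an admin workstation to read the escrowed password via Graph

# --- 1. On the device: does the effective policy match the profile? ---------
# Numeric encodings are the documented LAPS CSP values; the concrete
# numbers below are assumed placeholders and must mirror your own profile.
$Expected = @{
    BackupDirectory                   = 1              # 1 = Microsoft Entra ID only (0 = disabled, 2 = AD)
    PasswordAgeDays                   = 30             # assumed
    AdministratorAccountName          = 'ouname_admin' # example name from the profile above
    PasswordComplexity                = 4              # assumed; 4 = upper + lower + digits + specials
    PasswordLength                    = 20             # assumed
    PostAuthenticationActions         = 3              # assumed; 3 = reset password and log off
    PostAuthenticationResetDelay      = 24             # assumed; hours
    AutomaticAccountManagementEnabled = 1              # assumed
}

function Test-LapsPolicyApplied {
    param([Parameter(Mandatory)][hashtable]$Expected)
    # Assumed location of CSP (Intune) policy; confirm with Get-LapsDiagnostics on your build
    $key = 'HKLM:\SOFTWARE\Microsoft\Policies\LAPS'
    if (-not (Test-Path $key)) {
        return [pscustomobject]@{ Applied = $false; Mismatches = @('policy key missing: device has not received a LAPS policy') }
    }
    $actual = Get-ItemProperty -Path $key
    $mismatches = foreach ($name in $Expected.Keys) {
        if ($actual.$name -ne $Expected[$name]) {
            "$name expected '$($Expected[$name])' but device has '$($actual.$name)'"
        }
    }
    [pscustomobject]@{ Applied = (@($mismatches).Count -eq 0); Mismatches = @($mismatches) }
}

function Get-LapsRecentErrors {
    # Backup failures (for example, a device not yet Entra joined) land here as Error events
    param([int]$Hours = 24)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-LAPS/Operational'
        Level     = 2                                   # 2 = Error
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue | Select-Object TimeCreated, Id, Message
}

# Usage on the device (elevated):
#   Invoke-LapsPolicyProcessing           # force a policy cycle instead of waiting for the schedule
#   Test-LapsPolicyApplied -Expected $Expected
#   Get-LapsRecentErrors

# --- 2. On the admin workstation: read the escrowed password -----------------
function Get-EscrowedLapsPassword {
    param([Parameter(Mandatory)][string]$DeviceName)
    # Least-privilege delegated scopes: one to resolve the device, one to read the secret.
    # The signed-in admin must also hold a role (scoped to the AU) that allows password reads.
    Connect-MgGraph -Scopes 'Device.Read.All', 'DeviceLocalCredential.Read.All' -NoWelcome
    $device = Get-MgDevice -Filter "displayName eq '$DeviceName'" -Top 1
    if (-not $device) { throw "No Entra device named '$DeviceName'" }
    # Get-LapsAADPassword ships with the LAPS module on current Windows builds.
    # Omit -IncludePasswords to audit expiry/update times without exposing the secret.
    Get-LapsAADPassword -DeviceIds $device.DeviceId -IncludePasswords -AsPlainText |
        Select-Object DeviceName, Account, PasswordUpdateTime, PasswordExpirationTime, Password
}

# Usage (placeholder device name):
#   Get-EscrowedLapsPassword -DeviceName 'WS-OUNAME-001'
```

Run the first half on a device that should be in scope: a missing key means the policy never arrived (check group membership and the device's Intune check-in), while mismatches usually mean a second profile is also setting LAPS values. The read-back in the second half is recorded in the Entra audit log, so retrievals by OU admins can be reviewed, and with Post Authentication Actions configured the password is rotated automatically after the account is used.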

Note: OU admins with the LAPS role will be able to view the admin password for devices in their AU in Entra or Intune. Each retrieval is written to the Entra audit log, and the Post Authentication Actions setting rotates the password after the account has been used, so a password that was viewed and typed on a device does not remain valid indefinitely.