MD-102 Study Guide

Domain 1: Prepare Infrastructure for Devices

  • Device Identity: Join, Register & Hybrid Free
  • Build the Right Device Groups
  • Intune Enrollment Essentials Free
  • Auto-Enrollment & Bulk Enrollment
  • Intune RBAC & Windows Hello for Business
  • Compliance Policies & Conditional Access
  • Windows LAPS & Local Group Management

Domain 2: Manage and Maintain Devices

  • Windows Autopilot: Choose Your Path Free
  • Autopilot: Device Names, ESP & Rollout
  • Provisioning Packages & Windows 11 Upgrades
  • Windows 365: Your PC in the Cloud
  • Configure Windows Devices with Intune
  • Config Profiles: Android, iOS & macOS
  • Control Admin Rights with EPM
  • Intune Suite: Apps, Analytics & Remote Help
  • Cloud PKI & Tunnel for MAM
  • Remote Actions & Device Queries

Domain 3: Manage Applications

  • App Deployment: Prepare & Package
  • Deploy Apps with Intune & App Stores
  • Microsoft 365 Apps: Deploy, Customize & Manage
  • App Protection Policies & Conditional Access
  • App Configuration: Managed Apps & Managed Devices

Domain 4: Protect Devices

  • Endpoint Security: Antivirus, Firewall & Encryption
  • Attack Surface Reduction & Security Baselines
  • Defender for Endpoint: Integrate & Onboard
  • Plan and Manage Windows Updates
  • Cross-Platform Updates & Delivery Optimization

Domain 1: Prepare Infrastructure for Devices (~11 min read)

Windows LAPS & Local Group Management

Local admin accounts are a goldmine for attackers. Windows LAPS rotates their passwords automatically, and Intune can control who belongs to local groups — all from the cloud.

Why do local admin accounts matter?

☕ Simple explanation

Every Windows PC has a built-in local admin account — it’s like a master key hidden under the doormat.

If every device in your company uses the same local admin password (which is terrifyingly common), an attacker who discovers it on one machine can use it on ALL of them. That’s called a lateral movement attack — hopping from device to device using the same stolen credential.

Windows LAPS fixes this by giving each device a unique, randomly generated local admin password that changes automatically. The passwords are stored safely in Entra ID (or on-prem AD), and only authorised admins can view them.

Windows Local Administrator Password Solution (LAPS) is a built-in Windows feature that automatically manages the password of the local administrator account. It generates unique, random passwords for each device and stores them in Microsoft Entra ID (cloud) or on-premises Active Directory.

LAPS eliminates the security risk of shared local admin passwords across devices, preventing lateral movement and pass-the-hash attacks. It’s configured via Intune (for cloud-managed devices) or Group Policy (for on-prem AD devices).

How Windows LAPS works

Sam at Tui Solutions is rolling out LAPS across 500 devices. Here’s the flow:

  1. Admin configures LAPS via Intune (endpoint security policy or device configuration profile)
  2. LAPS generates a unique, random password for the local admin account on each device
  3. Password is stored in Microsoft Entra ID (attached to the device object)
  4. Password rotates automatically based on the configured schedule (e.g., every 30 days)
  5. Authorised admins can view the current password in the Intune admin center or Entra admin center
  6. After use, the password can be manually rotated immediately for security

Configuration options

Setting                     | Options                                                                  | Sam's Choice
----------------------------|--------------------------------------------------------------------------|-------------------------------------------------------------
Backup directory            | Entra ID (cloud) or on-prem AD                                           | Entra ID (cloud-native)
Password age                | 1-365 days                                                               | 30 days
Administrator account name  | Default (built-in Administrator) or custom                               | Default
Password complexity         | Letters + numbers, letters + numbers + symbols, etc.                    | Large letters + small letters + numbers + special characters
Password length             | 8-64 characters                                                          | 14 characters
Post-authentication actions | Reset password, reset password + logoff, reset password + reboot         | Reset password + logoff

💡 Exam tip: where are LAPS passwords stored?

The exam tests this: LAPS passwords are stored as a property of the device object in Microsoft Entra ID (for cloud-managed devices) or as a confidential attribute on the computer object in on-premises Active Directory.

For Entra ID-backed LAPS:

  • View passwords in Intune admin center → Devices → select device → Local admin password
  • View passwords in Entra admin center → Devices → select device → Local administrator password recovery
  • Requires the Cloud Device Administrator or Intune Administrator role

The password is never stored in plain text on the device itself. The device encrypts it before sending it to Entra ID.
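To confirm that a rollout like Sam's actually reached every device, the PowerShell report below queries only the LAPS metadata (update and expiry timestamps) that Entra ID keeps for each device, never the password itself. It is an added example, not code from this guide, from Microsoft or from the Intune admin center. It assumes the Microsoft Graph PowerShell SDK and the built-in LAPS module are installed and that the signed-in account holds a role allowed to read LAPS data (such as Cloud Device Administrator); the device-name pattern and the 30-day threshold are assumptions taken from Sam's configuration.

```powershell
# Added example (not from the study guide): audit Windows LAPS coverage for cloud-managed
# devices using password METADATA only. No secret is retrieved at any point.
Import-Module Microsoft.Graph.Identity.DirectoryManagement
Import-Module LAPS

# Metadata only, so the narrower DeviceLocalCredential.ReadBasic.All scope is enough;
# DeviceLocalCredential.Read.All is what Get-LapsAADPassword -IncludePasswords would need.
Connect-MgGraph -Scopes 'Device.Read.All', 'DeviceLocalCredential.ReadBasic.All'

function Get-LapsCoverageReport {
    param(
        # Maximum password age configured in the LAPS policy (Sam chose 30 days)
        [int]$MaxPasswordAgeDays = 30,
        # Display-name pattern to limit the report; 'TUI-*' is a hypothetical naming scheme
        [string]$NamePattern = '*'
    )
    $now = Get-Date

    # Only Windows devices can hold a LAPS password, so filter the directory client-side
    $devices = Get-MgDevice -All |
        Where-Object { $_.OperatingSystem -eq 'Windows' -and $_.DisplayName -like $NamePattern }

    foreach ($d in $devices) {
        try {
            # Without -IncludePasswords the cmdlet returns account name and timestamps only
            $laps = Get-LapsAADPassword -DeviceIds $d.DeviceId -ErrorAction Stop
            $ageDays = [int]($now - $laps.PasswordUpdateTime).TotalDays
            $status = if ($laps.PasswordExpirationTime -lt $now) { 'EXPIRED' }
                      elseif ($ageDays -gt $MaxPasswordAgeDays)  { 'OVERDUE' }
                      else                                        { 'OK' }
        }
        catch {
            # No password backed up: the device has never successfully processed LAPS policy
            $laps = $null; $ageDays = $null; $status = 'NO-PASSWORD'
        }
        [pscustomobject]@{
            DeviceName      = $d.DisplayName
            DeviceId        = $d.DeviceId
            Account         = $laps.Account
            PasswordAgeDays = $ageDays
            ExpiresAt       = $laps.PasswordExpirationTime
            Status          = $status
        }
    }
}

# Surface the devices that need attention first: missing, expired or overdue passwords
Get-LapsCoverageReport -MaxPasswordAgeDays 30 -NamePattern 'TUI-*' |
    Where-Object Status -ne 'OK' |
    Sort-Object Status, DeviceName |
    Format-Table -AutoSize
```

A device that shows NO-PASSWORD is usually one that is not yet in scope of the LAPS policy or has not checked in since the policy was assigned; EXPIRED or OVERDUE entries point at devices that are offline or failing to rotate. When a helpdesk engineer does retrieve a password for a device (with -IncludePasswords, or through the admin center), the post-authentication action Sam configured resets it automatically after use, and the Rotate local admin password action in the Intune admin center forces a rotation immediately.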

LAPS vs Legacy LAPS

Feature           | Windows LAPS (built-in)                          | Legacy LAPS (separate download)
------------------|--------------------------------------------------|------------------------------------------------
Installation      | Built into Windows 10/11 (April 2023 update+)    | Separate MSI download + GPO extension
Password storage  | Entra ID or on-prem AD                           | On-prem AD only
Management        | Intune or GPO                                    | GPO only
Encryption        | Password encrypted in transit and at rest        | Password stored as clear text in AD (older versions)
Cloud support     | Yes (Entra ID)                                   | No
Password history  | Yes (viewable in Entra/Intune)                   | No
Post-auth actions | Automatic password rotation after use            | Manual rotation only

Key exam concept: Windows LAPS (the built-in version) replaces Legacy LAPS. For cloud-managed devices, passwords back up to Entra ID. For on-prem devices, they back up to AD. The exam focuses on the built-in version with Entra ID backup.

Managing local group membership with Intune

Beyond LAPS, Intune can control who belongs to local groups on Windows devices. This is critical because the local Administrators group gives full control of the device.

Why it matters

By default, the user who Entra-joins a device is added to the local Administrators group. In many organisations, standard users shouldn’t have local admin rights (least privilege principle). Intune’s Account Protection or Device Configuration policies let you:

  • Add specific Entra users or groups to local groups
  • Remove users from local groups
  • Replace the entire local group membership

Configuration methods

Method                       | Where                                                      | How
-----------------------------|------------------------------------------------------------|--------------------------------------------------
Account Protection policy    | Intune → Endpoint security → Account protection            | Create a "Local user group membership" policy
Device configuration profile | Intune → Devices → Configuration → Settings catalog         | Search for "Local Policies Security Options"
Custom OMA-URI               | Intune → Devices → Configuration → Custom profile           | Use the Policy CSP LocalUsersAndGroups

Common scenarios

Scenario                                                            | Configuration
--------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------
Remove all non-admin users from local Administrators group          | Replace membership: add only IT admin group
Add helpdesk team to local Administrators on all devices            | Add Entra group "Helpdesk" to local Administrators
Standard users should not be local admins                           | Remove user from local Administrators; add to local Users
A specific group of developers needs local admin on their dev machines | Create a targeted policy: add "Developers" Entra group to local Administrators, target only dev device group

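For the Custom OMA-URI method, the value delivered to the device is an XML document for the Policy CSP setting ./Device/Vendor/MSFT/Policy/Config/LocalUsersAndGroups/Configure (data type String). Entra groups cannot be named in that XML; they must be referenced by the SID that Windows derives from the group's object ID, while Entra users are referenced as AzureAD\<UPN>. The PowerShell below is an added example, not code from this guide or from Microsoft: it performs that SID derivation and builds the payload for the first and last scenarios in the table above. The function names are the example's own, and every object ID is a constructed placeholder, not a real tenant value.

```powershell
# Added example (not from the study guide): generate the LocalUsersAndGroups/Configure XML
# for an Intune custom OMA-URI profile. Object IDs below are constructed placeholders.

function Convert-EntraObjectIdToSid {
    # An Entra group's SID is S-1-12-1- followed by the GUID's four 32-bit words in decimal
    param([Parameter(Mandatory)][guid]$ObjectId)
    $bytes = $ObjectId.ToByteArray()
    $words = 0..3 | ForEach-Object { [BitConverter]::ToUInt32($bytes, $_ * 4) }
    return 'S-1-12-1-' + ($words -join '-')
}

function New-LocalGroupConfigXml {
    param(
        # Local group to manage, e.g. Administrators
        [Parameter(Mandatory)][string]$GroupName,
        # 'R' replaces the entire membership; 'U' adds/removes on top of the current membership
        [Parameter(Mandatory)][ValidateSet('R', 'U')][string]$Action,
        [guid[]]$AddEntraGroupIds = @(),
        [string[]]$AddUserPrincipalNames = @(),
        # Only meaningful with 'U'; with 'R' anything not listed is removed anyway
        [string[]]$RemoveUserPrincipalNames = @()
    )
    $lines = [System.Collections.Generic.List[string]]::new()
    $lines.Add('<GroupConfiguration>')
    $lines.Add(('  <accessgroup desc="{0}">' -f $GroupName))
    $lines.Add(('    <group action="{0}" />' -f $Action))
    foreach ($id in $AddEntraGroupIds) {
        $lines.Add(('    <add member="{0}" />' -f (Convert-EntraObjectIdToSid $id)))
    }
    foreach ($upn in $AddUserPrincipalNames) {
        $lines.Add(('    <add member="AzureAD\{0}" />' -f $upn))
    }
    foreach ($upn in $RemoveUserPrincipalNames) {
        $lines.Add(('    <remove member="AzureAD\{0}" />' -f $upn))
    }
    $lines.Add('  </accessgroup>')
    $lines.Add('</GroupConfiguration>')
    return ($lines -join "`n")
}

# Scenario 1: replace local Administrators so that only the IT admin group remains.
# Placeholder object ID of the "IT Admins" Entra group.
$itAdminsGroupId = '11111111-2222-3333-4444-555555555555'
New-LocalGroupConfigXml -GroupName 'Administrators' -Action 'R' -AddEntraGroupIds $itAdminsGroupId

# Scenario 4: developers keep local admin on their dev machines. Use 'U' so existing members stay,
# and assign this profile only to the dev device group in Intune. Placeholder object ID.
$developersGroupId = '66666666-7777-8888-9999-aaaaaaaaaaaa'
New-LocalGroupConfigXml -GroupName 'Administrators' -Action 'U' -AddEntraGroupIds $developersGroupId
```

Paste the returned XML as the OMA-URI value. Two things to check before assigning a policy with action R: the replacement list must include the group your own administrators belong to, otherwise the profile locks them out of every targeted device, and a wrong object ID produces a SID that matches nothing, so the intended group silently never gains membership. The built-in local Administrator account that LAPS manages is separate from this membership list, so LAPS remains the break-glass path once standing admin rights are removed.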
ℹ️ Deep dive: local group management + EPM

Managing local groups and Endpoint Privilege Management (EPM) work together:

  • Local group management removes users from the Administrators group → they’re now standard users
  • EPM (covered in Module 14) lets those standard users elevate specific apps when needed — without giving them permanent admin rights

This is the Zero Trust approach to local admin: remove standing admin access, then provide just-in-time elevation for specific tasks. Chen Wei at Meridian Bank uses both: standard users everywhere, EPM for approved apps that need admin rights.

Flashcards

Question: What is Windows LAPS and why is it important?

Answer: Windows LAPS automatically generates unique, random passwords for the local admin account on each device, storing them securely in Entra ID or on-prem AD. It prevents lateral movement attacks caused by shared local admin passwords across multiple devices.

Question: Where are Windows LAPS passwords stored for cloud-managed devices?

Answer: In Microsoft Entra ID, as a property of the device object. Authorised admins can view them in the Intune admin center (Devices → select device → Local admin password) or Entra admin center.

Question: How does Intune manage local group membership on Windows devices?

Answer: Through Account Protection policies (endpoint security) or device configuration profiles. Admins can add, remove, or replace members of local groups like Administrators. This lets you remove standard users from the local Administrators group and enforce least privilege.

Question: What's the difference between Windows LAPS and Legacy LAPS?

Answer: Windows LAPS is built into Windows 10/11, supports Entra ID password backup, Intune management, and password encryption. Legacy LAPS requires a separate download, only backs up to on-prem AD, and uses GPO. The built-in version replaces Legacy LAPS.

Knowledge Check

  1. Sam discovers that all 500 devices at Tui Solutions use the same local admin password: 'TuiAdmin2024!'. An attacker who compromises one device could access all of them. What's the best solution?

  2. Chen Wei wants standard users at Meridian Bank to NOT have local admin rights on their devices. Currently, users who Entra-join their devices are automatically added to the local Administrators group. How should Chen Wei fix this?


Next up: Windows Autopilot: Choose Your Path — understanding the three Autopilot deployment modes and when to use each one.


© 2026 Sutheesh. All rights reserved.

Guided is an independent study resource and is not affiliated with, endorsed by, or officially connected to Microsoft. Microsoft, Azure, and related trademarks are property of Microsoft Corporation. Always verify information against Microsoft Learn.