SureMDM LAPS (Local Administrator Password Solution)

Overview

SureMDM Local Administrator Password Solution (LAPS) is a feature that enhances security by automating the management of local administrator passwords on Windows devices. SureMDM LAPS ensures that each device has a unique, automatically rotating administrator password, reducing the risk of unauthorized access.

To configure SureMDM LAPS:

  1. Log in to the SureMDM console.
  2. Navigate to Jobs > New Job > Windows > SureMDM LAPS.
  3. Configure the following settings and click Save.

SureMDM LAPS Configuration Options

| Option | Description |
| --- | --- |
| Enable SureMDM LAPS | Enable this option to configure LAPS. To disable LAPS configuration from devices, disable this option and deploy the job to the device(s). |
| Username | Enter the username without spaces. Use the + button to add multiple usernames if needed. |
| Create Above Accounts If Not Present on Device | Select this option to automatically create the listed accounts if they are not already present on the device. |
| Include Default Built-in Administrator Account | Select this option to include the default built-in administrator account. The SID of the default admin account will be used, and the user will be considered even if the account is renamed. |
| Password Rotation Frequency | Select the frequency for automatic password rotation in days. Choose Set Frequency to specify a value (1 to 365 days), or select Never to disable or stop automatic rotation of passwords. |
| Rotate Password Upon Use | Select this option to automatically rotate the password after each use. Note: This setting triggers password rotation in the event of a successful login to the device with the current password. |
| Password Complexity and Length | Select the desired complexity level and length for the generated password. Complexity Levels: Simple (numbers and letters); Medium (upper and lower case, numbers); Complex (upper, lower case, numbers, special characters). Length: Ranges from 8 to 64 in increments of 4. |
| Rotate password only when device is online | When enabled, the password is rotated only when the device is connected to SureMDM. If disabled, the password is rotated even when the device is offline, and the updated password will be displayed on the console when the device is back online next time. |

Note:
  • Ensure that the SureMDM Agent version on Windows devices is 6.07.0 or later.
  • To view the current password, use the SureMDM LAPS Dynamic Job.
  • Once a user account is removed from the SureMDM LAPS job, its password rotation will no longer be managed by SureMDM LAPS. Use the User Account Management > Change User Password job to reset the password for such accounts. To view the password rotation history for these accounts, refer to the SureMDM LAPS Report.
  • When using the Password Policy payload in profiles, ensure that the password length set in LAPS aligns with the one configured in the Password Policy. A shorter password length in the LAPS job compared to the Password Policy may lead to password rotation failures.
  • When deploying LAPS using SureMDM, ensure that no other sources, such as Active Directory or third-party tools, are enabling or managing LAPS to prevent conflicts.
  4. Once done, click Save to save the changes. The newly created job will be listed in the Jobs List section.
  5. Click Apply to launch the Apply Job/Profile To Device prompt.
  6. In the Apply Job/Profile To Device prompt, select the job and click Apply.
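
The notes above warn about password-length mismatches and competing LAPS sources. The following PowerShell check is an added example, not SureMDM code, that can be run as administrator on a device before the job is applied. The parameter defaults are hypothetical, the registry paths are Microsoft's documented policy locations for legacy LAPS and Windows LAPS, and it assumes the Password Policy payload surfaces as the device's local minimum password length.

```powershell
#Requires -RunAsAdministrator
# Added example: pre-deployment check for a planned SureMDM LAPS job (not vendor code).
param(
    [int]$PlannedLength = 16,                   # hypothetical: length chosen in the LAPS job
    [string[]]$Usernames = @('svc-localadmin')  # hypothetical: accounts listed in the job
)
$findings = @()

# Job constraints stated on the page: no spaces in usernames, length 8..64 in steps of 4.
foreach ($u in $Usernames) {
    if ($u -match '\s') { $findings += "Username '$u' contains whitespace" }
}
if ($PlannedLength -lt 8 -or $PlannedLength -gt 64 -or $PlannedLength % 4 -ne 0) {
    $findings += "Length $PlannedLength is not one of 8, 12, ... 64"
}

# Effective local minimum password length, exported locale-independently with secedit.
$cfg = Join-Path $env:TEMP 'secpol-export.inf'
secedit /export /cfg $cfg /areas SECURITYPOLICY | Out-Null
$line = Get-Content $cfg | Select-String -Pattern '^MinimumPasswordLength\s*=\s*(\d+)'
Remove-Item $cfg -ErrorAction SilentlyContinue
if ($line) {
    $minLen = [int]$line.Matches[0].Groups[1].Value
    if ($PlannedLength -lt $minLen) {
        $findings += "Planned length $PlannedLength is below the local minimum $minLen"
    }
}

# The built-in Administrator is identified by RID 500, so a rename does not hide it.
$builtin = Get-LocalUser | Where-Object { $_.SID.Value -match '^S-1-5-21-.+-500$' }
if ($builtin) { Write-Output "Built-in administrator: $($builtin.Name) (enabled: $($builtin.Enabled))" }

# Other LAPS sources: Microsoft's policy keys for legacy LAPS and Windows LAPS.
$legacy = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd' -ErrorAction SilentlyContinue
if ($legacy.AdmPwdEnabled -eq 1) { $findings += 'Legacy Microsoft LAPS is enabled by policy' }
$winLapsKeys = 'HKLM:\SOFTWARE\Microsoft\Policies\LAPS',
               'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\LAPS'
foreach ($k in $winLapsKeys) {
    $p = Get-ItemProperty $k -ErrorAction SilentlyContinue
    # BackupDirectory: 0 = disabled, 1 = Microsoft Entra ID, 2 = Active Directory
    if ($p.BackupDirectory -gt 0) { $findings += "Windows LAPS policy is active under $k" }
}

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } } else { Write-Output 'No conflicts found' }
```

Any warning it prints should be resolved before deployment, since the page notes that a length mismatch can cause rotation failures and that multiple LAPS sources conflict.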