85.1 (L1) Ensure 'Backup Directory' is set to 'Backup the password to Azure AD only'

Information

This policy setting configures which directory Windows LAPS will use to back up the local admin account password.

The recommended state for this setting is: Backup the password to Azure AD only.

Note: Organizations that utilize third-party commercial software to manage unique and complex local Administrator passwords on domain members may opt to disregard these LAPS recommendations.

- Windows LAPS does not support standalone computers - they must be joined to an Active Directory domain or Entra ID (formerly Azure Active Directory).
- Windows LAPS does not support simultaneous storage of the local admin password in both directory types.
- If the setting is configured and the managed device is not joined to the configured directory type, the local administrator password will not be managed by Windows LAPS.

Important: An organization wishing to use Active Directory to back up the LAPS password may make an exception for this recommendation. To implement Active Directory backup, see the latest on-premises CIS Benchmark for Windows 10/11. When backing up to Active Directory, that benchmark includes 2 additional security controls that are not available when using Azure AD for backup. They were excluded from the Intune benchmark because they cannot be selected unless Active Directory is selected as the backup location.

Due to the difficulty of managing local Administrator passwords, many organizations choose to use the same password on all workstations and/or Member Servers when deploying them. This creates a serious security risk: if an attacker compromises one system and learns the password of its local Administrator account, that single credential grants instant access to every other computer that uses the same password for its local Administrator account.

Solution

To establish the recommended configuration from Microsoft Intune Admin Center:

- Navigate to Endpoint security > Account protection
- Create or edit a LAPS policy of the type Local admin password solution (Windows LAPS)
- Set Backup Directory to Backup the password to Azure AD only
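The Intune steps above set the policy centrally; the following PowerShell check, added here and not part of the CIS item or Tenable plugin, verifies the effective setting on a device and catches the caveat noted above (a correctly configured BackupDirectory on a device that is not joined to that directory type, so LAPS will not manage the password). It assumes the Windows LAPS policy registry locations and precedence (CSP, then Group Policy, then local configuration) and the value encoding (0 = disabled, 1 = Azure AD, 2 = Active Directory) as documented by Microsoft; run it in an elevated session on the managed device.

```powershell
# Added example: report the effective Windows LAPS BackupDirectory value and whether the
# device's join state allows that backup target to work. Registry paths, precedence and
# value encoding are assumed from Microsoft's Windows LAPS policy documentation.

$PolicySources = [ordered]@{
    'CSP (Intune)'        = 'HKLM:\SOFTWARE\Microsoft\Policies\LAPS'
    'Group Policy'        = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\LAPS'
    'Local configuration' = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\LAPS\Config'
}
$BackupDirectoryNames = @{ 0 = 'Disabled'; 1 = 'Azure AD only'; 2 = 'Active Directory' }

function Get-LapsBackupDirectorySetting {
    # Walk the policy sources in precedence order; the first source that defines the value wins.
    foreach ($source in $PolicySources.Keys) {
        $path  = $PolicySources[$source]
        $value = (Get-ItemProperty -Path $path -Name BackupDirectory -ErrorAction SilentlyContinue).BackupDirectory
        if ($null -ne $value) {
            return [pscustomobject]@{ Source = $source; Value = [int]$value; Name = $BackupDirectoryNames[[int]$value] }
        }
    }
    return $null
}

function Get-DeviceJoinState {
    # dsregcmd /status prints "AzureAdJoined : YES/NO" and "DomainJoined : YES/NO" lines.
    $status = dsregcmd /status
    [pscustomobject]@{
        AzureAdJoined = [bool]($status -match '^\s*AzureAdJoined\s*:\s*YES')
        DomainJoined  = [bool]($status -match '^\s*DomainJoined\s*:\s*YES')
    }
}

$setting = Get-LapsBackupDirectorySetting
$join    = Get-DeviceJoinState

if ($null -eq $setting) {
    Write-Output 'FAIL: BackupDirectory is not configured by any policy source; Windows LAPS will not back up the password.'
} elseif ($setting.Value -ne 1) {
    Write-Output ("FAIL: BackupDirectory = {0} ({1}) from {2}; benchmark expects 1 (Azure AD only)." -f $setting.Value, $setting.Name, $setting.Source)
} elseif (-not $join.AzureAdJoined) {
    # Policy is correct but cannot take effect: the device is not joined to the configured directory type.
    Write-Output 'WARN: BackupDirectory = 1 (Azure AD only) but this device is not Entra ID joined; LAPS will not manage the password.'
} else {
    Write-Output ("PASS: BackupDirectory = 1 (Azure AD only) from {0}; device is Entra ID joined." -f $setting.Source)
}
```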

Impact:

The passwords managed by Windows LAPS will only be retrievable from the configured directory type.

See Also

https://workbench.cisecurity.org/benchmarks/16853

Item Details

Category: CONTINGENCY PLANNING

References: 800-53|CP-9

Plugin: Windows

Control ID: 120fa1263cbf5f8a286956475fc823df198c350d59e63fe773da571b6d4974a5