HomeNewsletterCommunityToolsArchiveBlogToday's NewsAboutServicesQuick Links Subscribe free
← Back to Blog
Security LAPSIntuneGroup PolicyActive DirectoryPowerShellSecurity

Is Your LAPS Password Actually Rotating — Or Just Configured? Here's How to Tell the Difference

IA
Imran Awan
16 July 2026

Open your Intune Settings Catalog report right now. Filter to the LAPS profile. Every device shows Succeeded. Feels good, right? Now go check one of those devices in the Entra portal and look at the actual password expiration timestamp on the local Administrator account. There is a real chance it hasn't moved in weeks — maybe months. "Policy applied" and "password rotating" are not the same thing, and the gap between them is exactly where a departed contractor's old support-ticket password, or a screenshot buried in a stale runbook, quietly stays valid forever.

This post explains why that gap exists — specifically the conflict between the modern Intune/CSP delivery path for Windows LAPS and a leftover on-prem Group Policy configuration — how to manually spot-check a single device, and how to build a PowerShell audit that checks your entire fleet against Microsoft Graph and tells you, in plain colour-coded terms, which devices are actually rotating and which ones only look like they are.

Download the script — GitHub

Get-LAPSRotationCompliance.ps1 is free and open source. Download it from the Imran76Awan/Daily-Tasks repository on GitHub — no sign-in required.

Get-LAPSRotationCompliance.ps1 View full repo →

The problem — "configured" and "rotating" are two different states

Windows LAPS is the built-in, first-party successor to the old Microsoft LAPS download. Since Windows 11 and Windows Server 2019 (with later cumulative updates) it ships in-box, no separate MSI, no external CSE, no separate ADMX to hunt down on TechNet. It manages the password of a local account — usually the built-in Administrator, or a designated managed local account — and rotates that password on a schedule you define, backing the current value up to either Microsoft Entra ID (cloud-native) or on-prem Active Directory (hybrid).

That is the theory, and when it works it is genuinely excellent security hygiene: every device gets a unique, unpredictable local admin password, and that password changes automatically, which closes off an entire class of lateral-movement attacks where a single leaked local admin password gets reused across an entire estate.

Here is the problem. "The LAPS policy applied successfully" is a statement about policy delivery. It tells you the Settings Catalog profile reached the device and the CSP accepted the values. It says nothing about whether the underlying rotation actually executed. A device can sit in the following state for months without a single alert firing anywhere in the Intune or Entra portals:

This happens for one of three structural reasons, all of which we cover in detail below: a conflict between the modern Intune/CSP LAPS path and a leftover on-prem Group Policy LAPS configuration, a device that has quietly stopped checking in, or a policy application that silently failed without tripping any compliance flag. None of these show up as a red banner anywhere. The device just sits there, technically "managed," with a stale local admin password.

Why this actually matters: a local admin password captured once — through an old support ticket screenshot, a compromised backup, a departed contractor who had temporary elevated access, or a helpdesk chat log — stays valid indefinitely if rotation has quietly stopped. LAPS is only a security control for as long as the password keeps changing. The moment rotation stalls, you are back to a shared, static local admin credential across however many devices are affected, and nobody in the organisation knows it.

Why it happens — CSP vs. GPO, and the conflict nobody notices

Windows LAPS can be deployed to a device in two structurally different ways, and this is the part that trips up even experienced admins because both paths look completely valid in isolation.

Path 1 — Intune Settings Catalog / CSP (the modern, cloud-native path)

The recommended path for Intune-managed and hybrid Entra-joined devices is the Settings Catalog, which surfaces the Windows LAPS CSP under the policy area named simply LAPS (CSP name: Policy/LocalAdminPassword, with related nodes for rotation frequency, password complexity, password age, and account name). When you assign this policy, the device's LAPS client reads the CSP values through the MDM channel, rotates the password on schedule, and backs the resulting credential up to Microsoft Entra ID — or to on-prem Active Directory if the device is hybrid Azure AD joined and you've configured the backup directory accordingly.

Path 2 — Group Policy (the on-premises path)

The second path is Group Policy, under Computer Configuration › Policies › Administrative Templates › System › LAPS. This works because the Windows LAPS ADMX template ships in-box on Windows 11 22H2 and Server 2022 onward — you do not need to download or install anything extra, it is simply part of the built-in Group Policy Central Store templates. This is the correct on-prem path for domain-joined devices that are not Intune-managed, or for organisations mid-migration who still manage most policy through Group Policy.

Note: This in-box "LAPS" GPO path is a completely different thing from the old, deprecated Legacy Microsoft LAPS — the standalone download that shipped its own separate ADMX template and relied on a client-side extension DLL called AdmPwd.dll. If you still have that legacy CSE-based GPO lingering in an OU somewhere, it uses entirely different registry keys and a different attribute schema (ms-Mcs-AdmPwd rather than msLAPS-Password), and it is a separate migration project of its own. This post is about the modern in-box LAPS GPO and CSP paths conflicting with each other — not the legacy tool.

Both paths are individually well-documented and individually correct. The trouble starts when a device receives both at the same time — which happens more often than you'd expect, usually because a device was originally managed purely through Group Policy, then later Intune-enrolled as part of a hybrid or co-management rollout, and nobody went back to clean up the original GPO link.

Gotcha — CSP and GPO are mutually exclusive for LAPS: Windows LAPS does not merge or reconcile settings between the CSP and Group Policy delivery paths. Whichever one applies last, or whichever the Windows LAPS client evaluates as authoritative on that device, wins outright — and it silently overrides the other's rotation schedule, password length, and backup directory settings. There is no portal warning, no compliance flag, and no event log entry that says "conflicting LAPS policy detected." Troubleshooting which one actually controls a given device is genuinely confusing unless you know to check both places, which is exactly what the verification and audit sections below walk through.

The second and third reasons rotation quietly stalls are simpler but just as invisible in the portal:

How to verify — spot-checking a single device

Before building any kind of fleet-wide audit, it's worth knowing how to manually check one device, both for the cloud-native (Entra ID) view and the on-prem AD attribute for hybrid devices.

Entra ID portal — Local Administrator Password Recovery (LAPS) blade

Selecting a specific device and opening its LAPS blade shows you the account name being managed, the password's expiration timestamp, and (if you have the right role) a button to reveal the current password. The field that matters for a compliance audit is the expiration timestamp — if it's in the past, the account is overdue for rotation right now.

Entra ID — Devices — Local Administrator Password Recovery (LAPS)
DESKTOP-████████
Managed account: .\Administrator
Expired 41 days ago
Password expiration
2026-06-05 09:12:41 UTC
Read from Graph

On-prem Active Directory — msLAPS-PasswordExpirationTime for hybrid devices

For hybrid Azure AD joined devices backing LAPS credentials up to on-prem Active Directory rather than Entra ID, the equivalent attribute lives directly on the computer object. You can inspect it with ADSI Edit, or faster, with PowerShell:

PowerShell — ActiveDirectory module
Get-ADComputer -Identity "DESKTOP-████████" -Properties msLAPS-PasswordExpirationTime |
    Select-Object Name, @{Name='PasswordExpires';Expression={
        [datetime]::FromFileTime([int64]$_.'msLAPS-PasswordExpirationTime')
    }}

The attribute stores a Windows FILETIME value, so it needs converting with [datetime]::FromFileTime() before it's human-readable — a detail that trips people up the first time they query it directly.

Note: Neither of these views scales. Clicking through the LAPS blade device-by-device in the Entra portal, or running a one-off Get-ADComputer query per hostname, works for spot-checking a single reported problem device — it does not work for confidently answering "how many of our 3,000 managed endpoints have actually rotated in the last 30 days." That's the gap the audit script in the next section closes.

The fix — auditing rotation compliance with PowerShell

The script below, Get-LAPSRotationCompliance.ps1, uses the Microsoft Graph PowerShell SDK to enumerate every Windows device in the tenant, pull its Windows LAPS credential record, and classify it GREEN, AMBER, or RED based on how current its rotation actually is — then cross-references Intune's own device check-in timestamp to tell you whether a flagged device is a genuine policy conflict or simply offline.

Core logic — the Graph query and date comparison

Get-LAPSRotationCompliance.ps1 — core logic
# Connect with the scopes needed to read device + LAPS credential + Intune check-in data
Connect-MgGraph -Scopes "Device.Read.All", "DeviceLocalCredential.Read.All", "DeviceManagementManagedDevices.Read.All" -NoWelcome

$now = Get-Date
$AmberThresholdDays = 45

# Get-MgDirectoryDeviceLocalCredentialInfo returns a deviceLocalCredentialInfo object with a
# Credentials array. Each credential has PasswordExpirationDateTime and BackupDateTime.
$credInfo = Get-MgDirectoryDeviceLocalCredentialInfo -DeviceLocalCredentialInfoId $device.DeviceId

$latestCred = $credInfo.Credentials | Sort-Object BackupDateTime -Descending | Select-Object -First 1
$expiresOn   = $latestCred.PasswordExpirationDateTime
$lastRotated = $latestCred.BackupDateTime

if ($expiresOn -lt $now) {
    $status = 'RED'     # rotation has stalled - password is already expired
}
elseif (($now - $lastRotated).TotalDays -gt $AmberThresholdDays) {
    $status = 'AMBER'   # approaching staleness / possible check-in problem
}
else {
    $status = 'GREEN'
}

# Cross-check Intune's own LastSyncDateTime to tell "policy conflict" apart from "offline"
$managed = Get-MgDeviceManagementManagedDevice -Filter "azureADDeviceId eq '$($device.DeviceId)'"
if (($now - $managed.LastSyncDateTime).TotalDays -le 7) {
    $rootCause = 'Likely policy conflict (GPO vs CSP) - device checks in fine'
} else {
    $rootCause = 'Device offline - has not checked in recently'
}

The full script (embedded below and downloadable from GitHub above) wraps this logic in a loop over every Windows device in the tenant, adds a colour-coded console report, and an optional CSV export for a compliance record you can attach to an audit.

A realistic run against a pilot tenant

Here's what a first run typically surfaces — a mix of healthy devices, one approaching staleness, and — the interesting part — two devices that are checking in to Intune perfectly fine but whose LAPS password hasn't rotated in weeks, plus one device that's simply gone dark:

PowerShell 7 — .\Get-LAPSRotationCompliance.ps1
=== Connecting to Microsoft Graph ===
Connected as admin@contoso.onmicrosoft.com | Tenant: ████████-████-████-████-████████████

=== Enumerating devices ===
Pulling Entra ID device list (Get-MgDevice -All)...
Pulling Intune managed device list (Get-MgDeviceManagementManagedDevice -All)...
Found 62 Entra ID devices, 58 Intune-managed devices.

=== Evaluating LAPS rotation compliance ===

=== LAPS rotation compliance report ===
[FAIL]  FIN-LAPTOP-07          Password expired on 2026-06-05 09:12  |  Likely policy conflict (GPO vs CSP) - device checks in fine
[FAIL]  FIN-LAPTOP-11          Password expired on 2026-05-28 14:03  |  Likely policy conflict (GPO vs CSP) - device checks in fine
[FAIL]  SALES-DESKTOP-22       No LAPS record retrievable via Graph  |  Device offline - has not checked in for 96 days
[WARN]  OPS-LAPTOP-04          Last rotation was 51 days ago (threshold: 45 days)  |  Check-in slipping - investigate connectivity
[OK]    IT-LAPTOP-01           rotated 2026-07-14 06:02:11
[OK]    IT-LAPTOP-02           rotated 2026-07-13 22:41:07
[OK]    HR-LAPTOP-03           rotated 2026-07-15 05:18:44
[OK]    ...54 more devices...           all GREEN

Summary: 57 GREEN | 1 AMBER | 3 RED (out of 61 devices checked)

ACTION NEEDED: 3 device(s) have stalled or missing LAPS rotation. Review RootCause column before remediating.

Note the distinction the RootCause column draws: FIN-LAPTOP-07 and FIN-LAPTOP-11 are checking in to Intune perfectly normally — recent LastSyncDateTime — which rules out "device is unreachable" and points squarely at a policy problem on the device itself. SALES-DESKTOP-22, on the other hand, hasn't synced in 96 days; its stale LAPS record is a symptom of the device being effectively abandoned, not a policy conflict, and the remediation path is completely different.

Registry Editor — where each LAPS delivery path actually writes locally
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\LAPS\Config
← Written when the Group Policy LAPS ADMX path is the one actually in effect
PasswordAgeDays REG_DWORD 0x0000001e (30)
PostAuthResetDelay REG_DWORD 0x00000000
BackupDirectory REG_DWORD 0x00000002 (Active Directory)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\current\device\LAPS
← Written by the Intune Settings Catalog / CSP path
PasswordAgeDays REG_DWORD 0x0000005a (90)
BackupDirectory REG_DWORD 0x00000001 (Microsoft Entra ID)
Two different PasswordAgeDays values, two different BackupDirectory targets, on the same device - only one is actually authoritative, and Windows LAPS does not tell you which.

That side-by-side is the entire problem in one screen. The device has a GPO-delivered configuration under ...\LAPS\Config saying rotate every 30 days and back up to Active Directory, and a CSP-delivered configuration under ...\PolicyManager\current\device\LAPS saying rotate every 90 days and back up to Entra ID. Whichever one the LAPS client treats as authoritative on that specific device silently wins — and the other configuration's intended rotation schedule simply never happens, with nothing logging the conflict.

Remediation steps — covering both deployment paths

Remediation sequence for a RED / conflicted device
1
Check the Intune Settings Catalog LAPS policy report for the device
Intune admin centre › Devices › Configuration › your LAPS profile › Device status. Confirm the assignment shows Succeeded and note the exact rotation frequency and backup directory value it's pushing.
2
Run gpresult /h on the device itself
From an elevated prompt on the affected device: gpresult /h C:\Temp\gpresult.html /f. Open the report and check the Administrative Templates › System › LAPS section under Applied GPOs — this tells you definitively whether a Group Policy object is still linking LAPS settings to this device or its OU.
3
Identify the conflicting GPO
If gpresult shows a LAPS-related GPO applied, open Group Policy Management, find that GPO, and check its link scope — is it linked at the domain root, or a parent OU that also contains Intune co-managed devices? This is usually how the conflict gets introduced silently during a co-management rollout.
4
Pick one path — Microsoft's guidance is to prefer Intune CSP for cloud-managed and hybrid devices
Once you've confirmed which GPO is conflicting, disable or unlink it from the affected OU (or better, use a security filtering exclusion group for the co-managed device set so you don't affect devices that genuinely still need the GPO path). Do not delete the GPO outright if other OUs still rely on it.
5
Force a policy re-sync and confirm the next rotation timestamp updates
On the device: gpupdate /force followed by triggering an Intune sync (Company Portal › Settings › Sync, or Get-MgDeviceManagementManagedDevice + Invoke-MgSyncDeviceManagementManagedDevice). Re-run the audit script 24-48 hours later and confirm the device's PasswordExpirationDateTime has moved forward to a new value.
Warning: Do not blindly disable or unlink a Group Policy object you don't fully understand across an entire OU without testing on a pilot group first. GPOs linked to a broad OU frequently carry more than just LAPS settings bundled together — disabling the whole link to "fix LAPS" can silently remove unrelated security baselines, firewall rules, or logon script assignments for every device in that OU. Isolate the LAPS-specific setting, or test the unlink against a small pilot security group before rolling it out organisation-wide.
Tip: If you're mid-migration and genuinely need both paths active for different device populations, use security filtering on the GPO (not OU structure) to scope it precisely to the devices that still need it, and confirm the Intune CSP LAPS policy is explicitly not assigned to that same security group. Keeping the two paths cleanly partitioned by group membership avoids the conflict entirely rather than relying on OU boundaries that tend to drift over time.

Proof it worked — re-running the audit after remediation

After unlinking the conflicting GPO from the two Finance devices and forcing a policy re-sync, give it 24-48 hours for the next scheduled rotation to actually execute, then re-run the exact same script:

PowerShell 7 — .\Get-LAPSRotationCompliance.ps1 (post-remediation)
=== Connecting to Microsoft Graph ===
Connected as admin@contoso.onmicrosoft.com | Tenant: ████████-████-████-████-████████████

=== Enumerating devices ===
Pulling Entra ID device list (Get-MgDevice -All)...
Pulling Intune managed device list (Get-MgDeviceManagementManagedDevice -All)...
Found 62 Entra ID devices, 60 Intune-managed devices.

=== Evaluating LAPS rotation compliance ===

=== LAPS rotation compliance report ===
[FAIL]  SALES-DESKTOP-22       No LAPS record retrievable via Graph  |  Device offline - has not checked in for 98 days
[OK]    FIN-LAPTOP-07          rotated 2026-07-17 03:14:52
[OK]    FIN-LAPTOP-11          rotated 2026-07-17 03:16:09
[OK]    OPS-LAPTOP-04          rotated 2026-07-16 22:04:31
[OK]    IT-LAPTOP-01           rotated 2026-07-14 06:02:11
[OK]    IT-LAPTOP-02           rotated 2026-07-13 22:41:07
[OK]    ...55 more devices...           all GREEN

Summary: 60 GREEN | 0 AMBER | 1 RED (out of 61 devices checked)

Both Finance laptops now show a fresh passwordExpirationDateTime generated within hours of the forced re-sync — clear proof the CSP path is now the sole authority on those devices and rotation is genuinely executing again. The Ops laptop that was AMBER also cleared once its check-in cadence recovered. SALES-DESKTOP-22 remains RED, correctly, because it's a device-offline case rather than a policy conflict — that one needs someone to physically locate the machine, not another gpupdate.

Note: Keep the CSV export from every run. A dated compliance record showing rotation status across the fleet over time is exactly the kind of evidence an internal audit or a cyber-insurance renewal questionnaire will ask for — "prove your local admin passwords rotate" is a increasingly common control to be tested against.
💼 Need this done for you?
Not sure if your LAPS deployment is actually working?

I'll audit your fleet's rotation compliance, diagnose GPO/CSP conflicts, and get every device onto a single, working deployment path.

💬 See how I can help → 📅 Book a free call

References

Share this post
LinkedIn X / Twitter Reddit Bluesky

More from EndpointWeekly

Security
That AI Tool You Just Gave 'Read/Write All' to Entra and Intune…
A newly adopted AI ITSM platform just asked for Directory.ReadWrite.All. Most tenants…
Guides
Active Directory Domain Controller Hardening for Hybrid…
Domain Controllers are the highest-value target in your environment. This post covers…
Security
Secure Boot Certificate Update 2026: Fix Non-Compliant Devices…
3,052 devices showing 'Not Up to Date' in your Secure Boot Status Report? Here is the…