How to Deploy Windows LAPS via Local GPO using LGPO.exe (No Intune, No AD)
Updated On: May. 19, 2025 Author: Kevin

Microsoft's Local Administrator Password Solution (LAPS) is now built into modern versions of Windows and can be configured to store local admin passwords securely in Microsoft Entra ID (formerly Azure AD). If you're managing Azure AD-joined devices without Intune or on-prem Active Directory, you can still fully automate LAPS deployment using LGPO.exe.

✅ What You Need

🌐 Step 0: Enable LAPS in Microsoft Entra

Before deploying LAPS to any devices, make sure it's turned on in your tenant:

  1. Go to the Microsoft Entra Admin Center
  2. Navigate to Devices > Device Settings
  3. Set Enable Azure AD Local Administrator Password Solution (LAPS) to Yes

🔧 Step 1: Configure a Golden Machine

On one machine, open gpedit.msc and configure the LAPS policy. Note: Exporting with LGPO.exe will include all local Group Policy settings on that machine. It’s highly recommended to create and manage a clean “baseline” device for this purpose. If you're unfamiliar with how Group Policy works or what else may be included, proceed with caution.

  • Go to Computer Configuration > Administrative Templates > System > LAPS
  • Enable "Configure password backup directory" and set it to Azure Active Directory
  • Enable "Name of administrator account to manage" (e.g., "tphqadmin")
  • Enable "Password settings" (set password length, age, complexity)

📤 Step 2: Export Local GPO with LGPO.exe

Open Command Prompt as Administrator and run:

LGPO.exe /b C:\Tools\LAPS-GPO-Backup

This exports all local GPOs (including your LAPS config) into LAPS-GPO-Backup.
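Because the export captures every local policy on the golden machine, it is worth auditing the backup before it goes to any client. The following PowerShell script is an added example (not part of the original post or the LGPO tool): it runs LGPO.exe /parse over each registry.pol in the backup, lists the LAPS settings it finds, and fails if anything outside the Windows LAPS policy key would be deployed too. It assumes LGPO.exe sits in the current folder, the backup path from Step 2, and the GPMC-style folder layout that LGPO.exe /b produces.

```powershell
# Added example, not part of the original post: audit an LGPO backup before pushing it
# to clients, so unrelated policy from the golden machine is caught early.
# Assumptions: LGPO.exe is in the current folder, and the backup was made with "LGPO.exe /b",
# which writes <backup>\{GUID}\DomainSysvol\GPO\Machine\registry.pol (GPMC backup layout).
param(
    [string]$BackupRoot = 'C:\Tools\LAPS-GPO-Backup',
    [string]$Lgpo       = '.\LGPO.exe'
)
$LapsKey = 'Software\Microsoft\Policies\LAPS'   # Windows LAPS policy registry key
$entries = [System.Collections.Generic.List[object]]::new()

$polFiles = Get-ChildItem -Path $BackupRoot -Recurse -Filter 'registry.pol' -File
if (-not $polFiles) { throw "No registry.pol found under $BackupRoot" }

foreach ($pol in $polFiles) {
    # /m parses machine policy, /u per-user policy
    $scope = if ($pol.DirectoryName -match '\\Machine$') { '/m' } else { '/u' }
    # LGPO /parse prints one record per setting (scope, key, value name, "TYPE:data"), blank-line separated, ';' comments
    $text  = & $Lgpo /parse $scope $pol.FullName 2>&1 | Out-String
    $lines = @(($text -split '\r?\n') | Where-Object { $_ -notmatch '^\s*;' })
    $buf   = @()
    foreach ($line in ($lines + '')) {          # trailing '' flushes the last record
        if ($line.Trim() -ne '') { $buf += $line; continue }
        if ($buf.Count -ge 4) {
            $entries.Add([pscustomobject]@{
                Scope = $buf[0]; Key = $buf[1]; Value = $buf[2]; Data = $buf[3]
                IsLaps = ($buf[1] -ieq $LapsKey)
            })
        }
        $buf = @()
    }
}

$laps    = $entries | Where-Object IsLaps
$foreign = $entries | Where-Object { -not $_.IsLaps }

"LAPS settings found in backup:"
$laps | Format-Table Value, Data -AutoSize | Out-String

# Sanity checks on the settings the post configures: backup target Azure AD (DWORD:1) and a managed account name
$backupDir = ($laps | Where-Object Value -eq 'BackupDirectory').Data
if ($backupDir -ne 'DWORD:1') { Write-Warning "BackupDirectory is '$backupDir', expected DWORD:1 (Azure AD)" }
if (-not ($laps | Where-Object Value -eq 'AdministratorAccountName')) { Write-Warning 'No managed account name set' }

if ($foreign) {
    Write-Warning "$(@($foreign).Count) non-LAPS setting(s) would be deployed too; re-export from a clean baseline:"
    $foreign | Format-Table Scope, Key, Value, Data -AutoSize | Out-String
    exit 1
}
"Backup contains only LAPS policy settings."
```

Run it from the folder holding LGPO.exe after Step 2; a non-zero exit means the backup needs to be redone on a cleaner baseline.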

📥 Step 3: Prepare Deployment Package

Create a folder with the following structure:

LAPSDeploy\
├── LGPO.exe
├── LAPS-GPO-Backup\
└── deploy-laps.cmd

deploy-laps.cmd contents:

@echo off
rem Run from the folder this script was extracted to, whatever the drive or path
cd /d %~dp0
rem Import the exported local GPO backup (including the LAPS settings) into this machine's local policy
LGPO.exe /g "%~dp0LAPS-GPO-Backup"
rem Reboot so LAPS initializes with the new policy at startup
shutdown /r /t 5 /f

📦 Step 4: Deploy Using MeshCentral or Your RMM

You can run this deployment process using any remote admin tool that gives you system-level access — whether that’s:

  • Your favorite RMM platform
  • Remote PowerShell
  • Manual logins or scripts
  • In our case: we’re using MeshCentral for direct remote terminal and file access

From MeshCentral:

  1. Upload the LAPSDeploy.zip to the target machine
  2. In the terminal, extract it:
    powershell -Command "Expand-Archive -Path C:\Users\Public\Desktop\LAPSDeploy.zip -DestinationPath C:\LAPSDeploy"
  3. Run the deployment script:
    C:\LAPSDeploy\deploy-laps.cmd

🧪 Step 5: Verify LAPS is Working

After the system reboots, open a remote PowerShell session (or reconnect via the terminal) and run the following to test password rotation:

Reset-LapsPassword -Verbose

If this command fails with an error like E_INVALIDDOMAINSTATE, LAPS is not properly configured or hasn’t been initialized at boot.

To retrieve the local admin password, go to:

Microsoft Entra Admin Center > Devices > [Device Name] > Local Administrator Password Recovery

🧠 Notes

  • This method avoids Intune, making it ideal for cost-conscious or hybrid environments
  • Use a clean VM for the golden image to avoid including unrelated GPO settings
  • You can script this further for automation across your client base

✅ Download the Toolkit

Download: LAPSDeploy.zip (includes LGPO.exe, LAPS GPO backup, and deployment script)

If you’re an MSP looking to standardize LAPS securely without Intune or domain overhead, this process is light, repeatable, and powerful. Let us know if you’d like a custom version of the kit tailored to your environment.