May 26, 2026 Mid-Level (3-5 years) Error Reference

Troubleshooting Windows LAPS Password Rotation Failures in Intune

Diagnose and fix Windows LAPS password rotation failures in Intune-managed environments. Covers policy conflicts, backup directory mismatches, and device state issues.

Every Desktop Engineer who manages Windows LAPS through Intune eventually hits the same wall: devices that should be rotating local admin passwords are not. The password stays stale. The device shows as non-compliant. Help desk can’t get in. And the Intune admin center shows no password data for that device at all.

Windows LAPS is a critical security control. Local admin password rotation stops lateral movement after a breach. When rotation breaks, you have a vulnerability that attackers target first. This article covers the real failure modes I have seen in production Intune LAPS deployments and the steps to fix each one.

How Intune LAPS Policy Applies to Devices

Before troubleshooting, you need the mental model. Intune LAPS policies do not create local accounts or set passwords. They manage an existing local administrator account on the device by controlling when and where its password is rotated and backed up.

The Windows LAPS Configuration Service Provider (CSP) on each device supports a single configuration per setting. That constraint is the root cause of most failures. When a device receives multiple Intune LAPS policies with conflicting settings, the CSP cannot reconcile them. The result: policy processing fails, no password backup occurs, and the admin center shows nothing.

LAPS policy also requires the correct directory type. You configure it to back up passwords to either Microsoft Entra ID or on-premises Active Directory. The backup directory must match the device’s join type. An Entra-only device that receives a policy targeting AD will apply the policy without error, but Windows LAPS cannot actually back up the password.

Policy Conflicts Are the Most Common Cause

The single most frequent failure is assigning multiple LAPS policies to the same device with overlapping or conflicting settings. This is easy to do when you have separate policies for different device groups that happen to overlap, or when user group assignments cause a device to receive policies meant for different user sessions.

Symptoms of a policy conflict:

  • The device shows “Policy not applied” or “Policy conflict” in the Intune admin center.
  • The managed local admin account section is empty for the device.
  • Event Viewer on the device shows LAPS CSP errors under Microsoft-Windows-LAPS/Operational.
  • Password rotation does not happen on the configured schedule.

To check for conflicts, open the affected device in the Intune admin center, navigate to Device configuration, and review the list of applied policies. If you see two or more LAPS policies with different password rotation periods, different backup directories, or different managed account names, you have a conflict.

The fix is to consolidate. Assign a single LAPS policy to each device through device groups, not user groups. User group assignments cause the policy to change every time a different user signs in, which can reset or interrupt the rotation schedule.

Backup Directory Mismatch

Each LAPS policy sets a backup directory: Microsoft Entra ID or Active Directory. Windows LAPS supports only one backup destination per device. If the device is Microsoft Entra joined and the policy targets on-premises Active Directory, the policy applies without producing a configuration error, but LAPS cannot complete the backup.

This is a silent failure. The device checks in, reports compliance, and shows the policy as applied. But the password is never backed up, and the admin center shows no password data.

To verify, confirm the device’s join type in the Microsoft Entra admin center under Devices > All devices. Then check the assigned LAPS policy’s backup directory setting. They must match. For Entra-joined devices, use Microsoft Entra ID. For hybrid or domain-joined devices, use Active Directory.

If you need devices in the same group to use different directories, create separate policies and assign them to separate device groups. Do not try to assign both policies to the same device.

Device Offline During Manual Rotation

When you manually rotate a LAPS password from the Intune admin center (the “Rotate local admin password” device action), the device must be online and able to check in with Intune. If the device is offline, the rotation request sits in a queue and eventually fails.

This is a common problem with remote laptops that are powered off or lack network connectivity. The admin center shows the rotation attempt as failed, and the old password remains in effect.

There is no retry mechanism for manual rotation requests. You must wait for the device to come online and resubmit the rotation. The device does not automatically pick up a failed manual rotation when it reconnects.

For scheduled rotation, set the password rotation period in the LAPS policy to match your operational requirements. The Windows LAPS agent handles scheduled rotation locally on the device and does not require Intune connectivity at the exact rotation time. It backs up the new password on the next successful check-in.

Local Account Does Not Match the Policy

Windows LAPS manages one local administrator account per device. You specify the account name in the policy. If that account does not exist on the device, the behavior depends on the Windows version.

On Windows 11 23H2 and earlier, specifying a non-existent account name has no effect and does not generate an error. The policy applies, but nothing happens. The local Administrator account is not managed, and no password is backed up. This is the original behavior and persists on devices that have not been updated.

On Windows 11 24H2 and later, the Automatic Account Management CSP setting can create and manage a local account specified in the policy. But you must enable this setting explicitly. If it is off, the same silent failure occurs.

To resolve this, either create the local administrator account on the device (manually or through a proactive remediation script) or configure the policy to use the built-in Administrator account (SID S-1-5-21-…-500). For 24H2 devices, enable Automatic Account Management in the LAPS policy to let Windows handle account creation.

Device Deleted or Disabled in Entra ID

When a device is deleted from Microsoft Entra ID, the LAPS credential tied to that device is permanently lost. The password stored in Entra ID is removed. There is no recovery path through Microsoft Entra ID. If you delete a device by accident, you must rejoin it to Entra ID, reapply LAPS policy, and wait for the initial backup cycle.

This has real operational consequences. Some organizations run automated device cleanup scripts that delete stale devices from Entra ID. If a device is still in use but simply has not checked in recently, its LAPS password becomes unrecoverable. Before running any Entra device cleanup, verify that the device is truly decommissioned.

A device in a disabled state in Entra ID also blocks LAPS. Windows LAPS requires the device to be enabled before password rotation and backup can apply. Re-enable the device before expecting LAPS to work.

Step-by-Step Troubleshooting Checklist

When a device shows no LAPS password data in the Intune admin center, work through this list in order.

  1. Check the backup directory. Verify the LAPS policy targets the correct directory (Entra ID or AD) for the device’s join type. Fix any mismatch.

  2. Review policy assignments. Open the device in Intune and check how many LAPS policies apply. If more than one, you have a conflict. Consolidate to a single policy per device through device groups.

  3. Verify the managed account name. The account specified in the policy must exist on the device. For 23H2 and earlier devices, create it manually. For 24H2, enable Automatic Account Management.

  4. Check device state in Entra ID. The device must be enabled and not marked as disabled or deleted. Re-enable or rejoin as needed.

  5. Confirm the device is online. For manual rotation attempts, the device must be connected to Intune. Use the device check-in action to force a sync, then wait 15-30 minutes before checking the admin center.

  6. Review local event logs. On the affected device, open Event Viewer and navigate to Applications and Services Logs > Microsoft > Windows > LAPS > Operational. Look for events in the 10000-20000 range. Event 10002 typically indicates a successful backup. Events 11002 or 11004 suggest configuration or connectivity failures.

  7. Check device compliance. If the device has other compliance policy violations, LAPS may not function correctly. Resolve compliance issues first, then recheck LAPS.
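As an added example (not code from the original article), the following PowerShell script runs the device-side parts of this checklist: the join type versus backup directory comparison from the Backup Directory Mismatch section, the managed account check, and the event log review, printing one report. It assumes an elevated session on the affected device, that the LAPS CSP writes its policy to the registry path named in the script (confirm on your build), and uses only the event IDs quoted in the checklist.

```powershell
# Added example, not from the original article. Run elevated on the affected device.
# Assumption: the LAPS CSP stores applied policy under this key; verify on your build.
$cspPolicyKey = 'HKLM:\SOFTWARE\Microsoft\Policies\LAPS'

function Get-DsregValue([string[]]$StatusText, [string]$Name) {
    # dsregcmd prints "Name : Value" lines; return the first matching value
    $m = $StatusText | Select-String -Pattern "^\s*$Name\s*:\s*(\S+)" | Select-Object -First 1
    if ($m) { $m.Matches[0].Groups[1].Value } else { 'UNKNOWN' }
}

$status       = dsregcmd /status
$entraJoined  = (Get-DsregValue $status 'AzureAdJoined') -eq 'YES'
$domainJoined = (Get-DsregValue $status 'DomainJoined')  -eq 'YES'
$joinType = if ($entraJoined -and -not $domainJoined) { 'Entra joined' } elseif ($domainJoined) { 'Hybrid/domain joined' } else { 'Not joined (WPJ or workgroup)' }

# Step 1: backup directory in the applied CSP policy must match the join type
$pol = Get-ItemProperty -Path $cspPolicyKey -ErrorAction SilentlyContinue
$dirNames = @{ 0 = 'Disabled'; 1 = 'Entra ID'; 2 = 'Active Directory' }
$backupDir = if ($null -eq $pol -or $null -eq $pol.BackupDirectory) { 'NOT SET (no CSP policy on device)' } else { $dirNames[[int]$pol.BackupDirectory] }
$mismatch = ($entraJoined -and -not $domainJoined -and $backupDir -eq 'Active Directory') -or ($domainJoined -and $backupDir -eq 'Entra ID')

# Step 3: the managed account must exist (empty name means the built-in Administrator, RID 500)
$accountName = if ($pol -and $pol.AdministratorAccountName) { $pol.AdministratorAccountName } else { $null }
$account = if ($accountName) { Get-LocalUser -Name $accountName -ErrorAction SilentlyContinue } else { Get-LocalUser | Where-Object { $_.SID.Value -like '*-500' } }

# Step 6: most recent success (10002) and failure (11002, 11004) events named in the checklist
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-LAPS/Operational'; Id = 10002, 11002, 11004 } -MaxEvents 10 -ErrorAction SilentlyContinue

[pscustomobject]@{
    JoinType          = $joinType
    BackupDirectory   = $backupDir
    DirectoryMismatch = $mismatch
    ManagedAccount    = if ($accountName) { $accountName } else { 'built-in Administrator' }
    AccountExists     = [bool]$account
    PasswordAgeDays   = if ($pol) { $pol.PasswordAgeDays } else { $null }
} | Format-List

$events | Select-Object TimeCreated, Id, LevelDisplayName, Message | Format-Table -Wrap

# After correcting a finding, force the device to re-process LAPS policy
# (cmdlet from the built-in Windows LAPS PowerShell module):
# Invoke-LapsPolicyProcessing
```

A DirectoryMismatch of True with AccountExists False points at the two silent failures described above; the event list then confirms whether a backup has ever succeeded on this device.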

What Windows LAPS Cannot Do

Knowing the limitations helps you set realistic expectations and avoid wasting time on unsupported scenarios.

Windows LAPS manages only one local administrator account per device. If you need multiple managed accounts, you need a third-party solution.

Workplace-joined (WPJ) devices are not supported by Intune LAPS. Only Microsoft Entra joined, hybrid joined, and domain-joined devices qualify.

Windows LAPS does not work on devices that are domain joined but also have a conflicting Group Policy setting for legacy Microsoft LAPS. If both policies are present, the conflict prevents rotation. Migrate fully from legacy LAPS to Windows LAPS before configuring Intune policies.

Manual password rotation from the Intune admin center requires the device to be online at the time of the request. There is no deferred or async rotation option.

Conclusion

Windows LAPS rotation failures in Intune almost always come from one of five causes: policy conflicts, backup directory mismatches, device state problems, missing local accounts, or device connectivity. Each has a clear diagnostic path and a fix that does not require rebuilding the device.

The most impactful changes you can make in your environment are to assign LAPS policies through device groups only, avoid multiple overlapping policies, and verify that the backup directory matches the device join type before deployment. These steps eliminate the majority of support tickets around LAPS in Intune-managed environments.
