You can manage local administrator passwords using either on-premises LAPS or Windows LAPS via Intune, but not both simultaneously. It's important to properly offboard from the legacy LAPS setup before transitioning to cloud-based Windows LAPS.
🔹 Do devices need to be fully managed by Intune to use Windows LAPS?
No, they don’t. In a co-managed environment, you can selectively assign workloads between Configuration Manager and Intune. To manage Windows LAPS via Intune, you only need to shift the Configuration Policies workload to Intune. There's no requirement to move all workloads. Once this is done, Intune can successfully manage local admin password rotation and storage—even for co-managed devices.
🔹 How long does on-prem AD retain local admin passwords after decommissioning legacy LAPS?
Once the legacy LAPS infrastructure (GPO, LAPS client, and AD schema) is decommissioned:
- The stored passwords in Active Directory remain until:
  - They are manually cleared.
  - The computer object is deleted.
  - A new password rotation occurs via another system (e.g., Windows LAPS).
Without the LAPS client or GPO, no further password rotations will occur, and the stored password will become stale over time.
🕒 There is no automatic expiration of these passwords unless a custom cleanup mechanism is implemented.
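One way to build the cleanup mechanism mentioned above, as an added PowerShell example that is not part of the original post: it audits computer objects whose legacy LAPS expiration stamp (ms-Mcs-AdmPwdExpirationTime) is older than a chosen age and, only when -Clear is passed, removes the stale legacy password attributes. The RSAT ActiveDirectory module, the $StaleAfterDays / -Clear parameters and the 30-day default are this example's assumptions; the legacy schema attributes must still exist in the forest.

```powershell
# Added example: find (and optionally clear) stale legacy-LAPS passwords left in AD
# after the LAPS client and GPO were removed. Assumes the RSAT ActiveDirectory module.
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$SearchBase = (Get-ADDomain).DistinguishedName,  # assumed: whole domain
    [int]$StaleAfterDays = 30,                                # assumed default age
    [switch]$Clear                                            # without it, report only
)
Import-Module ActiveDirectory -ErrorAction Stop

# Legacy LAPS schema attributes (ms-Mcs-AdmPwd is confidential; never read or print it).
$legacyPwd    = 'ms-Mcs-AdmPwd'
$legacyExpiry = 'ms-Mcs-AdmPwdExpirationTime'

# Only objects that still carry a legacy expiration stamp are of interest.
$computers = Get-ADComputer -SearchBase $SearchBase `
    -LDAPFilter "($legacyExpiry=*)" -Properties $legacyExpiry

$cutoffUtc = (Get-Date).ToUniversalTime().AddDays(-$StaleAfterDays)

foreach ($c in $computers) {
    # The attribute is a Windows FILETIME (100 ns ticks since 1601, UTC).
    $expiresUtc = [DateTime]::FromFileTimeUtc([int64]$c.$legacyExpiry)
    $isStale    = $expiresUtc -lt $cutoffUtc

    [pscustomobject]@{
        Computer            = $c.Name
        LegacyExpiryUtc     = $expiresUtc
        DaysSinceExpiry     = [int]((Get-Date).ToUniversalTime() - $expiresUtc).TotalDays
        Stale               = $isStale
    }

    # Clearing both attributes removes the stale secret; -WhatIf previews the change.
    if ($Clear -and $isStale -and
        $PSCmdlet.ShouldProcess($c.Name, "Clear legacy LAPS password attributes")) {
        Set-ADComputer -Identity $c.DistinguishedName -Clear $legacyPwd, $legacyExpiry
    }
}
```

Run it without -Clear first to review the report; clearing requires write permission on both attributes and is independent of whether Windows LAPS has already rotated the account.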