Knowledge Base

Back to support overview

Windows LAPS (Local Administrator Password Solution) integration in TeamViewer helps IT admins securely retrieve and inject local admin credentials during remote support sessions. This integration ensures elevated access without compromising security or exposing passwords. It works by connecting TeamViewer to Microsoft Entra ID and Intune, allowing password injection and optional rotation directly from within a TeamViewer session.

This article applies to all TeamViewer Tensor license holders.

Requirements

To use Windows LAPS integration:

  • The target device must:
    • Be a TeamViewer managed device running a TeamViewer version from 2025.
    • Have a Windows LAPS policy deployed.
    • Be Entra-joined or Intune-enrolled as a corporate device (BYOD is not supported).
  • The supporter must:
    • Use the TeamViewer full client on Windows.
    • Have permissions on the Entra tenant to access device credentials.
  • The integration must be enabled in the TeamViewer Admin settings on the web app.

How to set up Windows LAPS integration

Step 1: Connect TeamViewer to your Entra tenant

  1. Open the TeamViewer web app and go to Admin Settings ➜ General ➜ Integrations.
  2. Click Authorize to start the connection process.
  3. Sign in with a Microsoft account that has permission to authorize the connection.
  4. Confirm the connection on behalf of your company.

Step 2: Enable the LAPS integration connector

  1. In the same Integrations section, click Authorize under the LAPS integration.
  2. You’ll be redirected to Entra to approve permissions for the connector:
    • DeviceLocalCredential.Read.All
    • DeviceManagementManagedDevices.Read.All
    • DeviceManagementManagedDevices.PrivilegedOperations.All

      Note:       These are the permissions that supporters who use the LAPS integration will use through their TeamViewer client. A supporter’s device requests all passwords directly from your Intune tenant, ensuring they stay in your infrastructure.
  3. After authorization, return to TeamViewer and toggle the integration on or off.
  4. Optionally, enable password rotation after each session.

Step 3: Use the Windows LAPS integration during a session

  1. Connect to a Managed Device using the TeamViewer full client.
  2. Open the Windows LAPS integration from the session toolbar.
  3. Click Authorize with Entra and sign in.
  4. Once authorized, click Auto-fill password to inject the admin password into the remote device.

Security-related information

  • Passwords are injected securely as keystrokes and never pass through the TeamViewer backend.
  • The integration uses PKCE for secure token exchange.
  • All password requests are made from a supporters device to your Intune tenant. Passwords are never transferred through TeamViewer’s cloud infrastructure.