Rotate local admin password for Windows

The Rotate Local Admin Password remote action in Hexnode forces an immediate password change for local administrator accounts on Windows devices. This action is critical for security incidents—such as when a password is exposed or shared—allowing IT admins to secure the account instantly without waiting for the next scheduled rotation defined in the Hexnode LAPS policy.

How to Rotate the Password

Follow these steps to trigger an immediate password rotation:

1. Log in to the Hexnode UEM console.
2. Navigate to Manage > Devices.
3. Select the target Windows device.
4. Click Actions > Security > Rotate Local Admin password.
5. In the confirmation dialog, click Rotate.

How to Retrieve the New Password

Once the action is executed, the new password is securely stored in the console:

1. Navigate to the Device Details page of the target device.
2. Go to Local Accounts > LAPS.
3. Locate the specific admin account.
4. Click the password reveal icon (eye icon) in the Password column to view the credentials.

FAQs

Does the Rotate Local Admin Password action affect the automatic rotation schedule in LAPS policy?

Yes. Executing this action resets the rotation timer.

Example: If your LAPS policy is set to rotate every 2 days, and you manually trigger a rotation today, the next automatic rotation will occur 2 days from today, rather than the original schedule.

What is the difference between the Rotate Local Admin action and LAPS Policy?

Hexnode LAPS Policy: Defines the configuration and manages all aspects of local admin passwords (password complexity, managed accounts) and the automatic rotation schedule (e.g., every 30 days).

Rotate Local Admin password remote action: An on-demand command that overrides the schedule to change the password immediately using the settings defined in the Hexnode LAPs policy.