Marc_Laf
>>We used the default Administrator account in our deployment - is it possible to have the new LAPS take over this?
>>Or do you need a separate account? (I saw some tweets regarding conflicts when trying to manage the same account with both LAPS versions).
>>There's also the other aspect of requiring LoS to a DC to obtain any new GPOs to "turn off" the legacy LAPS.
>>In our case, we went to hybrid pre-covid and when everyone went home, most users don't require VPN to do their jobs so they don't bother connecting.
>>This means the only point of control left is Intune.
>>Will there be the ability to have new LAPS supersede the old one and even force the deactivation of it?
>>Or will this require us to push out a manual Uninstall of the LAPS .MSI and manually change the regkeys set by the LAPS GPO?
I understand the issue with the managed devices not having LOS to DCs. If your clients only have intermittent connectivity to DCs then I would be worried in general about any Active Directory-based LAPS solution working consistently. It might be better in that situation to transition immediately to backing up passwords to Azure AD (when available).
For the rest of your comments, it is possible to do a "rude" transition from legacy LAPS to Windows LAPS. You would do this in the on-prem AD scenario by extending the schema, modifying ACLs, then configuring the managed devices with a Windows LAPS policy that targets the default Admin account. What happens then is that Windows LAPS will take over the management of the default Admin account and start backing up its passwords to the new Windows LAPS AD attributes. The legacy LAPS GPO CSE is still installed at that point, will still wake up with every GPO refresh cycle, and will still try to rotate the password of the default Admin account per the traditional legacy LAPS password expiry algorithm. The difference when that happens is that Windows LAPS will block legacy LAPS's attempted modification of the default Admin account password. So you do get to your end goal - but you still have a defunct legacy LAPS GPO CSE installed at that point which is not happy, but isn't otherwise hurting anything. I am not an expert on how to manage remote devices with respect to MSI package uninstallation, but I would assume it's possible.
The same approach can be applied when transitioning from legacy LAPS directly to backing up passwords to Azure AD.
You had a lot of questions there, not sure I covered all of it - feel free to ping me offline.
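An added example (not from this thread or from Microsoft) of the "rude" on-prem transition described in the reply above, as a PowerShell script using the Windows LAPS module: the OU path is assumed, and the policy is written to the local configuration registry key for a lab client instead of being delivered by GPO or Intune.

```powershell
# Added example: stage the cutover from legacy LAPS to Windows LAPS (backup to on-prem AD)
# and verify it. Assumes the Windows LAPS PowerShell module is present, the session has
# Schema Admin / Domain Admin rights for steps 1-2, and the OU below exists (constructed).
$TargetOU = 'OU=Workstations,DC=corp,DC=example'   # assumption: your managed-device OU

# 1. Extend the AD schema with the Windows LAPS attributes (run once per forest).
Update-LapsADSchema -Confirm:$false

# 2. Modify ACLs: let each computer in the OU write its own Windows LAPS attributes.
Set-LapsADComputerSelfPermission -Identity $TargetOU

# 3. Windows LAPS policy as the managed device sees it. Using the local configuration
#    key here so a lab client can be tested without GPO/Intune line of sight.
$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\LAPS\Config'
New-Item -Path $PolicyKey -Force | Out-Null
Set-ItemProperty -Path $PolicyKey -Name BackupDirectory -Type DWord -Value 2   # 2 = on-prem AD
Set-ItemProperty -Path $PolicyKey -Name PasswordAgeDays -Type DWord -Value 30
# AdministratorAccountName is deliberately NOT set: when it is absent, Windows LAPS manages
# the built-in (RID 500) administrator account even if it has been renamed.

# 4. Force a policy pass on this client and confirm the password landed in the new attributes.
Invoke-LapsPolicyProcessing
Get-LapsADPassword -Identity $env:COMPUTERNAME | Format-List   # Password stays a SecureString

# 5. Detect the leftover legacy CSE policy the reply calls "not happy": its GPO-written key
#    persists until the legacy MSI is uninstalled or the key is removed.
$LegacyKey = 'HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd'
if (Test-Path $LegacyKey) {
    Write-Warning "Legacy LAPS policy still present at $LegacyKey; Windows LAPS now owns the account."
}
```

Steps 1 and 2 run once from an administrative workstation; steps 3 to 5 run on the managed client being migrated.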