Hi briangw
>> I saw your posts on Reddit saying that Windows LAPS can work with 2016 DCs.
>> Our environment is currently on 2016 and we set up (legacy) LAPS years ago.
>> So, we have the schema updated from before, but the current update schema command does not work, I am guessing because of trying this on the 2016 DCs.
You can still deploy Windows LAPS if all of your DCs are 2016. I am still working on making this explanation more succinct (and getting it into the docs), but here is my current summary:
- If you are below 2016 DFL, you cannot enable Windows LAPS password encryption.
- If you are at 2016 DFL but are still running some or all WS2016 DCs, those WS2016 DCs do not have Windows LAPS and cannot use the DSRM-password mgmt feature.
- Other clients (Windows 11, Windows 10, Server 2022 and Server 2019, acting as LAPS clients not DCs) will interop just fine with WS2016 DCs when storing new LAPS passwords.
>> But I figure we need something updated so that this will show up in AD. So, how do we go about getting this to work so that it will show up?
I assume you are referring to the need to update your schema with the new Windows LAPS attributes. You will have to run the Update-LapsADSchema attribute from a domain-joined 2019 or higher client with the Windows LAPS update (or temporarily promote a 2019 or higher DC into your domain, if schema extensions are required by policy to be done only from a DC).
Jay
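As an added pre-flight check (example code written for this page, not from the thread or from Microsoft), the following script applies the three rules above before a Windows LAPS rollout into a domain that still has WS2016 DCs: it reads the domain functional level, lists any WS2016 DCs, confirms the Windows LAPS module is present on the machine you are running from, and checks whether the new schema attributes already exist before calling Update-LapsADSchema. It assumes the ActiveDirectory RSAT module and the Windows LAPS update are installed on a domain-joined Windows Server 2019+ or Windows 10/11 machine, and that the account is a Schema Admin when the update is actually run.

```powershell
# Pre-flight for Windows LAPS with WS2016 DCs. Example code, not from the original thread.
# Assumes: ActiveDirectory RSAT module, Windows LAPS update (the 'LAPS' module), domain-joined
# 2019+ client or Windows 10/11, and Schema Admins membership if -DoSchemaUpdate is used.
param([switch]$DoSchemaUpdate)

Import-Module ActiveDirectory -ErrorAction Stop

$domain = Get-ADDomain
$dcs    = Get-ADDomainController -Filter * | Select-Object HostName, OperatingSystem

# Rule 1: password encryption (and the DSRM feature) needs at least 2016 DFL.
$dfl2016 = [int][Microsoft.ActiveDirectory.Management.ADDomainMode]::Windows2016Domain
$dflOk   = [int]$domain.DomainMode -ge $dfl2016
Write-Host ("Domain functional level: {0} -> encryption {1}" -f $domain.DomainMode,
    $(if ($dflOk) { 'can be enabled' } else { 'must stay OFF (below 2016 DFL)' }))

# Rule 2: WS2016 DCs have no Windows LAPS and cannot use DSRM password management.
$ws2016Dcs = $dcs | Where-Object { $_.OperatingSystem -like '*2016*' }
if ($ws2016Dcs) {
    Write-Host "WS2016 DCs (no DSRM password management on these):"
    $ws2016Dcs | ForEach-Object { Write-Host ("  {0}" -f $_.HostName) }
}

# Rule 3: Update-LapsADSchema must run from a machine that has the Windows LAPS module.
$lapsModule = Get-Module -ListAvailable -Name LAPS
if (-not $lapsModule) {
    Write-Warning "Windows LAPS module not found here; run this from a 2019+ client with the LAPS update."
    return
}

# Has the schema already been extended? Check for one of the new msLAPS-* attributes.
$schemaNC  = (Get-ADRootDSE).schemaNamingContext
$lapsAttr  = Get-ADObject -SearchBase $schemaNC -LDAPFilter '(lDAPDisplayName=msLAPS-Password)'
if ($lapsAttr) {
    Write-Host "Schema already contains msLAPS-Password; no schema update needed."
} elseif ($DoSchemaUpdate) {
    # Extends the schema with the Windows LAPS attributes; WS2016 DCs accept the change
    # because the extension is issued from this client, not from a DC.
    Update-LapsADSchema -Verbose
} else {
    Write-Host "Schema not yet extended for Windows LAPS; re-run with -DoSchemaUpdate as a Schema Admin."
}
```

Run it first without -DoSchemaUpdate to see the state of the domain, then with the switch from a Schema Admins account to perform the one-time extension.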