Confusing: "Initial Windows LAPS setup happens via the Azure Portal. However, Microsoft's configuration and management preference for organizations is to use Microsoft Intune... " How would initial "WINDOWS" LAPS setup happen via Azure Portal, since you earlier said, "If using Windows LAPS, there's no dependency on Azure?"
Those seem to be contradictory statements.
There are some major assumptions and also a lack of clarity here:
1. If MS is providing this wonderful LAPS, they also seem to be trying to push Intune. We don't have Intune and might not use it.
2. Also, those of us with unmanaged devices who do not have Intune and also do not have a hybrid setup (pure Azure cloud, MS-managed DCs) are left out in the cold. Every article is written as if we either have Intune or have a hybrid setup, of which we have neither.
3. If the Azure portal piece is still in limited private preview, not available to the public, why did MS leave open the "Enable LAPS" button on Device Settings in Azure?
If it's not an open/public preview, MS should keep that button disabled.
Since we are NOT hybrid, NOT on Intune, and we are being cost-conscious, we instead are taking advantage of Group Policy by directly joining via Computer, Advanced Properties, Join a domain (Windows join, but not hybrid) instead of "School or Work, Connect to Azure AD."
But, in Microsoft's pure Azure architecture, we are not true "domain admins" and cannot extend our schema. If Microsoft wants to make this universal, THEY should extend their own DC schemas to support these wonderful new attributes; otherwise, those of us in the "Grey-Join" scenario are unable to take advantage of either Windows LAPS or Azure AD LAPS. And we do NOT want the nightmare of a hybrid environment (been there, lived it!). Again, we cannot extend the schema, which is a dependency for this to work! And our management does not want to buy into Intune (cost and other factors). And, instead of Azure AD join, we join directly to our Azure domain the old-fashioned way, so we're not hybrid and yet we're also not "Azure Registered"; we log in as "Our-Domain\Our-Username" and both Group Policy and storing BitLocker keys in AD work swimmingly. So, someone please tell Microsoft to extend their own DC AD schemas, so we fringe non-Intune, non-hybrid customers can take advantage of the LAPS features without having to re-architect our infrastructure. Thanks, from "The Grey-Join Club." 🙂