AMA: Windows LAPS
Ask Microsoft Anything about Windows Local Administrator Password Solution (LAPS)! From policy configuration and password storage or retrieval to interacting with managed devices, we’ll be here to answer your questions.
If you’re unfamiliar, Windows LAPS is a Windows feature that automatically manages and backs up the password of a local administrator account on your Azure Active Directory-joined or Windows Server Active Directory-joined devices. Want to know more about getting started with Windows LAPS with Microsoft Entra (Azure AD) and Microsoft Intune support, which arrived in public preview on April 21, 2023? Need more details on how and where passwords are stored in on-premises Active Directory? Looking to better understand your policy management and monitoring options? We’ll do our best to answer all of your questions during this live event!
Post your questions in the Comments below. We'll have experts responding in the live stream and others in chat.
82 Comments
- MiguelOlmosMares
Copper Contributor
We currently have almost 3000 Windows 10 computers integrated to domain in different offices with different policies on Windows Updates (they could be receiving updates or not). How could you confirm massively if these computers have the necessary elements to work with the new version of LAPS? By the way, thanks a lot for this wonderful solution.
- JaySimmons
Microsoft
MiguelOlmosMares - if you are randomly looking at a Win10 machine and want to know if it got the Windows LAPS update, one quick way is to check for the existence of %windir%\system32\laps.dll.
Another approach would be to open up Event Viewer and look for the existence of the Windows LAPS event log channel, see:
hth,
Jay
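One way to run both checks from the reply above across many machines at once, as an added example that is not part of the original reply or Microsoft's tooling. It assumes PowerShell remoting is enabled on the targets and a hypothetical `computers.txt` with one computer name per line; `Microsoft-Windows-LAPS/Operational` is the Windows LAPS event log channel.

```powershell
# Added example: inventory which computers have the Windows LAPS components.
# Assumptions: WinRM/PowerShell remoting is reachable on the targets;
# computers.txt and laps-readiness.csv are hypothetical file names.
$computers = Get-Content -Path .\computers.txt | Where-Object { $_.Trim() }

$check = {
    # Check 1: laps.dll exists under %windir%\system32
    $dll = Join-Path $env:windir 'System32\laps.dll'
    # Check 2: the Windows LAPS event log channel is registered
    $channel = Get-WinEvent -ListLog 'Microsoft-Windows-LAPS/Operational' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        LapsDllPresent     = Test-Path -LiteralPath $dll
        LapsChannelPresent = [bool]$channel
        OSVersion          = [System.Environment]::OSVersion.Version.ToString()
    }
}

# Unreachable machines produce errors, not results; keep going past them.
$results = Invoke-Command -ComputerName $computers -ScriptBlock $check -ErrorAction SilentlyContinue

# Index the answers by computer name so machines that did not answer still get a row.
$byName = @{}
foreach ($r in $results) { $byName[$r.PSComputerName] = $r }

$report = foreach ($name in $computers) {
    $r = $byName[$name]
    [pscustomobject]@{
        Computer           = $name
        Reachable          = [bool]$r
        LapsDllPresent     = $r.LapsDllPresent
        LapsChannelPresent = $r.LapsChannelPresent
        OSVersion          = $r.OSVersion
    }
}

$report | Export-Csv -Path .\laps-readiness.csv -NoTypeInformation

# Machines that answered but are missing either component need the update.
$report | Where-Object { $_.Reachable -and -not ($_.LapsDllPresent -and $_.LapsChannelPresent) } |
    Format-Table -AutoSize
```

Rows with `Reachable` set to `False` were not checked at all and should be retried rather than counted as missing the update.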
- GreigMitchell
Copper Contributor
What is the best way of managing legacy LAPS and Windows LAPS for different OS versions? E.g., Server 2016 and 2012 R2.
- JaySimmons
Microsoft
Hi GreigMitchell ,
There could be multiple angles to this question. If you are referring to slicing and dicing of assigned Group Policies, there is nothing specific about Windows LAPS in that respect. If you want to make it easy, just target a different local admin account for your Windows LAPS-capable machines and assign a blanket uniform policy to all machines. As the older machines age out, the ratio of Windows LAPS-only machines will continue to climb. Just an idea.
If you are referring to monitoring, then you do need to be aware of the different attributes that new Windows LAPS is using. See:
Windows LAPS schema extensions reference
You may need to update any homegrown monitoring solutions that you were using with legacy LAPS.
Jay
- Steve_Cox
Copper Contributor
What is the URL for the feedback?
- CKenoog
Copper Contributor
Would / should Windows LAPS (possibly in connection with installed LAPS 6.2) work any different on Windows Server 2019 with the SESSION HOST-Role?
- CandoWango
Occasional Reader
We are looking to use LAPS to address our new use of Intune as our management of our Windows desktops, servers and laptops. Currently our devices have local admin accounts that were created by default during the setup that are named after the computer. Is there a way using LAPS to enable the default local admin and ensure a secure password is assigned? I am currently trying to design a PowerShell script to try to do this.
- rerhart
Copper Contributor
I have all 2016 DCs and 2016 Domain Functional Level on prem domain, along with a handful of 2016 servers, mostly 2019 servers, and Win 10/11 workstations. I won't be able to update any 2016 DCs or functional level or servers for another year or so. Would you update to the new Windows LAPS now, or wait until all servers and domain are 2019 or higher?
- Cliff_Fisher
Microsoft
I don't see any reason to delay deployment. You are already at the max DFL & you can protect the supported versions now while working to upgrade the rest.
- rerhart
Copper Contributor
Ok, thanks. Just gets somewhat confusing when hear that the new Windows LAPS is only supported on 2019 and higher.
- MRHoenig
Brass Contributor
Is the Legacy GUI for viewing LAPS passwords deprecated?
- Cliff_Fisher
Microsoft
No.
- MarkRagnar
Copper Contributor
Thank you. Can it be used to view Windows LAPS assigned passwords? As an AD attribute, I would think so.
- Andrew1355
Copper Contributor
Is this being recorded and if so, where will it be posted? Thanks
- Heather_Poulsen
Community Manager
The recording will be available immediately -- right here -- after we finish the live stream and human-generated captions will be uploaded in the next 24-48 hours.
- crysalis010
Occasional Reader
I have spent the entire day trying to manage Windows LAPS from a workstation. RSAT tools for LAPS are not easily enabled (command documented is invalid) and is frustrating. How is this going to be improved?
- Char_Cheesman
Bronze Contributor
Thanks for participating in today's session of AMA: Windows LAPS! For reference, the panel covered this topic at around 41:00.
- Cliff_Fisher
Microsoft
What version's RSAT tools are you trying to manage from?
- crysalis010
Occasional Reader
I have installed both versions of RSAT and can't tell which one is "taking precedence". The documentation on this is confusing:
https://learn.microsoft.com/en-us/windows-server/identity/laps/laps-faq
https://learn.microsoft.com/en-us/windows-server/identity/laps/laps-management-user-interface#windows-laps-snap-in-availability
The command in the second link does not work for workstations.
- MiguelOlmosMares
Copper Contributor
LAPS was implemented in an AD 2012 R2 5 years ago; however, there were some problems with the MSIs, so GPOs containing the LAPS settings were disabled. We are going to start the process of upgrading our AD from 2012 R2 to Windows Server 2022 with DFL 2016. Do I need to have any consideration about legacy LAPS or can I start a deployment as if I had never implemented it before? What are the minimum OS requirements for domain-integrated computers and servers to work with the new AD deployment in 2022?
- Cliff_Fisher
Microsoft
You should be fine to deploy as new - the policies for Windows LAPS and Legacy LAPS are completely different.
- BrianMonroe
Occasional Reader
Do we need to keep Legacy LAPS GPO policies and Legacy LAPS Client-Side Extension (CSE) software installed on all OS’s that are pre-Windows 2019?
- Char_Cheesman
Bronze Contributor
Thanks for participating in today's session of AMA: Windows LAPS! For reference, the panel covered this topic at around 31:00.
- Cliff_Fisher
Microsoft
Yes. (If you wish to continue to use LAPS on those machines...)
- BrianMonroe
Occasional Reader
Thanks Cliff. Can we use Windows LAPS GPO policies to configure the pre-Windows 2019 operating systems provided we keep the CSE software installed on those machines?