AMA: Windows LAPS
Event details
Ask Microsoft Anything: Windows LAPS starts tomorrow, May 31st at 10:30 AM PT! Help us get started with questions and post them here in the Comments.
- clshores, May 31, 2023, Copper Contributor
Implemented today and there seems to be a disconnect between AAD and Intune when I do a manual password rotation. The audit log shows new password success, and the Intune Local Admin password date and time match the audit log, while the device action status stays on Pending. It has been 3 hours since it went pending. I'm happy to report the rotation worked. 🙂
- CKenoog, May 31, 2023, Copper Contributor
I would like to keep LAPS 6 (which is installed as a separate MSI-installed application) working as-is after installing the 2023-04 or 2023-05 Security Updates on a Windows system (Server or Client) that already has LAPS 6 installed on it.
Is "disabling the legacy Microsoft LAPS Emulation mode" the right way for this scenario, or is there another/better way?
If that is the right way, then I would like to know more about the options for disabling the legacy Microsoft LAPS Emulation mode.
I have the following questions regarding this:
At https://learn.microsoft.com/en-us/windows-server/identity/laps/laps-scenarios-legacy#disabling-legacy-microsoft-laps-emulation-mode
it says "To prevent this you can disable legacy Microsoft LAPS emulation mode by creating a REG_DWORD registry value named BackupDirectory under the HKLM\Software\Microsoft\Windows\CurrentVersion\LAPS\Config key and set it to the value zero (0)".
In other documentation, https://learn.microsoft.com/en-us/windows-server/identity/laps/laps-management-policy-settings, it says "If not specified, this setting defaults to 0 (Disabled)."
To me this begs the question: Is there a difference between specifically creating the BackupDirectory REG_DWORD registry value and setting it to value 0 (as advised on the first web page) vs. not creating the BackupDirectory REG_DWORD registry value at all?
- If there is no difference, my reasoning would be that Windows LAPS would therefore by default be running with the legacy Microsoft LAPS Emulation mode disabled - correct?
- If there is a difference, would it be possible to create the BackupDirectory REG_DWORD registry value and set it to value 0 even before installing the 2023-04 or 2023-05 Security Updates (which include Windows LAPS), with the intention of causing Windows LAPS to pick up and honor that setting from the instant it gets enabled on a Windows system (Server or Client)?
Another question: How can one tell/detect that Windows LAPS is running with the legacy Microsoft LAPS Emulation mode disabled on a given Windows system (Server or Client) - only by checking the above-mentioned Registry Key?
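One way to answer the "how can one tell" part of the question above on a given host, as an added example that is not from the AMA panel or from Microsoft: it reads the BackupDirectory value under the Config key the docs name, checks for the legacy LAPS CSE binary, and distinguishes "value absent" from "explicitly 0". The AdmPwd.dll path and the text filter on the Windows LAPS operational log are assumptions, not values from the page.

```powershell
# Added example (not Microsoft's code). Run in an elevated PowerShell on the
# Windows client/server being checked. Read-only: nothing is changed.
$configKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\LAPS\Config'  # key quoted in the docs
$legacyCse = Join-Path $env:ProgramFiles 'LAPS\CSE\AdmPwd.dll'             # assumed legacy LAPS 6 CSE path

$report = [ordered]@{
    LegacyLapsCsePresent = Test-Path -LiteralPath $legacyCse
    ConfigKeyExists      = Test-Path -LiteralPath $configKey
    BackupDirectory      = $null      # stays $null when the value does not exist
    EmulationModeState   = 'Unknown'
}

if ($report.ConfigKeyExists) {
    $item = Get-ItemProperty -LiteralPath $configKey -Name BackupDirectory -ErrorAction SilentlyContinue
    if ($null -ne $item) { $report.BackupDirectory = [int]$item.BackupDirectory }
}

# Interpretation follows the two doc statements quoted in the question:
#   absent -> defaults to 0 (Disabled) but is not explicitly pinned by an admin
#   0      -> explicitly disabled
#   other  -> a Windows LAPS backup target is configured, so Windows LAPS is managing the account
if ($null -eq $report.BackupDirectory) {
    $report.EmulationModeState = 'BackupDirectory absent: documented default is 0 (Disabled), not explicitly set'
} elseif ($report.BackupDirectory -eq 0) {
    $report.EmulationModeState = 'BackupDirectory = 0: legacy emulation mode explicitly disabled'
} else {
    $report.EmulationModeState = "BackupDirectory = $($report.BackupDirectory): Windows LAPS backup configured"
}

[pscustomobject]$report | Format-List

# Corroborate from the Windows LAPS operational log (channel name per Event Viewer,
# Microsoft > Windows > LAPS > Operational). The 'emulation' text match is an assumption;
# adjust it to the event IDs your build actually logs.
Get-WinEvent -LogName 'Microsoft-Windows-LAPS/Operational' -MaxEvents 200 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'emulation' } |
    Select-Object -First 5 TimeCreated, Id, Message |
    Format-Table -Wrap
```

Running the same script on a host before and after installing the 2023-04/2023-05 update gives a direct before/after comparison of whether the value you pre-created survives and is honored.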
- Char_Cheesman, May 31, 2023, Bronze Contributor
Thanks for participating in today's session of AMA: Windows LAPS! For reference, the panel covered this topic at around 18:00.
- Matte210, May 31, 2023, Occasional Reader
I implemented Windows LAPS with apps backed up to Azure AD. Yesterday a PC lost trust with the domain and I can't trace the passwords in either Azure or Intune.
- samuel4012, May 31, 2023, Occasional Reader
Hello. If the Post Authentication Action to change the password failed, because there was a lack of connection for example, it seems it will not be retried. Is this normal and, if not, will it be fixed?
- Char_Cheesman, May 31, 2023, Bronze Contributor
Thanks for participating in today's session of AMA: Windows LAPS! For reference, the panel covered this topic at around 20:00.
- samuel4012, Jun 01, 2023, Occasional Reader
Sorry, my question lacked some context. Tests were done on LAPS in AAD; it still handles regular password rotation. But if we use the password on a device (we enabled password rotation with Post Authentication Action), and the computer is switched off at the time it should rotate the password because of the Post Authentication Action, it will try at the next boot ASAP. I had the same issue each time, with an error rotating the password for the reason "LAPS was unable to authenticate to Azure using the device identity", and it will not retry later, so the password will be changed on the next "normal" Password Expiration, so maybe some days later. The question is: when the Post Authentication Action failed to rotate the password, why is it not retrying at a later time? Maybe it is our configuration that may block something, but I tested it internally and from home (standard internet line), and saw the same behavior in both cases. If the computer is powered on and I am logged on when the Post Authentication Action time is reached, then it succeeds in changing the password. I hope it is clearer now.
- Josh_Montoya, May 30, 2023, Copper Contributor
When will Windows LAPS support deployment to Server 2012 R2 or Server 2016? Are these server OS versions on the roadmap?
- Char_Cheesman, May 31, 2023, Bronze Contributor
Thanks for participating in today's session of AMA: Windows LAPS! For reference, the panel covered this topic at around 08:00.
- Cliff_Fisher, May 31, 2023, Microsoft
Windows LAPS will not support 2012 R2 or 2016; those OSes are out of mainstream support and do not receive new features. The best way to enjoy Windows LAPS is to upgrade to in-market supported OSes (Server 2019 and up, Windows 11, and supported versions of Windows 10).