AMA: Windows LAPS
Event details
Ask Microsoft Anything: Windows LAPS starts tomorrow, May 31st at 10:30 AM PT! Help us get started with questions and post them here in the Comments.
I would like to keep LAPS 6 (which is installed as a separate MSI-installed application) working as-is after installing the 2023-04 or 2023-05 Security Updates on a Windows system (Server or Client) that already has LAPS 6 installed on it.
Is "disabling the legacy Microsoft LAPS Emulation mode" the right way for this scenario, or is there another/better way?
If that would be the right way then I would like to know more about the options on how to disable the legacy Microsoft LAPS Emulation mode.
I have got the following questions regarding this:
At https://learn.microsoft.com/en-us/windows-server/identity/laps/laps-scenarios-legacy#disabling-legacy-microsoft-laps-emulation-mode
it says "To prevent this you can disable legacy Microsoft LAPS emulation mode by creating a REG_DWORD registry value named BackupDirectory under the HKLM\Software\Microsoft\Windows\CurrentVersion\LAPS\Config key and set it to the value zero (0)".
In another documentation, https://learn.microsoft.com/en-us/windows-server/identity/laps/laps-management-policy-settings it says "If not specified, this setting defaults to 0 (Disabled)."
To me this begs the question: Is there a difference between specifically creating the BackupDirectory REG_DWORD registry value and setting it to value 0 (as advised in the first web page) vs. not creating the BackupDirectory REG_DWORD registry value at all?
- If there is no difference, my reasoning would be that Windows LAPS would therefore by default be running with disabled legacy Microsoft LAPS Emulation mode - correct?
- If there is a difference, would it be possible to create the BackupDirectory REG_DWORD registry value and set it to value 0 even before installing the 2023-04 or 2023-05 Security Updates (which include Windows LAPS) with the intention of causing Windows LAPS to pick up and honor that setting from the instant it gets enabled on a Windows system (Server or Client)?
Another question: How can one tell/detect that Windows LAPS is running with disabled legacy Microsoft LAPS Emulation mode on a given Windows system (Server or Client) - only by checking the above-mentioned Registry Key?
- Char_Cheesman, May 31, 2023, Bronze Contributor
Thanks for participating in today's session of AMA: Windows LAPS! For reference, the panel covered this topic at around 18:00.
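
For the registry check raised in the question, an added example (not from the thread or from Microsoft) that reports whether `BackupDirectory` is absent or explicitly set under each LAPS policy root. The `Config` key is the one quoted above; the other three root paths and the top-down precedence are taken from Microsoft's Windows LAPS policy settings documentation, and `Get-LapsRootState` is a hypothetical helper name.

```powershell
# Added example. Roots are listed in the precedence order Windows LAPS uses
# (per Microsoft's policy settings documentation, not this thread).
$roots = [ordered]@{
    CSP         = 'HKLM:\Software\Microsoft\Policies\LAPS'
    GroupPolicy = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\LAPS'
    LocalConfig = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\LAPS\Config'
    LegacyLAPS  = 'HKLM:\Software\Policies\Microsoft Services\AdmPwd'
}

function Get-LapsRootState {
    param([string]$Name, [string]$Path)
    # A missing key and a key with no values are both treated as "no settings"
    # (assumption: an empty key does not count as an applied policy).
    $key = Get-Item -LiteralPath $Path -ErrorAction SilentlyContinue
    $hasSettings = [bool]($key -and $key.ValueCount -gt 0)
    $backupDir = '<absent>'
    if ($hasSettings -and ($key.GetValueNames() -contains 'BackupDirectory')) {
        # Distinguishes an explicit 0 from a value that was never created.
        $backupDir = $key.GetValue('BackupDirectory')
    }
    [pscustomobject]@{
        Root            = $Name
        HasSettings     = $hasSettings
        BackupDirectory = $backupDir
        Path            = $Path
    }
}

$state = foreach ($r in $roots.GetEnumerator()) {
    Get-LapsRootState -Name $r.Key -Path $r.Value
}
$state | Format-Table -AutoSize

# The first root that has at least one setting is the one Windows LAPS uses.
$active = $state | Where-Object HasSettings | Select-Object -First 1
if (-not $active) {
    'No LAPS policy root has any settings.'
} elseif ($active.Root -eq 'LegacyLAPS') {
    'Only legacy Microsoft LAPS policy is present; no Windows LAPS root precedes it.'
} else {
    "Active root: $($active.Root); BackupDirectory = $($active.BackupDirectory)"
}
```

Run it from an elevated PowerShell session on the machine being checked; it only reads the registry.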