AMA: Windows LAPS
Event Ended
Wednesday, May 31, 2023, 10:30 AM PDT
Ask Microsoft Anything about Windows Local Administrator Password Solution (LAPS)! From policy configuration and password storage or retrieval to interacting with managed devices, we’ll be here to an...
Heather_Poulsen
Updated Dec 27, 2024
rerhart
May 31, 2023
Copper Contributor
I have all 2016 DCs and 2016 Domain Functional Level on prem domain, along with a handful of 2016 servers, mostly 2019 servers, and Win 10/11 workstations. I won't be able to update any 2016 DCs or functional level or servers for another year or so. Would you update to the new Windows LAPS now, or wait until all servers and domain are 2019 or higher?
Cliff_Fisher
Microsoft
May 31, 2023
I don't see any reason to delay deployment. You are already at the max DFL & you can protect the supported versions now while working to upgrade the rest.
- rerhart
May 31, 2023
Copper Contributor
Ok, thanks. Just gets somewhat confusing when you hear that the new Windows LAPS is only supported on 2019 and higher.
- JaySimmons
May 31, 2023
Microsoft
rerhart sorry for that confusion. Not sure how that meme got started, but it is a complicated topic to explain.
Just to add on to Cliff's reply, you might also take a look at this topic:
Domain functional level and domain controller OS version requirements
...where I've tried to make the various tradeoffs clear.
thx,
Jay
- rerhart
May 31, 2023
Copper Contributor
Great, thanks Jay. So, I can successfully enable and configure the new Windows LAPS in my 2016 functional domain with 2016 Domain Controllers (and Windows 10 & 11 workstations), but I CANNOT: 1. Use DSRM with it. 2. Use new Windows LAPS on any 2016 and older non-DC servers...(but can use the old Microsoft LAPS on those old servers.)