AMA: Windows LAPS

Event Ended
Wednesday, May 31, 2023, 10:30 AM PDT
Online

Event details

Ask Microsoft Anything about Windows Local Administrator Password Solution (LAPS)! From policy configuration and password storage or retrieval to interacting with managed devices, we’ll be here to answer your questions.

If you’re unfamiliar, Windows LAPS is a Windows feature that automatically manages and backs up the password of a local administrator account on your Azure Active Directory-joined or Windows Server Active Directory-joined devices. Want to know more about getting started with Windows LAPS with Microsoft Entra (Azure AD) and Microsoft Intune support, which arrived in public preview on April 21, 2023? Need more details on how and where passwords are stored in on-premises Active Directory? Looking to better understand your policy management and monitoring options? We’ll do our best to answer all of your questions during this live event!

Post your questions in the Comments below. We'll have experts responding in the live stream and others in chat.

Heather_Poulsen
Updated Dec 27, 2024

82 Comments

  • rrenstrom
    Brass Contributor

    For reading the LAPS stored passwords from Intune, will there be an Intune Role Based Access Control that can be assigned to administrators in scope tag groups, to support a distributed IT model in a tenant, allowing regional admins to retrieve the passwords just for the devices in their scope? I understand Azure AD administrative units would be one way to handle this, but it would be great if Intune scope tags could offer similar functionality.

  • Just wanted to drop by to see/hear Jay talking about LAPS :P... as he already answered my weird questions earlier on ... So please say hi for me to Jay 🙂
  • Char_Cheesman
    Bronze Contributor

    Ask Microsoft Anything: Windows LAPS starts tomorrow, May 31st at 10:30 AM PT! Help us get started with questions and post them here in the Comments.

    • clshores
      Copper Contributor
      Implemented today and there seems to be a disconnect between AAD and Intune when I do a manual password rotation. Audit log shows new password success, Intune Local Admin password date and time match the audit log while the device action status stays on Pending. It has been 3 hours since it went pending. I'm happy to report the rotate worked. 🙂
    • CKenoog
      Copper Contributor

      I would like to keep LAPS 6 (which is installed as a separate MSI-installed application) working as-is after installing the 2023-04 or 2023-05 Security Updates on a Windows system (Server or Client) that already has LAPS 6 installed on it.

      Is "disabling the legacy Microsoft LAPS Emulation mode" the right way for this scenario, or is there another/better way?

      If that would be the right way then I would like to know more about the options on how to disable the legacy Microsoft LAPS Emulation mode.

      I have got the following questions regarding this:
      At https://learn.microsoft.com/en-us/windows-server/identity/laps/laps-scenarios-legacy#disabling-legacy-microsoft-laps-emulation-mode
      it says "To prevent this you can disable legacy Microsoft LAPS emulation mode by creating a REG_DWORD registry value named BackupDirectory under the HKLM\Software\Microsoft\Windows\CurrentVersion\LAPS\Config key and set it to the value zero (0)".
      In another documentation, https://learn.microsoft.com/en-us/windows-server/identity/laps/laps-management-policy-settings it says "If not specified, this setting defaults to 0 (Disabled)."

         To me this begs the question: Is there a difference between specifically creating the BackupDirectory REG_DWORD registry value and setting it to value 0 (as advised in the first web page) vs. not creating the BackupDirectory REG_DWORD registry value at all?

      • If there is no difference, my reasoning would be that Windows LAPS would therefore by default be running with disabled legacy Microsoft LAPS Emulation mode - correct?
      • If there is a difference, would it be possible to create the BackupDirectory REG_DWORD registry value and set it to value 0 even before installing the 2023-04 or 2023-05 Security Updates (which include Windows LAPS) with the intention of causing Windows LAPS to pick up and honor that setting from the instant it gets enabled on a Windows system (Server or Client)?

      Another question: How can one tell/detect that Windows LAPS is running with disabled legacy Microsoft LAPS Emulation mode on a given Windows system (Server or Client) - only by checking the above-mentioned Registry Key?

      • Char_Cheesman
        Bronze Contributor

        Thanks for participating in today's session of AMA: Windows LAPS! For reference, the panel covered this topic at around 18:00.
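To make the "value absent" versus "value explicitly 0" distinction in CKenoog's question above concrete, here is an added PowerShell check; it is not code from the AMA or from Microsoft. It assumes the Config key path quoted in the question, that a policy-delivered copy of the setting lives under HKLM\Software\Microsoft\Policies\LAPS (an assumption, not quoted on the page), and the documented meanings 1 = Azure AD and 2 = Windows Server AD for the other values.

```powershell
# Added example (not from the page or from Microsoft): report how BackupDirectory
# is set, separating "absent" from "explicitly 0", and show whether a policy key
# (assumed path) would override the local Config key. Run elevated.
function Get-LapsBackupDirectoryState {
    param(
        [string]$ConfigKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\LAPS\Config',
        [string]$PolicyKey = 'HKLM:\Software\Microsoft\Policies\LAPS'   # assumption
    )
    $valueName = 'BackupDirectory'
    $meaningOf = @{ 0 = 'Disabled (no backup; legacy emulation mode off)'
                    1 = 'Azure AD'; 2 = 'Windows Server AD' }

    function Read-Value([string]$Key) {
        if (-not (Test-Path -Path $Key)) { return 'key absent' }
        $item = Get-ItemProperty -Path $Key -Name $valueName -ErrorAction SilentlyContinue
        if ($null -eq $item) { return 'value absent' }
        return [int]$item.$valueName
    }

    $local  = Read-Value $ConfigKey
    $policy = Read-Value $PolicyKey
    # Policy wins when present; otherwise the local Config key applies; when
    # neither sets the value, the docs say it defaults to 0 (Disabled).
    $effective = if ($policy -is [int]) { $policy } elseif ($local -is [int]) { $local } else { 0 }
    $source    = if ($policy -is [int]) { 'policy key' } elseif ($local -is [int]) { 'local Config key' } else { 'documented default' }

    [pscustomobject]@{
        LocalConfigValue = $local
        PolicyValue      = $policy
        EffectiveValue   = $effective
        Source           = $source
        Meaning          = if ($meaningOf.ContainsKey($effective)) { $meaningOf[$effective] } else { 'unexpected value' }
    }
}

Get-LapsBackupDirectoryState | Format-List
```

An explicit 0 and an absent value both resolve to Disabled here, which is the behaviour the two documentation pages quoted in the question describe; the output also tells you which key that result came from.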

    • Matte210
      Occasional Reader
      I implemented Windows LAPS with apps backed up to Azure AD. Yesterday a PC lost trust with the domain and I can't trace the passwords on both Azure and Intune.
Date and Time
May 31, 2023, 10:30 AM - 11:30 AM PDT