AMA: Windows LAPS
Event details
Ask Microsoft Anything about Windows Local Administrator Password Solution (LAPS)! From policy configuration and password storage or retrieval to interacting with managed devices, we’ll be here to answer your questions.
If you’re unfamiliar, Windows LAPS is a Windows feature that automatically manages and backs up the password of a local administrator account on your Azure Active Directory-joined or Windows Server Active Directory-joined devices. Want to know more about getting started with Windows LAPS with Microsoft Entra (Azure AD) and Microsoft Intune support, which arrived in public preview on April 21, 2023? Need more details on how and where passwords are stored in on-premises Active Directory? Looking to better understand your policy management and monitoring options? We’ll do our best to answer all of your questions during this live event!
Post your questions in the Comments below. We'll have experts responding in the live stream and others in chat.
82 Comments
- SigurdWerner (Iron Contributor)
So, did I get that right: Windows LAPS will rotate passwords on disabled Local Administrator accounts?
- SigurdWerner (Iron Contributor)
\o/
- Char_Cheesman (Bronze Contributor)
Thanks for participating in today's session of AMA: Windows LAPS! For reference, the panel covered this topic at around 30:00.
- JaySimmons (Microsoft)
In addition to my live response during the AMA, I wanted to add that legacy LAPS would also rotate passwords on disabled Admin accounts, so it's not really a big deal imo.
- Zeddoo (Copper Contributor)
Since creating a new admin account is what was recommended, what's a clean way to create an admin account via Intune? To add more context, our environment is Azure AD-joined and machines are built with only a standard user account with the built-in admin account disabled. I would like to bring in LAPS so that there's a local admin account on these machines.
- Char_Cheesman (Bronze Contributor)
Thanks for participating in today's session of AMA: Windows LAPS! For reference, the panel covered this topic at around 29:00.
- CKenoog (Copper Contributor)
How can one tell/detect that Windows LAPS is running with disabled legacy Microsoft LAPS emulation mode on a given Windows system (Server or Client) - only by checking the above-mentioned Registry Key?
- Char_Cheesman (Bronze Contributor)
Thanks for participating in today's session of AMA: Windows LAPS! For reference, the panel covered this topic at around 36:00.
- JaySimmons (Microsoft)
If you follow the documentation...
Disabling legacy Microsoft LAPS emulation mode
...one way to detect that this is taking effect is a 10024 event log message that will look something like this:
LAPS policy is configured as disabled.
See https://go.microsoft.com/fwlink/?linkid=2220550 for more information.
Jay
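One way to perform that check from an elevated PowerShell prompt, as an added example that is not part of the AMA or of Microsoft's own tooling: it queries the Windows LAPS operational log (`Microsoft-Windows-LAPS/Operational`) for event ID 10024, and also reads the `BackupDirectory` policy value and looks for the legacy LAPS client-side extension DLL so you can see the three facts side by side. The function name, the `LookbackDays` parameter, and the legacy DLL path are assumptions made for this example.

```powershell
# Added example (not from the AMA): report whether a device is running Windows LAPS
# with legacy emulation mode disabled. Signals checked:
#   1. Event 10024 ("LAPS policy is configured as disabled") in the LAPS operational log,
#      as described in the answer above.
#   2. The BackupDirectory policy value (0 = Disabled). Registry path assumed from the
#      Windows LAPS policy documentation.
#   3. Presence of the legacy LAPS CSE (AdmPwd.dll); path is an assumption for this example.
function Get-LapsEmulationStatus {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,   # hypothetical parameter
        [int]$LookbackDays    = 7                    # hypothetical parameter
    )

    # --- Signal 1: event 10024 in the last $LookbackDays days ---
    $filter = @{
        LogName   = 'Microsoft-Windows-LAPS/Operational'
        Id        = 10024
        StartTime = (Get-Date).AddDays(-$LookbackDays)
    }
    # Get-WinEvent writes an error (not a result) when nothing matches, so suppress it
    # and treat $null as "event not seen".
    $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter `
                           -ErrorAction SilentlyContinue
    $latest = $null
    if ($events) { $latest = ($events | Sort-Object TimeCreated -Descending)[0] }

    # --- Signal 2: policy value delivered by GPO/CSP (assumed path) ---
    $policyKey = 'HKLM:\SOFTWARE\Microsoft\Policies\LAPS'
    $backupDir = $null
    if (Test-Path $policyKey) {
        $backupDir = (Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue).BackupDirectory
    }

    # --- Signal 3: legacy LAPS CSE still installed? (assumed default install path) ---
    $legacyDll  = Join-Path $env:ProgramFiles 'LAPS\CSE\AdmPwd.dll'
    $legacyCse  = Test-Path $legacyDll

    [pscustomobject]@{
        ComputerName          = $ComputerName
        Event10024Seen        = [bool]$latest
        Event10024LastSeen    = if ($latest) { $latest.TimeCreated } else { $null }
        Event10024Message     = if ($latest) { $latest.Message.Trim() } else { $null }
        PolicyBackupDirectory = $backupDir          # 0 means Disabled per the policy docs
        LegacyCsePresent      = $legacyCse
        # Interpretation: legacy CSE still installed AND Windows LAPS policy explicitly
        # disabled is the state the documentation link above describes.
        EmulationDisabled     = ($legacyCse -and ($backupDir -eq 0 -or [bool]$latest))
    }
}

# Usage (run elevated so the operational log and policy key are readable):
Get-LapsEmulationStatus | Format-List
```

Event 10024 is only written when the policy engine runs, so a freshly reconfigured machine may show `PolicyBackupDirectory = 0` before the event appears; checking both avoids a false negative during the policy refresh window. Run the function against several hosts with `-ComputerName` to build an inventory before retiring the legacy CSE.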
- Joelv (Copper Contributor)
Hi! We are just starting the LAPS rollout in our environment. One question about the use of the built-in administrator account. Should we create a new admin account or just enable the built-in administrator account? What do you recommend?
- Char_Cheesman (Bronze Contributor)
Thanks for participating in today's session of AMA: Windows LAPS! For reference, the panel covered this topic at around 21:00.
- Cliff_Fisher (Microsoft)
Either way works with Windows LAPS - it's completely up to you!
- rejohnson (Iron Contributor)
What is your opinion on renaming the built-in admin account?
- Steve_Cox (Copper Contributor)
Is there any documentation available regarding the migration from Legacy to the new LAPS?
- Miguel Sanabia (Brass Contributor)
Question as we are about to enable LAPS in AAD. Since we have the majority of our hybrid desktops still on legacy LAPS, could we potentially enable LAPS and only deploy the device configuration policy to a subset (Azure ADJ and new hybrid builds) and run both new and legacy side-by-side for a while as we stage migrating of existing legacy LAPS devices over?
- Char_Cheesman (Bronze Contributor)
Thanks for participating in today's session of AMA: Windows LAPS! For reference, the panel covered this topic at around 12:00.
- Cliff_Fisher (Microsoft)
Correct!
- Steve_Cox (Copper Contributor)
We have Legacy LAPS installed currently. Are our workstations with the legacy version installed compromised now that the new version has been pushed out via Windows Update? How do we migrate to the new version?
- Steve_Cox (Copper Contributor)
Thanks Jay! The Interop issue is exactly what I was referring to. It's mentioned in this doc here, https://learn.microsoft.com/en-us/windows-server/identity/laps/laps-overview. I didn't realize that this had been fixed.
- Char_Cheesman (Bronze Contributor)
Thanks for participating in today's session of AMA: Windows LAPS! For reference, the panel covered this topic at around 17:00.
- Cliff_Fisher (Microsoft)
Nothing is compromised. There was an interoperability issue between Legacy & Windows LAPS at first, but that is resolved as of the May updates. The idea is that you should be able to choose when & how to migrate your machines at your own speed.
- Andrew1355 (Copper Contributor)
Current AD Domain Controllers: Windows Server 2012 R2 Standard. Our workstations are Windows 10 and we are looking to update to Windows 11. We currently are using the Legacy LAPS.
1. In order to use the FULL functionality of Windows LAPS, do we have to update our AD DCs to Windows Server 2019?
2. If we do not update our DCs to 2019, can we still update our regular workstations to Windows 11 and use the legacy LAPS (until we update the DCs)?
3. What are the specific requirements for Windows LAPS to work (other than needing the April 11 2023 Update)?
- Joe_Lurie (Microsoft)
Andrew1355 Here are the docs that Jay referred to: Get started with Windows LAPS and Windows Server Active Directory | Microsoft Learn
And the Skilling Snack that Thomas referred to: Skilling snack: Windows LAPS - Microsoft Community Hub
- Char_Cheesman (Bronze Contributor)
Thanks for participating in today's session of AMA: Windows LAPS! For reference, the panel covered this topic at around 37:00.
- Cliff_Fisher (Microsoft)
1. Yes.
2. Yes.
3. 4B update for a Supported OS (Windows Server 2019, 2022, and supported versions of Windows 10 & Windows 11) and non-workplace-joined clients (i.e. AADJ, HAADJ, or on-prem)
- Cliff_Fisher (Microsoft)
Correction - For #1 you can use LAPS with DCs with versions prior to 2019.
- rerhart (Copper Contributor)
Will the new LAPS work with a Windows Server 2016 domain functional level and with 2008, 2012, 2016 servers?
- Cliff_Fisher (Microsoft)
Windows LAPS is supported on Server 2019 and above and Windows 10 & Windows 11 Clients. There will not be support for out-of-mainstream-support OS versions, but Windows Server 2016 DFL/FFL is perfectly fine.
- Heather_Poulsen (Community Manager)
Let's get started. Post your Windows LAPS questions here in the Comments.