Managing local admin account passwords in AD and Azure AD
Event details
What? Can it be? A session on LAPS? Yes!! The Local Administrator Password Solution (LAPS) has been widely used by IT pros for nearly a decade to secure Windows devices, aid in device recovery, and support helpdesk scenarios, and now we're modernizing and improving this technology. First, we're making it native to Windows. Second, we're adding new features like backing up passwords to Azure AD, DSRM password backup, AD password encryption, and more. Get an inside look at the design and implementation of the new and improved LAPS, now available to Insiders in the Windows 11 Dev Channel*. *Azure scenarios are currently limited to private preview customers.
This session is part of the Microsoft Technical Takeoff: Windows + Intune. Add it to your calendar, RSVP for event reminders, and post your questions and comments below! This session will also be recorded and available on demand shortly after conclusion of the live event.
- Heather_Poulsen
Community Manager
Link referenced in this session:
- DaneaGalbraith
Iron Contributor
I saw that this will be available to Windows 11 machines, and when I attended, they were not sure about Windows 10. Do we know if they are planning for us to be able to use this for our Windows 10 clients? If not, what is the recommendation for organizations that are trying to go full cloud management for LAPS? I have seen some workarounds out there, but is that what Microsoft is recommending?
- JaySimmons
Microsoft
Hi Danea - this info is fresh off the presses - I am happy to say that we are definitely planning to backport this new version of LAPS on Windows 10. You can watch this doc link for future updates: https://learn.microsoft.com/en-us/windows-server/identity/laps/laps-overview#windows-laps-supported-platforms-and-azure-ad-laps-preview-status
- KevinWheeler2024
Brass Contributor
Will this ship to Azure Gov at the same time as Commercial? Thanks.
- JaySimmons
Microsoft
Gov availability dates are not yet available. Please stay tuned for more announcements early next year.
- AakashShah
Brass Contributor
What does the password look like: is it just a stream of random characters, or does it also support Diceware/passphrases? When needing to log in at the console of a computer where we need to manually type out the characters, typing in a random stream of characters is much more difficult than typing out a Diceware/passphrase password. Thanks.
- JaySimmons
Microsoft
This new version of Windows LAPS inherits the same password generation algorithm that existed in the previous version. It uses a random series of characters, defaulting to containing lower-case letters, upper-case letters, numbers, and "special" characters. You can also control the length of the password (default is 14 characters long).
- AakashShah
Brass Contributor
Thanks for confirming that, Jay! Is there any planned support for Diceware-style passwords so they are easier to type into the console when copy/paste can't be used (unfortunately it's in these manual scenarios we often need the local admin password). Thanks!
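The generator Jay describes above (random characters, all four character classes by default, 14 characters by default) translates into two things an admin may want to check: what the effective policy on a device actually is, and whether a password pulled from the directory satisfies it. The PowerShell below is an added example, not code from the session or from Windows LAPS itself. It assumes the policy values are readable under `HKLM:\Software\Microsoft\Policies\LAPS` as `PasswordLength` and `PasswordComplexity` (1 = upper-case only, 2 = upper + lower, 3 = upper + lower + digits, 4 = upper + lower + digits + specials); the sample passwords at the bottom are constructed for the demo.

```powershell
# Added example; not from the session or from the Windows LAPS code base.
# Assumption: Windows LAPS policy values live under the key below, with
# PasswordLength and PasswordComplexity (1 = upper-case only, 2 = upper+lower,
# 3 = upper+lower+digits, 4 = upper+lower+digits+specials). The defaults
# (length 14, complexity 4) are the ones Jay describes above.
$LapsPolicyPath = 'HKLM:\Software\Microsoft\Policies\LAPS'

function Get-LapsPasswordPolicy {
    param([string]$Path = $LapsPolicyPath)

    $length     = 14
    $complexity = 4
    $source     = 'built-in defaults (no policy value found)'

    if (Test-Path -Path $Path) {
        $item = Get-ItemProperty -Path $Path
        if ($null -ne $item.PasswordLength)     { $length     = [int]$item.PasswordLength;     $source = $Path }
        if ($null -ne $item.PasswordComplexity) { $complexity = [int]$item.PasswordComplexity; $source = $Path }
    }

    [pscustomobject]@{ Length = $length; Complexity = $complexity; Source = $source }
}

function Test-LapsPasswordMeetsPolicy {
    param(
        [Parameter(Mandatory)][string]$Password,
        [int]$Length = 14,
        [ValidateRange(1, 4)][int]$Complexity = 4
    )

    # Character classes in the order the complexity levels add them.
    $classes = @(
        @{ Name = 'upper-case letters'; Pattern = '[A-Z]' },
        @{ Name = 'lower-case letters'; Pattern = '[a-z]' },
        @{ Name = 'digits';             Pattern = '[0-9]' },
        @{ Name = 'special characters'; Pattern = '[^A-Za-z0-9]' }
    )

    $failures = New-Object System.Collections.Generic.List[string]
    if ($Password.Length -lt $Length) {
        $failures.Add("length $($Password.Length) is below the configured $Length")
    }
    # -cnotmatch: PowerShell's -match is case-insensitive, which would make
    # '[A-Z]' accept a lower-case-only password.
    foreach ($class in $classes[0..($Complexity - 1)]) {
        if ($Password -cnotmatch $class.Pattern) { $failures.Add("missing $($class.Name)") }
    }

    [pscustomobject]@{
        Passes   = ($failures.Count -eq 0)
        Failures = $failures.ToArray()
    }
}

# Usage: check a password you retrieved (for example the output of
# Get-LapsADPassword -AsPlainText) against the effective policy.
# The strings below are constructed samples, not real LAPS passwords.
$policy = Get-LapsPasswordPolicy
foreach ($sample in 'Kx7#pQ2vL9mZ!r', 'allsmallandnodigit') {
    $result = Test-LapsPasswordMeetsPolicy -Password $sample -Length $policy.Length -Complexity $policy.Complexity
    "{0,-22} passes={1} {2}" -f $sample, $result.Passes, ($result.Failures -join '; ')
}
```

On a device with no policy applied the first function falls back to the defaults Jay quotes, so the report makes it obvious when a machine is running unconfigured rather than silently assuming the GPO or CSP reached it.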
- LAPS-Win-MacOS-Unix
Copper Contributor
Passphrases are supported in https://www.synergix.com/products/secrets-vault/editions/
- AakashShah
Brass Contributor
Can you provide some examples of passphrases? Are they common passphrases, or more like a Diceware password where random words are put together? However, I'd still like to hear from the MS team as to what the new LAPS product offers, and whether there is any planned support for Diceware passwords.
- AakashShah
Brass Contributor
If there is an issue with a device not being properly HAADJ, and the Backup Directory is set to "Azure Active Directory", is it possible that the local admin password can be reset locally, but that password is never saved in AAD? Or does the new LAPS product detect for this and not change the password until it can save the password?
- JaySimmons
Microsoft
No this is not possible. New passwords are not saved locally on the managed account until they are first successfully persisted to the configured directory.
- AakashShah
Brass Contributor
Is support for multiple local usernames planned, or does MS intend to support a single local account only? We have a use case where we need to support multiple local admins/usernames, and also use these unique local usernames to help with third party MFA authentication for the various teams that require these different usernames.
- JaySimmons
Microsoft
In the current version of Windows LAPS only management of a single account is supported.
- AakashShah
Brass Contributor
Thanks. Is multiple-account support on the roadmap, or does MS plan to only support 1 account?
- trevorjones
Brass Contributor
Will password history be available for the Azure AD scenario?
- JaySimmons
Microsoft
There is limited password history support when storing passwords in Azure AD. "Limited" is currently defined as 2-3 older passwords.
- LAPS-Win-MacOS-Unix
Copper Contributor
In SYNERGIX SEVA, password history holds 500 total entries for each one of the three managed local accounts. Assuming you change the password every week, you can go back 10 years. Even if the device is deleted from AAD or ADDS, you can still get to the password history. Lastly, with SYNERGIX SEVA, unlike with Windows LAPS, you don't have to enable the built-in Administrator account with the well-known SID to gain elevated privileges. You can use a Backup Administrator account or the Local User account, depending upon the use case.
- Heather_Poulsen
Community Manager
Looking for more demos on LAPS? Check out Jay's four (yes, 4!) additional demos in the Technical Takeoff Demo Channel.
- Modern LAPS: managing in both AD and Azure AD (skip to 59:25:00)
- LAPS: Domain joined scenario (skip to 1:48:06)
- LAPS: Domain controller scenario (skip to 2:31:10)
- LAPS: Legacy LAPS emulation scenario (skip to 2:57:49)
We'll get these demos posted solo early next week (or sooner). Subscribe to our YouTube channel for updates!
- Kurt-MI
Copper Contributor
Here is the current LAPS from the presentation: https://learn.microsoft.com/en-us/windows-server/identity/laps/laps-overview AAD is in private preview at the moment.
- JamesIversen
Copper Contributor
Hi Kurt! Is it possible to "synchronize" the on-prem attributes to an Azure AD instance, therefore overcoming the one-option-or-the-other obstacle?
- JaySimmons
Microsoft
Hi James, in general I am sure there is a way to synchronize on-prem AD state into an Azure AD tenant directory, but I do not think there is a way to synchronize the on-prem LAPS state into the corresponding LAPS attributes at the AAD level. The LAPS AAD attributes are not "general purpose": read/write access to them is fairly constrained.
- El_Duderino1985
Copper Contributor
Windows LAPS sounds awesome! Great session, thanks Jay!
- JamesIversen
Copper Contributor
Thank you for your time devoted to LAPS. Will look into moving towards the new encryption as time allows. One question though... When restoring a "Computer" from media, it may maintain the previous password set. However, will restoring the Computer Object from deletion in AD to the same timeframe also in theory synchronize the password? At times it is necessary to restore a computer previously deleted from AD...
- JaySimmons
Microsoft
Hi James, when you restore a deleted Computer object in AD, the object will be restored with whatever LAPS passwords were on the object when it was deleted in the first place. There is no automatic synchronization support related to LAPS in this scenario. Once the computer is up and running again and has a re-established trust channel with the AD domain, the LAPS client logic will continue to rotate the password as required. If the Computer object was deleted for a long time, it is very likely that the password-expiry timestamp has long since passed, in which case the LAPS client logic will rotate the password very soon. I am not 100% sure I answered your question, lmk if not.
- JamesIversen
Copper Contributor
To a certain extent you have answered my question the way I figured it would be. As long as the password attribute is visible to the backup/restoration process, the restored Computer object will retain the timestamped password until trust is restored and expiration forces a change. Thanks!
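Two points from this thread are worth turning into a routine check: Jay's guarantee earlier that a new password is applied to the local account only after it has been persisted to the configured directory, and the restore scenario above, where a restored Computer object carries its old LAPS attributes and the expired timestamp is what drives the next rotation. The PowerShell below is an added example, not code from the session or from the Windows LAPS module. It assumes the Windows LAPS PowerShell module (`Import-Module LAPS`) on a management host with AD access, run as a principal allowed to read and, for encrypted passwords, decrypt the LAPS attributes; the property names read from `Get-LapsADPassword`'s output (`Account`, `Password`, `PasswordUpdateTime`, `ExpirationTimestamp`, `DecryptionStatus`) and the behaviour of `Set-LapsADPasswordExpirationTime` with no explicit time (expire now) are assumptions to confirm against your module version.

```powershell
# Added example; not from the session or the Windows LAPS module.
# Assumes Import-Module LAPS on a host with AD access, running as a principal
# permitted to read (and decrypt, for encrypted passwords) the LAPS attributes.
# Property names on the Get-LapsADPassword output object are assumptions;
# confirm with: Get-LapsADPassword -Identity <computer> | Get-Member

function Get-LapsPasswordHealth {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [int]$MaxAgeDays = 30     # assumption: match your configured password age
    )

    $entry = Get-LapsADPassword -Identity $ComputerName -AsPlainText -ErrorAction Stop
    $now = Get-Date
    $problems = New-Object System.Collections.Generic.List[string]

    if ([string]::IsNullOrEmpty($entry.Password)) {
        $problems.Add('no readable password in AD: never rotated, restored object without LAPS attributes, or this principal cannot decrypt it')
    }
    if ($entry.DecryptionStatus -and "$($entry.DecryptionStatus)" -ne 'Success') {
        $problems.Add("decryption status $($entry.DecryptionStatus)")
    }
    if ($entry.ExpirationTimestamp -and $entry.ExpirationTimestamp -lt $now) {
        # Exactly the restored-object case above: the client rotates at its
        # next policy processing, and only after AD has accepted the new value.
        $problems.Add("expired at $($entry.ExpirationTimestamp); client will rotate at next policy processing")
    }
    if ($entry.PasswordUpdateTime -and ($now - $entry.PasswordUpdateTime).TotalDays -gt $MaxAgeDays) {
        $problems.Add("last update $($entry.PasswordUpdateTime) is older than $MaxAgeDays days")
    }

    [pscustomobject]@{
        ComputerName = $ComputerName
        Account      = $entry.Account
        Healthy      = ($problems.Count -eq 0)
        Problems     = $problems.ToArray()
    }
}

function Request-LapsRotation {
    param([Parameter(Mandatory)][string]$ComputerName)

    # Marking the stored password expired in AD is the supported way to ask for
    # a rotation. Because the client writes the new password to AD before
    # applying it locally, a stale or restored object never ends up with a local
    # password the directory does not hold. Assumption: with no -WhenEffective
    # the cmdlet expires the password immediately.
    Set-LapsADPasswordExpirationTime -Identity $ComputerName -ErrorAction Stop

    # Optional: run policy processing now instead of waiting for the scheduled
    # pass (needs PowerShell remoting to the target).
    Invoke-Command -ComputerName $ComputerName -ScriptBlock { Invoke-LapsPolicyProcessing }
}

# Usage (substitute a real computer name in your domain):
# $health = Get-LapsPasswordHealth -ComputerName 'WKS-0001'
# if (-not $health.Healthy) { $health.Problems; Request-LapsRotation -ComputerName 'WKS-0001' }
```

For the history question raised earlier in the thread, `Get-LapsADPassword -Identity <computer> -IncludeHistory` returns the older AD-stored passwords as well, which is the on-prem counterpart to the limited Azure AD history Jay describes.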
- How about backporting the new LAPS to Windows Server 2022 & 2019? The new on-prem LAPS features are great, but it will need to support the current server OS versions.
- JaySimmons
Microsoft
The new LAPS fully supports Windows Server in general (obviously DSRM support is only applicable to AD domain controllers, which run only on Server SKUs). Stay tuned to docs and/or future announcements for specific backport platforms; for now we're at "maybe" for WS2022 and WS2019.
- LAPS-Win-MacOS-Unix
Copper Contributor
Have you considered Synergix SEVA, which already supports Windows 7 SP1 to Windows 11, Windows Server 2008/R2 to Windows Server 2022, macOS and Linux, and is fully supported on OpenVPN appliances? Using Open API, you can integrate with 3rd-party applications like ServiceNow or custom applications. Support for VMware ESXi is planned, and for applications like MS SQL's sa account password rotation, all in one product. You can partner with Synergix to discuss special use cases too. https://www.synergix.com/contact/ https://www.synergix.com/products/secrets-vault/compare/