Event details
What? Can it be? A session on LAPS? Yes!! The Local Administrator Password Solution (LAPS) has been widely used by IT pros for nearly a decade to secure Windows devices, aid in device recovery, and support helpdesk scenarios—and now we’re modernizing and improving this technology. First, we’re making it native to Windows. Second, we’re adding new features like backing up passwords to Azure AD, DSRM password backup, AD password encryption, and more. Get an inside look at the design and implementation of the new and improved LAPS, now available to Insiders in the Windows 11 Dev Channel*. *Azure scenarios are currently limited to private preview customers.

This session is part of the Microsoft Technical Takeoff: Windows + Intune. Add it to your calendar, RSVP for event reminders, and post your questions and comments below! This session will also be recorded and available on demand shortly after conclusion of the live event.
89 Comments
- GaryBaer
Brass Contributor
What will the new LAPS do with HAADJ devices? Will the LAP be stored on-prem and AAD, or just one or the other? Also, what about HAADJ Autopiloted devices which end up with two Azure device objects (one AADJ and one HAADJ)?
- JaySimmons
Microsoft
This new version of LAPS fully supports HAADJ devices. However, we only support storing the password in ONE directory at a time, not both. It's your choice to make via policy configuration.
- GaryBaer
Brass Contributor
Thank you for that... I assume then that only the HAADJ object in AAD will be attached to the LAPS environment? We've been trying to figure out how to resolve the multiple objects created when doing a HAADJ during Autopilot. Once the HAADJ device is ready to go, there is still a "disabled" AAD device object in Azure.
- DST
Copper Contributor
Do we have any expected GA date so far?
- JaySimmons
Microsoft
CY23H1, hopefully early in that timeframe.
- DST
Copper Contributor
Looking forward to it! Thanks
- Marc_Laf
Iron Contributor
Please tell me this will be back ported to Windows 10!
- Joe_Lurie
Microsoft
I'm curious, Marc, if this is only available in Windows 11, would that be a driver to help you convince your bosses and other teams that you should start the Windows 11 migration?
- Greg_C_Gilbert
Iron Contributor
I suspect most large companies won't adopt this until 2025 after W10 support ends if W10 isn't supported. Even if we get most of our PCs migrated to 11, I can guarantee there will be a few stragglers on 10 right up until the end. Please consider this as a reason to backport this to 10.
- JaySimmons
Microsoft
For now the answer is "maybe". A Win10 backport is definitely under consideration; not to get your hopes up too much, final approvals are still pending.
- Rob de Roos
Iron Contributor
Most of the time we disable and rename the local admin account. What is your take on that vs or in combination with LAPS?
- ESJeffL
Brass Contributor
Right, curious how you handle the renamed admin account. We create another local account that is given to the support, where the main admin account is only known by the SCCM/Desktop Team and is never used.
- JaySimmons
Microsoft
That is fine. You can configure LAPS to manage a different local admin account of your choosing. This is an inherited feature from the legacy version of LAPS, not anything new in this new version of LAPS.
- Greg_C_Gilbert
Iron Contributor
Will it be possible to manage more than one local account on a PC? We also create a standard account that is used by support in certain limited scenarios instead of using the admin account.
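The two answers above (the backup target is a single choice, and the managed account can be a renamed local admin rather than the built-in one) both come down to LAPS policy settings. The script below is an added example, not from this thread or from Microsoft: it writes the documented Windows LAPS policy registry values directly, assumes a build that ships the Windows LAPS PowerShell module, and uses a hypothetical account name `HelpdeskAdmin`; it is meant for a lab, since in production the same settings would normally arrive via Group Policy or the Intune LAPS CSP mentioned later in the thread.

```powershell
# Added example (not from the thread): set Windows LAPS policy for a renamed
# local admin and a single backup directory. Assumes a build that includes the
# Windows LAPS PowerShell module; registry path and value names follow the
# Windows LAPS policy documentation. Lab use; prefer GPO/CSP in production.
#Requires -RunAsAdministrator

$LapsPolicyKey = 'HKLM:\SOFTWARE\Microsoft\Policies\LAPS'

function Set-LabLapsPolicy {
    param(
        # Account LAPS should manage; it must already exist on the device
        # (LAPS rotates the password, it does not create the account).
        # 'HelpdeskAdmin' is a hypothetical name for this example.
        [string]$AdministratorAccountName = 'HelpdeskAdmin',

        # Exactly one backup target, matching "ONE directory at a time".
        [ValidateSet('AzureAD', 'ActiveDirectory')]
        [string]$BackupDirectory = 'ActiveDirectory',

        # Azure AD requires at least 7 days; 7..365 is valid for both targets.
        [ValidateRange(7, 365)] [int]$PasswordAgeDays = 30,
        [ValidateRange(8, 64)]  [int]$PasswordLength  = 20
    )

    # BackupDirectory is a single DWORD: 1 = Azure AD, 2 = Windows Server AD.
    # There is no value meaning "both", which is what the answer above states.
    $backupValue = @{ AzureAD = 1; ActiveDirectory = 2 }[$BackupDirectory]

    if (-not (Test-Path $LapsPolicyKey)) {
        New-Item -Path $LapsPolicyKey -Force | Out-Null
    }

    Set-ItemProperty -Path $LapsPolicyKey -Name 'BackupDirectory' -Value $backupValue -Type DWord
    Set-ItemProperty -Path $LapsPolicyKey -Name 'AdministratorAccountName' -Value $AdministratorAccountName -Type String
    Set-ItemProperty -Path $LapsPolicyKey -Name 'PasswordAgeDays' -Value $PasswordAgeDays -Type DWord
    Set-ItemProperty -Path $LapsPolicyKey -Name 'PasswordLength' -Value $PasswordLength -Type DWord
    # PasswordComplexity 4 = upper + lower + digits + special characters.
    Set-ItemProperty -Path $LapsPolicyKey -Name 'PasswordComplexity' -Value 4 -Type DWord

    # Have the LAPS service re-read policy now instead of waiting for its next cycle.
    Invoke-LapsPolicyProcessing

    # Return the effective values so the change can be verified in the transcript.
    Get-ItemProperty -Path $LapsPolicyKey |
        Select-Object BackupDirectory, AdministratorAccountName, PasswordAgeDays, PasswordLength
}

Set-LabLapsPolicy -AdministratorAccountName 'HelpdeskAdmin' -BackupDirectory 'ActiveDirectory'
```

Because `BackupDirectory` accepts only one of the two values, a device cannot be configured to back up to both AD and Azure AD at once; switching targets means rewriting this one value and reprocessing policy.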
- John_Sanchez
Copper Contributor
Will the password be made visible on the device via MEM via RBAC?
- JaySimmons
Microsoft
A customizable RBAC authz story is planned/being worked on; for now password retrieval is limited to the Global Administrator, Device Administrator, and Intune Administrator roles. Password retrieval is done via a Microsoft Graph query, however additional Intune/MEM integration is planned (note the new LAPS CSP).
- John_Sanchez
Copper Contributor
Thank you for the reply! Is it safe to assume admin units PIM could be applied here (device admin role)?
- Heather_Poulsen
Community Manager
Welcome to Managing local admin account passwords in AD and Azure AD at the Microsoft Technical Takeoff. Let's get started! Have a question? Post it here in the Comments. Subject matter experts will be answering during the session and throughout the week. We're looking forward to the conversation.
- kavanoz
Copper Contributor
Will we have to wait until the next version of Windows 11 (ie: 23H2) to use the AAD integration for LAPS or will the feature be backported to Windows 11 22H2?
- JaySimmons
Microsoft
Backports are planned however the final list of platforms is not yet approved. While things can change, I would say there is a good chance that Win11 22H2 will be included.
- CarolineDorion
Copper Contributor
Is there a way LAPS will help us manage, through Intune, the user who can be admin of all HAADJ computers, not necessarily using the LAPS account? There is a role for the Admins for the AAD computers but we are struggling with the HAADJ admins.
- JaySimmons
Microsoft
I don't think so. You might consider posing this question to a more Intune-focused forum?
- ENT57
Copper Contributor
Will LAPS device passwords be stored in a delegate-able attribute in Azure like that used for BitLocker keys?
- JaySimmons
Microsoft
LAPS admin account passwords are stored on the AAD device object just like BitLocker keys. A customizable RBAC authz story is planned/being worked on; for now password retrieval is limited to the Global Administrator, Device Administrator, and Intune Administrator roles.
- noliverdlr
Brass Contributor
Will there be a link to sign up to become a private preview customer? My firm is looking for a LAPS solution and I would like to show off this feature as something that may be something to wait for.
- JaySimmons
Microsoft
The LAPS AAD private preview is closed to additional customers. Stay tuned - we hope to open it up broadly by early next year.
- AlexMagsInfra
Copper Contributor
Rather than wait, you could deploy regular LAPS or Cloud LAPS for now, to reduce the risk of lateral movement via a common local admin password, and switch to the newer Azure AD LAPS later once it's GA and if it works for you? https://www.microsoft.com/en-us/download/details.aspx?id=46899 https://msendpointmgr.com/cloudlaps/
- silvermarkg_Personal
Copper Contributor
If using hybrid you could use regular LAPS, or if using pure cloud you could just disable the local admin account.