LAPS Passwords Should Always Be Removed from AD When Switching to Entra Password Backup
Hi bmkaiser00 - OK, I can repro your scenario #1 (when BackupDirectory is flipped from AD -> Entra). I cannot repro your scenario #2 (flipping password complexity from password to passphrase).
Would you please re-confirm your repro on scenario #2? If you can still repro it, please run the Get-LapsDiagnostics cmdlet before and after the policy change, and upload the resultant zip files to me. If that doesn't work, I may need to work with you directly to gather some debug traces.
thx,
Jay
Hello JaySimmons - Thank you for confirming scenario #1!
After looking deeper, scenario #2 was a configuration issue on our end. We unknowingly still had the Legacy LAPS client installed on our Windows Server 2025 instances. After removing the client from those hosts, the Legacy LAPS password disappeared from AD for each computer object within 48 hours of its expiration.
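The leftover-client problem described above is easy to audit for. The following is an added example, not code from the thread or from Microsoft: it checks a host for the legacy LAPS client and lists computer objects that still carry a legacy (ms-Mcs-AdmPwdExpirationTime) or Windows LAPS AD-backed (msLAPS-PasswordExpirationTime) password, so a BackupDirectory=Entra migration can be verified to drain both. It assumes the RSAT ActiveDirectory module and read access to those expiration-time attributes; the password attributes themselves are never read.

```powershell
# Added audit helper (not from the thread). Assumes RSAT ActiveDirectory module.
# Only expiration-time attributes are queried; password attributes are not read.

function Test-LegacyLapsInstalled {
    # The legacy LAPS client registers its CSE as AdmPwd.dll and reads policy from
    # the 'Microsoft Services\AdmPwd' key. Either present means legacy LAPS may
    # still be writing ms-Mcs-AdmPwd to this host's computer object.
    $cse    = Join-Path $env:ProgramFiles 'LAPS\CSE\AdmPwd.dll'
    $policy = 'HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd'
    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        LegacyCseFound = Test-Path -LiteralPath $cse
        LegacyPolicy   = Test-Path -LiteralPath $policy
    }
}

function Get-LapsAdBackupState {
    # Lists computers whose AD object still holds a legacy LAPS password
    # (ms-Mcs-AdmPwdExpirationTime set) or a Windows LAPS AD-backed password
    # (msLAPS-PasswordExpirationTime set). After switching to Entra backup,
    # both sets should shrink to empty once the old passwords expire.
    param([string]$SearchBase)
    Import-Module ActiveDirectory -ErrorAction Stop
    $props  = 'ms-Mcs-AdmPwdExpirationTime', 'msLAPS-PasswordExpirationTime'
    $filter = '(|(ms-Mcs-AdmPwdExpirationTime=*)(msLAPS-PasswordExpirationTime=*))'
    $params = @{ LDAPFilter = $filter; Properties = $props }
    if ($SearchBase) { $params.SearchBase = $SearchBase }
    Get-ADComputer @params | ForEach-Object {
        # Both attributes are large integers holding a FILETIME (UTC).
        $legacy = $_.'ms-Mcs-AdmPwdExpirationTime'
        $modern = $_.'msLAPS-PasswordExpirationTime'
        [pscustomobject]@{
            Name            = $_.Name
            LegacyLapsInAD  = [bool]$legacy
            LegacyExpires   = if ($legacy) { [datetime]::FromFileTimeUtc($legacy) }
            WindowsLapsInAD = [bool]$modern
            WindowsExpires  = if ($modern) { [datetime]::FromFileTimeUtc($modern) }
        }
    }
}

Test-LegacyLapsInstalled
Get-LapsAdBackupState | Format-Table -AutoSize
```

Run `Test-LegacyLapsInstalled` on each migrated server (for example via Invoke-Command) and re-run `Get-LapsAdBackupState` after the expiration window; any computer still listed points at a host that has not actually stopped backing up to AD.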
- JaySimmons (Microsoft), Sep 22, 2025
That is good news.
I have edited the title of this submission to better capture the fact that the bug is on any Windows LAPS policy migration from BackupDirectory=AD to BackupDirectory=Entra.
Thanks again for reporting this.