bmkaiser00
Jul 29, 2025
Copper Contributor
Status:
New
LAPS Passwords Should Always Be Removed from AD When switching to Entra password backup
In our deployment of Windows LAPS, we've discovered two scenarios where the Legacy LAPS password details persist in Active Directory even though the device is now using Windows LAPS:
When changi...
bmkaiser00
Sep 16, 2025
Copper Contributor
Hello JaySimmons - Thank you for confirming scenario #1!
After looking deeper, scenario #2 was a configuration issue on our end. We unknowingly still had the Legacy LAPS client installed on our Windows Server 2025 instances. After removing the client from those hosts, the Legacy LAPS password disappeared from AD for each computer object within 48 hours of its expiration.
JaySimmons
Microsoft
Sep 22, 2025
That is good news.
I have edited the title of this submission to better capture the fact that the bug is on any Windows LAPS policy migration from BackupDirectory=AD to BackupDirectory=Entra.
Thanks again for reporting this.
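
An audit for the leftover discussed in this thread, as an added example that is not from the posters or from Microsoft: it lists computer objects that still carry a Legacy LAPS or Windows LAPS expiration timestamp in AD, without reading any password attribute. It assumes the ActiveDirectory module and a schema that contains both attribute sets, and it treats a populated expiration timestamp as the indicator that password data remains; the function name and the sample objects are constructed for illustration.

```powershell
# Added example: report computer objects that still hold LAPS data in AD.
# Only the expiration timestamps are read, never the password attributes.
function Get-LapsAdResidue {
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $Computer,
        [datetime] $Now = [datetime]::UtcNow
    )
    process {
        $sources = [ordered]@{
            'Legacy LAPS'  = $Computer.'ms-Mcs-AdmPwdExpirationTime'
            'Windows LAPS' = $Computer.'msLAPS-PasswordExpirationTime'
        }
        foreach ($name in $sources.Keys) {
            $raw = $sources[$name]
            if ($null -eq $raw -or [int64]$raw -le 0) { continue }   # attribute not set
            $expires = [datetime]::FromFileTimeUtc([int64]$raw)      # stored as FILETIME
            [pscustomobject]@{
                Computer   = $Computer.Name
                Source     = $name
                ExpiresUtc = $expires
                Expired    = $expires -lt $Now   # expired and still present: no longer rotated in AD
            }
        }
    }
}

$attrs = 'ms-Mcs-AdmPwdExpirationTime', 'msLAPS-PasswordExpirationTime'
if (Get-Command Get-ADComputer -ErrorAction SilentlyContinue) {
    # Live query: every computer object with either timestamp populated.
    $computers = Get-ADComputer -Properties $attrs `
        -LDAPFilter '(|(ms-Mcs-AdmPwdExpirationTime=*)(msLAPS-PasswordExpirationTime=*))'
} else {
    # Constructed sample objects so the logic can be exercised without a domain.
    $old  = [datetime]::UtcNow.AddDays(-30).ToFileTimeUtc()
    $soon = [datetime]::UtcNow.AddDays(10).ToFileTimeUtc()
    $computers = @(
        [pscustomobject]@{ Name = 'SRV-A'; 'ms-Mcs-AdmPwdExpirationTime' = $old;  'msLAPS-PasswordExpirationTime' = $null }
        [pscustomobject]@{ Name = 'WKS-B'; 'ms-Mcs-AdmPwdExpirationTime' = $null; 'msLAPS-PasswordExpirationTime' = $soon }
        [pscustomobject]@{ Name = 'WKS-C'; 'ms-Mcs-AdmPwdExpirationTime' = $null; 'msLAPS-PasswordExpirationTime' = $null }
    )
}

$computers | Get-LapsAdResidue | Sort-Object Computer, Source | Format-Table -AutoSize
```

Compare the output against the devices whose policy now sets BackupDirectory to Entra; any of those still listed here have LAPS data left behind in AD.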