Windows Local Administrator Password Solution with Microsoft Entra ID now generally available!
Published Oct 23 2023 09:00 AM 46K Views
Microsoft

Today we’re excited to announce the general availability of Windows Local Administrator Password Solution (LAPS) with Microsoft Entra ID and Microsoft Intune. This capability is available for both Microsoft Entra joined and Microsoft Entra hybrid joined devices. It empowers every organization to protect and secure their local administrator account on Windows and mitigate any Pass-the-Hash (PtH) and lateral traversal type of attacks. 

 

Since our public preview announcement in April 2023, we’ve continued to see significant growth in deployment and usage of Windows LAPS across thousands of customers and millions of devices. Thank you!  

 

This feature is available on the following Windows OS platforms with the April 11, 2023, or later Windows Updates installed: 

 

  • Windows 11 22H2 
  • Windows 11 21H2 
  • Windows 10 20H2, 21H2 and 22H2 
  • Windows Server 2022 
  • Windows Server 2019 

 

To manage client-side configuration for Windows LAPS, you can use: 

 

 

We’re continuing to add support for more features based on customer feedback. Today, you can enable the following:  

  • Turn on Windows LAPS using a tenant-wide policy and a client-side policy tobackup local administrator password to Microsoft Entra ID. 
  • Configure client-side policies via Microsoft Intune portal for local administrator password management to set account name, password age, length, complexity, manual password reset and so on.  
  • Recover stored passwords via Microsoft Entra/Microsoft Intune portal or Microsoft Graph API/PSH. 
  • Enumerate all LAPS-enabled devices via Microsoft Entra portal or Microsoft Graph API/PSH. 
  • Create Microsoft Entra ID role-based access control (RBAC) policies with custom roles and administrative unitsfor authorization of password recovery. 
  • View audit logs via Microsoft Entra portal or Microsoft Graph API/PSH to monitor password update and retrieval events. 
  • Configure Conditional Access policies on directory roles that have the authorization of password recovery.  

 

sdriggers_0-1697738012529.png

 

 

 

sdriggers_1-1697738012535.png

 

 

Features on the roadmap: 

 

  • Automatic local administrator account creation when configured for Windows LAPS. 
  • Device notifying Microsoft Entra ID when local administrator password is used for authentication. 
  • JIT enabled self-service local administrator password recovery for a device owner. 

 

As always, we'd love to hear your feedback, thoughts, and suggestions! Feel free to share with us on the Microsoft Entra ID forum or leave comments below. We look forward to hearing from you.  

 

Best regards,   
Sandeep Deo (@MsftSandeep)   
Principal Product Manager   
Microsoft Identity Division  

 

 

Learn more about Microsoft Entra: 

27 Comments
Co-Authors
Version history
Last update:
‎Apr 17 2024 12:00 PM
Updated by: