Windows LAPS feedback Ideas

LAPS Passwords Should Always Be Removed from AD When switching to Entra password backup

bmkaiser00 — Mon, 22 Sep 2025 19:54:21 GMT

In our deployment of Windows LAPS, we've discovered two scenarios where the Legacy LAPS password details persists in Active Directory even though the device is now using Windows LAPS:

When changing a device's backup directory from Active Directory to Entra ID
When changing a device's LAPS password type from a password to a passphrase

In both of these scenarios, the ms-Mcs-AdmPwd and ms-Mcs-AdmPwdExpirationTime properties retain information about the last LAPS password before the Windows LAPS policy was processed. These properties will now need to be cleared out to remove the no longer relevant data.

This does not happen for devices that continue to backup LAPS passwords in AD and continue to use passwords instead of passphrases. Those devices clear the ms-Mcs-AdmPwd and ms-Mcs-AdmPwdExpirationTime properties and then store data in the new msLAPS properties.

We believe that the ms-Mcs-AdmPwd and ms-Mcs-AdmPwdExpirationTime properties should always be cleared when a new Windows LAPS policy is processed regardless of backup directory nor password type.

Need help with new LAPS

it-support-person — Tue, 04 Mar 2025 21:21:27 GMT

Hello,

Several months ago I configured LAPS on an AD network with Windows 11 workstations, using the LAPS MSI file pushed out by a GPO. I recently installed a new Windows 11 machine on the network, and thought the GPO would push the MSI file out to it, and thus, get the new machine's local admin pw to be managed by LAPS. That didn't happen, so I tried running the MSI on the new machine locally, but got a message saying that the legacy LAPS msi was blocked from running because it was a newer version of Windows 11. My question is, how do I enable LAPS to work on a newly-added computer running the latest version of Windows 11?

Windows System Virtual Admin Credentials

Manash_Sarkar — Sun, 23 Feb 2025 10:41:56 GMT

I’m Manash Sarkar from Kolkata India. An innovative concept builder & out of box thinker. Every challenges for a smooth proper IT service delivery have instigated me to think new ways for ease in providing services.

System local admin password have seen lot of changes. Concept of changing the system local admin password (quarterly / half yearly or annually) manually to Microsoft LAPS (local admin policy system) automated across the landscape ….

Recently while performing an activity which req. the admin password credentials, faced challenge to type easily (v complex with alpha numeric & special character) LAPS. As per ISO or Microsoft credit level, LAPS is the current technology implemented across major orz. Also, the password gets automatically changed on the system as per defined domain policy.

This prompted me to think differently. Immediate need some changes….windows should develop wherein copy/ paste admin credential facility is available for windows OS systems.

Sharing more advanced feature for the MS tech team to check & have a testing done in labs.

Virtual Admin profile: Currently all windows login profile is visible physically. Develop a login (only single admin profile) which will have the admin privilege role but will not be visible in windows. When setting up windows for the first time or installing OS, Virtual Admin can be created, with password.

Result: More enhanced & secure feature.

Also roll out the concept of disable the view (blackout) front view in Windows OS, ONLY WHILE remotely accessing the system for Admin Credentials. Such identical feature already available for Microsoft Authenticator. If mobile phone screen sharing is done while providing the authenticator code, other side gets blackout. Only after providing the code the screen gets visible. Same feature should be extended for Windows, so that admin password remains secure.

Allow multiple groups for Decrypt permissions

Vico_Manolo — Wed, 27 Nov 2024 14:56:47 GMT

Request to enable the assignment of decrypt permissions to multiple groups independently.

Currently, we can assign the decrypt permission to only one group.

In our case, this requires a universal group in our forest containing both domain admins and Tier 2 admins. However, combining these two roles into a single group poses a security risk, as it increases the potential for mismanagement. Best practices generally advise against merging such privileged administrative groups.

Because of this limitation we have disabled the new encryption feature.

What are your thoughts on this?

Thanks!

Support Password resets from Office Admin Portal

MVillano — Tue, 27 Aug 2024 20:55:03 GMT

Please correct our ability to reset a password from the 365 Admin Center. The ability is offered and even appears to work by sending you a confirmation email, but of course it does not work. How can MS have this option even available if they won't support it.

https://learn.microsoft.com/en-us/entra/identity/authentication/concept-sspr-writeback

Supports password writeback when an admin resets them from the Microsoft Entra admin center: When an admin resets a user's password in the Microsoft Entra admin center, if that user is federated or password hash synchronized, the password is written back to on-premises. This functionality is currently not supported in the Office admin portal.

Possible Bug Report - Custom Local Admin account issue

Khandre — Wed, 14 Aug 2024 23:46:30 GMT

Encountered a scenario where the a custom local account was configured for LAPS management via Intune Profile (./Device/Vendor/MSFT/LAPS/Policies/AdministratorAccountName)
now we want to switch it back to have LAPS manage the built-in Local admin
Via Intune Profile, set AdministratorAccountName back to Not Configured
allowed time for policy to sync (and manual sync a few times + Invoke-LapsPolicyProcessing)
and we find the custom account is still being managed by LAPS, (LAPS events confirm this)
we find the registry key for AdministratorAccountName is still present.. when we might assume it would be removed automatically since the Policy was reversed to a Not Configured state

Is this a bug or expected behavior? If expected, that means we need to delete this registry key or LAPS will not switch to the built-in Admin.

Clarify Documentation Regarding Schema Update and GPOs for Azure AD PW Storage Scenario

DanWheeler — Fri, 19 Jul 2024 00:08:13 GMT

I'm in the process of deploying LAPS but am a bit confused about what is needed to deploy GPOs for Windows LAPS on older domain controllers. The FAQ says it is not required to update/extend the AD schema if I'm storing passwords in Azure AD but older DCs don't have the LAPS ADMX files needed to build GPOs that configure Windows LAPS to store passwords in Azure AD.

It might be helpful to clarify this in the documentation. If the solution is simply to copy ADMX files from a Win10/11 machine into the DC's sysvol folders so we can "see" the Windows LAPS policy settings, then it would be good to mention that in the docs.

Update Active Directory default schema with LAPS

Alban1998 — Fri, 16 Feb 2024 12:56:44 GMT

Hello,

Windows LAPS requires Active Directory schema update to be fully functional - such updates are often quite difficult to implement on large environments, due the amount of operational risks and approvals tied to them.

With LAPS now part of the operating system instead of being on a third-app level, it would make sense to add corresponding attributes and classes to default AD schema when building a new Active Directory.

Maybe for Windows Server vNext, which will include several AD enhancements for the first time in many years ?

Regards,

Migrate Microsoft LAPS to Windows LAPS

mrahhali — Wed, 31 Jan 2024 16:53:47 GMT

how can you carry the above transition swiftly? Currently, we have on-prem LAPS install however we want to move to the new Windows Laps any ideas?

automatic mode on windows 10

hbattilana2225 — Sat, 27 Jan 2024 11:11:11 GMT

Hey,

i tested out the laps automatic mode from the latest canary build

first of all, thank you for your work

i would like to know if this feature will be extended to windows 10 or will this only be on windows 11?

sincerely

Support Windows LAPS for Entra AD Domain Services

JaySimmons — Wed, 24 Jan 2024 16:56:55 GMT

Many customers have asked me in passing when Windows LAPS will be supported for managed devices joined to an Entra AD Domain Services domain (formerly known as Azure AD Domain Services). All I can share for now is that the owning team is aware of this ask and it is in their backlog. Please up-vote this feature to add your support!

It would also be helpful if you are willing to PM me with your company name and the # of EADDS\AADDS devices that would be Windows LAPS-enabled once the support is available.

Overview of Microsoft Entra Domain Services - Microsoft Entra ID | Microsoft Learn

thanks,

Jay

Microsoft LAPS changing password every hour

fidelcalderon — Thu, 28 Dec 2023 17:50:50 GMT

Hello Team, I'm having a issue with a device, LAPS is changing the administrator password every hour and login me off. this is happening since this week.

Revice Password Last Set logic to check local PasswordLastSet and msLAPS-PasswordExpirationTime

rk-ca-2023 — Fri, 10 Nov 2023 21:02:23 GMT

Some of our servers are non persistent and are created from a template each night. If the Password needs updating logic checked the local admin account's PasswordLastSet and AD msLAPS-PasswordExpirationTime, LAPS would work perfectly for us. The password would update and stay in sync with the Win LAPS password.

Yes, I know I could disable the local admin account through policy and choose not to use LAPS on the non-persistent servers, or add a script that clears the password last change date in AD on startup.

I would prefer not to have to keep separate GPOs to resolve this issue or custom hacks to resolve something that could just be built in. It could even be an optional setting in the LAPS GPO. Example: Check local admin account last password set: True.

Windows LAPS updates password three time in week

harrys80 — Wed, 25 Oct 2023 16:36:55 GMT

We have user device which reset LAPS password three times a week while the policy is set to reset every 365 days.

The current LAPS policy is configured as follows:
Policy source: CSP
Backup directory: Azure Active Directory
Local administrator account name: local.adm
Password age in days: 365
Password complexity: 3
Password length: 12
Post authentication grace period (hours): 24
Post authentication actions: 0x1

Password updates when Event log shows below.

The post-authentication grace period has expired per policy. The configured post-authentication actions will now be executed.
Account name: Local.adm
Account RID: 0x3E9

How can we fix this and stop resetting the password.

Auditing Access to Windows LAPS Passwords

Bordon0116 — Wed, 06 Sep 2023 12:54:05 GMT

Hello,

I am looking for a feature similar to legacy LAPS that allows a separately defined user in the domain to access the reading of LAPS-assigned passwords. This feature is called "auditing mode" and is used in Legacy LAPS by my C# application to read out certain passwords from devices.
I am now looking for a way to integrate this process into my programme for Windows LAPS through a specified domain user and C#.

Entra - LAPS Report Filter

bt102 — Mon, 28 Aug 2023 16:41:37 GMT

Currently, in Entra's LAPS, you can filter reports by "Last password rotation" and "Next password rotation"

It would be beneficial to also have a LAPS filter for "Password Has Expired", enabling us to take a proactive approach in investigating instances where password rotations have not occurred on specific managed devices.

Workload Endoint Protection is it needed for Hybrid AAD devices?

RBOULARES — Thu, 20 Jul 2023 14:11:47 GMT

Hi,

To make Windows LAPS feature work on Hybrid Azure AD join - Co-managed Devices

we have concluded on POC that we should switching the workload Endpoint protection of co-managed devices to Pilot or full intune? Is this a confirmed prerequisite for the implementation (because there is no written record on the MS forums)

Thanks in advance.

PAA 'Reset the password and reboot' fails when device is manually rebooted before PAA is executed

Atitej — Tue, 18 Jul 2023 10:23:31 GMT

We are currently using the following PAA option within the LAPS policy:

"Reset the password and reboot: upon expiry of the grace period, the managed account password will be reset and the managed device will be immediately rebooted."

When you login as the LAPS admin on the device the following event will be generated:

##############################

10042

The post-authentication grace period has expired per policy. The configured post-authentication actions will now be executed.

##############################

When you now reboot the device manually before PAA execute LAPS will follow up with the following events:

##############################

10047

A pending post-authentication reset timer has been rescheduled after a reboot.

10051

LAPS is updating the managed account password in response to a post-authentication action.

10030

LAPS is sending a message to the following endpoint.

https://enterpriseregistration.windows.net/XXXXXXX

10025

Azure discovery failed.

10005

LAPS policy processing failed with the error code below.

Error code: 0x800706BA

##############################

This results in the LAPS password not being updated in AzureAD which means the password can be used again and again untill the 'next password rotation' kicks in which is makes this solution unsecure.

The Microsoft docs tells us the following for eventid 10025:

https://learn.microsoft.com/en-us/troubleshoot/windows-server/windows-security/windows-laps-troubleshooting-guidance#event-id-10025

1) Verify that you can connect successfully to the registration endpoint (https://enterpriseregistration.windows.net). If you open Microsoft Edge or Google Chrome and connect to the registration endpoint (https://enterpriseregistration.windows.net), you get a message "Endpoint not found". This message means you can connect to the Enterprise Registration Endpoint.

2) If you're using a proxy server, verify that your proxy is configured under the system context. You can open an elevated command prompt and run the netsh winhttp show proxy command to display the proxy.

We've tested this and visting https://enterpriseregistration.windows.net gives us the expected response ("Endpoint not found").

Also 10 minutes after the 10025 event it starts the processing the LAPS policy again which it does succesfully, but does not update the password as part of the PAA:

##############################

10016

The managed account password does not need to be updated at this time.

10004

LAPS policy processing succeeded.

##############################

This also shows there is no problem reaching https://enterpriseregistration.windows.net. We've tested this both on Windows 10 and Windows 11 with latest updates.

Post-Authentication failed when occurs offline

Fred_AGNES — Thu, 13 Jul 2023 17:34:49 GMT

Bonjour 🙂

We experience a problem with post-authentication action.
Windows LAPS detect when local admin logs on.
It also writes in the event log that the password needs to be changed after the delay (24 hours)

Our workstations are turned off every night. A lot of them are connected with a VPN.
When the workstation starts in the morning, VPN is down. LAPS try to change the Admin password and failed because it's offline. When VPN is up, at the next LAPS cycle, it says the password doesn't need to be changed and the password is never changed.

Is there a way to fix that ?

PasswordAgeDays and PostAuthenticationResetDelay 0/24

FeroG440 — Wed, 12 Jul 2023 12:34:50 GMT

Hi there,

would it be possible to include a feature that allows passwords to remain valid till the next rotation specified through PasswordAgeDays after they have been used?

We miss this feature from legacy LAPS. Unfortunately we cannot use it with our new azure AD joined devices.

If we leave PostAuthenticationResetDelay unconfigured the 24hour cycle is really way too tight. Leaving it at 0 makes accounts unusable after authenticating till the next scheduled or manual rotation("The password has to be changed before this account can be used").

Cheers