By popular demand: Windows LAPS available now!
Published Apr 11 2023 10:09 AM by Microsoft

Welcome to the new and improved Windows LAPS! That's Local Administrator Password Solution. We've been listening to your feedback and requests, and the day is finally here for both cloud and on-premises environments.

We're very happy to announce that new LAPS capabilities are coming directly to your devices starting with today's April 11, 2023 security update for the following Windows editions:

  • Windows 11 Pro, EDU, and Enterprise
  • Windows 10 Pro, EDU, and Enterprise
  • Windows Server 2022 and Windows Server Core 2022
  • Windows Server 2019

Update (10.24.2023): The Microsoft Entra scenario for Windows LAPS is now generally available! See the Microsoft Entra Blog for details.

What is LAPS?

Have you ever wanted the ability to secure the local administrator accounts on your deployed Windows devices? Have you ever needed to recover a device and wished you could log in with a local administrator account? And what about doing these tasks on Azure Active Directory-joined machines?

You might already be familiar with the existing Microsoft security product known as Local Administrator Password Solution (LAPS). LAPS has been available on the Microsoft Download Center for many years. It is used to manage the password of a specified local administrator account by regularly rotating the password and backing it up to Active Directory (AD). LAPS has proven itself to be an essential and robust building block for AD enterprise security on premises. We'll affectionately refer to this older LAPS product as "Legacy LAPS".

Windows LAPS is a huge improvement in virtually every area beyond Legacy LAPS. Let's talk about some of the exciting new capabilities that are included in this new Windows LAPS feature based on your feedback!

Natively integrated into Windows

The feature is ready to go out-of-the-box. You no longer need to install an external MSI package! Any future fixes or feature updates will be delivered via the normal Windows patching processes.

Windows LAPS supports Microsoft Entra ID

Together with Microsoft Entra ID (formerly Azure AD), Windows LAPS offers the following benefits for managing passwords in the cloud:

  • Retrieves stored passwords via Microsoft Graph.
  • Creates two new Microsoft Graph permissions for retrieving only the password "metadata" (i.e., for security monitoring apps) or the sensitive cleartext password itself.
  • Provides Azure role-based access control (Azure RBAC) policies for authoring authorization policies for password retrieval.
  • Includes Azure management portal support for retrieving and rotating passwords.
  • Helps you manage the feature via Intune!
  • Automatically rotates the password after the account is used.

New capabilities for on-premises Active Directory scenarios

Here's what you couldn't do with Legacy LAPS that is now available to you on premises:

  • Password encryption: Greatly improves security for these sensitive secrets!
  • Password history: Gives you the ability to log back into restored backup images.
  • Directory Services Restore Mode (DSRM) password backups: Helps keep your domain controllers secure by rotating these critical recovery passwords on a regular basis!
  • Emulation mode: Useful if you want to continue using the older LAPS policy settings and tools while preparing to migrate to the new features!
  • Automatic rotation: Automatically rotate the password after the account is used.

New features for both Microsoft Entra ID and on-premises AD scenarios

Take advantage of rich policy management, on-demand rotation of the Windows LAPS account password from Intune, a dedicated event log, a new PowerShell module, and hybrid-joined support.

  • Rich policy management is now available via both Group Policy and Configuration Service Provider (CSP):
    • Group Policy: %windir%\PolicyDefinitions\LAPS.admx

      (Screenshot: LAPS Group Policy with the password settings set to Enabled in the LAPS console)
    • CSP: ./Device/Vendor/MSFT/LAPS
  • Rotating the Windows LAPS account password on demand from Intune portal is very useful when, for example, handling a possible breach issue.
  • Dedicated event log is located under Applications and Services Logs > Microsoft > Windows > LAPS > Operational for improved diagnostics.

    (Screenshot: LAPS Event Viewer showing the description of a selected Information event in the Operational log)
  • New PowerShell module includes improved management capabilities. For example, you can now rotate the password on demand using the new Reset-LapsPassword cmdlet!

    (Screenshot: PowerShell window and script showing the LAPS module)
  • Hybrid-joined devices are fully supported.
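As an added example (not code from the original post or from Microsoft), here is how a defender could use the new module to rotate one device's managed password on demand after a suspected breach and then confirm the rotation through AD and the dedicated event log. It assumes an on-premises AD backup target, the Windows LAPS PowerShell module on the admin workstation, PowerShell remoting to the device, and that the Get-LapsADPassword output property names (PasswordUpdateTime, ExpirationTimestamp) and the log name Microsoft-Windows-LAPS/Operational are as assumed here.

```powershell
# Added example, not Microsoft's code: force an on-demand rotation of the
# Windows LAPS-managed local account on one device, then verify that the new
# password reached Active Directory and was recorded in the LAPS operational log.
# Assumptions: LAPS module present (April 2023 update or later), PowerShell
# remoting to the target, and AD read rights on the LAPS password attributes.
param(
    [Parameter(Mandatory)] [string] $ComputerName
)

Import-Module LAPS -ErrorAction Stop

# 1. Record the current state from AD. Omitting -AsPlainText keeps the password
#    as a SecureString; only the metadata is needed for this check.
$before = Get-LapsADPassword -Identity $ComputerName
Write-Host "Before: account=$($before.Account) updated=$($before.PasswordUpdateTime) expires=$($before.ExpirationTimestamp)"

# 2. Reset-LapsPassword runs on the managed device itself, so invoke it there via
#    remoting. It rotates the password immediately and backs the new value up to
#    the configured directory.
Invoke-Command -ComputerName $ComputerName -ScriptBlock { Reset-LapsPassword }

# 3. Verify AD now holds a newer password than before; allow a short delay for
#    the device to finish the backup.
Start-Sleep -Seconds 10
$after = Get-LapsADPassword -Identity $ComputerName
if ($after.PasswordUpdateTime -le $before.PasswordUpdateTime) {
    throw "Rotation did not reach AD for $ComputerName; check the device's LAPS log."
}
Write-Host "After:  updated=$($after.PasswordUpdateTime) expires=$($after.ExpirationTimestamp)"

# 4. Pull the most recent entries from the dedicated LAPS operational log on the
#    device (Event Viewer path Microsoft > Windows > LAPS > Operational; channel
#    name assumed). An Error-level entry here is the first place to look if step 3 fails.
Get-WinEvent -ComputerName $ComputerName -LogName 'Microsoft-Windows-LAPS/Operational' -MaxEvents 10 |
    Select-Object TimeCreated, Id, LevelDisplayName, Message |
    Format-Table -AutoSize -Wrap
```

Run it as an account that holds the LAPS password-read right for the device's OU; the plaintext password is never displayed, so the script is safe to keep in an incident runbook.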

How to use LAPS right now

We encourage you to start using the new Windows LAPS feature in your existing deployment with the April 11, 2023 update. You may consider getting started by first leveraging the new emulation mode and then migrating to the new features in a phased manner. Or you can just jump into the new features right away – we won't mind!

We do strongly recommend adopting the new features in order to take advantage of the new security improvements. Doing this will be much more secure for these sensitive passwords, especially when stored in Active Directory with encryption enabled, or in Azure AD.

Happy LAPS-ing!

Learn more about LAPS

Want to catch up on the LAPS story? Watch this informative walkthrough:

Ready to get started? Check out our documentation and demos:


Note: The initial release of Windows LAPS in the April 11, 2023 update contained a legacy LAPS interop bug. This bug has been fixed as of the April 25, 2023 update for clients and the May 9, 2023 update for servers. See Legacy LAPS Interop issues with the April 11 2023 Update for more information and workarounds.


Last updated: Nov 09 2023 09:44 AM