By popular demand: Windows LAPS available now!
Published Apr 11 2023 10:09 AM 361K Views
Microsoft

Welcome to the new and improved Windows LAPS! That's Local Administrator Password Solution. We've been listening to your feedback and requests, and the day is finally here for both cloud and on-premises environments.

We're very happy to announce that new LAPS capabilities are coming directly to your devices starting with today's April 11, 2023 security update for the following Windows editions:

  • Windows 11 Pro, EDU, and Enterprise
  • Windows 10 Pro, EDU, and Enterprise
  • Windows Server 2022 and Windows Server Core 2022
  • Windows Server 2019

Update (10.24.2023): The Microsoft Entra scenario for Windows LAPS is now generally available! See the Microsoft Entra Blog for details.

What is LAPS?

Have you ever wanted the ability to secure the local administrator accounts on your deployed Windows devices? Have you ever needed to recover a device and wished you could log in with a local administrator account? And what about doing these tasks on Azure Active Directory-joined machines?

You might already be familiar with the existing Microsoft security product known as Local Administrator Password Solution (LAPS). LAPS has been available on the Microsoft Download Center for many years. It is used to manage the password of a specified local administrator account by regularly rotating the password and backing it up to Active Directory (AD). LAPS has proven itself to be an essential and robust building block for AD enterprise security on premises. We'll affectionately refer to this older LAPS product as "Legacy LAPS".

Windows LAPS is a huge improvement in virtually every area beyond Legacy LAPS. Let's talk about some of the exciting new capabilities that are included in this new Windows LAPS feature based on your feedback!

Natively integrated into Windows

The feature is ready to go out-of-the-box. You no longer need to install an external MSI package! Any future fixes or feature updates will be delivered via the normal Windows patching processes.

Windows LAPS supports Microsoft Entra ID

Together with Microsoft Entra ID (formerly Azure AD), Windows LAPS offers the following benefits for managing passwords in the cloud:

  • Retrieves stored passwords via Microsoft Graph.
  • Adds two new Microsoft Graph permissions: DeviceLocalCredential.ReadBasic.All, which returns only the password "metadata" (for example, for security monitoring apps), and DeviceLocalCredential.Read.All, which also returns the sensitive cleartext password itself.
  • Provides role-based access control for authoring authorization policies for password retrieval.
  • Includes Azure management portal support for retrieving and rotating passwords.
  • Helps you manage the feature via Intune!
  • Automatically rotates the password after the account is used.
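The two Graph permissions above differ in what they expose, not just in who holds them. The following is an added example (not code from the original post) that reads a Windows LAPS password backed up to Microsoft Entra ID first with the metadata-only scope and then with the cleartext scope. It assumes the Microsoft.Graph.Authentication module is installed and that the caller has been granted the corresponding Entra role; the device object ID is a placeholder.

```powershell
# Added example, not from the original post: compare what each Graph permission returns.
# Assumes Microsoft.Graph.Authentication is installed; the device ID below is a placeholder.

$deviceId = '00000000-0000-0000-0000-000000000000'   # placeholder Entra device object ID

# Metadata only: enough for a monitoring job to confirm rotation is happening
# without ever holding the secret.
Connect-MgGraph -Scopes 'DeviceLocalCredential.ReadBasic.All', 'Device.Read.All'
Get-LapsAADPassword -DeviceIds $deviceId |
    Select-Object DeviceName, DeviceId, Account, PasswordUpdateTime, PasswordExpirationTime

# Cleartext: only for an operator who actually has to log on. Note the separate,
# more privileged scope; keep it on a separate, audited role assignment.
Disconnect-MgGraph
Connect-MgGraph -Scopes 'DeviceLocalCredential.Read.All', 'Device.Read.All'
$entry = Get-LapsAADPassword -DeviceIds $deviceId -IncludePasswords -IncludeHistory -AsPlainText
$entry | Select-Object DeviceName, Account, Password, PasswordUpdateTime, PasswordExpirationTime |
    Format-Table -AutoSize

# Because the post-authentication action rotates the password after use, the value
# retrieved here is effectively single-use; do not cache it in a ticket or script.
```

Run the metadata half under the identity your monitoring job uses and confirm it cannot obtain a password; that is the check that the two scopes are really separated in your tenant.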

New capabilities for on-premises Active Directory scenarios

Here's what you couldn't previously do with legacy LAPS, which is now available to you on premises:

  • Password encryption: Greatly improves security for these sensitive secrets!
  • Password history: Gives you the ability to log back into restored backup images.
  • Directory Services Restore Mode (DSRM) password backups: Helps keep your domain controllers secure by rotating these critical recovery passwords on a regular basis!
  • Emulation mode: Useful if you want to continue using the older LAPS policy settings and tools while preparing to migrate to the new features!
  • Automatic rotation: Automatically rotate the password after the account is used.

New features for both Microsoft Entra ID and on-premises AD scenarios

Take advantage of rich policy management, rotating the Windows LAPS account password in Intune, dedicated event log, new PowerShell module, and hybrid-joined support.

  • Rich policy management is now available via both Group Policy and Configuration Service Provider (CSP):
    • Group Policy: %windir%\PolicyDefinitions\LAPS.admx (with LAPS.adml under the language subfolder, e.g. en-US)

      [Screenshot: LAPS Group Policy with Password Settings set to Enabled]
    • CSP: ./Device/Vendor/MSFT/LAPS
  • Rotating the Windows LAPS account password on demand from Intune portal is very useful when, for example, handling a possible breach issue.
  • Dedicated event log is located under Applications and Services Logs > Microsoft > Windows > LAPS > Operational (channel name Microsoft-Windows-LAPS/Operational) for improved diagnostics.

    [Screenshot: LAPS Event Viewer showing an information event in the Operational log]
  • New PowerShell module includes improved management capabilities. For example, you can now rotate the password on demand using the new Reset-LapsPassword cmdlet!

    [Screenshot: PowerShell session showing the LAPS module]
  • Hybrid-joined devices are fully supported.
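Pulling the pieces above together, here is an added example (not code from the original post) of the day-to-day checks a practitioner runs once the April update is installed: confirm the in-box module is present, read the dedicated event log, rotate on demand, and read the password back from Active Directory. It assumes the on-premises AD backup scenario with password encryption enabled and a caller who holds the read/decrypt rights; the computer name and the decryption group are placeholders.

```powershell
# Added example, not from the original post: verify Windows LAPS is present, rotate the
# managed account's password on demand, and read it back from AD.
# Assumes AD backup with encryption enabled; 'WKS-0042' and the credential prompt are placeholders.

#Requires -RunAsAdministrator

# 1. Is the in-box module there? No MSI: it ships with the April 11, 2023 update.
if (-not (Get-Module -ListAvailable -Name LAPS)) {
    throw 'Windows LAPS module not found; the April 11, 2023 update (or later) is not installed.'
}
Get-Command -Module LAPS | Select-Object -ExpandProperty Name

# 2. Read the dedicated log instead of guessing at state. Level 2 = Error, 3 = Warning.
#    Filtering by level rather than by event ID keeps the check independent of specific IDs.
Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-LAPS/Operational'
    Level     = 2, 3
    StartTime = (Get-Date).AddDays(-1)
} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, LevelDisplayName, Message |
    Format-Table -AutoSize -Wrap

# 3. Apply policy immediately and rotate now (e.g. after a helpdesk engineer used the account).
Invoke-LapsPolicyProcessing
Reset-LapsPassword

# 4. Read the current password and history back from AD. -DecryptionCredential is only
#    needed when the password was encrypted to a principal the caller is not a member of.
$cred  = Get-Credential -Message 'Member of the LAPS decryption group (placeholder)'
$entry = Get-LapsADPassword -Identity 'WKS-0042' -AsPlainText -IncludeHistory -DecryptionCredential $cred
$entry | Select-Object ComputerName, Account, Password, PasswordUpdateTime, ExpirationTimestamp, Source |
    Format-Table -AutoSize

# 5. For a machine you cannot reach interactively, force rotation at its next policy
#    refresh by setting the stored expiration time to now.
Set-LapsADPasswordExpirationTime -Identity 'WKS-0042'
```

Step 5 is the right response to a suspected credential exposure on a remote device: you do not need a session on the box, only the reset-permission on the computer object, and the device picks up the expired timestamp on its next policy pass.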

How to use LAPS right now

We encourage you to start using the new Windows LAPS feature in your existing deployment with the April 11, 2023 update. You may consider getting started first by leveraging the new emulation mode and then migrate over to the new features in a phased manner. Or you can just jump into the new features right away – we won't mind!

We do strongly recommend adopting the new features in order to take advantage of the new security improvements. Legacy LAPS stores the password in cleartext in the ms-Mcs-AdmPwd attribute, protected only by that attribute's ACL; backing it up to Active Directory with password encryption enabled, or to Azure AD, is a much stronger position for these sensitive passwords.

Happy LAPS-ing!

Learn more about LAPS

Want to catch up on the LAPS story? Watch this informative walkthrough:

Ready to get started? Check out our documentation and demos:

 

Note: The initial release of Windows LAPS in the April 11, 2023 update contained a legacy LAPS interop bug. This bug has been fixed as of the April 25, 2023 update for clients and the May 9, 2023 update for servers. See Legacy LAPS Interop issues with the April 11 2023 Update for more information and workarounds.



374 Comments
Iron Contributor

Can't wait for this to be released to public! Thank you to the team that was behind this!

Brass Contributor

So if this is being enabled on clients with this months patches… what happens if those PCs already have the legacy LAPS client installed and running? 

Copper Contributor

@Andrew Allston great question, really interested to know that.

 

Also, is there any way to opt-in for the private preview? Thanks!

Microsoft

@Andrew Allston - the new Windows LAPS is designed to exist with or without the legacy LAPS client being installed.  Just don't try to configure the two to manage the same account!   If you don't want to migrate to the new Windows LAPS features just yet, you can still start the transition by utilizing legacy LAPS emulation mode.

Microsoft

@aezaratec (and for everyone else that is wondering) - the Windows LAPS Azure AD private preview is CLOSED (had to use bold caps to get the point across - did it work :-)).  We greatly appreciate the interest but right now the team is 100% focused on getting to public preview for the Azure AD scenario, which we have publicly said will happen in Q2.  Oh wait - we're in Q2 right now - not much longer! :)

Iron Contributor

@Jay Simmons Although you said it's designed to exist with or without the legacy LAPS client being installed, I assume documentation that details how to migrate between the two will be released when it's available to everyone?

Microsoft

@Marc Laflamme - I am getting a lot of "how to migrate" questions and will work on getting something formally documented.

 

Honestly though, the answer to that question was designed to be very simple.  Let's assume you are already running legacy LAPS and are targeting a local admin account called "LapsAdmin".   Here's what the migration might look like:

 

1) Extend your AD schema with the new Windows LAPS attributes

2) Add a new local admin account to your managed devices (call it "LapsAdmin2")

3) Enable the new Windows LAPS policies to target LapsAdmin2.

4) Run Windows LAPS and legacy LAPS side-by-side for as long as needed to gain confidence in the solution (and also update IT worker\helpdesk procedures, monitoring software, etc). Note you will have two separately managed local accounts that you may choose to use during this time.

5) Once happy, remove the legacy LAPS CSE from your managed devices.

6) Delete the original LapsAdmin account.

7) (Optionally), purge the now defunct legacy LAPS policy registry entries.
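The seven steps above, as an added example (not Microsoft's own migration script). Part A runs once in the directory (Schema Admins for the schema step, Domain Admins for the ACLs, which is the separate ACL work the thread raises later). Part B runs on one pilot device and writes the Windows LAPS policy to the local policy registry key so the settings can be checked before the same values are pushed by GPO or Intune. OU, group, domain and account names are placeholders; the legacy CSE GUID is the one the AdmPwd CSE registers and should be confirmed against your own image.

```powershell
# Added example, not Microsoft's migration script. Placeholders: OU, groups, domain, account names.
# Part A: directory side, run once. Part B: device side, run on a pilot machine as a member of $readers.

#Requires -RunAsAdministrator

# ===== Part A: step 1 plus the new-attribute ACLs =====
$ou        = 'OU=Workstations,DC=corp,DC=example'   # placeholder
$readers   = @('CORP\LAPS-Helpdesk')                 # placeholder: may read and decrypt
$resetters = @('CORP\LAPS-Helpdesk')                 # placeholder: may force expiry

Update-LapsADSchema                                  # adds the msLAPS-* attributes
Set-LapsADComputerSelfPermission  -Identity $ou      # computers write their own msLAPS-* attributes
Set-LapsADReadPasswordPermission  -Identity $ou -AllowedPrincipals $readers
Set-LapsADResetPasswordPermission -Identity $ou -AllowedPrincipals $resetters
Set-LapsADAuditing -Identity $ou -AuditedPrincipals 'Everyone' -AuditType Success
# Review who can read either the legacy ms-Mcs-AdmPwd or the new attributes:
Find-LapsADExtendedRights -Identity $ou | Format-Table -AutoSize

# ===== Part B: steps 2 and 3 =====
$newAccount = 'LapsAdmin2'                           # placeholder, as in the comment
$encryptTo  = 'CORP\LAPS-Helpdesk'                   # placeholder: encryption principal

if (-not (Get-LocalUser -Name $newAccount -ErrorAction SilentlyContinue)) {
    # Seed with a random throwaway password; Windows LAPS rotates it on its first policy pass.
    $bytes = New-Object byte[] 32
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $seed  = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
    New-LocalUser -Name $newAccount -Password $seed -PasswordNeverExpires -Description 'Managed by Windows LAPS'
    Add-LocalGroupMember -Group 'Administrators' -Member $newAccount
}

# Windows LAPS policy as registry policy (the value names LAPS.admx writes).
# Verify the names against your LAPS.admx before pushing at scale.
$policy = 'HKLM:\SOFTWARE\Microsoft\Policies\LAPS'
New-Item -Path $policy -Force | Out-Null
$settings = @{
    BackupDirectory                     = 2            # 2 = Active Directory (1 = Azure AD / Entra ID)
    AdministratorAccountName            = $newAccount  # NOT the legacy-managed 'LapsAdmin'
    PasswordAgeDays                     = 30
    PasswordLength                      = 20
    PasswordComplexity                  = 4            # upper + lower + digits + specials
    ADPasswordEncryptionEnabled         = 1
    ADPasswordEncryptionPrincipal       = $encryptTo
    ADEncryptedPasswordHistorySize      = 3
    PasswordExpirationProtectionEnabled = 1
    PostAuthenticationResetDelay        = 24           # hours after use before rotation
    PostAuthenticationActions           = 3            # reset password and log off
}
foreach ($kv in $settings.GetEnumerator()) {
    $type = if ($kv.Value -is [int]) { 'DWord' } else { 'String' }
    Set-ItemProperty -Path $policy -Name $kv.Key -Value $kv.Value -Type $type
}

# Apply now rather than waiting for the next refresh, then confirm the backup landed.
Invoke-LapsPolicyProcessing
Get-LapsADPassword -Identity $env:COMPUTERNAME -AsPlainText |
    Select-Object ComputerName, Account, PasswordUpdateTime, ExpirationTimestamp, Source

# ===== Step 4 sanity check: legacy LAPS still present and still managing its own account? =====
$legacyCse = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{D76B9641-3288-4f75-942D-087DE603E3EA}'
$legacyPol = 'HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd'
[pscustomobject]@{
    LegacyCseRegistered = Test-Path $legacyCse
    LegacyPolicyPresent = Test-Path $legacyPol
    LegacyAccount       = (Get-ItemProperty $legacyPol -ErrorAction SilentlyContinue).AdminAccountName
}

# ===== Steps 5-7: only after the pilot is signed off =====
# 5) Uninstall the legacy LAPS MSI (the CSE) through your software deployment tool.
# 6) Remove-LocalUser -Name 'LapsAdmin'
# 7) Remove-Item -Path $legacyPol -Recurse      # purge the defunct legacy policy values
```

The point of keeping the two accounts distinct is visible in the Part B settings: AdministratorAccountName is the new account, so Windows LAPS never contends with the legacy CSE for the same password, which is exactly the conflict the reply above warns against.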

Copper Contributor

I assume this is considered a feature and therefore NOT being sent to Enterprise LTSC machines, correct?

Copper Contributor

Are there any ACL modifications needed if we are already running legacy LAPS? I see Set-LapsADComputerSelfPermission mentioned in the Getting Started guide but nothing for read and reset permissions. 

Iron Contributor

Will the new LAPS PowerShell module be released at the same time as LAPS for Azure AD is released into Public preview? or is it available on a GitHub repo for installation now?

Iron Contributor

Will Windows server 2016 be supported?

Which update (KB) for Windows Server 2019 installs Windows LAPS?

I didn't quite understand how to configure the legacy LAPS emulation mode!

Iron Contributor

Windows Server 2019 Core not supported?

Which Windows 10 (KB) update installs this feature?

Iron Contributor

Will this be configurable in the Settings Catalog when it gets to public Preview?

Copper Contributor

@Jay Simmons 

What is the migration path for the most common scenario (i.e. those running LAPS with default Administrator account)?

Copper Contributor

I see the April update for Windows 2019 (KB5025229) installed in %windir%\PolicyDefinitions a new LAPS.admx file. Great, but where is the corresponding resource file?  I can't locate it.

Copper Contributor

Is it possible to scope access to LAPS passwords for different business units (for example, different helpdesk groups for different regions)?
I could imagine something like having an Administrative Unit containing devices and limiting access to the devices in that unit, similar to what is possible with BitLocker recovery keys.

Regards, Robert

Copper Contributor

And what about Server 2016?

Copper Contributor

How is this different from the LAPS policies already available in the Intune Settings Catalog for a few months?

 

  • Do not allow password expiration time longer than required by policy: Enabled
  • Enable local admin password management: Enabled
  • Password Settings: Enabled
    • Password Complexity (Device): Large letters + small letters + numbers + specials
    • Password Age (Days) (Device): 30

Microsoft

@Gabriel Luiz - I may be mistaken but isn't Windows Server 2019 Core out of support now?   

Microsoft

@S_Weel - Server 2016 is not supported.

Iron Contributor

Would be nice to have support on all current supported Operating Systems.

Windows Server 2016

Windows Server 2012 / R2

Windows 10 LTSC

Microsoft

@Gabriel Luiz,

 

>>Which Windows 10 (KB) update installs this feature?

 

Please see this topic in the LAPS documentation which has all of the links to the various KB update articles, including Windows 10.

 

Microsoft

@Bashtech ,

 

>>Are there any ACL modifications needed if we are already running legacy LAPS?

>>I see Set-LapsADComputerSelfPermission mentioned in the Getting Started guide but nothing for read and reset permissions. 

 

Yes - once your device is backing up passwords to the new Windows LAPS AD attributes, you do need to modify ACLs for those attributes separately from the ACLs you used for legacy LAPS.   Take a look in the LAPS PowerShell overview topic - there are new cmdlets for the ACL modification scenarios.

Microsoft

@WeDontWantThisAttackSurface 

 

>>What is the migration path for the most common scenario (i.e. those running LAPS with default Administrator account)?

 

If you do not want to go down the path of creating and managing a new\separate side-by-side local account, and you only want to manage the default Admin account, then the only way forward is to phase out legacy LAPS by removing the legacy LAPS GPO CSE.   Once the legacy LAPS GPO CSE is removed from a device, Windows LAPS will take over using the legacy LAPS GPO settings and continuing to manage the default Admin account.  Once that phase is over, you can decide if you want to migrate to the new Windows LAPS GPO which offers other new features.

Iron Contributor

@Jay Simmons Thanks for the details. We used the default Administrator account in our deployment - is it possible to have the new LAPS take over this? Or do you need a separate account? (I saw some tweets regarding conflicts when trying to manage the same account with both LAPS versions). -edit- I saw your post right above this one detailing this information after I initially posted.

 

There's also the other aspect of requiring LoS to a DC to obtain any new GPO's to "turn off" the legacy LAPS. In our case, we went to hybrid pre-covid and when everyone went home, most users don't require VPN to do their jobs so they don't bother connecting. This means the only point of control left is Intune. Will there be the ability to have new LAPS supercede the old one and even force the deactivation of it? Or will this require us to push out a manual Uninstall of the LAPS .MSI and manually change the regkeys set by the LAPS GPO?

Microsoft

@jvldn,

 

>>How is this different from the LAPS policies already available in the Intune Settings Catalog for a few months?

 

I think you may be looking at the legacy LAPS GPO settings as they are exposed through Intune?  Stay tuned - the new Windows LAPS settings are not yet publicly available in Intune (coming soon) and will look very similar to the settings offered by the new Windows LAPS GPO. 

Iron Contributor

In a hybrid scenario, do we need to extend the AD schema if we are only going to use Windows LAPS for Azure AD? Are ACL modification necessary?

Microsoft

@Anthonymelwhrhs ,

 

>>In a hybrid scenario, do we need to extend the AD schema if we are only going to use Windows LAPS for Azure AD? Are ACL modification necessary?

 

If you are only going to use Windows LAPS for the Azure AD scenario then no, you do not need extend the AD schema and no AD ACL modifications are needed.

Microsoft

@SteveMacNZ ,

 

>>Will the new LAPS PowerShell module be released at the same time as LAPS for Azure AD is released into Public preview?

>>or is it available on a GitHub repo for installation now?

 

The new LAPS PowerShell module is part of Windows. It is available as of the April 11th updates (yesterday).

 

The new module does have one cmdlet which is specific to the Azure AD scenario (Get-LapsAADPassword) but you will need to wait for the Azure AD scenario public preview to start using it.  For now you can refer to the Getting Started guide to get an idea of what it does.

 

Microsoft

@AlvaroFdezS ,

 

>>I see the April update for Windows 2019 (KB5025229) installed in %windir%\PolicyDefinitions a new LAPS.admx file.

>>Great, but where is the corresponding resource file?  I can't locate it.

 

It should be there - and I just verified it with a local test.  If you can repro this ping me offline.

Copper Contributor

I have the 22H2 Admx files from October. They do not seem to contain the LAPS.admx  Where can I snag this? Or will I even need it if we're waiting to use Azure?

Microsoft

@Marc Laflamme 

 

>>We used the default Administrator account in our deployment - is it possible to have the new LAPS take over this?
>>Or do you need a separate account? (I saw some tweets regarding conflicts when trying to manage the same account with both LAPS versions).
>>There's also the other aspect of requiring LoS to a DC to obtain any new GPO's to "turn off" the legacy LAPS.
>>In our case, we went to hybrid pre-covid and when everyone went home, most users don't require VPN to do their jobs so they don't bother connecting.
>>This means the only point of control left is Intune.
>>Will there be the ability to have new LAPS supercede the old one and even force the deactivation of it?
>>Or will this require us to push out a manual Uninstall of the LAPS .MSI and manually change the regkeys set by the LAPS GPO?

 

I understand the issue with the managed devices not having LOS to DCs. If your clients only have intermittent connectivity to DCs then I would be worried in general about any Active Directory-based LAPS solution working consistently. It might be better in that situation to transition immediately to backing up passwords to Azure AD (when available).

 

For the rest of your comments, it is possible to do a "rude" transition from legacy LAPS to Windows LAPS.  You would do this in the onprem AD scenario by extending the schema, modifying ACLs, then configuring the managed devices with a Windows LAPS policy that targets the default Admin account.  What happens then is that Windows LAPS will take over the management of the default Admin account and start backing up its passwords to the new Windows LAPS AD attributes.  The legacy LAPS GPO CSE is still installed at that point, will still wake up with every GPO refresh cycle, and will still try to rotate the password of the default Admin account per the traditional legacy LAPS pwd expiry algorithm.   The difference when that happens is that Windows LAPS will block legacy LAPS's attempted modification of the default Admin account password.    So you do get to your end-goal - but you still have a defunct legacy LAPS GPO CSE installed at that point which is not happy, but isn't otherwise hurting anything.  I am not an expert on how to manage remote devices wrt MSI pkg uninstallation but I would assume it's possible.

 

The same approach can be applied when transitioning from legacy LAPS directly to backing up passwords to Azure AD.

 

You had a lot of questions there, not sure I covered all of it - feel free to ping me offline.

Microsoft

@Hypnotix 

 

>>I have the 22H2 Admx files from October. They do not seem to contain the LAPS.admx  Where can I snag this? Or will I even need it if we're waiting to use Azure?

 

That seems expected to me?  Any October update will not have any Windows LAPS files.  You would need to install yesterday's updates to see the new Windows LAPS GPO templates.   

 

It will not be necessary to use the new Windows LAPS GPO templates in order to configure a device to backup passwords to Azure AD.  Most likely you would want to use the new Intune LAPS CSP support at that point.

Copper Contributor

Like @AlvaroFdezS  mentioned you can now find the LAPS.admx file in the PolicyDefinitions folder but how else can you verify that the new LAPS is installed.

 

Also like mentioned I think we need some better -How to- direction on migrating from the old to the new especially if you currently use  LAPS with default Administrator account.

Microsoft

@Chip_12 ,

 

>>Also like mentioned I think we need some better -How to- direction on migrating from the old to the new

>>especially if you currently use  LAPS with default Administrator account.

 

Yes - I have heard this feedback (need for migration guidance) loud and clear.   I will be adding content to the docs on this.

Copper Contributor

@Jay Simmons Installing yesterdays kb on our domain controller will update the admx files?

Microsoft

@Hypnotix 

 

>>Installing yesterdays kb on our domain controller will update the admx files?

 

Yes - the new LAPS admx files are now a base part of Windows, including on servers + domain controllers.

Copper Contributor

@Jay Simmons, Jay, I pinged you via a message with a capture of my installation... no .adml resource file for LAPS under %windir%\PolicyDefinitions\* after correctly installing the April patch yesterday. Mine is a Spanish OS (Windows 2019); perhaps this is the problem?

Iron Contributor

@Jay Simmons Really appreciate the thorough response and yes I think you did answer everything and from what it sounds like will be a fairly simple implementation when Azure AD backup becomes available however there is one part that is a bit confusing - why do we need to extend the AD Schema if we're going to be using Azure AD as the backup target? Is this due to the fact that in a hybrid setup the computer accounts are synchronized from on-prem?

Copper Contributor

This is amazing

Microsoft

@Marc Laflamme 

 

>>however there is one part that is a bit confusing - why do we need to extend the AD Schema if we're going to be using Azure AD as the backup target?

>>Is this due to the fact that in a hybrid setup the computer accounts are synchronized from on-prem?

 

If your only functional goal is to backup passwords to Azure AD, then you do NOT need to extend your AD schema with the new Windows LAPS attributes.  Sorry if that was not clear all along - I think perhaps I've been so close to the design for so long that I forget these types of questions.   (I'm collecting a bunch of these questions and plan to add a FAQ page to the doc.)   

 

To be clear on your other point, there is no Windows LAPS dependency on any synchronization mechanism for hybrid (or any other) machines.  

 

 

 

Iron Contributor

@Jay Simmons ohh okay that's good to know. Just want to also make sure there's no dependency on Intune either, just Azure AD? For servers that we want to leverage this on (and cannot be managed by Intune), can we still back their passwords up to Azure? Or do we need to back them up to the local AD?

Microsoft

@Marc Laflamme ,

 

>>Just want to also make sure there's no dependency on Intune either, just Azure AD?

>>For servers that we want to leverage this on (and cannot be managed by Intune), can we still back their passwords up to Azure?

>>Or do we need to back them up to the local AD?

 

Correct, Windows LAPS does NOT have a hard dependency on Intune.   From the Windows LAPS client perspective, in order to backup passwords to Azure AD the device just needs to be AzureAD-joined, and the necessary Windows LAPS policy directives need to be deployed (if not via Intune, then via GPO or any other method).   

 

Note, I am not authoritative on which versions of Windows Server can be joined to Azure AD - but I've been told that scenario is getting more and more supported as time goes on.

Iron Contributor

@Jay Simmons This warning event in the new LAPS event viewer location is expected if we are using legacy LAPS with April's CU installed, correct? It's just saying that Windows (new LAPS) is not managing the changing of the password?

[Screenshot: warning event in the Microsoft-Windows-LAPS/Operational log]

 

Microsoft

@Anthonymelwhrhs,

 

>>This warning event in the new LAPS event viewer location is expected if we are using legacy LAPS with April's CU installed, correct?

>>It's just saying that Windows (new LAPS) is not managing the changing of the password?

 

Your summary above is exactly correct.  Yes it's a warning event but there is no harm being caused - legacy LAPS is being left alone to do its thing, and Windows LAPS will wait in the wings until legacy LAPS is removed, OR until you configure the new Windows LAPS GPO settings (which would target the new Windows LAPS AD attributes).

 

 

Version history: last update Nov 09 2023 09:44 AM