Can't wait for this to be released to public! Thank you to the team that was behind this!

So if this is being enabled on clients with this months patches… what happens if those PCs already have the legacy LAPS client installed and running? 

@Andrew Allston great question, really interested to know that.

Also, is there any way to opt-in for the private preview? Thanks!

@Andrew Allston - the new Windows LAPS is designed to exist with or without the legacy LAPS client being installed.  Just don't try to configure the two to manage the same account!   If you don't want to migrate to the new Windows LAPS features just yet, you can still start the transition by utilizing legacy LAPS emulation mode.

@aezaratec (and for everyone else that is wondering) - the Windows LAPS Azure AD private preview is CLOSED (had to use bold caps to get the point across - did it work :-)).  We greatly appreciate the interest but right now the team is 100% focused on getting to public preview for the Azure AD scenario, which we have publicly said will happen in Q2.  Oh wait - we're in Q2 right now - not much longer! :)

@Jay Simmons Although you said it's designed to exist with or without the legacy LAPS client being installed, I assume documentation that details how to migrate between the two will be released when it's available to everyone?

@Marc Laflamme - I am getting a lot of "how to migrate" questions and will work on getting something formally documented.

Honestly though, the answer to that question was designed to be very simple.  Let's assume you are already running legacy LAPS and are targeting a local admin account called "LapsAdmin".   Here's what the migration might look like:

1) Extend your AD schema with the new Windows LAPS attributes

2) Add a new local admin account to your managed devices (call it "LapsAdmin2")

3) Enable the new Windows LAPS policies to target LapsAdmin2.

4) Run Windows LAPS and legacy LAPS side-by-side for as long as needed to gain confidence in the solution (and also update IT worker\helpdesk procedures, monitoring software, etc). Note you will have two (2) separately managed local managed accounts that you may choose to use during this time.

5) Once happy, remove the legacy LAPS CSE from your managed devices.

6) Delete the original LapsAdmin account.

7) (Optionally), purge the now defunct legacy LAPS policy registry entries.

I assume this is considered a feature and therefore NOT being sent to Enterprise LTSC machines, correct?

Are there any ACL modifications needed if we are already running legacy LAPS? I see Set-LapsADComputerSelfPermission mentioned in the Getting Started guide but nothing for read and reset permissions. 

Will the new LAPS PowerShell module be released at the same time as LAPS for Azure AD is released into Public preview? or is it available on a GitHub repo for installation now?

Will Windows server 2016 be supported?

What is the update (KB) of Windows Server 2019 install on Windows Laps?

I didn't quite understand how to configure the legacy LAPS emulation mode!

@Gabriel Luiz  I would say the 2019 update would be 2023-04 Cumulative Update for Windows Server 2019 for x64-based Systems (KB5025229) 

Windows Server 2019 Core not supported?

Which Windows 10 (KB) update installs this feature?

@Gabriel Luiz 

KB5025221 applies to Windows 10 20H2 and above

https://support.microsoft.com/en-us/topic/april-11-2023-kb5025221-os-builds-19042-2846-19044-2846-an...

Will this be configurable in the Settings Catalog when it gets to public Preview?

@Jay Simmons 

What is the migration path for the most common scenario (i.e. those running LAPS with default Administrator account)?

I see the April update for Windows 2019 (KB5025229) installed in %windir%\PolicyDefinitions a new LAPS.admx file. Great, but where is the corresponding resource file?  I can't locate it.

is it possible to scope access to LAPSpasswords for different Businessunits  ( like having different Helpdeskgroups for different regions) 
i could imagine something like having an Administrative Unit with devices and have access limited to devices in this unit  - similar like its possible with Bitlocker recovery keys ?

Regards Robert

And what about Server 2016?

How is this different from the LAPS policies already available in the Intune Settings Catalog for a few months?

Do not allow password expiration time longer than required by policy
Enabled
Enable local admin password management
Enabled
Password Settings
Enabled

Password Complexity (Device)
Large letters + small letters + numbers + specials
Password Age (Days) (Device)
30

@Gabriel Luiz - I may be mistaken but isn't Windows Server 2019 Core out of support now?   

@S_Weel - Server 2016 is not supported.

Would be nice to have support on all current supported Operating Systems.

Windows Server 2016

Windows Server 2012 / R2

Windows 10 LTSC

@Gabriel Luiz,

>>Which Windows 10 (KB) update installs this feature?

Please see this topic in the LAPS documentation which has all of the links to the various KB update articles, including Windows 10.

@Bashtech ,

>>Are there any ACL modifications needed if we are already running legacy LAPS?

>>I see Set-LapsADComputerSelfPermission mentioned in the Getting Started guide but nothing for read and reset permissions. 

Yes - once your device is backing up passwords to the new Windows LAPS AD attributes, you do need to modify ACLs for those attributes separately from the ACLs you used for legacy LAPS.   Take a look in the LAPS PowerShell overview topic - there are new cmdlets for the ACL modification scenarios.

@WeDontWantThisAttackSurface 

>>What is the migration path for the most common scenario (i.e. those running LAPS with default Administrator account)?

If you do not want to go down the path of creating and managing a new\separate side-by-side local account, and you only want to manage the default Admin account, then the only way forward is to phase out legacy LAPS by removing the legacy LAPS GPO CSE.   Once the legacy LAPS GPO CSE is removed from a device, Windows LAPS will take over using the legacy LAPS GPO settings and continuing to manage the default Admin account.  Once that phase is over, you can decide if you want to migrate to the new Windows LAPS GPO which offers other new features.

@Jay Simmons Thanks for the details. We used the default Administrator account in our deployment - is it possible to have the new LAPS take over this? Or do you need a separate account? (I saw some tweets regarding conflicts when trying to manage the same account with both LAPS versions). -edit- I saw your post right above this one detailing this information after I initially posted.

There's also the other aspect of requiring LoS to a DC to obtain any new GPO's to "turn off" the legacy LAPS. In our case, we went to hybrid pre-covid and when everyone went home, most users don't require VPN to do their jobs so they don't bother connecting. This means the only point of control left is Intune. Will there be the ability to have new LAPS supercede the old one and even force the deactivation of it? Or will this require us to push out a manual Uninstall of the LAPS .MSI and manually change the regkeys set by the LAPS GPO?

@jvldn,

>>How is this different from the LAPS policies already available in the Intune Settings Catalog for a few months?

I think you may be looking at the legacy LAPS GPO settings as they are exposed through Intune?  Stay tuned - the new Windows LAPS settings are not yet publicly available in Intune (coming soon) and will look very similar to the settings offered by the new Windows LAPS GPO. 

In a hybrid scenario, do we need to extend the AD schema if we are only going to use Windows LAPS for Azure AD? Are ACL modification necessary?

@Anthonymelwhrhs ,

>>In a hybrid scenario, do we need to extend the AD schema if we are only going to use Windows LAPS for Azure AD? Are ACL modification necessary?

If you are only going to use Windows LAPS for the Azure AD scenario then no, you do not need extend the AD schema and no AD ACL modifications are needed.

@SteveMacNZ ,

>>Will the new LAPS PowerShell module be released at the same time as LAPS for Azure AD is released into Public preview?

>>or is it available on a GitHub repo for installation now?

The new LAPS PowerShell module is part of Windows. It is available as of the April 11th updates (yesterday).

The new module does have one cmdlet which is specific to the Azure AD scenario (Get-LapsAADPassword) but you will need to wait for the Azure AD scenario public preview to start using it.  For now you can refer to the Getting Started guide to get an idea of what it does.

@AlvaroFdezS ,

>>I see the April update for Windows 2019 (KB5025229) installed in %windir%\PolicyDefinitions a new LAPS.admx file.

>>Great, but where is the corresponding resource file?  I can't locate it.

It should be there - and I just verified it with a local test.  If you can repro this ping me offline.

I have the 22H2 Admx files from October. They do not seem to contain the LAPS.admx  Where can I snag this? Or will I even need it if we're waiting to use Azure?

@Marc Laflamme 

>>We used the default Administrator account in our deployment - is it possible to have the new LAPS take over this?
>>Or do you need a separate account? (I saw some tweets regarding conflicts when trying to manage the same account with both LAPS versions).
>>There's also the other aspect of requiring LoS to a DC to obtain any new GPO's to "turn off" the legacy LAPS.
>>In our case, we went to hybrid pre-covid and when everyone went home, most users don't require VPN to do their jobs so they don't bother connecting.
>>This means the only point of control left is Intune.
>>Will there be the ability to have new LAPS supercede the old one and even force the deactivation of it?
>>Or will this require us to push out a manual Uninstall of the LAPS .MSI and manually change the regkeys set by the LAPS GPO?

I understand the issue with the managed devices not having LOS to DCs. If your clients only have intermittent connectivity to DCs then I would be worried in general about any Active Directory-based LAPS solution working consistently. It might be better in that situation to transition immediately to backing up passwords to Azure AD (when available).

For the rest of your comments, it is possible to do a "rude" transition from legacy LAPS to Windows LAPS.  You would do this in the onprem AD scenario by extending the schema, modifying ACLs, then configuring the managed devices with a Windows LAPS policy that targets the default Admin account.  What happens then is that Windows LAPS will take over the management of the default Admin account and start backing up its passwords to the new Windows LAPS AD attributes.  The legacy LAPS GPO CSE is still installed at that point, will still wake up with every GPO refresh cycle, and will still try to rotate the password of the default Admin account per the traditional legacy LAPS pwd expiry algorithm.   The difference when that happens is that Windows LAPS will block legacy LAPS's attempt modification of the default Admin account password.    So you do get to your end-goal - but you still have a defunct legacy LAPS GPO CSE installed at that point which is not happy, but isn't otherwise hurting anything.  I am not an expert on how to manage remote devices wrt MSI pkg uninstallation but I would assume it's possible.

The same approach can be applied when transitioning from legacy LAPS directly to backing up passwords to Azure AD.

You had a lot of questions there, not sure I covered all of it - feel free to ping me offline.

@Hypnotix 

>>I have the 22H2 Admx files from October. They do not seem to contain the LAPS.admx  Where can I snag this? Or will I even need it if we're waiting to use Azure?

That seems expected to me?  Any October update will not have any Windows LAPS files.  You would need to install yesterday's updates to see the new Windows LAPS GPO templates.   

It will not be necessary to use the new Windows LAPS GPO templates in order to configure a device to backup passwords to Azure AD.  Most likely you would want to use the new Intune LAPS CSP support at that point.

Like @AlvaroFdezS  mentioned you can now find the LAPS.admx file in the PolicyDefinitions folder but how else can you verify that the new LAPS is installed.

Also like mentioned I think we need some better -How to- direction on migrating from the old to the new especially if you currently use  LAPS with default Administrator account.

@Chip_12 ,

>>Also like mentioned I think we need some better -How to- direction on migrating from the old to the new

>>especially if you currently use  LAPS with default Administrator account.

Yes - I have heard this feedback (need for migration guidance) loud and clear.   I will be adding content to the docs on this.

@Jay Simmons Installing yesterdays kb on our domain controller will update the admx files?

@Hypnotix 

>>Installing yesterdays kb on our domain controller will update the admx files?

Yes - the new LAPS admx files are now a base part of Windows, including on servers + domain controllers.

@Jay Simmons  , Jay, I pinged - via a message - with a capture in my installation....no .adml  resource file for LAPS, under %windir%\PolicyDefinition\*   after correctly installing the Apr Patch yesterday. Mine's is a spanish OS (Windows 2019), perhaps is thsi the problem?

@Jay Simmons Really appreciate the thorough response and yes I think you did answer everything and from what it sounds like will be a fairly simple implementation when Azure AD backup becomes available however there is one part that is a bit confusing - why do we need to extend the AD Schema if we're going to be using Azure AD as the backup target? Is this due to the fact that in a hybrid setup the computer accounts are synchronized from on-prem?

This is amazing

@Marc Laflamme 

>>however there is one part that is a bit confusing - why do we need to extend the AD Schema if we're going to be using Azure AD as the backup target?

>>Is this due to the fact that in a hybrid setup the computer accounts are synchronized from on-prem?

If your only functional goal is to backup passwords to Azure AD, then you do NOT need to extend your AD schema with the new Windows LAPS attributes.  Sorry if that was not clear all along - I think perhaps I've been so close to the design for so long that I forget these types of questions.   (I'm collecting a bunch of these questions and plan to add a FAQ page to the doc.)   

To be clear on your other point, there is no Windows LAPS dependency on any synchronization mechanism for hybrid (or any other) machines.  

@Jay Simmons ohh okay that's good to know. Just want to also make sure there's no dependency on Intune either, just Azure AD? For servers that we want to leverage this on (and cannot be managed by Intune), can we still back their passwords up to Azure? Or do we need to back them up to the local AD?

@Marc Laflamme ,

>>Just want to also make sure there's no dependency on Intune either, just Azure AD?

>>For servers that we want to leverage this on (and cannot be managed by Intune), can we still back their passwords up to Azure?

>>Or do we need to back them up to the local AD?

Correct, Windows LAPS does NOT have a hard dependency on Intune.   From the Windows LAPS client perspective, in order to backup passwords to Azure AD the device just needs to be AzureAD-joined, and the necessary Windows LAPS policy directives need to be deployed (if not via Intune, then via GPO or any other method).   

Note, I am not authoritative on which versions of Windows Server can be joined to Azure AD - but I've been told that scenario is getting more and more supported as time goes on.

@Jay Simmons This warning event in the new LAPS event viewer location is expected if we are using legacy LAPS with April's CU installed, correct? It's just saying that Windows (new LAPS) is not managing the changing of the password?

@Anthonymelwhrhs,

>>This warning event in the new LAPS event viewer location is expected if we are using legacy LAPS with April's CU installed, correct?

>>It's just saying that Windows (new LAPS) is not managing the changing of the password?

Your summary above is exactly correct.  Yes it's a warning event but there is no harm being caused - legacy LAPS is being left alone to do its thing, and Windows LAPS will wait in the wings until legacy LAPS is removed, OR until you configure the new Windows LAPS GPO settings (which would target the new Windows LAPS AD attributes).