Many customers have asked me in passing when Windows LAPS will be supported for managed devices joined to an Entra AD Domain Services domain (formerly known as Azure AD Domain Services). All I can share for now is that the owning team is aware of this ask and it is in their backlog. Please up-vote this feature to add your support!   It would also be helpful if you are willing to PM me with your company name and the # of EADDS\AADDS devices that would be Windows LAPS-enabled once the support is available.   Overview of Microsoft Entra Domain Services - Microsoft Entra ID | Microsoft Learn   thanks, Jay ... View more

Please add support for passphrases on LAPS where we can use four words dash (-) separated. It makes supporting a device remotely way easier since the password cannot be copied and pasted over remote sessions on most cases. There is too much ambiguity on charactes like “lower case L” “capital case i” and “pipe” and others. Thanks ... View more

Many customers have asked for Windows LAPS to support a suitable replacement for the legacy LAPS UI (AdmPwd.UI.exe). Yes we have the new LAPS tab in ADUC but it seems many customers don't use ADUC that much, especially for helpdesk workers.  Also, ADUC does not have the ability to display password history (frankly there's just not enough UI real-estate left in that dialog).   I would really like to hear feedback from customers on what scenarios a new Windows LAPS UI should support. Off the top of my head, it should:   1. Support targeting of a specific forest 2. Support searching for a specific computer account by various name forms, or by object picker 3. Support setting of the password expiration timestamp 4. Support retrieving of both the current password and password history   A more exotic idea would be a "RDP Connect to device" button which would combine 1) pwd retrieval; 2) on-the-fly creation of an RDP shortcut with password; 3) launching the RDP client.     Looking forward to hearing other suggestions on this topic! :) ... View more

Currently LAPS by default act on built-in local administrator user. If you want to have a new one you have to crate using different method. I think the possibility to specify a custom administrator account and have Intune create it will be very helpfull. ... View more

Create an opt-in configuration option that tells the LAPS service to not use certain characters in LAPS-generated passwords, such as o, O, 0, l, 1, etc. ... View more

Would make things easier if Microsoft implement new Features for all supported OS Versions not only for the newest.    Windows Server 2012 Windows Server 2012 R2 Windows Server 2016 Windows 10 LTSC ... ... View more

Posting this myself since I've heard this feedback multiple times from customers.  Termination of individual processes is useful when OTS (over-the-shoulder) elevation scenarios are being used.  (OTS scenario is where the LAPS password is used to launch an individual app via rite-click->RunAsAdministrator.) ... View more

Hello,   Some customers do not really on ADUC anymore for AD operations, but on Active Directory Administrative Center (which replaced ADUC when released) and Windows Admin Center (Active Directory extension). It would be nice if Windows LAPS tabs where also available on these tools.   Regards, ... View more

Hello, I am looking for a feature similar to legacy LAPS that allows a separately defined user in the domain to access the reading of LAPS-assigned passwords. This feature is called "auditing mode" and is used in Legacy LAPS by my C# application to read out certain passwords from devices. I am now looking for a way to integrate this process into my programme for Windows LAPS through a specified domain user and C#. ... View more

Currently, in Entra's LAPS, you can filter reports by "Last password rotation" and "Next password rotation"  It would be beneficial to also have a LAPS filter for "Password Has Expired", enabling us to take a proactive approach in investigating instances where password rotations have not occurred on specific managed devices. ... View more

Hello, Windows LAPS requires Active Directory schema update to be fully functional - such updates are often quite difficult to implement on large environments, due the amount of operational risks and approvals tied to them. With LAPS now part of the operating system instead of being on a third-app level, it would make sense to add corresponding attributes and classes to default AD schema when building a new Active Directory. Maybe for Windows Server vNext, which will include several AD enhancements for the first time in many years ?   Regards,   ... View more

how can you carry the above transition swiftly? Currently, we have on-prem LAPS install however we want to move to the new  Windows Laps any ideas? ... View more

Hey,   i tested out the laps automatic mode from the latest canary build   first of all, thank you for your work   i would like to know if this feature will be extended to windows 10 or will this only be on windows 11?   sincerely ... View more

Hello Team, I'm having a issue with a device, LAPS is changing the administrator password every hour and login me off. this is happening since this week. ... View more

Some of our servers are non persistent and are created from a template each night. If the Password needs updating logic checked the local admin account's PasswordLastSet and AD msLAPS-PasswordExpirationTime, LAPS would work perfectly for us.  The password would update and stay in sync with the Win LAPS password. Yes, I know I could disable the local admin account through policy and choose not to use LAPS on the non-persistent servers, or add a script that clears the password last change date in AD on startup.   I would prefer not to have to keep separate GPOs to resolve this issue or custom hacks to resolve something that could just be built in. It could even be an optional setting in the LAPS GPO. Example: Check local admin account last password set: True.             ... View more

We have user device which reset LAPS password three times a week while the policy is set to reset every 365 days.    The current LAPS policy is configured as follows: Policy source: CSP Backup directory: Azure Active Directory Local administrator account name: local.adm Password age in days: 365 Password complexity: 3 Password length: 12 Post authentication grace period (hours): 24 Post authentication actions: 0x1   Password updates when Event log shows below.  The post-authentication grace period has expired per policy. The configured post-authentication actions will now be executed. Account name: Local.adm Account RID: 0x3E9   How can we fix this and stop resetting the password.  ... View more

Hi, To make Windows LAPS feature work on Hybrid Azure AD join - Co-managed Devices we have concluded on POC that we should switching the workload Endpoint protection of co-managed devices to Pilot or full intune? Is this a confirmed prerequisite for the implementation (because there is no written record on the MS forums) Thanks in advance. ... View more

We are currently using the following PAA option within the LAPS policy:   "Reset the password and reboot: upon expiry of the grace period, the managed account password will be reset and the managed device will be immediately rebooted."   When you login as the LAPS admin on the device the following event will be generated:   ############################## 10042 The post-authentication grace period has expired per policy. The configured post-authentication actions will now be executed. ##############################   When you now reboot the device manually before PAA execute LAPS will follow up with the following events:   ############################## 10047 A pending post-authentication reset timer has been rescheduled after a reboot.   10051 LAPS is updating the managed account password in response to a post-authentication action.   10030 LAPS is sending a message to the following endpoint.  https://enterpriseregistration.windows.net/XXXXXXX   10025 Azure discovery failed.   10005 LAPS policy processing failed with the error code below. Error code: 0x800706BA ##############################   This results in the LAPS password not being updated in AzureAD which means the password can be used again and again untill the 'next password rotation' kicks in which is makes this solution unsecure.   The Microsoft docs tells us the following for eventid 10025: https://learn.microsoft.com/en-us/troubleshoot/windows-server/windows-security/windows-laps-troubleshooting-guidance#event-id-10025 1) Verify that you can connect successfully to the registration endpoint (https://enterpriseregistration.windows.net). If you open Microsoft Edge or Google Chrome and connect to the registration endpoint (https://enterpriseregistration.windows.net), you get a message "Endpoint not found". This message means you can connect to the Enterprise Registration Endpoint. 2) If you're using a proxy server, verify that your proxy is configured under the system context. You can open an elevated command prompt and run the netsh winhttp show proxy command to display the proxy.   We've tested this and visting https://enterpriseregistration.windows.net gives us the expected response ("Endpoint not found").   Also 10 minutes after the 10025 event it starts the processing the LAPS policy again which it does succesfully, but does not update the password as part of the PAA:   ############################## 10016 The managed account password does not need to be updated at this time.   10004 LAPS policy processing succeeded. ##############################   This also shows there is no problem reaching https://enterpriseregistration.windows.net. We've tested this both on Windows 10 and Windows 11 with latest updates. ... View more

Bonjour :) We experience a problem with post-authentication action.  Windows LAPS detect when local admin logs on.  It also writes in the event log that the password needs to be changed after the delay (24 hours) Our workstations are turned off every night. A lot of them are connected with a VPN.  When the workstation starts in the morning, VPN is down. LAPS try to change the Admin password and failed because it's offline. When VPN is up, at the next LAPS cycle, it says the password doesn't need to be changed and the password is never changed.  Is there a way to fix that ?  ... View more