José Luiz Schenardie
Copper Contributor
May 09, 2023
Status:
Completed

Passphrase Support

Please add support for passphrases on LAPS where we can use four words, dash (-) separated. It makes supporting a device remotely way easier, since the password cannot be copied and pasted over remote sessions in most cases. There is too much ambiguity on characters like "lower case L", "capital case i" and "pipe" and others. Thanks

10 Comments

  • Status changed: Working on it to Completed

    Passphrase support now available in Windows 11 24H2 and Windows Server 2025.

  • That would be great, Jay. As I said, a middle-term solution with low development impact.

    Thanks for considering. 🙂

  • To be fair, I am leaning more now towards José Luiz Schenardie's perspective. Currently considering a basic passphrase feature that is English-only with the terms (dictionary) hard-coded into Windows. No changes needed on Azure - AAD wouldn't care, to them it's just a string that the device sends.

    IMO that approach would meet a majority of customer needs in this space in the short term. Longer term, I can always add a super-fancy feature (localized, customizable, etc.) down the road if necessary.

    essig-admin
    Copper Contributor

    Oh yeah, that would be great, but I can also understand Jay's concerns and arguments.

  • I think we are overthinking here on all the possibilities of a version 5.0 of LAPS. As they say, let's not let the good become the enemy of the perfect. All the scenarios with custom and multi-language dictionaries and support for offline versions should indeed be considered, but I think adding a way of passphrase support (even if only English and only Azure AD supported) could be implemented soon and tested, instead of putting this feature request under an epic that might never see daylight.

    Thanks.

  • Thanks folks for raising this feedback item.

    In my opinion, a properly done passphrase feature is quite a large work item. Ideally the "dictionary" would be hosted in Azure, and yes, would also support multiple languages. I would also think that an offline dictionary would be required for those on-premises devices that don't have LOS to Azure (believe it or not, there are still such devices in the world). And many customers would likely want the ability to specify a custom dictionary, which would also be hosted in Azure, or maybe hosted in AD or on a sysvol share (in an encrypted format, fwiw). Lots of things to think about. This feature will likely not happen quickly - I am moving it to "Backlog" status.

    Jay

    mhartstein
    Copper Contributor

    I wonder where such a feature would pull its "dictionary" of possible words from and how that would work with different languages. If passphrases are not possible for these reasons, even something like a policy setting to exclude "lookalike" characters would be HUGE, since, like José said, that is a big pain point.
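The two ideas in this thread, the four-word dash-separated passphrase from the original request and the lookalike-character exclusion raised in this comment, as an added Python example; this is not LAPS code nor code from any poster here, the word list is a constructed sample, and the `LOOKALIKES` set is an assumed policy, not a Windows setting.

```python
import math
import secrets
import string

# Glyphs commonly misread when a password is read aloud or retyped over a
# remote session: lowercase L, capital i, pipe, zero, capital O, one.
LOOKALIKES = set("lI|0O1")

# Constructed sample word list (assumption: a real dictionary would be far
# larger; passphrase entropy grows with log2 of its size).
SAMPLE_WORDS = [
    "anchor", "basket", "copper", "dragon", "ember", "forest", "garden",
    "harbor", "island", "jungle", "kettle", "lantern", "meadow", "nectar",
    "orbit", "pepper", "quartz", "river", "summit", "timber", "velvet",
    "walnut", "yonder", "zephyr", "pillow", "cotton", "bridge", "silver",
]

def generate_passphrase(words, word_count=4, separator="-"):
    """Join word_count dictionary words with separator, drawn with a CSPRNG."""
    if len(words) < 2:
        raise ValueError("dictionary is too small")
    return separator.join(secrets.choice(words) for _ in range(word_count))

def passphrase_entropy_bits(dictionary_size, word_count=4):
    """Entropy of word_count words chosen uniformly, with replacement."""
    return word_count * math.log2(dictionary_size)

def words_needed(dictionary_size, target_bits):
    """Smallest word count whose passphrase entropy reaches target_bits."""
    return math.ceil(target_bits / math.log2(dictionary_size))

def is_well_formed(candidate, words, word_count=4, separator="-"):
    """True if candidate is exactly word_count dictionary words joined by separator."""
    parts = candidate.split(separator)
    return len(parts) == word_count and all(p in words for p in parts)

def lookalike_free_charset():
    """Printable ASCII with the confusable glyphs removed (the fallback policy)."""
    full = string.ascii_letters + string.digits + string.punctuation
    return "".join(c for c in full if c not in LOOKALIKES)

def generate_password(length=14, charset=None):
    """Random character password over a charset that excludes lookalikes."""
    charset = charset or lookalike_free_charset()
    return "".join(secrets.choice(charset) for _ in range(length))
```

With a 7776-word dictionary (Diceware-sized), `words_needed(7776, 51)` returns 4, i.e. four words give roughly 52 bits; the 28-word sample list above gives only about 19 bits for four words, which is why dictionary size matters more than word count.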