Create an opt-in configuration option that tells the LAPS service to not use certain characters in LAPS-generated passwords, such as o, O, 0, l, 1, etc.
16 Comments
- JaySimmons
Microsoft
Status changed: Working on it to Completed
Please see the new PasswordComplexity=5 policy option. Now available in Windows 11 24H2 and Windows Server 2025.
- JaySimmons
Microsoft
Hi admin2315,
I think you are asking if the ability to configure the new Windows LAPS password complexity value (5) will be available in Intune. Assuming I'm correct, it looks like that ability is already there in Intune? Sample screen snippet below.
thx,
Jay
- admin2315
Copper Contributor
Hello, tell me please if a similar LAPS functionality is available/planned for Intune?
- Sebastian Pasch
Copper Contributor
Thanks so much JaySimmons - looks like changing complexity value from 4 to 5 is going to fix that for us in omitting the problematic characters to be used! That's great news!
- JaySimmons
Microsoft
Status changed: In the backlog to Working on it
- JaySimmons
Microsoft
Hi JasonLoosus (and others in this thread):
Please check out the new Windows LAPS "improved readability" password complexity feature (and other new features!) that dropped in today's 26040 Canary build:
Announcing Windows 11 Insider Preview Build 26040 (Canary Channel)
I am actively seeking feedback on all of these features - just let me know.
I realize that the new "improved readability" password complexity feature does not exactly match the requested feature (configurable ability to exclude certain characters). To keep things as simple as possible, I chose instead to implement an alternate "dictionary" setting which has all of the confusing characters removed. (Plus improving the password font as used in ADUC.)
Of course, you could also just switch to using passphrases which are even better IMO. 🙂
Jay
- Sebastian Pasch
Copper Contributor
thanks so much Jay,
I found one existing post there as well and replied to it - also linking back here:
- JaySimmons
Microsoft
Sebastian Pasch - I just now passed on your latest feedback to the Entra team. Otherwise the next best thing I can suggest is posting a request to fix the problem on the following Entra forum:
Microsoft Entra (Azure Active Directory) · Community
Hopefully the issue will get more visibility there. And please copy your post link back in this topic - maybe we can get a vigorous feedback loop going between the two forums :-).
thanks,
Jay
- Sebastian Pasch
Copper Contributor
Thanks JaySimmons!
Indeed we are using EntraID/Intune for LAPS - we are just rolling out LAPS across our environment and fully adopting the modern management approach.
If there is any way to push for the portal update, I'd be more than happy to demonstrate the business impact.
Thanks
Sebastian Pasch
- JaySimmons
Microsoft
Sebastian Pasch - yep I got it.
There are two improvements in the pipeline: a new password complexity setting that uses a slightly smaller dictionary which excludes the commonly confused characters (like L and I in your example).
In addition, the LAPS tab in ADUC has been tweaked to use a simpler font:
It looks from your screen snippet that you are retrieving a password from the Entra management portal. So the ADUC fix probably won't help you, but the simpler character dictionary should. The Entra team has also received similar feedback about the fonts used to display passwords in their portal.
Thanks for the feedback!
Jay