Welcome to the new and improved Windows LAPS! That’s Local Administrator Password Solution. We’ve been listening to your feedback and requests, and the day is finally here for both cloud and on-premises environments.
We’re very happy to announce that new LAPS capabilities are coming directly to your devices starting with today’s April 11, 2023 security update for the following Windows editions:
- Windows 11 Pro, EDU, and Enterprise
- Windows 10 Pro, EDU, and Enterprise
- Windows Server 2022 and Windows Server Core 2022
- Windows Server 2019
What is LAPS?
Have you ever wanted the ability to secure the local administrator accounts on your deployed Windows devices? Have you ever needed to recover a device and wished you could log in with a local administrator account? And what about doing these tasks on Azure Active Directory-joined machines?
You might already be familiar with the existing Microsoft security product known as Local Administrator Password Solution (LAPS). LAPS has been available on the Microsoft Download Center for many years. It is used to manage the password of a specified local administrator account by regularly rotating the password and backing it up to Active Directory (AD). LAPS has proven itself to be an essential and robust building block for AD enterprise security on premises. We’ll affectionately refer to this older LAPS product as “Legacy LAPS”.
The LAPS scenario in Azure AD, now part of Microsoft Entra, will shift from private to public preview later this quarter. Windows LAPS is a huge improvement over Legacy LAPS in virtually every area. Let’s talk about some of the exciting new capabilities that are included in this new Windows LAPS feature based on your feedback!
Natively integrated into Windows
The feature is ready to go out-of-the-box. You no longer need to install an external MSI package! Any future fixes or feature updates will be delivered via the normal Windows patching processes.
LAPS supports Azure Active Directory (in private preview)
Together with Azure AD, LAPS offers the following benefits for managing passwords in the cloud, currently in private preview:
- Retrieves stored passwords via Microsoft Graph.
- Creates two new Microsoft Graph permissions for retrieving only the password “metadata” (i.e., for security monitoring apps) or the sensitive cleartext password itself.
- Provides Azure role-based access control (Azure RBAC) policies for authoring authorization policies for password retrieval.
- Includes Azure management portal support for retrieving and rotating passwords.
- Helps you manage the feature via Intune!
- Automatically rotates the password after the account is used.
Keep an eye out on the Windows IT Pro Blog for the upcoming public preview announcement of these capabilities!
New capabilities for on-premises Active Directory scenarios
Here’s what you couldn’t previously do with Legacy LAPS, which is now available to you on premises:
- Password encryption: Greatly improves security for these sensitive secrets!
- Password history: Gives you the ability to log back into restored backup images.
- Directory Services Restore Mode (DSRM) password backups: Helps keep your domain controllers secure by rotating these critical recovery passwords on a regular basis!
- Emulation mode: Useful if you want to continue using the older LAPS policy settings and tools while preparing to migrate to the new features!
- Automatic rotation: Automatically rotate the password after the account is used.
New features for both Azure AD and on-premises AD scenarios
Take advantage of rich policy management, rotating the Windows LAPS account password in Intune, a dedicated event log, a new PowerShell module, and hybrid-joined support.
- Rich policy management is now available via both Group Policy and Configuration Service Provider (CSP):
  - Group Policy: %windir%/PolicyDefinitions/LAPS.admx
  - CSP: ./Device/Vendor/MSFT/LAPS
- Rotating the Windows LAPS account password on demand from the Intune portal is very useful when, for example, handling a possible breach issue.
- A dedicated event log is located under Applications and Services Logs > Microsoft > Windows > LAPS > Operational for improved diagnostics.
- The new PowerShell module includes improved management capabilities. For example, you can now rotate the password on demand using the new Reset-LapsPassword cmdlet!
- Hybrid-joined devices are fully supported.
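Added example, not part of the original announcement: one way to use the Reset-LapsPassword cmdlet and the dedicated event log together, rotating the password on demand and then reading the LAPS Operational log to confirm the result. It assumes an elevated PowerShell session on a device that already has a Windows LAPS policy applied; the variable names and the 5-second wait are illustrative choices.

```powershell
#Requires -RunAsAdministrator
# Added example: rotate the managed local administrator password on this
# device, then review what Windows LAPS logged about the rotation.

# Channel name of: Applications and Services Logs > Microsoft > Windows > LAPS > Operational
$logName   = 'Microsoft-Windows-LAPS/Operational'
$startTime = Get-Date   # only events written after this point are reviewed

try {
    # Rotates the password of the currently managed local administrator account.
    Reset-LapsPassword -ErrorAction Stop
}
catch {
    # Typical cause: no LAPS policy is applied to this device yet.
    Write-Warning "Reset-LapsPassword failed: $($_.Exception.Message)"
}

# Assumption: a short pause is enough for the events to be written.
Start-Sleep -Seconds 5

# Get-WinEvent raises an error when nothing matches, so suppress it and
# handle the empty result explicitly.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = $logName
    StartTime = $startTime
} -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Warning "No events in $logName since $startTime. Check that a LAPS policy is applied."
    return
}

# Show the rotation timeline, first line of each message only.
$events |
    Sort-Object TimeCreated |
    Select-Object TimeCreated, Id, LevelDisplayName,
        @{ Name = 'Summary'; Expression = { ($_.Message -split "`r?`n")[0] } } |
    Format-Table -AutoSize -Wrap

# Level 1 = Critical, 2 = Error, 3 = Warning.
$problems = $events | Where-Object { $_.Level -in 1, 2, 3 }
if ($problems) {
    Write-Warning "$(@($problems).Count) warning/error event(s) logged; rotation or backup may not have completed."
}
else {
    Write-Output 'No warnings or errors logged for this rotation.'
}
```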
How to use LAPS right now
We encourage you to start using the new Windows LAPS feature in your existing deployment with the April 11, 2023 update. You may consider getting started by leveraging the new emulation mode and then migrating over to the new features in a phased manner. Or you can just jump into the new features right away – we won’t mind! We’ll let you know when the LAPS scenario in Azure AD will shift from private to public preview later this quarter.
We do strongly recommend adopting the new features in order to take advantage of the new security improvements. Doing this will be much more secure for these sensitive passwords, especially when stored in Active Directory with encryption enabled, or in Azure AD.