Microsoft started rolling out its Patch Tuesday updates for Windows 10 and Windows 11 yesterday. One of the items mentioned in Windows 11’s changelog was the new Windows Local Administrator Password Solution (LAPS). While Microsoft doesn’t understandably go into much detail about this capability in its changelog, it has published one. Dedicated blog post Describe the change in detail.
For those unfamiliar, prior to today, LAPs were only available as an MSI package that could be manually downloaded from the Microsoft Download Center. It is primarily used to secure local admin accounts in Windows devices deployed by IT admins, recover devices by logging in with a local admin account, and many other things, as well as in machines connected to Azure Active Directory. Used to manage identity.
However, with the latest Patch Tuesday update yesterday, this type of LAPS will now be called “Legacy LAPS” because Microsoft has natively integrated the product directly into Windows. The Redmond tech giant says this is due to “popular demand”, and that the inbox solution is now available on the following Windows SKUs:
- Windows 11 Pro, EDU, and Enterprise
- Windows 10 Pro, EDU, and Enterprise
- Windows Server 2022 and Windows Server Core 2022
- Windows Server 2019
There are also several new features for Windows LAPS, they are listed below:
- LAPS supports Azure Active Directory (currently in private preview, public preview coming soon)
Recovers passwords stored by Microsoft Graph.
Microsoft creates two new Graph permissions to retrieve only password “metadata” (ie for security monitoring apps) or the sensitive cleartext password itself.
Azure Role-Based Access Control (Azure RBAC) provides policies for granting authorization policies for password recovery.
Includes Azure Management Portal support for retrieving and rotating passwords.
Helps you manage features through Intune!
Account automatically rotates password after use.
- New capabilities for on-premises Active Directory scenarios.
Password encryption: greatly improves security for those sensitive secrets!
Password History: Gives you the ability to log back into restored backup images.
Directory Services Restore Mode (DSRM) Password Backup: Helps protect your domain controllers by rotating these critical recovery passwords on a regular basis!
Emulation Mode: Useful if you want to continue using old LAPS policy settings and tools while preparing to migrate to new features!
Auto-Rotate: Automatically rotate passwords after the account is used.
- New features for both Azure AD and on-premises AD scenarios
Rich policy management is now available through both Group Policy and Configuration Service Provider (CSP).
Rotating Windows LAPS account passwords on demand in the Intune portal is very useful when, for example, dealing with a potential breach issue.
The dedicated event log is located under Applications and Services. See Logs > Microsoft > Windows > LAPS > Operational for a better diagnosis.
The new PowerShell module includes improved management capabilities. For example, you can now rotate passwords on demand using the new Reset-LapsPassword cmdlet!
Hybrid joined devices are fully supported.
The good thing for IT admins is that both versions of LAPS currently coexist, but Microsoft recommends not using both to configure the same account because it can create policy conflicts. You can start using the new LAPS on eligible deployments that have just installed the April Patch Tuesday updates.
