How to work with the new Windows LAPS feature

What's new with the Windows LAPS feature?

Windows LAPS stores local administrator passwords in the Active Directory and Microsoft's cloud-based identity and access management platform Microsoft Entra ID, formerly known as Azure Active Directory. The previous version of LAPS only worked with Active Directory.

Not only does Windows LAPS protect these administrator account passwords, but it also safeguards enterprises from several types of security risks, including pass the hash attacks. Another improvement over the original Windows LAPS version is that the new version includes a fine-grained security model and supports Azure's Role Based Access Control.

Windows LAPS also debuted password encryption and password history. Organizations that use on-premises Active Directory need to run a Windows Server 2016 domain functional level or later to use the password encryption feature.

Also new in Windows LAPS is the ability to automate the management and storage of passwords for the Directory Services Restore Mode account on the domain controller.

What are the Windows LAPS limitations?

The original LAPS implementation released in 2016 was known as Microsoft LAPS, which Microsoft now refers to as legacy Microsoft LAPS. The current LAPS version is referred to as Windows LAPS. Windows LAPS and Microsoft LAPS cannot manage the same account on the same machine.

Most organizations simply replace the legacy LAPS version with Windows LAPS. Because there is a learning curve with Windows LAPS, Microsoft offers a Microsoft LAPS emulation mode to make Windows LAPS function like the legacy version.

Another option is to use both legacy Microsoft LAPS and Windows LAPS side by side until you are comfortable with the new version. To use both security features on the same machine would require creating a new local administrator account on managed devices with a different name for use with the Windows LAPS policies.

What are the Windows LAPS prerequisites?

Windows LAPS works on the following Windows operating systems that have the April 11, 2023, update or later installed:

• Windows 10.
• Windows 11 22H2.
• Windows Server 2019.
• Windows Server 2022.

Microsoft included the updated Windows LAPS feature through its Windows Updates to integrate it to the OS rather than a separate download.

How to deploy Windows LAPS

There are two options to deploy Windows LAPS. The first option is to use Intune to create a LAPS policy, which gets pushed out to managed Windows devices.

The other option is to push LAPS settings to managed devices via group policy, which is only appropriate when managing domain-joined Windows devices.

How to create the Intune policy for Windows LAPS

To manage Windows LAPS through Intune, start by opening the Microsoft Intune admin center and selecting the Endpoint security tab.

Click on Account protection, then the Create Policy link, shown in Figure 1. The interface will display a prompt to choose a platform and a profile. Set the platform to Windows 10 and later and then set the profile to Local Admin Password Solution (Windows LAPS).

When prompted, give the profile a name and click Next to move to the Configuration settings screen to specify the backup directory, password length and complexity requirements, and other relevant settings.

Click Next to apply a custom scope tag or use the default scope tag.

Click Next again, which opens the Assignments screen and select where to apply the policy.

Click Next to show the screen that displays a summary of the provided configuration options. Take a moment to review these settings. If everything looks good, then click the Create button to build the policy.

How to set up a group policy for Windows LAPS

You can use group policy settings to push Windows LAPS settings to domain-joined devices, but you first need to prepare the Active Directory. More specifically, you must extend the Active Directory schema to support Windows LAPS and then provide the necessary permissions.

It's a good idea to back up Active Directory to roll back the changes if necessary, because extending the Active Directory schema is permanent.

Next, open an elevated PowerShell session on your domain controller and then enter the following command:

Update-LapsADSchema

If an error appears about the command not being recognized, then check that the server has all available updates and confirm its role as a domain controller.

Next, grant the domain-joined computers permission to use Windows LAPS. The easiest way is to grant permission to the Computers container in Active Directory. The command syntax will vary depending on your Active Directory structure.

For the purposes of this tutorial, I created a single-domain forest called Poseylab.com. I ran the following PowerShell command to assign the necessary permissions to the default Computers container in this domain:
Set-LapsADComputerSelfPermission -Identity "CN=Computers,DC=poseylab,DC=com"

Next, configure group policy to push your Windows LAPS policy. Use the Group Policy Management Editor to find the LAPS-related group policy settings in the Computer Configuration > Policies > Administrative Templates > System > LAPS section.

Passwords for local administrator accounts are not going away anytime soon, so the updated Windows LAPS is Microsoft's attempt to make the best of a difficult security situation. This automated process improves the legacy Microsoft LAPS system so it would be worth your while to explore implementing it in your environment.