The Local Administrator Password Solution (LAPS) from Microsoft has been around since 2015 and I have always liked using it because it was quite easy to implement and manage. Unfortunately, Azure AD (Cloud Only) support was missing and LAPS could only be used with an on-premises Active Directory. Therefore, in a cloud only environment, you had to use alternatives such as the community solution CloudLAPS. Fortunately, Microsoft is working on a new LAPS solution with the name Windows LAPS that finally offers the long-awaited support for cloud-only devices.
This blog article presents the 10 most essential details about the new Windows LAPS solution.
- #1 Operating System Integration
- #2 Supported scenarios
- #3 Supported platforms
- #4 Architecture
- #5 New Features
- #6 Management & Configuration
- #7 Legacy Support
- #9 Release Date
- #10 Documentation, session and demos
#1 Operating System Integration
Windows LAPS will be directly integrated into Windows. No extra steps are required to install the feature. Therefore, it will no longer be necessary to distribute the LAPS MSI package.
#2 Supported scenarios
Windows LAPS will now support cloud-only devices and offer a cloud-based management experience. On-premises environments continue to be supported as well as hybrid-joined devices.
#3 Supported platforms
Windows LAPS is supported on desktop Windows, Windows Server, and Windows Server Core. Windows LAPS is expected to support Windows 11 only; it is possible that Windows 10 support will still be added, but Microsoft has not made a final decision. On the server side, Windows Server 2022 and Windows Server 2019 are expected to be supported, but nothing has been finally decided there either.
#4 Architecture
Windows LAPS is composed of three key binaries:
- laps.dll for core logic
- lapscsp.dll for configuration service provider (CSP) logic
- lapspsh.dll for PowerShell cmdlet logic
After the managed device is configured with a policy that enables Windows LAPS, the device begins to manage the configured local account password. When the password expires, the device generates a new, random password that’s compliant with the current policy’s length and complexity requirements.
When a new password is validated, the device stores the password in the configured directory, either:
- Windows Server Active Directory
  - Secured via access control lists (ACLs) and optionally via AES-256 password encryption.
  - The password can be retrieved either via the AD Users & Computers snap-in or PowerShell.
- Azure Active Directory
  - Secured via a role-based access control model. By default, only members of the Global Administrator, Cloud Device Administrator, and Intune Administrator roles can retrieve the password.
  - The password can be retrieved using PowerShell and Microsoft Graph.
The password is only stored in one directory at a time, never in both.
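The following PowerShell is an added example, not code from the original article or from Microsoft: it retrieves a Windows LAPS password from whichever directory the device backs up to, shows how the value is stored in AD (cleartext JSON versus the encrypted blob), and expires the password after use so the client rotates it. It assumes the built-in `LAPS` module cmdlets (`Get-LapsADPassword`, `Get-LapsAADPassword`, `Set-LapsADPasswordExpirationTime`), the RSAT `ActiveDirectory` module, an existing `Connect-MgGraph` session for the Azure AD path, and the attribute names `msLAPS-Password`, `msLAPS-EncryptedPassword` and `msLAPS-PasswordExpirationTime` together with the JSON layout of `msLAPS-Password`; the computer name `WKS-001` is a placeholder.

```powershell
# Added example (not from the original article or from Microsoft).
# Assumptions: LAPS module cmdlets as named below, RSAT ActiveDirectory module,
# an existing Connect-MgGraph session (scopes DeviceLocalCredential.Read.All,
# Device.Read.All) for the cloud path, and the msLAPS-* attribute names plus the
# msLAPS-Password JSON layout ({"n": account, "t": update time, "p": password}).
Import-Module LAPS

function Get-WindowsLapsSecret {
    param(
        [Parameter(Mandatory)] [string] $ComputerName,
        [string] $AzureAdDeviceId   # set only for Azure AD-joined devices
    )

    if ($AzureAdDeviceId) {
        # Cloud path: the password lives on the Azure AD device object and is
        # read through Microsoft Graph (RBAC, not ACLs, decides who may read it).
        return Get-LapsAADPassword -DeviceIds $AzureAdDeviceId -IncludePasswords -AsPlainText
    }

    # On-premises path. Source tells you whether the cleartext or the
    # AES-encrypted attribute was used; DecryptionStatus tells you whether the
    # caller was an authorized decryptor of the encrypted blob.
    $result = Get-LapsADPassword -Identity $ComputerName -IncludePasswords -AsPlainText
    if ($result.Source -like '*Encrypted*' -and $result.DecryptionStatus -ne 'Success') {
        Write-Warning "Password for $ComputerName is stored encrypted but could not be decrypted: $($result.DecryptionStatus)"
    }
    return $result
}

function Show-RawLapsAttributes {
    # Illustrates "account name stored side-by-side with password": unlike the
    # legacy ms-Mcs-AdmPwd attribute, msLAPS-Password holds a JSON document.
    param([Parameter(Mandatory)] [string] $ComputerName)

    $props = 'msLAPS-Password', 'msLAPS-EncryptedPassword', 'msLAPS-PasswordExpirationTime'
    $c = Get-ADComputer -Identity $ComputerName -Properties $props
    $expires = if ($c.'msLAPS-PasswordExpirationTime') {
        [DateTime]::FromFileTimeUtc([long]$c.'msLAPS-PasswordExpirationTime')
    }

    if ($c.'msLAPS-Password') {
        $blob = $c.'msLAPS-Password' | ConvertFrom-Json
        [pscustomobject]@{
            Account        = $blob.n
            StoredAs       = 'cleartext JSON (protected by ACLs only)'
            PasswordLength = $blob.p.Length
            ExpiresUtc     = $expires
        }
    } elseif ($c.'msLAPS-EncryptedPassword') {
        [pscustomobject]@{
            Account        = '(inside encrypted blob)'
            StoredAs       = 'AES-256 encrypted (WS2016 DFL feature)'
            PasswordLength = $null
            ExpiresUtc     = $expires
        }
    } else {
        Write-Warning "$ComputerName has no Windows LAPS password in AD; the device may back up to Azure AD instead (only one directory is used at a time)."
    }
}

# Usage: read the password, inspect how it is stored, then expire it so the
# device generates a fresh one on its next policy cycle.
$secret = Get-WindowsLapsSecret -ComputerName 'WKS-001'
$secret | Select-Object ComputerName, Account, PasswordUpdateTime, ExpirationTimestamp, Source, DecryptionStatus
Show-RawLapsAttributes -ComputerName 'WKS-001'
Set-LapsADPasswordExpirationTime -Identity 'WKS-001'   # expire now; rotation happens client-side
```

Expiring the password right after retrieval is the manual equivalent of the client-driven "automatic password reset on use" feature: the directory only records the expiration time, and it is the device that generates and writes the next password.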
#5 New Features
Windows LAPS offers several new features:
Windows LAPS for Azure Active Directory:
- Store passwords in Microsoft Azure (on the Azure AD device object)
- Cloud-based management experience
  - Passwords retrieved via Microsoft Graph
  - Settings configuration via Microsoft Intune
  - On-demand password rotation via Microsoft Intune
- Account name stored side-by-side with the password
- Automatic password reset on use (client-driven)
Windows LAPS for Windows Server Active Directory:
- New Group Policy object and AD schema attributes
- Automatic password reset on use (client-driven)
- Support for password encryption (requires the Windows Server 2016 domain functional level)
- Password history support for encrypted passwords
- Support for managing DSRM account passwords on domain controllers
- New PowerShell module
- New LAPS property page in the AD Users & Computers snap-in
#6 Management & Configuration
Depending on the scenario and environment, different management & configuration options are offered:
| Environment | Management & Configuration |
| --- | --- |
| Azure Active Directory-joined devices (cloud only) | Microsoft Intune (CSP) |
| Windows Server Active Directory-joined devices (on-premises) | Group Policy (GPO) |
| Hybrid Azure Active Directory-joined devices | Microsoft Intune (CSP) |
#7 Legacy Support
The Local Administrator Password Solution (LAPS) developed in 2015 will still be available and supported. Microsoft now calls the former solution legacy Microsoft LAPS.
Windows LAPS includes a legacy Microsoft LAPS emulation mode, which eases migration from the legacy solution to Windows LAPS.
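The following PowerShell is an added example, not code from the original article or from Microsoft, serving both the management section above (#6) and the legacy-support section (#7): it reports which policy source (CSP, GPO, local configuration, or legacy Microsoft LAPS policy) is present on a device, triggers a policy cycle, and reads the outcome from the LAPS operational event log. The registry paths for the four sources, the precedence order, the `BackupDirectory` value meanings (0 = disabled, 1 = Azure AD, 2 = Windows Server AD), the `Invoke-LapsPolicyProcessing` cmdlet and the `Microsoft-Windows-LAPS/Operational` log name are assumptions drawn from my reading of the documentation, not facts stated on the page; the local-configuration values written at the end are placeholders for a lab test.

```powershell
# Added example (not from the original article or from Microsoft).
# Assumptions: registry paths and precedence below, BackupDirectory semantics
# (0 disabled, 1 Azure AD, 2 Windows Server AD), Invoke-LapsPolicyProcessing,
# and the Microsoft-Windows-LAPS/Operational event log channel.
Import-Module LAPS

# Candidate policy sources, highest precedence first (assumed order).
$sources = [ordered]@{
    'CSP (Intune)'         = 'HKLM:\Software\Microsoft\Policies\LAPS'
    'GPO'                  = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\LAPS'
    'Local configuration'  = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\LAPS\Config'
    'Legacy LAPS (AdmPwd)' = 'HKLM:\Software\Policies\Microsoft Services\AdmPwd'
}

function Get-LapsPolicySource {
    # Returns one row per source that exists on this machine.
    foreach ($name in $sources.Keys) {
        $path = $sources[$name]
        if (-not (Test-Path $path)) { continue }
        $p = Get-ItemProperty -Path $path
        $backup = switch ($p.BackupDirectory) {
            0       { 'disabled' }
            1       { 'Azure AD' }
            2       { 'Windows Server AD' }
            default { '(not set: legacy policy has no BackupDirectory)' }
        }
        [pscustomobject]@{
            Source          = $name
            Path            = $path
            BackupDirectory = $backup
            PasswordAgeDays = $p.PasswordAgeDays
            PasswordLength  = $p.PasswordLength
            LegacyEnabled   = $p.AdmPwdEnabled   # only meaningful for the AdmPwd key
        }
    }
}

function Test-LegacyEmulationCandidate {
    # Heuristic, not an official check: only the legacy AdmPwd policy is present
    # and no Windows LAPS policy source is, which is the situation in which the
    # emulation mode mentioned above would apply.
    $found = @(Get-LapsPolicySource)
    $modern = $found | Where-Object Source -ne 'Legacy LAPS (AdmPwd)'
    $legacy = $found | Where-Object Source -eq 'Legacy LAPS (AdmPwd)'
    return ([bool]$legacy -and -not [bool]$modern)
}

function Set-LapsLocalTestConfig {
    # Lowest-precedence source; handy in a lab when no GPO/CSP policy exists.
    param([int] $BackupDirectory = 2, [int] $PasswordAgeDays = 30, [int] $PasswordLength = 20)
    $path = $sources['Local configuration']
    if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
    Set-ItemProperty -Path $path -Name BackupDirectory -Value $BackupDirectory -Type DWord
    Set-ItemProperty -Path $path -Name PasswordAgeDays -Value $PasswordAgeDays -Type DWord
    Set-ItemProperty -Path $path -Name PasswordLength  -Value $PasswordLength  -Type DWord
}

# Usage: see what applies, run a cycle, then read what the client actually did.
Get-LapsPolicySource | Format-Table -AutoSize
"Legacy emulation candidate: $(Test-LegacyEmulationCandidate)"

Invoke-LapsPolicyProcessing
Get-WinEvent -LogName 'Microsoft-Windows-LAPS/Operational' -MaxEvents 15 |
    Select-Object TimeCreated, Id, LevelDisplayName, Message |
    Format-Table -Wrap
```

Run it as an administrator. If a GPO or CSP source exists, the local configuration is overridden, so `Set-LapsLocalTestConfig` only changes behaviour on unmanaged lab machines; the event log is the authoritative place to confirm which backup directory the client used and whether the write succeeded.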
#9 Release Date
Windows LAPS currently is available only in Windows 11 Insider Preview Build 25145 and later. Support for the Windows LAPS Azure Active Directory scenario currently is limited to a small number of Windows Insider users.
Windows LAPS is expected to become generally available in Q1 2023.
#10 Documentation, session and demos
The following documentation, session and demos are already available:
Windows LAPS Preview Documentation:
Microsoft Technical Takeoff Session:
Managing local admin account passwords in AD and Azure AD
Windows LAPS Demos:
Modern LAPS: managing in both AD and Azure AD
LAPS: Domain joined scenario
LAPS: Domain controller scenario
LAPS: Legacy LAPS emulation scenario