Security: The 10 most essential details about the new Windows LAPS solution

The Local Administrator Password Solution (LAPS) from Microsoft has been around since 2015 and I have always liked using it because it was quite easy to implement and manage. Unfortunately, Azure AD (cloud-only) support was missing, so LAPS could only be used with an on-premises Active Directory. In a cloud-only environment you therefore had to use alternatives such as the community solution CloudLAPS. Fortunately, Microsoft is working on a new solution named Windows LAPS that finally offers the long-awaited support for cloud-only devices.

This blog article presents the 10 most essential details about the new Windows LAPS solution.

  1. #1 Operating System Integration
  2. #2 Supported scenarios
  3. #3 Supported platforms
  4. #4 Architecture
  5. #5 New Features
  6. #6 Management & Configuration
  7. #7 Legacy Support
  8. #8 Migration
  9. #9 Release Date
  10. #10 Documentation, session and demos

#1 Operating System Integration

Windows LAPS is built directly into Windows. No extra steps are required to install the feature, so it is no longer necessary to distribute the LAPS MSI package (the client-side extension of the legacy solution).

#2 Supported scenarios

Windows LAPS will now support cloud-only devices and offer a cloud-based management experience. On-premises environments continue to be supported as well as hybrid-joined devices.

#3 Supported platforms

Windows LAPS is supported on desktop Windows, Windows Server, and Windows Server Core. On the client side, Windows LAPS is expected to support Windows 11 only. It is possible that Windows 10 support will still be added, but Microsoft has not yet made a final decision. As for the server platforms, Windows Server 2022 and Windows Server 2019 are expected to be supported, but nothing has been finally decided there either.

#4 Architecture

Windows LAPS is composed of 3 key binaries:

  1. laps.dll for core logic
  2. lapscsp.dll for configuration service provider (CSP) logic
  3. lapspsh.dll for PowerShell cmdlet logic

After the managed device is configured with a policy that enables Windows LAPS, the device begins to manage the configured local account password. When the password expires, the device generates a new, random password that’s compliant with the current policy’s length and complexity requirements.

When a new password is validated, the device stores the password in the configured directory, either:

  • Windows Server Active Directory
    • Secured via access control lists (ACLs) on the computer object's LAPS attributes and, optionally, via AES-256 password encryption, so that only authorized decryptors can read the stored password.
    • The password can be retrieved either via the Active Directory Users and Computers snap-in or via PowerShell.
  • Azure Active Directory
    • Secured via a role-based access control model. By default, only members of the Global Administrator, Cloud Device Administrator, and Intune Administrator roles can retrieve the password.
    • The password can be retrieved using PowerShell and Microsoft Graph.

The password is only stored in one directory at a time, not both.
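The following PowerShell helper is an added example, not code from the original post or from Microsoft. It retrieves a Windows LAPS password from whichever directory holds it, warns when an AD-stored password is not encrypted, and can expire the password immediately after use so the client rotates it at its next policy cycle. It assumes the Windows LAPS module (`LAPS`) is available on the admin host and, for the Azure AD path, that `Connect-MgGraph` has already been run; the Graph scope named in the usage line and the output property names are taken from the Windows LAPS module documentation and should be treated as assumptions for the preview build.

```powershell
# Added example (not from the original post): retrieve a Windows LAPS password from
# whichever directory holds it (AD or Azure AD; never both), then expire it after use.
# Assumptions: LAPS module present; caller holds the read rights described above;
# for Azure AD, Connect-MgGraph was already called with a scope that allows reading
# device local credentials (DeviceLocalCredential.Read.All is assumed here).
#Requires -Modules LAPS

function Get-LapsManagedPassword {
    [CmdletBinding(DefaultParameterSetName = 'AD')]
    param(
        # Computer name or distinguished name of an AD-joined device (password in Windows Server AD)
        [Parameter(Mandatory, ParameterSetName = 'AD')]
        [string]$Identity,

        # Azure AD device ID of a cloud-only or hybrid device (password in Azure AD)
        [Parameter(Mandatory, ParameterSetName = 'AAD')]
        [string]$DeviceId,

        # Mark the AD-stored password as expired after retrieval so the client rotates it
        [switch]$ExpireAfterUse
    )

    switch ($PSCmdlet.ParameterSetName) {
        'AD' {
            # -AsPlainText returns the password as a string instead of a SecureString
            $entry = Get-LapsADPassword -Identity $Identity -AsPlainText
            if (-not $entry) { throw "No Windows LAPS password found in AD for '$Identity'." }

            # Source tells whether AD holds the password encrypted or in clear text
            if ($entry.Source -eq 'CleartextPassword') {
                Write-Warning "Password for $($entry.ComputerName) is stored unencrypted in AD (ACL protection only); consider enabling password encryption (requires the WS2016 DFL)."
            }
            if ($entry.DecryptionStatus -and $entry.DecryptionStatus -ne 'Success') {
                throw "Password is stored encrypted but could not be decrypted ($($entry.DecryptionStatus)); check the authorized decryptor."
            }
            if ($ExpireAfterUse) {
                # Without -WhenEffective the expiration time is set to now; the device resets the
                # password during its next policy-processing cycle.
                Set-LapsADPasswordExpirationTime -Identity $Identity | Out-Null
            }
            return [pscustomobject]@{
                Device   = $entry.ComputerName
                Account  = $entry.Account
                Password = $entry.Password
                Expires  = $entry.ExpirationTimestamp
                Store    = 'Windows Server AD'
            }
        }
        'AAD' {
            # Passwords are only returned when -IncludePasswords is given
            $entry = Get-LapsAADPassword -DeviceIds $DeviceId -IncludePasswords -AsPlainText
            if (-not $entry) { throw "No Windows LAPS password found in Azure AD for device '$DeviceId'." }
            return [pscustomobject]@{
                Device   = $entry.DeviceName
                Account  = $entry.Account
                Password = $entry.Password
                Expires  = $entry.PasswordExpirationTime
                Store    = 'Azure AD'
            }
        }
    }
}

# Usage (placeholder names and IDs):
# Get-LapsManagedPassword -Identity 'WS01' -ExpireAfterUse
# Connect-MgGraph -Scopes 'Device.Read.All','DeviceLocalCredential.Read.All'
# Get-LapsManagedPassword -DeviceId '00000000-0000-0000-0000-000000000000'
```

Expiring the password right after it has been read is the server-side counterpart of the client-driven "reset on use" feature: it makes sure a password handed out to a help-desk engineer does not stay valid for the rest of its age window.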

#5 New Features

Windows LAPS offers several new features:

Windows LAPS for Azure Active Directory:

  • Store passwords in Microsoft Azure (on the Azure device object)
  • Cloud-based management experience
    • Passwords retrieved via Microsoft Graph
    • Settings configuration via Microsoft Intune
    • On-demand password rotation via Microsoft Intune
  • Automatic password reset on use (client-driven)

Windows LAPS for Windows Server Active Directory:

  • New Group Policy object and AD schema attributes
  • Account name stored side-by-side with the password
  • Automatic password reset on use (client-driven)
  • Support for password encryption (requires the Windows Server 2016 domain functional level)
  • Password history support for encrypted passwords
  • Support for managing DSRM account passwords on domain controllers
  • New PowerShell module
  • New LAPS property page in the Active Directory Users and Computers snap-in

[Table: New Windows LAPS features. Source: Microsoft]
[Screenshot: How to retrieve the password when connected to Microsoft Graph. Source: Microsoft]
[Screenshot: New LAPS property page in the Active Directory Users and Computers snap-in. Source: Microsoft]
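The on-premises features above (new schema attributes, new PowerShell module, password encryption that needs the Windows Server 2016 domain functional level) map onto a short preparation procedure. The script below is an added example and not part of the original post or of Microsoft's documentation; it uses the cmdlets of the Windows LAPS PowerShell module together with the ActiveDirectory module. The OU and group names are placeholders, and the script must run with rights to extend the schema and change OU permissions.

```powershell
# Added example (not from the original post): prepare an on-premises domain for Windows LAPS
# and report who can read local administrator passwords.
# Assumptions: run as a Schema Admin / Domain Admin on a host with the LAPS and
# ActiveDirectory modules; the OU and group below are placeholders.
#Requires -Modules LAPS, ActiveDirectory

function Test-LapsEncryptionPrerequisite {
    # Password encryption in AD requires the Windows Server 2016 domain functional level.
    $domain = Get-ADDomain
    $ws2016 = [Microsoft.ActiveDirectory.Management.ADDomainMode]::Windows2016Domain
    [pscustomobject]@{
        Domain            = $domain.DNSRoot
        DomainMode        = $domain.DomainMode
        EncryptionAllowed = ([int]$domain.DomainMode -ge [int]$ws2016)
    }
}

function Initialize-WindowsLapsDomain {
    param(
        # OU whose computer objects will be managed, e.g. 'OU=Workstations,DC=corp,DC=example'
        [Parameter(Mandatory)] [string]$ComputerOU,
        # Group that may read and expire the passwords, e.g. 'CORP\LAPS-Readers'
        [Parameter(Mandatory)] [string]$PasswordReaders,
        # Write a success audit entry for every read of the password attributes
        [switch]$EnableAuditing
    )

    # 1. Extend the schema with the new Windows LAPS attributes. Safe to re-run.
    Update-LapsADSchema

    # 2. Computers in the OU may write their own password attributes (SELF write only;
    #    a computer cannot read its own stored password back from AD).
    Set-LapsADComputerSelfPermission -Identity $ComputerOU | Out-Null

    # 3. Grant the reader group the right to read the password (Get-LapsADPassword) and
    #    to force a rotation by writing the expiration time (Set-LapsADPasswordExpirationTime).
    Set-LapsADReadPasswordPermission  -Identity $ComputerOU -AllowedPrincipals $PasswordReaders | Out-Null
    Set-LapsADResetPasswordPermission -Identity $ComputerOU -AllowedPrincipals $PasswordReaders | Out-Null

    # 4. Optionally add a SACL so that each password read shows up in the security log.
    if ($EnableAuditing) {
        Set-LapsADAuditing -Identity $ComputerOU -AuditedPrincipals 'Everyone' -AuditType Success | Out-Null
    }

    # 5. Report every principal holding extended rights on the OU. Anyone in this list can
    #    read local admin passwords, so it should be reviewed and kept minimal.
    Find-LapsADExtendedRights -Identity $ComputerOU
}

# Usage (placeholder names):
# Test-LapsEncryptionPrerequisite
# Initialize-WindowsLapsDomain -ComputerOU 'OU=Workstations,DC=corp,DC=example' -PasswordReaders 'CORP\LAPS-Readers' -EnableAuditing
```

The last step matters most from a security point of view: extended rights such as "All extended rights" granted to a group elsewhere in the tree are inherited by the computer objects and silently widen the set of people who can read the passwords.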

#6 Management & Configuration

Depending on the scenario and environment, different management & configuration options are offered:

  • Azure Active Directory-joined devices (cloud only): Microsoft Intune (LAPS CSP)
  • Windows Server Active Directory-joined devices (on-premises): Group Policy (GPO)
  • Hybrid Azure Active Directory-joined devices: Microsoft Intune (LAPS CSP)

[Table: Windows LAPS configuration options]
[Screenshot: Microsoft Intune configuration. Source: Microsoft]
[Screenshot: Group Policy configuration. Source: Microsoft]
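Whether the settings arrive via the Intune CSP or via a GPO, the client applies them from registry policy keys, which makes it possible to audit the effective policy on a device. The script below is an added example, not from the original post or from Microsoft: it locates the highest-precedence policy source, checks the values against the defaults and limits documented for the Windows LAPS settings, and flags weak choices. The three registry paths and the precedence order are taken from the Windows LAPS documentation and should be treated as an assumption to verify against the current docs; the two sample policies at the end are constructed so the checks can run offline on any machine.

```powershell
# Added example (not from the original post): audit the Windows LAPS policy a device applies.
# Registry paths and precedence (CSP > Group Policy > local configuration) are assumptions
# taken from the Windows LAPS documentation; verify them against the current docs.
$script:LapsPolicySources = [ordered]@{
    'CSP (Intune)'        = 'HKLM:\SOFTWARE\Microsoft\Policies\LAPS'
    'Group Policy'        = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\LAPS'
    'Local configuration' = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\LAPS\Config'
}

function Get-LapsEffectivePolicy {
    # Returns the first source (in precedence order) that defines BackupDirectory, with its values.
    foreach ($source in $script:LapsPolicySources.Keys) {
        $path = $script:LapsPolicySources[$source]
        if (-not (Test-Path $path)) { continue }
        $key = Get-ItemProperty -Path $path
        if ($null -eq $key.BackupDirectory) { continue }
        $settings = @{}
        foreach ($p in ($key.PSObject.Properties | Where-Object Name -notlike 'PS*')) {
            $settings[$p.Name] = $p.Value
        }
        return [pscustomobject]@{ Source = $source; Path = $path; Settings = $settings }
    }
    return $null
}

function Test-LapsPolicy {
    param([Parameter(Mandatory)][hashtable]$Settings)
    $findings = New-Object System.Collections.Generic.List[string]
    # Value from the policy, or the documented default when the value is absent
    $get = { param($name, $default) if ($Settings.ContainsKey($name)) { $Settings[$name] } else { $default } }

    $backup = & $get 'BackupDirectory' 0
    switch ($backup) {
        0       { $findings.Add('BackupDirectory=0: Windows LAPS is disabled, nothing is rotated or backed up.') }
        1       { }   # Azure AD
        2       { }   # Windows Server AD
        default { $findings.Add("BackupDirectory=$backup is not a valid value.") }
    }
    if ((& $get 'PasswordLength' 14) -lt 14) {
        $findings.Add('PasswordLength below 14 characters.')
    }
    if ((& $get 'PasswordComplexity' 4) -lt 4) {
        $findings.Add('PasswordComplexity below 4: password may lack one of upper, lower, digits, specials.')
    }
    if ((& $get 'PasswordAgeDays' 30) -gt 30) {
        $findings.Add('PasswordAgeDays greater than 30 days.')
    }
    if ((& $get 'PasswordExpirationProtectionEnabled' 1) -ne 1) {
        $findings.Add('PasswordExpirationProtectionEnabled is off: the expiry can be pushed beyond the policy maximum.')
    }
    if ((& $get 'PostAuthenticationResetDelay' 24) -eq 0) {
        $findings.Add('PostAuthenticationResetDelay=0: automatic password reset on use is disabled.')
    }
    if ($backup -eq 2 -and (& $get 'ADPasswordEncryptionEnabled' 1) -ne 1) {
        $findings.Add('ADPasswordEncryptionEnabled is off: the password in AD is protected by ACLs only.')
    }
    return $findings
}

# Constructed sample policies (not taken from a real device) to show the checks offline.
$weakPolicy = @{
    BackupDirectory = 2; PasswordLength = 8; PasswordComplexity = 2; PasswordAgeDays = 90
    PasswordExpirationProtectionEnabled = 0; PostAuthenticationResetDelay = 0; ADPasswordEncryptionEnabled = 0
}
$hardenedPolicy = @{
    BackupDirectory = 2; PasswordLength = 20; PasswordComplexity = 4; PasswordAgeDays = 30
    PasswordExpirationProtectionEnabled = 1; PostAuthenticationResetDelay = 4
    PostAuthenticationActions = 3; ADPasswordEncryptionEnabled = 1
}

'Weak policy findings:';     Test-LapsPolicy -Settings $weakPolicy
'Hardened policy findings:'; Test-LapsPolicy -Settings $hardenedPolicy   # expected: none

# Audit the live device if any policy source is present.
$live = Get-LapsEffectivePolicy
if ($live) { "Live policy from $($live.Source) ($($live.Path)):"; Test-LapsPolicy -Settings $live.Settings }
```

The weak sample trips every check; the hardened one produces no findings. Because the CSP key outranks the GPO key, a device that is hybrid-joined and receives a LAPS profile from Intune will ignore a conflicting GPO, which is worth knowing when a GPO-configured setting does not seem to take effect.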

#7 Legacy Support

The Local Administrator Password Solution (LAPS) released in 2015 will still be available and supported. Microsoft now calls the former solution "legacy Microsoft LAPS".

#8 Migration

Windows LAPS includes a legacy Microsoft LAPS emulation mode, which is intended to make migration to Windows LAPS straightforward: a device that still receives a legacy LAPS policy but no longer has the legacy client-side extension installed is managed by Windows LAPS using the legacy settings and attributes, so existing deployments keep working while they are moved over to the new policy.

#9 Release Date

Windows LAPS is currently available only in Windows 11 Insider Preview Build 25145 and later. Support for the Windows LAPS Azure Active Directory scenario is currently limited to a small number of Windows Insider users.

Windows LAPS is expected to become generally available in Q1 2023.

#10 Documentation, session and demos

The following documentation, session and demos are already available:

Windows LAPS Preview Documentation:
https://learn.microsoft.com/en-us/windows-server/identity/laps/laps-overview

Microsoft Technical Takeoff Session:
Managing local admin account passwords in AD and Azure AD

Windows LAPS Demos:
Modern LAPS: managing in both AD and Azure AD
LAPS: Domain joined scenario
LAPS: Domain controller scenario 
LAPS: Legacy LAPS emulation scenario
