With the cumulative update for April 2023, Microsoft delivers the Local Administrator Password Solution (LAPS) as a system component for the first time. The updated version uses different attributes in AD and introduces new PowerShell cmdlets. Admins must remove the legacy LAPS to benefit from the new features.

LAPS protects local admin accounts with randomly generated passwords and automatically changes them at regular intervals. It stores the passwords in Active Directory, and from there, authorized users can retrieve them. The tool is intended to prevent the use of the same admin password on all PCs.

Although Windows 11 already contained the new version of LAPS in preview 25145, admins did not find this tool in the GA release of either Windows 11 22H2 or Windows 10 22H2. Microsoft is now adding this with KB5025224 (Win11) and KB5025221 (Win10).

New functions

Compared to the LAPS version, which had to be downloaded separately, Windows LAPS adds some new features:

  • Passwords stored in AD can be encrypted. In principle, they are protected by attribute permissions, but encryption increases their security in the case of an incorrectly configured ACL. The Enable password encryption group policy activates this feature.
  • LAPS can now also manage the passwords of DSRM accounts. They are used for the Directory Service Restore Mode on each domain controller and act as break glass accounts. The prerequisite for this feature is to enable encryption. The group policy for this is called Enable password backup for DSRM accounts.
  • The new group policy Configure size of encrypted password history allows you to specify how many passwords are kept in AD (maximum 12; this setting does not apply to passwords in plain text). The history comes in handy when restoring Windows from a backup or reverting to a VM snapshot.
  • Automatic password reset with a configurable delay after a user logs in. This purpose is served by the Post-authentication actions setting.

Compatibility with Legacy LAPS

LAPS integration into the operating system offers several advantages:

  • The Group Policy client-side extension no longer needs to be installed separately
  • The ADMX template is already on board
  • The LAPS PowerShell module is automatically available on every PC

However, you can enjoy the advantages of Windows LAPS only if the legacy LAPS is not already in use. If the legacy client-side extension and the corresponding registry entry are present on a PC, Windows LAPS automatically runs in emulation mode.

In this case, you cannot use any of the new features of Windows LAPS. Furthermore, you still have to use the old PowerShell cmdlets for LAPS management. In emulation mode, Windows LAPS also ignores legacy LAPS policies on a domain controller.

After installing the April update, you should not add the old LAPS to the system under any circumstances, because this might break both versions.

Migrating to Windows LAPS

If companies want to benefit from the new LAPS functions, they must remove the legacy version from the affected PCs. For storing passwords, LAPS always required extending the AD schema using the Update-AdmPwdADSchema cmdlet.

However, Windows LAPS no longer uses the ms-Mcs-AdmPwd and ms-Mcs-AdmPwdExpirationTime attributes for computer objects; it uses msLAPS-Password and msLAPS-PasswordExpirationTime instead.

In addition, there are new attributes for the encrypted local and DSRM passwords, as well as the password history. Admins must therefore run the Update-LapsADSchema cmdlet, regardless of whether they have deployed legacy LAPS.

Management tools

The LAPS UI, with which you can display the passwords in Active Directory from a workstation, is no longer on board. It has now been replaced by a new tab for computer objects in AD Users and Computers.

Windows LAPS adds a separate tab for Active Directory users and computers

There, admins can read the password for the configured account and set an expiration date for the password. By the way, the old LAPS displayed only the password; you had to know the user name yourself.

Those who have retrieved passwords with an alternative application until now, for example, the open source tool LAPS WebUI, can still use it in emulation mode. After switching to Windows LAPS, third-party tools will only work again after being updated for the new attributes.

PowerShell

The LAPS module for PowerShell includes cmdlets for all relevant tasks. Where the old LAPS had equivalents at all, the cmdlet names have changed across the board. Microsoft provides the Get-LapsADPassword cmdlet to read passwords from AD.

Windows LAPS has a whole new set of PowerShell cmdlets

Permissions on AD attributes can be administered with Set-LapsADReadPasswordPermission, Set-LapsADResetPasswordPermission and Find-LapsADExtendedRights.
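The following script is an added example that is not part of the article; it walks through the migration steps described above (schema extension) together with the delegation and retrieval cmdlets of the new module. The OU distinguished name, the group names and the computer name are assumed placeholders; the cmdlets and parameters are those of the built-in LAPS module. Run it on a machine that has the LAPS module, as a member of Schema Admins for the schema step.

```powershell
# Added example, not from the article. Assumed values: the OU, the two
# delegation groups and the computer name WS01 are placeholders.
Import-Module LAPS

# 1. Extend the schema with the msLAPS-* attributes (once per forest,
#    required even if legacy LAPS had already extended the schema).
Update-LapsADSchema -Verbose

# 2. Allow computers in the OU to write their own msLAPS-* attributes.
$ou = 'OU=Workstations,DC=example,DC=com'   # assumed OU
Set-LapsADComputerSelfPermission -Identity $ou

# 3. Delegate read and reset rights to dedicated groups instead of
#    relying on the default ACL of the OU.
Set-LapsADReadPasswordPermission  -Identity $ou -AllowedPrincipals 'EXAMPLE\LAPS-Readers'
Set-LapsADResetPasswordPermission -Identity $ou -AllowedPrincipals 'EXAMPLE\LAPS-Admins'

# 4. Review who holds LAPS extended rights on the OU after delegation;
#    this is the check to run before enabling password encryption.
Find-LapsADExtendedRights -Identity $ou | Format-Table -AutoSize

# 5. Read the current password and, if encryption and history are
#    enabled, the stored history entries for one computer.
Get-LapsADPassword -Identity 'WS01' -AsPlainText -IncludeHistory |
    Select-Object ComputerName, Account, Password, ExpirationTimestamp, Source
```

Find-LapsADExtendedRights is worth running once before and once after the delegation calls: it lists every principal that can read the password attributes, which is exactly the set that password encryption is meant to protect against when the ACL has drifted.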

Group policy

The preferred tool for managing Windows LAPS is Group Policy. Windows installs laps.admx under %systemroot%\PolicyDefinitions for this purpose. If you use a Central Store for the administrative templates, you have to copy the new LAPS version there first.

Group policies for configuring Windows LAPS

The settings are now located under Computer Configuration => Policies => Administrative Templates => System => LAPS, while for the old version they are located under Computer Configuration => Policies => Administrative Templates => LAPS.
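As an added example (not code from the article), the snippet below performs the Central Store step described above and then shows on a client which policy location is actually in effect. The SYSVOL path is derived from the domain name; the registry locations for the Windows LAPS and legacy LAPS policies are taken from my own knowledge of the two products, not from the article, and are flagged as such in the comments.

```powershell
# Added example, not from the article.
# Copy the LAPS ADMX/ADML from a machine with the April 2023 update into the
# Central Store, then report which LAPS policy source a client has applied.
Import-Module ActiveDirectory

$domain  = (Get-ADDomain).DNSRoot
$central = "\\$domain\SYSVOL\$domain\Policies\PolicyDefinitions"
$local   = Join-Path $env:SystemRoot 'PolicyDefinitions'
$lang    = 'en-US'   # assumed language subfolder

if (-not (Test-Path (Join-Path $local 'LAPS.admx'))) {
    throw 'LAPS.admx not found locally; install the April 2023 cumulative update first.'
}
Copy-Item (Join-Path $local 'LAPS.admx')        -Destination $central -Force
Copy-Item (Join-Path $local "$lang\LAPS.adml")  -Destination (Join-Path $central $lang) -Force

# Verify the copy so GPMC will show the new "System > LAPS" node.
foreach ($f in @('LAPS.admx', "$lang\LAPS.adml")) {
    $p = Join-Path $central $f
    '{0,-40} {1}' -f $f, $(if (Test-Path $p) { 'present' } else { 'MISSING' })
}

# Which policy is a client actually honouring? Assumed (from product
# knowledge, not the article): Windows LAPS stores applied policy under
# HKLM:\SOFTWARE\Microsoft\Policies\LAPS, legacy LAPS under
# HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd.
$newPolicy    = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Policies\LAPS'            -ErrorAction SilentlyContinue
$legacyPolicy = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd' -ErrorAction SilentlyContinue
[pscustomobject]@{
    WindowsLapsPolicyApplied = [bool]$newPolicy
    LegacyLapsPolicyApplied  = [bool]$legacyPolicy
    BothPresent              = [bool]$newPolicy -and [bool]$legacyPolicy
}
```

If both policy keys are populated on a client that still carries the legacy client-side extension, the machine is the emulation-mode case described earlier, and the new settings will not take effect until the legacy installation is removed.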

As mentioned above, the expanded functionality of Windows LAPS is reflected in several new settings.

Eventlog

Windows LAPS maintains its own event log under Application and Service Logs > Microsoft > Windows > LAPS > Operational.

Event log for Windows LAPS

If LAPS is running in emulation mode, then there is an entry with ID 10023. Microsoft's documentation provides an overview of the other codes.
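The script below is an added example, not part of the article, covering both the compatibility section (is legacy LAPS still present on this PC?) and the event log section (has Windows LAPS reported emulation mode?). The article names neither the legacy CSE file nor the channel name, so both are assumptions: the legacy client-side extension is assumed to be AdmPwd.dll under %ProgramFiles%\LAPS\CSE, the legacy module AdmPwd.PS, and the event channel Microsoft-Windows-LAPS/Operational. Event ID 10023 is the emulation-mode event the article cites.

```powershell
# Added example, not from the article. Run on the client being checked.
function Test-LegacyLapsPresence {
    # Assumed locations of the legacy components (not stated in the article).
    $cseDll = Join-Path $env:ProgramFiles 'LAPS\CSE\AdmPwd.dll'
    $legacyModule = Get-Module -ListAvailable -Name AdmPwd.PS -ErrorAction SilentlyContinue
    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        LegacyCseDll      = Test-Path $cseDll
        LegacyPSModule    = [bool]$legacyModule
        WindowsLapsModule = [bool](Get-Module -ListAvailable -Name LAPS -ErrorAction SilentlyContinue)
    }
}

function Get-LapsEmulationEvents {
    param([int]$MaxEvents = 10)
    # Assumed channel name for "Microsoft > Windows > LAPS > Operational".
    $filter = @{ LogName = 'Microsoft-Windows-LAPS/Operational'; Id = 10023 }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

$state  = Test-LegacyLapsPresence
$events = @(Get-LapsEmulationEvents)

$state | Format-List
if ($events.Count -gt 0) {
    "Windows LAPS is running in emulation mode ($($events.Count) recent 10023 events):"
    $events | Format-Table -AutoSize
} elseif ($state.LegacyCseDll -or $state.LegacyPSModule) {
    'Legacy LAPS components found but no emulation-mode event yet; re-run after the next policy refresh.'
} else {
    'No legacy LAPS components found; new Windows LAPS features can be used.'
}
```

Running this across a fleet before switching over gives you the list of machines that still need the legacy LAPS uninstalled; the 10023 events are the authoritative signal, because they are written by Windows LAPS itself rather than inferred from files on disk.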

Azure AD and Intune

Windows LAPS can use Azure Active Directory (AAD) as an alternative to a local AD to store passwords. In hybrid environments, the preferred directory is selected via the Configure password backup directory group policy.

Group policy for selecting the directory service

The current support for AAD is only available as a private preview and should be generally available in the next preview toward the end of the second quarter of 2023.

Microsoft also exposes the settings that exist in Group Policy through a Configuration Service Provider (CSP) at ./Device/Vendor/MSFT/LAPS. In this way, Windows LAPS can also be managed via MDM in Intune.

System requirements

To benefit from Windows LAPS, you need one of the following versions of the operating system:

  • Windows 11 Pro, EDU, or Enterprise
  • Windows 10 Pro, EDU, or Enterprise
  • Windows Server 2022 and Windows Server Core 2022
  • Windows Server 2019

It should also be noted that password encryption requires the Windows Server 2016 functional level for the AD domain.

As you can see from the list, Windows Server 2016 is not supported, although it still has several years of its lifecycle ahead.

Summary

Microsoft has long recommended using LAPS to secure local admin accounts. Until now, however, companies have had to download this tool separately and install the client components on each device.

Windows LAPS removes these hurdles by integrating all the required components into the operating system. These include the client-side extension for Group Policy, the ADMX template, and the PowerShell module.

For users of the previous LAPS, however, migration to the new version will involve some effort, as they will have to remove existing installations. In addition, they will have to extend the AD schema again since Windows LAPS requires new attributes.

Users of Windows Server 2016 will be left out.

11 Comments
  1. Nizam 6 months ago

    This is great news. Can’t wait to implement, thanks!
  2. David 5 months ago

    What if you still have Server 2016 in your estate and want to implement this for everything else: Windows 10 and 11, Server 2019 and 2022?

  3. Jesse 5 months ago

    So if I am using Windows 2016 Server DC and Legacy LAPS, it should not break, correct? As long as I keep using Legacy LAPS.

  4. enkachu 5 months ago

    This update is just ingenious.

  5. Michael 5 months ago

    Still not seeing LAPS under “Administrative Templates\System” in my GPMC, but I am still seeing the legacy one under “Administrative Templates”.

  6. Michael 5 months ago

    Figured it out, this can be ignored. Would like to see an update to this article, however, and show how to set this up in Endpoint Manager\Intune.

    • Nizam 5 months ago

      I agree! That hopefully will be a much better implementation versus scripting that is currently giving me difficulty.

  7. Ben 3 months ago

    I am running a 2016 Domain Level forest with x1 2019 Domain Controller and x2 2016 Domain Controllers.

    I had to move the LAPS.admx and LAPS.adml files to the central repository, and now LAPS shows up in GPO under Admin Templates, but I am only seeing 4 GPO settings compared to the 10 options that you have. Any idea what I could be doing wrong? I made sure the DCs have the April update.

  8. David 3 months ago

    To Ben
    New update is not included with 2016 unfortunately.
    If you check via GPMC on the 2019 DC you should see all the options.

  9. Robert 2 months ago

    I currently have one 2022 DC and two 2016 DCs. We are going to replace those with 2022. My other servers (Exchange, File, Print) are all 2016. Do these need to be upgraded as well?

    Thanks.

© 4sysops 2006 - 2023