Windows LAPS now part of the OS; new password security features included

• Author
• Recent Posts

Wolfgang Sommergut

Wolfgang Sommergut has over 20 years of experience in IT journalism. He has also worked as a system administrator and as a tech consultant. Today he runs the German publication WindowsPro.de.

Latest posts by Wolfgang Sommergut (see all)

• Allow non-admins to access Remote Desktop - Thu, Sep 28 2023
• Which WSUS products to select for Windows 11? - Tue, Sep 26 2023
• Activate BitLocker with manage-bde, PowerShell, or WMI - Wed, Sep 20 2023

LAPS protects local admin accounts with randomly generated passwords and automatically changes them at regular intervals. It stores the passwords in Active Directory, and from there, authorized users can retrieve them. The tool is intended to prevent the use of the same admin password on all PCs.

Although Windows 11 already contained the new version of LAPS in preview 25145, admins did not find this tool in the GA release of either Windows 11 22H2 or Windows 10 22H2. Microsoft is now adding this with KB5025224 (Win11) and KB5025221 (Win10).

New functions

Compared to the LAPS version, which had to be downloaded separately, Windows LAPS adds some new features:

• Passwords stored in AD can be encrypted. In principle, they are protected by attribute permissions, but encryption increases their security in the case of an incorrectly configured ACL. The Enable password encryption group policy activates this feature.
• LAPS can now also manage the passwords of DSRM accounts. They are used for the Directory Service Restore Mode on each domain controller and act as break glass accounts. The prerequisite for this feature is to enable encryption. The group policy for this is called Enable password backup for DSRM accounts.
• The new group policy Configure size of encrypted password history allows you to specify how many passwords are kept in AD (maximum 12; this setting does not apply to passwords in plain text). The history comes in handy when restoring Windows from a backup or reverting to a VM snapshot.
• Automatic password reset with a configurable delay after a user logs in. This purpose is served by the Post-authentication actions setting.

Compatibility with Legacy LAPS

LAPS integration into the operating system offers several advantages:

• The Group Policy client-side extension no longer needs to be installed separately
• The ADMX template is already on board
• The LAPS PowerShell module is automatically available on every PC

However, you can enjoy the advantages of Windows LAPS only if the legacy LAPS is not already in use. If the legacy client-side extension and the corresponding registry entry are present on a PC, Windows LAPS automatically runs in emulation mode.

In this case, you cannot use any of the new features of Windows LAPS. Furthermore, you still have to use the old PowerShell cmdlets for LAPS management. In emulation mode, Windows LAPS also ignores any policies on a domain controller if they are from the old LAPS.

After installing the April update, you should not add the old LAPS to the system under any circumstances, because this might break both versions.

Migrating to Windows LAPS

If companies want to benefit from the new LAPS functions, they must remove the legacy version from the affected PCs. For storing passwords, LAPS always required extending the AD schema using the Update-AdmPwdADSchema cmdlet.

However, Windows LAPS no longer uses the ms-Mcs-AdmPwd and ms-Mcs-AdmPwdExpirationTime attributes for computer objects; it uses msLAPS-Password and msLAPS-Password¬ExpirationTime instead.

In addition, there are new attributes for the encrypted local and DSRM passwords, as well as the password history. Admins must therefore run the Update-LapsADSchema cmdlet, regardless of whether they have deployed legacy LAPS.

Management tools

The LAPS UI, with which you can display the passwords in Active Directory from a workstation, is no longer on board. It has now been replaced by a new tab for computer objects in AD Users and Computers.

Windows LAPS adds a separate tab for Active Directory users and computers

There, admins can read the password for the configured account and set an expiration date for the password. By the way, the old LAPS displayed only the password; you had to know the user name yourself.

Those who have retrieved passwords with an alternative application until now, for example, with the open source tool LAPS WebUI, still can use it in emulation mode. After switching to Windows LAPS, third-party tools will only work again after being updated.

PowerShell

The LAPS module for PowerShell includes cmdlets for all relevant tasks. Their names, as far as they exist at all in the old LAPS, have changed across the board. Microsoft provides the Get-LapsADPassword cmdlet to read passwords from AD.

Windows LAPS has a whole new set of PowerShell cmdlets

Permissions on AD attributes can be administered with Set-LapsADRead¬PasswordPermission, Set-LapsADReset¬PasswordPermission and Find-LapsAD¬ExtendedRights.

Group policy

The preferred tool for managing Windows LAPS is Group Policy. Windows installs laps.admx under %systemroot%\PolicyDefinitions for this purpose. If you use a Central Store for the administrative templates, you have to copy the new LAPS version there first.

Group policies for configuring Windows LAPS

The settings are now located under Computer Configuration => Policies => Administrative Templates => System => LAPS, while for the old version they are located under Computer Configuration => Policies => Administrative Templates => LAPS.

As mentioned above, the expanded functionality of Windows LAPS is reflected in several new settings.

Eventlog

Windows LAPS maintains its own log file under Application and Service Logs > Microsoft > Windows > LAPS > Operational.

Event log for Windows LAPS

If LAPS is running in emulation mode, then there is an entry with ID 10023. Microsoft's documentation provides an overview of the other codes.

Azure AD and Intune

Windows LAPS can use Azure Active Directory (AAD) as an alternative to a local AD to store passwords. In hybrid environments, the preferred directory is selected via the Configure password backup directory group policy.

Group policy for selecting the directory service

The current support for AAD is only available as a private preview and should be generally available in the next preview toward the end of the second quarter of 2023.

Microsoft also implements the settings that exist in Group Policy for Configuration Service Provider (CSP) at ./Device/Vendor/MSFT/LAPS. In this way, Windows LAPS can also be managed via MDM in Intune.

System requirements

To benefit from Windows LAPS, you need one of the following versions of the operating system:

• Windows 11 Pro, EDU, or Enterprise
• Windows 10 Pro, EDU, or Enterprise
• Windows Server 2022 and Windows Server Core 2022
• Windows Server 2019

It should also be noted that password encryption requires the Windows Server 2016 functional level for the AD domain.

As you can see from the list, Windows Server 2016 is not supported, although it still has several years of its lifecycle ahead.

Summary

Microsoft has long recommended using LAPS to secure local admin accounts. Until now, however, companies have had to download this tool separately and install the client components on each device.

Windows LAPS removes these hurdles by integrating all the required components into the operating system. These include the client-side extension for Group Policy, the ADMX template, and the PowerShell module.

For users of the previous LAPS, however, migration to the new version will involve some effort, as they will have to remove existing installations. In addition, they will have to extend the AD schema again since Windows LAPS requires new attributes.

Users of Windows Server 2016 will be left out.