Table of Contents
- What is Windows LAPS
- Technical Requirements
- License requirements
- Do you need to Extend the AD Schema for Hybrid Scenario?
- Skill Requirements
- Custom local administrator account
- How to check Intune Version needed
- Legacy LAPS Interop issues with the April 11 2023 Update
- How to enable Windows LAPS with Azure AD (preview)
- What is Windows LAPS management through Microsoft Intune?
- How does it work
- Audit logs
What is Windows LAPS
Exciting News! New Built-in LAPS Client for Windows 11 and 10 and Windows Server 2019 and 2022!
Windows Local Administrator Password Solution (Windows LAPS) is a Windows feature that automatically manages and backs up the password of a local administrator account on your Azure Active Directory-joined or Windows Server Active Directory-joined devices.
You also can use Windows LAPS to automatically manage and back up the Directory Services Restore Mode (DSRM) account password on your Windows Server Active Directory domain controllers. An authorized administrator can retrieve the DSRM password and use it.
This is like the old “legacy” LAPS solution from Microsoft, but now built-in, not an .MSI installer you need to install on every device you will use LAPS on!
There is nice behind-the-scenes documentation about Windows LAPS here: Key concepts in Windows LAPS | Microsoft Learn
Benefits of using Windows LAPS
Use Windows LAPS to regularly rotate and manage local administrator account passwords and get these benefits:
- Protection against pass-the-hash and lateral-traversal attacks
- Improved security for remote help desk scenarios
- Ability to sign in to and recover devices that are otherwise inaccessible
- A fine-grained security model (access control lists and optional password encryption) for securing passwords that are stored in Windows Server Active Directory
- Support for the Azure role-based access control model for securing passwords that are stored in Azure Active Directory
Key Windows LAPS scenarios
You can use Windows LAPS for several primary scenarios:
- Back up local administrator account passwords to Azure Active Directory (for Azure Active Directory-joined devices)
- Back up local administrator account passwords to Windows Server Active Directory (for Windows Server Active Directory-joined clients and servers)
- Back up DSRM account passwords to Windows Server Active Directory (for Windows Server Active Directory domain controllers)
- Back up local administrator account passwords to Windows Server Active Directory by using legacy Microsoft LAPS
In each scenario, you can apply different policy settings.
License requirements
LAPS is available to all customers with Azure AD Free or higher licenses (yes, you read that right!).
Other related features like administrative units, custom roles, Conditional Access, and Intune have other licensing requirements like Azure AD Premium Plan 1.
But of course you need Microsoft Intune Plan 1 or higher to use Intune 😉
An overview of Microsoft 365 license packages with their features can be found at https://m365maps.com/.
Technical Requirements
Windows LAPS is now available on the following OS platforms with the specified update or later installed:
- Windows 11 22H2 – April 11 2023 Update
- Windows 11 21H2 – April 11 2023 Update
- Windows 10 – April 11 2023 Update
- Windows Server 2022 and Windows Server Core 2022 – April 11 2023 Update
- Windows Server 2019 – April 11 2023 Update
The Windows LAPS on-premises Active Directory scenarios are also fully supported as of the above updates – nice right?
A role with the microsoft.directory/deviceLocalCredentials/password/read permission is required to view the local administrator password. This permission is part of the following roles:
- Global Administrator
- Intune Administrator
- Cloud Device Administrator
Do you need to Extend the AD Schema for Hybrid Scenario?
Yes, you need to extend the AD schema for Hybrid scenarios. But if you are only looking to support Azure AD joined scenarios, then Schema extension is not needed.
Skill Requirements
Some experience with Azure AD, Intune and PowerShell
For all PowerShell Cmdlets, there is a nice overview here: Use Windows LAPS PowerShell cmdlets | Microsoft Learn
Custom local administrator account
If you configure Windows LAPS to manage a custom local administrator account, you must ensure that the account is created. Windows LAPS doesn’t create the account. It’s recommended that you use the Accounts CSP to create the account.
Microsoft has published a video that takes a look at the experiences available in Intune to manage Windows LAPS. For a demonstration of the admin experience described in this post, you can also watch this video: https://aka.ms/Intune/Windows-LAPS-video
How to check Intune Version needed
Windows LAPS is a feature that arrives in Intune Service Release 2304, the April 2023 update. To check which service release your tenant is on:
- Sign in to the Microsoft Intune admin center at https://intune.microsoft.com.
- Navigate to Tenant Administration and select Tenant Status.
In the Intune console, admins can configure a LAPS policy to choose which directory the local admin password is backed up to, and configure settings related to password complexity and the rotation schedule, targeted to devices in their environment.
You can monitor the success of policies assigned to devices using Intune’s default reports. Admins can also choose to manually rotate the local admin password on a given device outside of the scheduled rotation. With the right permissions, you can view the password itself and see when the last rotation happened and when the next one is set to happen.
Legacy LAPS Interop issues with the April 11 2023 Update
The April 11, 2023 update has two potential regressions related to interoperability with legacy LAPS scenarios. Please read the following to understand the scenario parameters plus possible workarounds.
Issue #1: If you install the legacy LAPS CSE on a device patched with the April 11, 2023 security update and an applied legacy LAPS policy, both Windows LAPS and legacy LAPS will enter a broken state where neither feature will update the password for the managed account. Symptoms include Windows LAPS event log IDs 10031 and 10033, as well as legacy LAPS event ID 6. Microsoft is working on a fix for this issue.
Two primary workarounds exist for the above issue:
a. Uninstall the legacy LAPS CSE (result: Windows LAPS will take over management of the managed account)
b. Disable legacy LAPS emulation mode (result: legacy LAPS will take over management of the managed account)
Issue #2: If you apply a legacy LAPS policy to a device patched with the April 11, 2023 update, Windows LAPS will immediately enforce/honor the legacy LAPS policy, which may be disruptive (for example if done during an OS deployment workflow). Disabling legacy LAPS emulation mode may also be used to prevent those issues.
How to enable Windows LAPS with Azure AD (preview)
To enable Windows LAPS with Azure AD, you must take actions in Azure AD and the devices you wish to manage. I recommend organizations to manage Windows LAPS using Microsoft Intune. However, if your devices are Azure AD joined but you’re not using Microsoft Intune or Microsoft Intune isn’t supported (like for Windows Server 2019/2022), you can still deploy Windows LAPS for Azure AD manually. For more information, see the article Configure Windows LAPS policy settings.
Note: You may not have to do this once the product is out of Public Preview.
- Sign in to the Azure portal as a Cloud Device Administrator.
- Browse to Azure Active Directory > Devices > Device settings
- Select Yes for the Enable Local Administrator Password Solution (LAPS) setting and select Save (default is “No“).
You may also use the Microsoft Graph API Update deviceRegistrationPolicy.
- Configure a client-side policy and set the BackUpDirectory to be Azure AD.
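As an added example (not from the original post or from Microsoft), here is how the client-side policy in the last step can be set from PowerShell on an Azure AD joined server that Intune does not manage. It assumes the Windows LAPS local configuration registry key and value names documented by Microsoft; the numeric values are example choices for this demo.

```powershell
# Added example: local Windows LAPS configuration on an Azure AD joined device
# without Intune. Windows LAPS reads this key when no CSP or GPO policy is present
# (precedence is MDM > GPO > Local > Legacy). Run in an elevated PowerShell session.
$lapsConfig = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\LAPS\Config'
if (-not (Test-Path $lapsConfig)) {
    New-Item -Path $lapsConfig -Force | Out-Null
}

# Example values (assumed for this demo); these are the same settings the Intune template exposes.
$settings = [ordered]@{
    BackupDirectory              = 1    # 0 = disabled, 1 = Azure AD, 2 = Windows Server AD
    PasswordLength               = 20   # 8..64, default 14
    PasswordComplexity           = 4    # 4 = upper + lower + digits + special characters
    PasswordAgeDays              = 30   # rotation interval in days
    PostAuthenticationResetDelay = 8    # hours after a logon before the action below runs (default 24)
    PostAuthenticationActions    = 3    # 3 = reset the password and log off the managed account
}
foreach ($name in $settings.Keys) {
    Set-ItemProperty -Path $lapsConfig -Name $name -Value $settings[$name] -Type DWord
}

# Only if you manage a custom account: it must already exist, Windows LAPS does not create it.
# Set-ItemProperty -Path $lapsConfig -Name AdministratorAccountName -Value 'LocalAdmin' -Type String

# Apply the policy now rather than waiting for the next background cycle,
# then read back the effective values as a sanity check.
Invoke-LapsPolicyProcessing
Get-ItemProperty -Path $lapsConfig |
    Select-Object BackupDirectory, PasswordLength, PasswordAgeDays, PostAuthenticationActions
```

The device must be Azure AD joined and the tenant-level Enable LAPS setting from the steps above must be Yes before the first backup succeeds. An Intune or Group Policy LAPS policy on the same device overrides these local values.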
What is Windows LAPS management through Microsoft Intune?
How does it work
Managing Windows LAPS policies with Intune
Admins can configure Windows LAPS settings and policies through the dedicated policy template found in the Microsoft Intune admin center > Endpoint security > Account protection > Windows 10 and Later > Local admin password solution (Windows LAPS) (preview). From there, settings taken from the LAPS configuration service provider (CSP) are available for configuration.
Admins can choose which directory to back up the local administrator password to (Azure AD or on-prem Active Directory), which dictates the available configuration settings. Admins can also configure settings related to password complexity and length, as well as specify the admin account name and the behavior for post-authentication actions.
Here is a screenshot of the Create profile, configuration settings for Windows LAPS when selecting Azure AD as the backup directory on the Endpoint security page.
A screenshot of the Create profile, configuration settings for Windows LAPS when selecting Active Directory as the backup directory on the Endpoint security page.
Once complete, admins can target the policy to their Azure AD groups or devices and view the success or errors through Intune’s policy reporting experience. Permissions to create or manage the Windows LAPS policy follow suit with the Security baseline permissions that are applicable to all policy templates in Endpoint security.
Below I will review the different configuration options that are available. Microsoft also maintains documentation for all settings here.
Backup Directory: Allows you to backup the Local Administrator password to Azure Active Directory or Active Directory.
Administrator Account Name: If configured, the specified account’s password will be managed via the policy. If not specified, the default built-in local administrator account will be located by well-known SID (even if it has been renamed). Note that the built-in Administrator account is disabled by default on AAD joined devices!
Note: if a custom managed local administrator account name is specified in this setting, that account must be created via other means. Specifying a name in this setting will not cause the account to be created.
Password Complexity: Allows an IT admin to configure password complexity of the managed local administrator account.
Password Length: Configure the length of the password. By default the value is 14, the minimum value is 8 and maximum value is 64.
Post Authentication Actions: This setting specifies what LAPS should do with the account after a successful authentication. By default it will log off the managed account and reset the password.
Post Authentication Reset Delay: How long it will wait until it performs the Post Authentication Action that we specified above. Default is 24 hours.
NOTE: if you’re choosing between different types of policies, the more restrictive one will take precedence over others. Specifically, the order of precedence is MDM > GPO > Local > Legacy LAPS.
Viewing the local admin password for a specific device
Admins can select a specific device under Devices > All devices and have the option to view the local admin password for the selected device. They can select the option under Monitor > Local admin password, which will surface the same information also available through the Azure portal. With the right permissions, admins can view the metadata related to the device’s password schedule (last rotation, next rotation, account name) and retrieve the current local admin password by selecting the Show button.
If admins don’t have the correct permissions, they won’t be able to view the relevant information. This information is controlled by the deviceLocalCredentials.Read.All permissions that are specific to Global Admin, Cloud Device Admin, and Intune Admin, which only allows them to recover the Windows LAPS password – so if you don’t have one of these roles, you cannot get the password.
Using device actions to rotate a local admin password
If an admin wishes to rotate the local admin password outside of the schedule rotation interval, they can leverage the Intune device action framework. By selecting a supported device, the option to Rotate local admin password is available and can be initiated. This will trigger a device action, which then shows the status to the admin on the Device page. Once complete, the rotation timestamp will be updated, and the new password will be available.
This is only applicable to devices that have Windows LAPS policies targeted to them and have the backup directory set to Active Directory or Azure AD. If not supported on the device, this will return as an error.
This capability is controlled by the new Remote tasks > Rotate local admin password permission found through Intune tenant administration.
Audit logs
Admins can use Azure AD audit logs to view auditing events related to managing the local admin password.
To view audit events, you can browse to Azure Active Directory > Devices > Audit logs, then use the Activity filter and search for Update device local administrator password or Recover device local administrator password to view the audit events.
See Audit logs in Azure Active Directory to learn more.
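As an added example (not part of the original post), the two audit activities named above can also be pulled from Azure AD through Microsoft Graph PowerShell, so that password retrievals can be reviewed regularly or forwarded to a SIEM. It assumes the Microsoft.Graph module is installed and the signed-in account holds a role that may read audit logs; the 7-day window is an example choice.

```powershell
# Added example: list Windows LAPS audit events from Azure AD via Microsoft Graph.
# The activity names are the same two shown in the Azure portal Activity filter.
Connect-MgGraph -Scopes 'AuditLog.Read.All', 'Directory.Read.All' | Out-Null

$activities = 'Update device local administrator password',
              'Recover device local administrator password'
$since = (Get-Date).AddDays(-7).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')

$rows = foreach ($activity in $activities) {
    $filter = "activityDisplayName eq '$activity' and activityDateTime ge $since"
    Get-MgAuditLogDirectoryAudit -Filter $filter -All | ForEach-Object {
        [pscustomobject]@{
            Time     = $_.ActivityDateTime
            Activity = $_.ActivityDisplayName
            # InitiatedBy.User is null when the actor was not a user (e.g. the device updating its own password).
            Actor    = $_.InitiatedBy.User.UserPrincipalName
            Device   = ($_.TargetResources | Select-Object -First 1).DisplayName
            Result   = $_.Result
        }
    }
}

# Retrievals are the security-relevant events: after each one, a person knows a local admin password.
$rows | Where-Object Activity -like 'Recover*' | Sort-Object Time -Descending | Format-Table -AutoSize

# Rotations ('Update') show whether devices actually back up on schedule.
$rows | Where-Object Activity -like 'Update*' | Group-Object Device |
    Select-Object Name, Count | Sort-Object Count
```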
For troubleshooting, there is a nice overview of event IDs and other tips here: Windows LAPS troubleshooting guidance – Windows Server | Microsoft Learn
Event viewer on device
Windows LAPS activities are stored in the Event Viewer of the device.
Open Event Viewer > Application and Services Logs > Microsoft > Windows > LAPS to track the activities.
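As an added example (not from the original post), the same LAPS log can be read from PowerShell, which makes it easy to check a fleet for the legacy LAPS interop symptoms described earlier (Windows LAPS event IDs 10031 and 10033). The legacy CSE file path is an assumption based on the default install location of the legacy LAPS client.

```powershell
# Added example: summarize recent Windows LAPS operational events and flag the
# legacy LAPS interop symptoms (event IDs 10031 and 10033) from the post above.
# Run in an elevated session on the device being checked.
function Get-LapsEventSummary {
    param([int]$Hours = 24)

    $events = @(Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-LAPS/Operational'   # Event Viewer: Microsoft > Windows > LAPS
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue)

    $interopIds = 10031, 10033
    $symptoms   = @($events | Where-Object { $_.Id -in $interopIds })

    # Path assumed: default install location of the legacy LAPS client-side extension.
    $legacyCse = Join-Path $env:ProgramFiles 'LAPS\CSE\AdmPwd.dll'

    [pscustomobject]@{
        WindowHours      = $Hours
        EventsInWindow   = $events.Count
        ErrorEvents      = @($events | Where-Object { $_.Level -eq 2 }).Count   # level 2 = Error
        InteropSymptoms  = $symptoms.Count
        LegacyCsePresent = Test-Path $legacyCse
        SymptomDetails   = $symptoms | Select-Object TimeCreated, Id, Message
    }
}

$summary = Get-LapsEventSummary -Hours 72
$summary | Select-Object WindowHours, EventsInWindow, ErrorEvents, InteropSymptoms, LegacyCsePresent
if ($summary.InteropSymptoms -gt 0 -and $summary.LegacyCsePresent) {
    Write-Warning 'Windows LAPS and the legacy LAPS CSE are both active on this device; apply one of the interop workarounds.'
    $summary.SymptomDetails | Format-List
}
```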
I think this is super nice, and finally built into Windows! There are some new smart features too, so test it out!
A post about Windows LAPS (on-prem setup) is coming soon! 🔐
Thank you for taking the time to visit my blog. Kindly share it with others if you find it helpful for them! 😉🔐👍
Stay tuned for the new post about something cool! 🥳