Security and Compliance
Windows LAPS Overview
Topics: Security and Compliance
Microsoft dropped some interesting new password tech on us earlier this year, and if you haven’t started looking at using this “new” technology, it’s time. In true Microsoft fashion, the “new” technology, Windows LAPS, is really just an improvement in an “old” technology, LAPS.
What is Microsoft LAPS? The Backstory
Microsoft LAPS, if you haven’t heard of it before or didn’t know what it meant, stands for the Microsoft Local Administrator Password Solution. It is a free technology that Microsoft has given away since 2015. LAPS provides the ability to randomize the password for the local Administrator account on Windows workstations and servers. Prior to this solution, many organizations were using one Administrator account with one password throughout their whole environment. This is obviously a problem, because once the account is compromised on one device it’s compromised everywhere.
In the Legacy version of LAPS, group policy controls the process and determines how often the password changes, how complex the password is, and then writes the password to Active Directory so that it can be read back when needed.
New and Improved: Windows LAPS
Windows LAPS (yes, the name changed from Microsoft LAPS to Windows LAPS) is the new password tech on the block. This new LAPS was described as LAPS “Beast Mode” at a presentation during MMSMOA in May of 2023. It earned this Beast mode moniker because it can expand beyond the original LAPS and includes the ability to keep a history of passwords, store passwords in an encrypted state, and add passwords to Azure Active Directory.
In addition, you no longer need additional software to retrieve passwords. You can instead see them directly in the computer information in Active Directory.
Feature Comparison
This new version of LAPS contains new features. Here’s a breakdown of current Legacy LAPS features and new Windows LAPS features.
| Legacy Microsoft LAPS | Modern Windows LAPS | |
| Ability to rotate Administrator Password | Yes | Yes |
| Ability to define username to rotate | Yes | Yes |
| Where is policy defined? | On-prem Group Policy | On-prem Group Policy, Azure Active Directory |
| Is additional software required? | LAPS Client is required to change passwords | Windows LAPS is built into Windows after April 2023 updates |
| How are passwords stored? | Plain Text | Plain Text, Encrypted |
| Is password history retained? | No | Yes, when passwords are encrypted and stored in Active Directory |
| How passwords are retrieved | LAPS retrieval tool, PowerShell, AD attribute | PowerShell, Active Directory Users and Computers |
Supported Windows Versions for Windows LAPS
Windows LAPS supports the Professional, EDU, and Enterprise versions of Windows 10 and 11, Windows Server and Server Core 2022, and Windows Server 2019. Your domain functional level must be at least Windows Server 2016 for password encryption.
Everything you need to configure Windows LAPS is in place following the April 2023 Windows updates including the Group Policy files, the client (now built into Windows), and the settings in Azure Active Directory.
Learn how to set up Windows LAPS with Microsoft Intune here.
Windows LAPS: Quick and Easy Security
LAPS has been the best way to protect local admin passwords for a long time, and the update provided by Windows LAPS improves it significantly. If you are not currently using LAPS, it’s time to take a serious look.
Additional LAPS Resources
Windows LAPS
Microsoft LAPS
