Around three weeks ago, Microsoft announced the availability of Windows LAPS (Local Administrator Password Solution) capabilities via the month's Patch Tuesday. The feature is available on Windows 10, Windows 11, and also on servers. At the time, Microsoft didn't share much details on the new LAPS, though today, it has went in-depth and shared how Microsoft Intune can be used for local password management.
Atıl Gürcan, who is a Senior Program Manager, Microsoft 365 CxP (Customer Experience Platform), writes in a Tech Community blog post:
As you may have heard; Windows LAPS feature is released to Public Preview in the last week of April. It has support for two main scenarios for backing up local administrator password such as storing passwords in Azure AD and Windows Server AD. It also has interoperability with legacy LAPS solution. This article on the other hand; will focus on native cloud deployment for Windows 10/11 clients that does not have legacy LAPS client installed, managed through Intune and either Hybrid Azure AD Joined or Azure AD Joined.
In this blog post, I’ll walk you through basic policy configuration and core Windows LAPS functionalities such as accessing local administrator passwords from different consoles and manually triggering password rotation.
The walkthrough covers:
-
Enabling Azure AD Local Administrator Password Feature
-
Creating Local Admin Password Policy
-
Monitoring Policy Application
-
Accessing Local Admin Passwords
You can check the guide article on Microsoft's official website here.
In related news, Microsoft confirmed interoperability issues with legacy LAPS. When legacy LAPS (MSI package) is installed on machines with the latest Patch Tuesday updates installed, both legacy, as well as the new Windows LAPS, breaks. And as apromised, Microsoft announced that it fixed those issues with the latest Windows 11 non-security preview updates. The fix is available for both Windows 11 21H2 (KB5025298) as well as for Windows 11 22H2 (KB5025305).