Microsoft began rolling out its Patch Tuesday updates yesterday for Windows 10 and Windows 11. One of the items mentioned in Windows 11's changelog was a new Windows Local Administrator Password Solution (LAPS). While Microsoft understandably didn't go into much detail regarding this capability in its changelog, it has published a dedicated blog post describing the change in detail.
For those unaware, prior to this update, LAPS was only available as an MSI package that could be manually downloaded from the Microsoft Download Center. It was primarily used by IT admins to secure local admin accounts across deployed Windows devices, recover devices by logging in with a local admin account, and manage identities across Azure Active Directory-joined machines, among many other things.
However, with the latest Patch Tuesday update rolled out yesterday, this variant of LAPS will now be referred to as "Legacy LAPS", as Microsoft has natively integrated the product directly into Windows. The Redmond tech giant says that this has been done due to "popular demand", and that the inbox solution is now available across the following Windows SKUs:
- Windows 11 Pro, EDU, and Enterprise
- Windows 10 Pro, EDU, and Enterprise
- Windows Server 2022 and Windows Server Core 2022
- Windows Server 2019
There are several new features in tow for Windows LAPS too; they are listed below:
- LAPS supports Azure Active Directory (in private preview currently, public preview coming soon)
  - Retrieves stored passwords via Microsoft Graph.
  - Creates two new Microsoft Graph permissions for retrieving only the password "metadata" (i.e., for security monitoring apps) or the sensitive cleartext password itself.
  - Provides Azure role-based access control (Azure RBAC) policies for authoring authorization policies for password retrieval.
  - Includes Azure management portal support for retrieving and rotating passwords.
  - Helps you manage the feature via Intune!
  - Automatically rotates the password after the account is used.
- New capabilities for on-premises Active Directory scenarios
  - Password encryption: Greatly improves security for these sensitive secrets!
  - Password history: Gives you the ability to log back into restored backup images.
  - Directory Services Restore Mode (DSRM) password backups: Helps keep your domain controllers secure by rotating these critical recovery passwords on a regular basis!
  - Emulation mode: Useful if you want to continue using the older LAPS policy settings and tools while preparing to migrate to the new features!
  - Automatic rotation: Automatically rotate the password after the account is used.
- New features for both Azure AD and on-premises AD scenarios
  - Rich policy management is now available via both Group Policy and Configuration Service Provider (CSP).
  - Rotating the Windows LAPS account password on demand from the Intune portal is very useful when, for example, handling a possible breach issue.
  - A dedicated event log, located under Applications and Services Logs > Microsoft > Windows > LAPS > Operational, provides improved diagnostics.
  - The new PowerShell module includes improved management capabilities. For example, you can now rotate the password on demand using the new Reset-LapsPassword cmdlet!
  - Hybrid-joined devices are fully supported.
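As an added example (not from the article or from Microsoft), the following PowerShell triage script ties together the new diagnostics log and the on-demand rotation described above: it confirms the inbox module is present, summarises recent LAPS events, and optionally rotates the managed local admin password when a breach is suspected. It assumes the operational channel is named `Microsoft-Windows-LAPS/Operational` and that the inbox module is named `LAPS`; neither name is given on the page.

```powershell
# Added example, not part of the article. Run elevated on a LAPS-managed client.
param(
    [int]$Hours = 24,
    [switch]$RotateNow   # use when handling a suspected compromise of the local admin account
)

# Assumption: channel name behind Event Viewer's Applications and Services Logs >
# Microsoft > Windows > LAPS > Operational path shown in the article.
$LogName = 'Microsoft-Windows-LAPS/Operational'

# 1. Confirm the inbox module is present (assumed module name 'LAPS'; legacy LAPS
#    ships the separate AdmPwd.PS module instead).
if (-not (Get-Module -ListAvailable -Name LAPS)) {
    throw 'Inbox Windows LAPS module not found; this device may not have the April update.'
}

# 2. Pull recent LAPS events and summarise them by event ID for diagnostics.
$since  = (Get-Date).AddHours(-$Hours)
$events = Get-WinEvent -FilterHashtable @{ LogName = $LogName; StartTime = $since } `
                       -ErrorAction SilentlyContinue

if ($events) {
    $events | Group-Object Id | Sort-Object Count -Descending |
        Select-Object @{ n = 'EventId'; e = { $_.Name } }, Count |
        Format-Table -AutoSize

    # Surface error-level entries (failed backups, policy problems) for follow-up.
    $events | Where-Object LevelDisplayName -eq 'Error' |
        Select-Object TimeCreated, Id, Message | Format-List
} else {
    Write-Warning "No LAPS events in the last $Hours hours; check that a LAPS policy (GPO or CSP) applies here."
}

# 3. On-demand rotation, the article's response to a possible breach: Reset-LapsPassword
#    rotates the managed local account immediately and backs the new password up
#    to the configured directory.
if ($RotateNow) {
    Reset-LapsPassword
    Write-Host 'Password rotated; confirm the new backup in the directory before closing the incident.'
}
```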
The good thing for IT admins is that both versions of LAPS can currently co-exist, but Microsoft has recommended not using both to configure the same account, as it may cause policy conflicts. You can start using the new LAPS right now on eligible deployments that have installed the April Patch Tuesday updates.