What is the new Windows LAPS in the Cloud?
Windows LAPS is a new Microsoft feature that allows automatic management and backup of local administrator passwords on devices joined to Azure Active Directory or Windows Server Active Directory. This feature is designed to regularly rotate the password of a specified local administrator account and store the backup in Azure Active Directory or Active Directory for added security. Furthermore, the recent introduction of a cloud-based feature has made Windows LAPS management even more popular because it’s implemented in the cloud.
One of the primary distinctions between Windows LAPS and the legacy Microsoft LAPS is that Windows LAPS is an independent implementation that is integrated into the Windows operating system. Additionally, Windows LAPS offers several features that were not available in the previous version of Microsoft LAPS. These features include the ability to store password backups in Azure Active Directory, encrypt passwords in Windows Server Active Directory, and maintain password history. If you are familiar with Microsoft LAPS, you will find many similar features in Windows LAPS.
Windows LAPS benefits:
- You can use Windows LAPS to sign in to and recover devices that are otherwise inaccessible.
- Windows LAPS enhances security for remote help desk scenarios.
- Azure RBAC access support.
- Pass-the-hash protection.
- No need to install MSI file to get Windows LAPS.
When to use Windows LAPS?
- Backup the local administrator password to AAD or AD.
- Backup DSRM account.
- Rotate password for administrator accounts
Windows client requirements:
Windows LAPS has the following operating system requirements:
- Windows 11 22H2 – April 11 2023 Update
- Windows 11 21H2 – April 11 2023 Update
- Windows 10 – April 11 2023 Update
- Windows Server 2022 – April 11 2023 Update
- Windows Server 2019 – April 11 2023 Update
Exclaimer: Be careful I lost a lot of time when I was testing this feature just because I did not check my Windows version 🙂
How to deploy Windows LAPS for Azure Joined Devices via Intune?
Enable Azure AD Local Administrator Password Solution (LAPS).
Create Endpoint Security | Account Protection policy.
Choose a name for Endpoint security policy.
Configuration Settings (In this example, we only enable to backup the password to Azure AD and the maximum password age of the managed local administrator account).
But there are different options:
- Administrator Account Name: Â The name of the managed local administrator account (custom local administrator account not built in).
- Password Complexity: Password complexity of the managed local administrator account.
- Password Length: Password length of the managed local administrator account.
- Post Authentication Actions: The actions to take upon expiration of the configured grace period.
- Post Authentication Reset Delay: Amount of time (in hours) to wait after an authentication before executing the specified post-authentication actions.
Choose assignments to deploy.
Check the status report.
Check the password of local administrator account in Intune.
Manually rotate local admin password.
See Yaa in next blog posts 🙂