
New LAPS for Windows 11 24H2

Windows LAPS automatically manages and backs up the password of a local administrator account on devices joined to Microsoft Entra ID (formerly Azure AD) or Windows Server Active Directory. This feature helps protect against pass-the-hash and lateral-traversal attacks, enhances security for remote help desk scenarios, and facilitates device recovery if they become inaccessible.

As many of you know, LAPS for Entra joined devices was announced around 2023 and has worked well since then on Entra joined, hybrid joined, and on-premises AD joined devices. One of the big challenges we all know is that the first version (if I can call it that) of LAPS did not let you create a new custom admin account or rename the existing admin account, so we had to use custom configuration or scripts for that.

Microsoft announced the new LAPS about 3 weeks ago via Arnab Mitra, Sr. Program Manager at Microsoft, and it was a great announcement. Let us go ahead and configure it together, and also discuss the settings:

You need to create a policy. I am not going to go into the details here because most of you are already using LAPS v1. In Intune, go to Endpoint Security > Account Protection > Create Policy:

Platform: Windows

Profile: Local admin password solution (Windows LAPS)

Then name the policy, and let us move on to the settings.

Backup Directory: You can choose Disabled or Enabled. If you enable it, you choose whether the password is backed up to AAD (Entra ID) or to AD.

Password Age Days: Determines how many days a LAPS password is kept before it is rotated; you can choose a value between 7 and 365. If you do not configure this value, the default is 30 days.

Administrator Account Name: This setting can be tricky; I think Microsoft needs to add a better explanation.

If you still have the built-in “Administrator” account active and not disabled, or if you have renamed it, you can enter the custom name here so LAPS can target it. Even if you do not, LAPS can find the built-in Administrator account by its SID.

NOTE: This setting does not create a custom admin account for you, nor does it rename the existing admin account. If you want that, leave this setting on “Not configured”; we do it later with the Automatic Account Management settings.

Password Complexity: You have 9 options for this setting. Use it to configure the password complexity of the managed local administrator account. The allowable settings are:

1 = Large letters

2 = Large letters + small letters

3 = Large letters + small letters + numbers

4 = Large letters + small letters + numbers + special characters (default)

5 = Large letters + small letters + numbers + special characters (improved readability)

6 = Passphrase (long words)

7 = Passphrase (short words)

8 = Passphrase (short words with unique prefixes)

9 = Not configured

If not specified, this setting defaults to 4.

Passphrase Length: You can select between 3 and 10 words; the default is 6 words. I chose 9. If you count the words in the passphrase below, you will see there are 9, each starting with an uppercase letter. No worries, this screenshot is from an older LAPS password and it has since been changed 😊

Password Length: The length of the password LAPS generates, between 8 and 64 characters; the default is 14 characters.

Post Authentication Actions: This is a really great security setting. Once the LAPS password has been used to authenticate and the configured grace period expires, you can specify the actions to take. If not specified, this setting defaults to 3 (reset the password and log off the managed account). I configure the most restrictive option, which resets the password, terminates any remaining processes, and logs off any session of the managed account.

Post Authentication Reset Delay: Choose between 0 and 24 hours to delay the post-authentication action you selected above. Note that 0 = Disabled.

Automatic Account Management Enabled: Here you choose whether LAPS should automatically manage the target account.

Automatic Account Management Enable Account: Choose whether the target account should be automatically enabled or disabled.

Automatic Account Management Randomize Name: Use this setting to configure whether the name of the automatically managed account gets a random numeric suffix each time the password is rotated. If enabled, the target account name carries a random numeric suffix that changes with every rotation; if disabled, the name has no suffix. In my case, I use a random numeric suffix, so every time I rotate the LAPS password the suffix after the name changes as well.

For example, my test LAPS account is named “LAPSTEST2” + suffix; after I rotated the LAPS password, the suffix on the target account changed as well.

Automatic Account Management Name Or Prefix: Finally, here you can choose your account name.

Before we check the logs, you need to assign the policy to a group of devices and deploy it.

Registry Key: Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Policies

If you are using a new device on which you have not configured LAPS before, you will not see a LAPS subkey here because it does not exist yet, as in the screenshot below.

Once you deploy the policy and it is applied, you will get this registry key.

In the screenshot above you can clearly see all the settings we configured in Intune; the same values appear here in the registry key.
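To confirm the policy landed without opening Registry Editor, the following PowerShell script (an added example, not part of the original post or of Microsoft's LAPS tooling) reads the LAPS policy subkey from the registry path above and decodes the numeric settings using the meanings given in this post. The value names are assumed to match the Windows LAPS CSP setting names, and the Backup Directory and Post Authentication Actions decode tables are assumptions except for the defaults the post states.

```powershell
# Added example (not from the original post): dump the Windows LAPS policy values
# that Intune writes under HKLM\SOFTWARE\Microsoft\Policies\LAPS and decode them.
# Value names are assumed to match the Windows LAPS CSP setting names.
$lapsKey = 'HKLM:\SOFTWARE\Microsoft\Policies\LAPS'

if (-not (Test-Path $lapsKey)) {
    Write-Output "No LAPS policy key at $lapsKey - the Intune policy has not applied yet (or the device is not targeted)."
    return
}

$policy = Get-ItemProperty -Path $lapsKey

# Decode tables. The complexity table is the one listed in the post; the other two are
# assumed mappings (3 = reset + log off is the default the post mentions).
$backupDirectory = @{ 0 = 'Disabled'; 1 = 'Entra ID (AAD)'; 2 = 'Active Directory' }
$complexity = @{
    1 = 'Large letters'
    2 = 'Large letters + small letters'
    3 = 'Large letters + small letters + numbers'
    4 = 'Large letters + small letters + numbers + special characters (default)'
    5 = 'Large letters + small letters + numbers + special characters (improved readability)'
    6 = 'Passphrase (long words)'
    7 = 'Passphrase (short words)'
    8 = 'Passphrase (short words with unique prefixes)'
}
$postAuthActions = @{
    1  = 'Reset password'
    3  = 'Reset password and log off (default)'
    5  = 'Reset password and reboot'
    11 = 'Reset password, log off and terminate processes'
}

# Print every configured value, decoding the ones we have a table for.
# Get-ItemProperty adds PSPath/PSChildName/... properties, which we skip.
$policy.PSObject.Properties |
    Where-Object { $_.Name -notlike 'PS*' } |
    ForEach-Object {
        $prop = $_   # capture: inside 'switch' $_ refers to the switch value, not the property
        $decoded = switch ($prop.Name) {
            'BackupDirectory'           { $backupDirectory[[int]$prop.Value] }
            'PasswordComplexity'        { $complexity[[int]$prop.Value] }
            'PostAuthenticationActions' { $postAuthActions[[int]$prop.Value] }
            default                     { $null }
        }
        [pscustomobject]@{ Setting = $prop.Name; Value = $prop.Value; Meaning = $decoded }
    } | Format-Table -AutoSize

# Sanity check: a rotated password that is never backed up locks you out of the device.
if (-not $policy.PSObject.Properties['BackupDirectory'] -or [int]$policy.BackupDirectory -eq 0) {
    Write-Warning 'BackupDirectory is disabled or missing: passwords will rotate but never be backed up.'
}
```

Run it in an elevated PowerShell on the targeted device after the Intune sync; the table it prints should match the settings you chose in the policy, and the warning fires only if the backup target was left disabled.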

Logs: Let us check the Event Viewer logs for LAPS, which can be found under Applications and Services Logs > Microsoft > Windows > LAPS > Operational.

The screenshot below shows the event logged when the LAPS account was created.

Event ID 10010 shows that the LAPS password has been backed up to Entra ID (previously known as AAD).

Let me also share some important LAPS Event IDs:

- 1000
- 1002
- 1003
- 1004
- 10020
- 10029

There are other LAPS Event IDs that I do not have on my test device but which are really important to watch for:

A failed policy processing cycle is tracked with a 10005 event.

When the policy is configured to back up the password to Windows Server Active Directory, a 10021 event is logged.
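For monitoring rather than clicking through Event Viewer, this PowerShell script (an added example, not part of the original post) queries the LAPS Operational log for the backup and failure events discussed above (10010, 10021 and 10005) and warns when the most recent cycle failed with no successful backup since. The log name is the Event Viewer path written in provider form; the event descriptions are the post's wording.

```powershell
# Added example (not from the original post): summarise Windows LAPS backup/failure
# events from Applications and Services Logs > Microsoft > Windows > LAPS > Operational.
$logName = 'Microsoft-Windows-LAPS/Operational'

# Event IDs and meanings as described in the post
$knownIds = @{
    10005 = 'Policy processing cycle failed'
    10010 = 'Password backed up to Entra ID'
    10021 = 'Password backed up to Active Directory'
}

# Get-WinEvent throws when nothing matches the filter, so treat that as "no events"
$events = Get-WinEvent -FilterHashtable @{ LogName = $logName; Id = @($knownIds.Keys) } `
                       -MaxEvents 200 -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Output "No LAPS backup/failure events found in $logName (the policy may not have run yet)."
    return
}

# One row per event, with the first line of the message for context
$events |
    Select-Object TimeCreated, Id,
        @{ Name = 'Meaning'; Expression = { $knownIds[$_.Id] } },
        @{ Name = 'Message'; Expression = { ($_.Message -split "`n")[0] } } |
    Format-Table -AutoSize

# A failed cycle that is newer than the last successful backup means the password stored
# in Entra ID / AD may no longer match the one on the device.
$lastFailure = $events | Where-Object Id -eq 10005 |
    Sort-Object TimeCreated -Descending | Select-Object -First 1
$lastBackup  = $events | Where-Object { $_.Id -in 10010, 10021 } |
    Sort-Object TimeCreated -Descending | Select-Object -First 1

if ($lastFailure -and (-not $lastBackup -or $lastFailure.TimeCreated -gt $lastBackup.TimeCreated)) {
    Write-Warning "Last LAPS cycle failed at $($lastFailure.TimeCreated) with no successful backup since; inspect the 10005 event details."
}
```

The same filter hashtable can be pointed at a remote machine with the `-ComputerName` parameter of `Get-WinEvent`, which makes it easy to sweep a group of devices right after the policy has been deployed.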

For more information, review Microsoft Docs.

Thanks for reading, and I hope this may help you configure the New LAPS for Windows 11 24H2.
