Windows Local Administrator Password Solution (Windows LAPS) is a Windows feature that automatically manages and backs up the password of a local administrator account on your Microsoft Entra joined or Windows Server Active Directory-joined devices. You also can use Windows LAPS to automatically manage and back up the Directory Services Restore Mode (DSRM) account password on your Windows Server Active Directory domain controllers. An authorized administrator can retrieve the DSRM password and use it.
Windows LAPS is available on the following OS platforms:
All supported editions of the above platforms have been updated with Windows LAPS, including LTSC editions. The introduction of the Windows LAPS feature doesn't modify in any way whatsoever the standard Microsoft product lifecycle policies.
Windows LAPS with Microsoft Entra ID and Microsoft Intune support has been generally available since October 23, 2023. For more information, see Windows Local Administrator Password Solution with Microsoft Entra ID now Generally Available! and Windows Local Administrator Password Solution in Microsoft Entra ID.
Use Windows LAPS to regularly rotate and manage local administrator account passwords and get these benefits:
The following videos offer an informative way to learn more about the Windows LAPS feature.
Windows Technical Takeoff presentation (November 2022):
Windows Tackling Tech discussion (August 2023):
You can use Windows LAPS for several primary scenarios:
Back up local administrator account passwords to Microsoft Entra ID (for Microsoft Entra-joined devices)
Back up local administrator account passwords to Windows Server Active Directory (for Windows Server Active Directory-joined clients and servers)
Back up DSRM account passwords to Windows Server Active Directory (for Windows Server Active Directory domain controllers)
Back up local administrator account passwords to Windows Server Active Directory by using legacy Microsoft LAPS
In each scenario, you can apply different policy settings.
Whether a device is joined to Microsoft Entra ID or Windows Server Active Directory determines how you can use Windows LAPS.
Devices that are joined only to Microsoft Entra ID can back up passwords only to Microsoft Entra ID.
Devices that are joined only to Windows Server Active Directory can back up passwords only to Windows Server Active Directory.
Devices that are hybrid-joined (joined to both Microsoft Entra ID and Windows Server Active Directory) can back up their passwords either to Microsoft Entra ID or to Windows Server Active Directory. You can't back up passwords to both Microsoft Entra ID and Windows Server Active Directory.
Windows LAPS doesn't support Microsoft Entra workplace-joined clients.
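The join-state rules above can be checked on a device from the output of `dsregcmd /status`. The following PowerShell is an added example, not code from the Microsoft documentation; the function name `Get-LapsBackupOption` is hypothetical, and the sample input is constructed. It assumes the `AzureAdJoined`, `DomainJoined` and `WorkplaceJoined` fields that `dsregcmd /status` prints.

```powershell
# Added example: classify which Windows LAPS backup targets a device can use,
# based on the join state reported by `dsregcmd /status`.
function Get-LapsBackupOption {
    param([Parameter(Mandatory)][string[]]$DsregStatus)

    # Collect "Name : VALUE" pairs; only YES/NO style fields matter here.
    $state = @{}
    foreach ($line in $DsregStatus) {
        if ($line -match '^\s*(\w+)\s*:\s*(\S+)\s*$') {
            $state[$Matches[1]] = ($Matches[2] -eq 'YES')
        }
    }

    # A field that is absent from the output is treated as "not joined".
    $entra     = [bool]$state['AzureAdJoined']
    $domain    = [bool]$state['DomainJoined']
    $workplace = [bool]$state['WorkplaceJoined']

    $targets = @()
    if ($entra)  { $targets += 'Microsoft Entra ID' }
    if ($domain) { $targets += 'Windows Server Active Directory' }

    $note = if ($entra -and $domain) {
        'Hybrid-joined: pick one target; backing up to both is not possible.'
    } elseif ($targets.Count -eq 0 -and $workplace) {
        'Workplace-joined only: not supported by Windows LAPS.'
    } elseif ($targets.Count -eq 0) {
        'No Microsoft Entra or Active Directory join detected.'
    } else {
        'Single join type: passwords can be backed up only to this target.'
    }

    [pscustomobject]@{
        EntraJoined   = $entra
        DomainJoined  = $domain
        BackupTargets = $targets
        Note          = $note
    }
}

# Constructed sample of the relevant dsregcmd lines (hybrid-joined device).
$sample = @'
             AzureAdJoined : YES
              DomainJoined : YES
           WorkplaceJoined : NO
'@ -split "`r?`n"

Get-LapsBackupOption -DsregStatus $sample
# On a live device: Get-LapsBackupOption -DsregStatus (dsregcmd /status)
```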
To set up and manage policy for your Windows LAPS deployment, you have multiple options:
You also have various options to manage and monitor Windows LAPS.
Options for Windows include:
Azure-based monitoring and reporting solutions are available when you back up passwords to Microsoft Entra ID.
Important
The legacy Microsoft LAPS product is deprecated as of Windows 11 23H2 and later. Installation of the legacy Microsoft LAPS MSI package is blocked on newer OS versions, and Microsoft will no longer consider code changes for the legacy Microsoft LAPS product.
Please use Windows LAPS, available on Windows Server 2019 and above, and on supported Windows 10 and Windows 11 clients, for managing local administrator account passwords.
Microsoft will continue to support the legacy Microsoft LAPS product on older versions of Windows (prior to Windows 11 23H2) on which it was previously supported. That support will end upon the normal End of Support for those OSes.
Windows LAPS inherits many design concepts from legacy Microsoft LAPS. If you're familiar with legacy Microsoft LAPS, many Windows LAPS features are familiar. A key difference is that Windows LAPS is an entirely separate implementation that's native to Windows. Windows LAPS also adds many features that aren't available in legacy Microsoft LAPS. You can use Windows LAPS to back up passwords to Azure Active Directory, encrypt passwords in Windows Server Active Directory, and store your password history.
Important
Windows LAPS doesn't require you to install legacy Microsoft LAPS. You can fully deploy and use all Windows LAPS features without installing or referring to legacy Microsoft LAPS. But to help migrate an existing legacy Microsoft LAPS deployment, Windows LAPS offers legacy Microsoft LAPS emulation mode.
Important
The legacy Microsoft LAPS product is deprecated on newer Microsoft OS versions - see Deprecation of legacy Microsoft LAPS product.
Microsoft released the legacy Microsoft LAPS product in calendar year 2016 on the Microsoft Download Center. Windows LAPS shipped as part of Windows Updates released on April 11, 2023 for the platforms listed in Windows LAPS and Microsoft Entra ID.
Microsoft and its support delivery organization offer assisted support for both Microsoft LAPS and Windows LAPS including interoperability between the two products.
Microsoft strongly recommends that customers begin planning now to migrate their Windows LAPS-capable systems from using legacy Microsoft LAPS over to the new Windows LAPS feature. Windows LAPS offers many new security features and improved product servicing.
Questions about limitations of, or interoperability between, third-party local account password management tools and Windows LAPS should be directed to the third-party application developer, not Microsoft.
The Windows LAPS feature itself is available for free in all supported Windows platforms.
You can back up passwords to your on-premises Active Directory with no other licensing requirements.
You can back up passwords to Microsoft Entra ID with a Microsoft Entra ID Free or higher license.
Other Azure- or Intune-related features can have other licensing requirements.
Want to send us feedback? Feel free to submit doc-specific questions via the Feedback links at the bottom of these doc pages.
You can also submit feedback and other requests via the Windows LAPS feedback Tech Community page.
If your feedback is specific to the Microsoft Entra ID- or Intune-related LAPS functionality, you can submit feedback via the Microsoft Entra feedback forum.
If you aren't sure where your feedback should go, submit it using any of the above options.