What are the use cases or when we can use this Windows LAP?

Vinod Survase 4,711 Reputation points
2023-04-23T08:31:40.52+00:00

What are the use cases or when we can use this Windows LAP? When should we enable this in the environment specially in Azure AD joined devices? Recent announcement of Windows LAPS for Azure AD & Hybrid Azure AD joined devices: https://techcommunity.microsoft.com/t5/microsoft-entra-azure-ad-blog/introducing-windows-local-administrator-password-solution-with/ba-p/1942487

Windows 10
Windows 10
A Microsoft operating system that runs on personal computers and tablets.
10,808 questions
Windows Server
Windows Server
A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications.
12,284 questions
Windows 10 Security
Windows 10 Security
Windows 10: A Microsoft operating system that runs on personal computers and tablets.Security: The precautions taken to guard against crime, attack, sabotage, espionage, or another threat.
2,780 questions
Windows 11
Windows 11
A Microsoft operating system designed for productivity, creativity, and ease of use.
8,418 questions
Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
19,846 questions
{count} votes

1 answer

Sort by: Most helpful
  1. Givary-MSFT 28,576 Reputation points Microsoft Employee
    2023-04-27T00:09:11.1833333+00:00

    @Vinod Survase Thank you for reaching out to us, As I understand you are looking for use cases when to use Windows LAP for Azure AD joined devices.

    with New LAPS (Windows LAPS)

    • Built into Windows
    • Support for Azure AD Join, Hybrid Azure AD Join and on-premise (Domain join) scenario, for Cloud and hybrid, passwords stored (encrypted) on device object in Azure AD.

    Windows LAPS to regularly rotate and managed local administration account passwords and get these benefits:

    Protection against pass the hash and lateral traversal attacks.

    Improved security for remote help desk scenarios

    Ability to sign in to and recover devices that are otherwise inaccessible..

    A fine grained security model (access control lists and optional password encryption for securing passwords that are stored in windows server active directory)

    Support for the Azure role-based access control model for securing passwords that are stored in Azure Active Directory.

    Azure AD support for LAPS includes the following capabilities - https://learn.microsoft.com/en-us/azure/active-directory/devices/howto-manage-local-admin-passwords#:~:text=Azure%20AD%20support%20for%20LAPS%20includes%20the%20following%20capabilities%3A

    Key Windows LAPS scenarios

    You can use Windows LAPS for several primary scenarios:

    Back up local administrator account passwords to Azure Active Directory (for Azure Active Directory-joined devices)

    Back up local administrator account passwords to Windows Server Active Directory (for Windows Server Active Directory-joined clients and servers)

    Back up DSRM account passwords to Windows Server Active Directory (for Windows Server Active Directory domain controllers)

    Back up local administrator account passwords to Windows Server Active Directory by using legacy Microsoft LAPS

    In each scenario, you can apply different policy settings.

    Understand device join state restrictions

    Whether a device is joined to Azure Active Directory or Windows Server Active Directory determines how you can use Windows LAPS.

    Devices that are joined only to Azure Active Directory can back up passwords only to Azure Active Directory.

    Devices that are joined only to Windows Server Active Directory can back up passwords only to Windows Server Active Directory.

    Devices that are hybrid-joined (joined to both Azure Active Directory and Windows Server Active Directory) can back up their passwords either to Azure Active Directory or to Windows Server Active Directory. You can't back up passwords to both Azure Active Directory and Windows Server Active Directory.

    Windows LAPS doesn't support Azure Active Directory workplace-joined clients.

    Reference: https://learn.microsoft.com/en-us/windows-server/identity/laps/laps-overview#:~:text=about%20Windows%20LAPS.-,Key%20Windows%20LAPS%20scenarios,-You%20can%20use

    Let me if you have any further questions, feel free to post back.

    1 person found this answer helpful.
    0 comments No comments