This article provides answers to many commonly asked questions about Windows Local Administrator Password Solution (Windows LAPS).
Is it supported to run 3rd-party local account password manager products side-by-side with Windows LAPS?
Yes, this scenario is supported with the following condition. You must take care to configure Windows LAPS and the 3rd-party product to manage different local accounts. If you mistakenly configure both to manage the same account, Windows LAPS rejects attempts by the 3rd-party product to modify the account's password. See Account password tampering protection.
Windows LAPS prevents accidental or spurious changes to the managed account's password. This protection helps prevent a torn state situation where the password stored in the directory doesn't match the password stored locally on the device. See Account password tampering protection.
The Windows LAPS PowerShell module is part of Windows and not available outside of the operating system.
This scenario isn't supported.
See Submitting feedback.
Microsoft promotes a password-less strategy and direction. Why was a password-based feature like Windows LAPS added to Windows?
All Windows LAPS scenarios involve the management of a Windows local account's password for use with help desk tasks, device recovery, and other scenarios. Since Windows only supports password-based authentication for local accounts, password management is necessary.
Can I deploy and use Windows LAPS even if my domain isn't yet at Windows Server 2016 Domain Functional Level?
Yes with some limitations. See Domain functional level and domain controller version requirements.
Do I need to deploy a Windows Server 2022 or 2019 DC in order to extend my forest's schema with the Windows LAPS schema extensions?
No. You can run the Update-LapsADSchema cmdlet from any operating system updated with the Windows LAPS feature. The only requirement is that the client credentials are authorized to modify the Active Directory schema. See Update the Windows Server Active Directory schema.
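The following is an added example, not code from the Microsoft page, showing the schema extension being run from an ordinary domain-joined workstation and then verified. It assumes the RSAT ActiveDirectory module is installed alongside the Windows LAPS module, the current user is a member of Schema Admins, and the schema master is reachable; the attribute list is the set the Windows LAPS schema extension adds, and the OU distinguished name in the last step is a placeholder.

```powershell
# Added example (not from the Microsoft page): extend the forest schema for Windows LAPS
# from any domain-joined machine that has the Windows LAPS feature, then verify the result.
# Assumptions: RSAT ActiveDirectory module installed, current user is a member of
# Schema Admins, schema master reachable. Run in an elevated Windows PowerShell session.
Import-Module LAPS
Import-Module ActiveDirectory

$schemaMaster = (Get-ADForest).SchemaMaster
$schemaNC     = (Get-ADRootDSE -Server $schemaMaster).schemaNamingContext

# Fail early with a clear message if the caller cannot modify the schema.
# Schema Admins lives in the forest root domain, so query the schema master's domain.
$schemaAdmins = Get-ADGroupMember -Identity 'Schema Admins' -Recursive -Server $schemaMaster |
    Select-Object -ExpandProperty SamAccountName
if ($schemaAdmins -notcontains $env:USERNAME) {
    throw "$env:USERNAME is not a member of Schema Admins; run this as a schema admin."
}

# Attributes the Windows LAPS schema extension adds.
$lapsAttributes = @(
    'msLAPS-Password'
    'msLAPS-PasswordExpirationTime'
    'msLAPS-EncryptedPassword'
    'msLAPS-EncryptedPasswordHistory'
    'msLAPS-EncryptedDSRMPassword'
    'msLAPS-EncryptedDSRMPasswordHistory'
)

function Get-MissingLapsAttribute {
    # Returns the names of LAPS schema attributes not yet present on the schema master.
    $lapsAttributes | Where-Object {
        -not (Get-ADObject -Server $schemaMaster -SearchBase $schemaNC `
                -LDAPFilter "(&(objectClass=attributeSchema)(lDAPDisplayName=$_))")
    }
}

if (Get-MissingLapsAttribute) {
    # The cmdlet locates and writes to the schema master itself; no DC upgrade is needed.
    Update-LapsADSchema -Verbose
} else {
    Write-Host 'Schema already contains the Windows LAPS attributes.'
}

# Re-check after the update so a partial or replicated-late result is not mistaken for success.
$stillMissing = Get-MissingLapsAttribute
if ($stillMissing) {
    throw "Schema update incomplete, still missing: $($stillMissing -join ', ')"
}

# Next deployment step after the schema is in place: let computers in the target OU
# write their own LAPS attributes. The OU distinguished name is a placeholder.
Set-LapsADComputerSelfPermission -Identity 'OU=Workstations,DC=contoso,DC=com'
```

The verification step queries the schema master directly rather than the nearest DC, so it is not fooled by replication latency; if the attributes show up on the schema master but not elsewhere yet, wait for schema replication before enabling the policy on clients.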
How can I copy the Windows LAPS-enabled Active Directory Users and Computers snap-in to an older operating system?
This scenario isn't supported.
I installed RSAT, but I still don't see the new LAPS-enabled Active Directory Users and Computers snap-in. Why?
The new snap-in is only available in the Windows in-box versions of RSAT on supported Windows LAPS platforms. See Windows LAPS snap-in availability.
The new Windows LAPS policy isn't automatically installed as part of the GPO central store. See Group Policy Object Central Store.
Yes, assuming that AD domain controller database backups are being regularly taken and maintained. For more information, see Retrieving passwords during AD disaster recovery scenarios.
Yes, this scenario is supported with the following conditions. A new Windows LAPS policy must be configured, and you must take care to configure Windows LAPS and the legacy LAPS to manage different local accounts.
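Both the third-party coexistence answer and the legacy LAPS coexistence answer come down to the same practical rule: give Windows LAPS its own account and let the other product keep its own. The following is an added example, not code from the Microsoft page, that configures Windows LAPS to manage a dedicated account and then exercises the tampering protection described above. It assumes an elevated Windows PowerShell session on a domain-joined lab machine where the policy is written straight to the Windows LAPS policy registry key (in production the same values arrive by GPO or Intune); the account name LapsBreakGlass and the 30-day age are placeholders; and because Windows LAPS manages an existing account rather than creating one, the script creates the account first.

```powershell
# Added example (not from the Microsoft page): point Windows LAPS at a dedicated local
# account so it never collides with the account that legacy LAPS or a third-party product
# manages, then exercise the tampering protection.
# Assumptions: elevated Windows PowerShell on a domain-joined lab machine; policy written
# directly to the LAPS policy registry key (GPO/Intune deliver the same values in production);
# 'LapsBreakGlass' is a placeholder; Windows LAPS manages an existing account, so it is created here.
$policy  = 'HKLM:\SOFTWARE\Microsoft\Policies\LAPS'
$account = 'LapsBreakGlass'

New-Item -Path $policy -Force | Out-Null
# BackupDirectory: 0 = disabled, 1 = Microsoft Entra ID, 2 = Active Directory. It is a single
# value, which is why a hybrid device can back up to only one directory at a time.
Set-ItemProperty -Path $policy -Name 'BackupDirectory'                     -Value 2        -Type DWord
# AdministratorAccountName selects the managed account; leave it empty to manage the built-in
# Administrator (by well-known RID). The other product must NOT be configured for this name.
Set-ItemProperty -Path $policy -Name 'AdministratorAccountName'            -Value $account -Type String
Set-ItemProperty -Path $policy -Name 'PasswordAgeDays'                     -Value 30       -Type DWord
Set-ItemProperty -Path $policy -Name 'PasswordExpirationProtectionEnabled' -Value 1        -Type DWord

# Create the managed account if missing. The initial password is throwaway: Windows LAPS
# replaces it on the first policy run.
if (-not (Get-LocalUser -Name $account -ErrorAction SilentlyContinue)) {
    $initial = ConvertTo-SecureString ([guid]::NewGuid().ToString()) -AsPlainText -Force
    New-LocalUser -Name $account -Password $initial -PasswordNeverExpires `
        -Description 'Windows LAPS managed break-glass account' | Out-Null
    Add-LocalGroupMember -Group 'Administrators' -Member $account
}

# Apply the policy now instead of waiting for the background cycle. The first run sets a
# fresh password and backs it up to the directory selected by BackupDirectory.
Invoke-LapsPolicyProcessing -Verbose

# Simulate another password manager (or an admin running "net user") touching the managed
# account. Per the tampering protection, Windows LAPS rejects the change, so the password in
# AD and the one in the local SAM cannot drift apart.
try {
    $rogue = ConvertTo-SecureString 'Str0ngButUnmanaged!' -AsPlainText -Force
    Set-LocalUser -Name $account -Password $rogue -ErrorAction Stop
    Write-Warning 'Out-of-band password change was NOT rejected; verify the policy applied.'
} catch {
    Write-Host "Out-of-band change rejected as expected: $($_.Exception.Message)"
}

# The supported way to rotate immediately, then read the current password back from AD.
Reset-LapsPassword
Get-LapsADPassword -Identity $env:COMPUTERNAME -AsPlainText |
    Select-Object ComputerName, Account, Password, ExpirationTimestamp
```

If the other product is legacy LAPS, its own policy (the legacy AdminPwd CSE settings) keeps pointing at its account, and nothing in this script touches that; the only shared resource is the computer object in AD, and the two products write different attributes there.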
How can I enable passphrases, which are only available in Windows 11 24H2, since older operating systems don't support the new passphrase-related PasswordComplexity settings (6-8)?
There are two options in this scenario. Either let the older OSs fall back to the default setting (they don't recognize the passphrase values, so the default complexity applies), or create two policies, one for the devices that support passphrases and one for everything older. See Windows LAPS default policy values.
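The following is an added example, not code from the Microsoft page, of the two-policy option. It creates one GPO that turns on passphrases and one that keeps the classic complexity, reports which domain computers would silently fall back if they received the passphrase policy, and links each GPO to a placeholder OU. It assumes the RSAT GroupPolicy and ActiveDirectory modules, that Windows 11 24H2 reports OS build 26100, that PasswordComplexity 6 is the long-word passphrase mode, and that for passphrase modes PasswordLength is the number of words; the GPO names and OU paths are placeholders.

```powershell
# Added example (not from the Microsoft page): the "two policies" option for passphrases.
# Assumptions: RSAT GroupPolicy + ActiveDirectory modules; Windows 11 24H2 = build 26100;
# PasswordComplexity 6 = passphrase (long words) and PasswordLength = word count in that mode;
# GPO names and OU paths are placeholders.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$lapsKey = 'HKLM\Software\Microsoft\Policies\LAPS'

function Set-LapsGpo {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][int]$Complexity,
        [Parameter(Mandatory)][int]$Length
    )
    if (-not (Get-GPO -Name $Name -ErrorAction SilentlyContinue)) { New-GPO -Name $Name | Out-Null }
    # Same BackupDirectory (2 = AD) in both GPOs so that only the password shape differs.
    Set-GPRegistryValue -Name $Name -Key $lapsKey -ValueName 'BackupDirectory'    -Type DWord -Value 2           | Out-Null
    Set-GPRegistryValue -Name $Name -Key $lapsKey -ValueName 'PasswordComplexity' -Type DWord -Value $Complexity | Out-Null
    Set-GPRegistryValue -Name $Name -Key $lapsKey -ValueName 'PasswordLength'     -Type DWord -Value $Length     | Out-Null
    Get-GPO -Name $Name
}

# Six-word passphrase for 24H2 and later; classic 20-character complex password for older builds.
$passphraseGpo = Set-LapsGpo -Name 'LAPS - Passphrase (Win11 24H2+)' -Complexity 6 -Length 6
$classicGpo    = Set-LapsGpo -Name 'LAPS - Classic complexity'        -Complexity 4 -Length 20

# Which computers would fall back to the default complexity if they received the passphrase GPO?
# OperatingSystemVersion is stored as e.g. "10.0 (26100)"; the build number is in parentheses.
$minPassphraseBuild = 26100
$computers = Get-ADComputer -Filter 'Enabled -eq $true' -Properties OperatingSystem, OperatingSystemVersion
$tooOld = foreach ($c in $computers) {
    if ($c.OperatingSystemVersion -match '\((\d+)\)' -and [int]$Matches[1] -lt $minPassphraseBuild) { $c }
}
Write-Host "$(@($tooOld).Count) computer(s) would fall back to the default complexity:"
$tooOld | Select-Object Name, OperatingSystem, OperatingSystemVersion | Format-Table -AutoSize

# Link each GPO to the OU holding the matching device population. If both populations share an
# OU, put a WMI filter such as
#   SELECT * FROM Win32_OperatingSystem WHERE BuildNumber >= '26100'
# on the passphrase GPO instead (all current builds are five digits, so the string compare holds).
New-GPLink -Name $passphraseGpo.DisplayName -Target 'OU=Win11-24H2,OU=Workstations,DC=contoso,DC=com' -LinkEnabled Yes | Out-Null
New-GPLink -Name $classicGpo.DisplayName    -Target 'OU=Legacy,OU=Workstations,DC=contoso,DC=com'     -LinkEnabled Yes | Out-Null
```

Run the inventory part before linking anything: a device that lands in the passphrase OU by mistake does not fail, it just quietly gets a default-complexity password, which is exactly the kind of policy drift that is hard to notice later.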
Why is my Microsoft Entra joined device getting an error when attempting to post the password to Microsoft Entra ID?
The most common reason is forgetting to enable the LAPS feature for your Microsoft Entra tenant. See Enabling Windows LAPS with Microsoft Entra ID.
Do I need to extend my forest's schema if I'm only planning to back up passwords to Microsoft Entra ID?
No.
No. You can deploy and use Windows LAPS in either Active Directory or Microsoft Entra mode without Intune. Intune does provide many benefits to the Windows LAPS scenario (for example, policy deployment at scale, monitoring, and password-reset action support).
No. There are no dependencies between these two features. See Windows LAPS and Microsoft Entra Connect in hybrid environments.
How do I configure a hybrid-joined device to back up the password to both Microsoft Entra ID and AD?
This scenario isn't supported. You can only back up the password to one directory at a time.
See Windows Local Administrator Password Solution in Microsoft Entra ID and Microsoft Intune support for Windows LAPS for information on which specific clouds are supported.
Microsoft Entra Domain Services doesn't currently support Windows LAPS.
Windows LAPS passwords are always protected in transit (HTTPS) when sent from the managed device to the cloud. Windows LAPS passwords that are stored in the cloud are always encrypted with AES-256. The decryption keys are only available to those internal Microsoft Entra services that have a technical need to handle the clear-text passwords, for example during storage or query operations. This encryption layer is specific to Windows LAPS passwords and is always enabled in addition to the default Microsoft Entra data protection mechanisms. See Microsoft Entra Data Security Considerations.
To learn more about Windows LAPS, here are some more resources.