Configure policy settings for Windows LAPS

Windows Local Administrator Password Solution (Windows LAPS) supports various settings you can control by using policy. Learn about the settings and how to administer them.

Important

Windows LAPS currently is available only in Windows 11 Insider Preview Build 25145 and later. Support for the Windows LAPS Azure Active Directory scenario is currently in private preview, and limited to a small number of customers who have a direct engagement with engineering. Once public preview is declared in 2023, all customers will be able to evaluate this AAD scenario.

Supported policy roots

Although we don't recommend it, you can administer a device by using multiple policy management mechanisms. To support this scenario in an understandable and predictable way, each Windows LAPS policy mechanism is assigned a distinct registry root key:

Policy name                 Policy registry key root
--------------------------  ------------------------------------------------------------
LAPS CSP                    HKLM\Software\Microsoft\Policies\LAPS
LAPS Group Policy           HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\LAPS
LAPS Local Configuration    HKLM\Software\Microsoft\Windows\CurrentVersion\LAPS\Config
Legacy Microsoft LAPS       HKLM\Software\Policies\Microsoft Services\AdmPwd

Windows LAPS queries all known registry key policy roots, starting at the top and moving down. If no settings are found under a root, that root is skipped and the query proceeds to the next root. When a root that has at least one explicitly defined setting is found, that root is used as the active policy. If the chosen root is missing any settings, the settings are assigned their default values.

Policy settings are never shared or inherited across policy key roots.

Tip

The LAPS Local Configuration key is included in the preceding table for completeness. You can use this key if necessary, but the key primarily is intended to be used for testing and development. No management tools or policy mechanisms target this key.
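The following script is an added example (it is not part of the Windows LAPS documentation or of the product itself) that reproduces the root-precedence rule just described: it reads the four roots in the documented order, stops at the first one that holds at least one explicitly defined value, and fills the remaining settings from the defaults stated later on this page. It assumes that settings are stored as registry values named like the setting names on this page; the legacy AdmPwd root uses its own value names, so defaults are only merged for the three Windows LAPS roots.

```powershell
# Added example; not part of the Windows LAPS documentation or product code.
# Reports which policy root Windows LAPS would treat as active under the
# documented precedence rule (first root with at least one explicit setting).
# Assumption: values are named exactly like the settings on this page.

$LapsPolicyRoots = [ordered]@{
    'LAPS CSP'                 = 'HKLM:\Software\Microsoft\Policies\LAPS'
    'LAPS Group Policy'        = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\LAPS'
    'LAPS Local Configuration' = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\LAPS\Config'
    'Legacy Microsoft LAPS'    = 'HKLM:\Software\Policies\Microsoft Services\AdmPwd'
}

# Defaults as stated in the setting descriptions on this page.
$LapsDefaults = @{
    BackupDirectory                     = 0
    PasswordAgeDays                     = 30
    PasswordLength                      = 14
    PasswordComplexity                  = 4
    PasswordExpirationProtectionEnabled = 1
    ADEncryptedPasswordHistorySize      = 0
    ADBackupDSRMPassword                = 0
    PostAuthenticationResetDelay        = 24
    PostAuthenticationActions           = 3
}

function Get-LapsActivePolicyRoot {
    foreach ($root in $LapsPolicyRoots.GetEnumerator()) {
        $path = $root.Value
        if (-not (Test-Path -Path $path)) { continue }          # root absent: skip it
        $key   = Get-Item -Path $path
        $names = @($key.GetValueNames() | Where-Object { $_ -ne '' })
        if ($names.Count -eq 0) { continue }                     # root present but empty: skip it

        # First root with an explicit setting wins; later roots are never consulted.
        $explicit = @{}
        foreach ($name in $names) { $explicit[$name] = $key.GetValue($name) }

        # Missing settings take their documented defaults (legacy root uses other names).
        $effective = @{}
        if ($root.Key -ne 'Legacy Microsoft LAPS') { $effective = $LapsDefaults.Clone() }
        foreach ($name in $explicit.Keys) { $effective[$name] = $explicit[$name] }

        return [pscustomobject]@{
            PolicyName        = $root.Key
            RegistryRoot      = $path
            ExplicitSettings  = $explicit
            EffectiveSettings = $effective
        }
    }
    return $null   # no root carries any setting
}

$active = Get-LapsActivePolicyRoot
if ($null -eq $active) {
    Write-Output 'No Windows LAPS policy root contains any explicitly defined setting.'
} else {
    Write-Output "Active policy root: $($active.PolicyName) ($($active.RegistryRoot))"
    foreach ($name in ($active.EffectiveSettings.Keys | Sort-Object)) {
        $origin = if ($active.ExplicitSettings.ContainsKey($name)) { 'explicit' } else { 'default' }
        Write-Output ('  {0,-36} = {1,-24} ({2})' -f $name, $active.EffectiveSettings[$name], $origin)
    }
}
```

Run it on a device that receives policy from more than one mechanism to confirm which root actually wins; a setting written under a lower-precedence root is silently ignored as long as a higher root has even one value defined.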

Supported policy settings by join state

Windows LAPS supports multiple policy settings that you can administer via various policy management solutions, or even directly via the registry.

The following table specifies which settings apply to devices that have the specified join state:

Setting name                          Azure Active Directory-joined   Hybrid-joined   Windows Server Active Directory-joined
------------------------------------  ------------------------------  --------------  ---------------------------------------
BackupDirectory                       Yes                             Yes             Yes
PasswordAgeDays                       Yes                             Yes             Yes
PasswordLength                        Yes                             Yes             Yes
PasswordComplexity                    Yes                             Yes             Yes
PasswordExpirationProtectionEnabled   No                              Yes             Yes
AdministratorAccountName              Yes                             Yes             Yes
ADPasswordEncryptionEnabled           No                              Yes             Yes
ADPasswordEncryptionPrincipal         No                              Yes             Yes
ADEncryptedPasswordHistorySize        No                              Yes             Yes
ADBackupDSRMPassword                  No                              No              Yes
PostAuthenticationResetDelay          Yes                             Yes             Yes
PostAuthenticationActions             Yes                             Yes             Yes

You can administer almost all settings by using any policy management mechanism. The Windows LAPS configuration service provider (CSP) is the exception in two ways: it supports two settings that aren't in the preceding table, ResetPassword and ResetPasswordStatus, and it doesn't support the ADBackupDSRMPassword setting (domain controllers are never managed via CSP). For more information, see the LAPS CSP documentation.

Windows LAPS Group Policy

Windows LAPS includes a new Group Policy Object that you can use to administer policy settings on Active Directory domain-joined devices. To access the Windows LAPS Group Policy, in Group Policy Management Editor, go to Computer Configuration > Administrative Templates > System > LAPS. The following figure shows an example:

Screenshot of the Group Policy Management Editor that shows the Windows LAPS policy settings.

Windows LAPS CSP

Windows LAPS includes a specific CSP that you can use to administer policy settings on Azure Active Directory-joined devices. Manage the Windows LAPS CSP by using Microsoft Endpoint Manager.

Apply policy settings

The following sections describe how to use and apply various policy settings for Windows LAPS.

BackupDirectory

Use this setting to control which directory the password for the managed account is backed up to.

Value   Description of setting
------  --------------------------------------------------------------
0       Disabled (password won't be backed up)
1       Back up the password to Azure Active Directory only
2       Back up the password to Windows Server Active Directory only

If not specified, this setting defaults to 0 (Disabled).

PasswordAgeDays

Use this setting to configure the maximum age, in days, of the password of the managed local administrator account. Supported values are:

  • Minimum: 1 day (When the backup directory is configured to be Azure Active Directory, the minimum is 7 days.)
  • Maximum: 365 days

If not specified, this setting defaults to 30 days.

PasswordLength

Use this setting to configure the length of the password of the managed local administrator account. Supported values are:

  • Minimum: 8 characters
  • Maximum: 64 characters

If not specified, this setting defaults to 14 characters.

PasswordComplexity

Use this setting to configure the required password complexity of the managed local administrator account.

Value   Description of setting
------  ---------------------------------------------------------------
1       Uppercase letters
2       Uppercase letters + lowercase letters
3       Uppercase letters + lowercase letters + numbers
4       Uppercase letters + lowercase letters + numbers + special characters

If not specified, this setting defaults to 4.

Important

Windows supports the lower password complexity settings (1, 2, and 3) only for backward compatibility with legacy Microsoft LAPS. We recommend that you always configure this setting to 4.

PasswordExpirationProtectionEnabled

Use this setting to configure enforcement of maximum password age for the managed local administrator account.

Supported values are either 1 (True) or 0 (False).

If not specified, this setting defaults to 1 (True).

Tip

In legacy Microsoft LAPS mode, this setting defaults to False for backward compatibility.

AdministratorAccountName

Use this setting to configure the name of the managed local administrator account.

If not specified, this setting defaults to managing the built-in local administrator account.

Important

Don't specify this setting unless you want to manage an account other than the built-in local administrator account. The local administrator account is automatically identified by its well-known relative identifier (RID).

ADPasswordEncryptionEnabled

Use this setting to enable encryption of passwords in Active Directory.

Supported values are either 1 (True) or 0 (False).

Important

Enabling this setting requires that your Active Directory domain be running at Domain Functional Level 2016 or later.

ADPasswordEncryptionPrincipal

Use this setting to configure the name or security identifier (SID) of a user or group that can decrypt the password that's stored in Active Directory.

This setting is ignored if the password currently is stored in Azure.

If not specified, only members of the Domain Admins group in the device's domain can decrypt the password.

If specified, the specified user or group can decrypt the password that's stored in Active Directory.

Important

The string that's stored in this setting must be either an SID in string form or the fully qualified name of a user or group. Valid examples include:

  • S-1-5-21-2127521184-1604012920-1887927527-35197
  • contoso\LAPSAdmins
  • lapsadmins@contoso.com

The principal identified (either by SID or by user or group name) must exist and be resolvable by the device.

This setting is ignored unless ADPasswordEncryptionEnabled is configured to True and all other prerequisites are met.

This setting is ignored when Directory Services Repair Mode (DSRM) account passwords are backed up on a domain controller. In that scenario, this setting always defaults to the Domain Admins group of the domain controller's domain.
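Because the principal named in ADPasswordEncryptionPrincipal must exist and be resolvable by the device, it is worth checking a candidate value before deploying it. The following function is an added example (not part of the Windows LAPS documentation or product code) that accepts the three documented forms (SID string, DOMAIN\name, user@domain) and asks Windows to translate between name and SID using .NET's NTAccount and SecurityIdentifier classes; the contoso values in the usage lines are the page's own placeholders, not real accounts. Resolving a domain principal requires running on a domain-joined device with line of sight to a domain controller.

```powershell
# Added example; not part of the Windows LAPS documentation or product code.
# Checks that a proposed ADPasswordEncryptionPrincipal value has one of the
# documented forms and that this device can resolve it to a SID (and back).

function Test-LapsEncryptionPrincipal {
    param([Parameter(Mandatory)][string]$Principal)

    $result = [ordered]@{
        Input = $Principal; Form = $null; Sid = $null; Name = $null; Resolvable = $false; Error = $null
    }
    try {
        if ($Principal -match '^S-1-\d+(-\d+)+$') {
            # SID string form: confirm the SID maps to an existing account.
            $result.Form = 'SID'
            $sid  = [System.Security.Principal.SecurityIdentifier]::new($Principal)
            $name = $sid.Translate([System.Security.Principal.NTAccount])
        } elseif ($Principal -match '^[^\\@]+\\[^\\@]+$' -or $Principal -match '^[^\\@]+@[^\\@]+$') {
            # DOMAIN\name or user@domain form: confirm the name maps to a SID.
            $result.Form = if ($Principal -like '*\*') { 'DOMAIN\name' } else { 'UPN' }
            $name = [System.Security.Principal.NTAccount]::new($Principal)
            $sid  = $name.Translate([System.Security.Principal.SecurityIdentifier])
        } else {
            throw 'Not a SID string, DOMAIN\name, or user@domain form.'
        }
        $result.Sid        = $sid.Value
        $result.Name       = $name.Value
        $result.Resolvable = $true
    } catch {
        # Unresolvable names and malformed SIDs both land here; report, don't throw.
        $result.Error = $_.Exception.Message
    }
    [pscustomobject]$result
}

# The three forms listed above (contoso values are placeholders from this page).
'S-1-5-21-2127521184-1604012920-1887927527-35197', 'contoso\LAPSAdmins', 'lapsadmins@contoso.com' |
    ForEach-Object { Test-LapsEncryptionPrincipal -Principal $_ } |
    Format-Table Input, Form, Resolvable, Sid, Name, Error -AutoSize
```

A value that comes back with Resolvable set to False is one the device cannot use; fix the name or SID before enabling ADPasswordEncryptionEnabled rather than discovering the problem after passwords are already encrypted.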

ADEncryptedPasswordHistorySize

Use this setting to configure how many previous encrypted passwords are remembered in Active Directory. Supported values are:

  • Minimum: 0 passwords
  • Maximum: 12 passwords

If not specified, this setting defaults to 0 passwords (disabled).

Important

This setting is ignored unless ADPasswordEncryptionEnabled is configured to True and all other prerequisites are met.

This setting also takes effect on domain controllers that back up their DSRM passwords.

ADBackupDSRMPassword

Use this setting to enable backup of the DSRM account password on Windows Server Active Directory domain controllers.

Supported values are either 1 (True) or 0 (False).

This setting defaults to 0 (False).

Important

This setting is ignored unless ADPasswordEncryptionEnabled is configured to True and all other prerequisites are met.

PostAuthenticationResetDelay

Use this setting to specify the amount of time (in hours) to wait after an authentication before executing the specified post-authentication actions (see PostAuthenticationActions). Supported values are:

  • Minimum: 0 hours (setting this value to 0 disables all post-authentication actions)
  • Maximum: 24 hours

If not specified, this setting defaults to 24 hours.

PostAuthenticationActions

Use this setting to specify the actions to take upon expiration of the configured grace period (see PostAuthenticationResetDelay).

This setting can have one of the following values:

Value   Name                         Actions taken when the grace period expires
------  ---------------------------  --------------------------------------------------------------------------------------------------------
1       Reset password               The managed account password is reset.
3       Reset password and sign out  The managed account password is reset and any interactive sign-in sessions that use the managed account are terminated.
5       Reset password and reboot    The managed account password is reset and the managed device is immediately restarted.

If not specified, this setting defaults to 3.

Important

The allowed post-authentication actions are intended to help limit the amount of time a Windows LAPS password can be used before it's reset. Signing out of the managed account or restarting the device are options that help ensure the time is limited. Abruptly terminating signed-in sessions or restarting the device might result in data loss.

From a security perspective, a malicious user who acquires administrative privileges on a device using a valid Windows LAPS password does have the ultimate ability to prevent or circumvent these mechanisms.
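The ranges, value sets and cross-setting rules documented in the sections above are easy to get wrong when settings are written by hand. The following script is an added example (not part of the Windows LAPS documentation or product code) that validates a proposed set of settings against exactly those documented rules and, only if everything passes, writes them to the LAPS Local Configuration root, which this page reserves for testing and development. It assumes numeric settings are stored as REG_DWORD and the two name settings as REG_SZ, and uses 'contoso\LAPSAdmins' as a placeholder principal.

```powershell
# Added example; not part of the Windows LAPS documentation or product code.
# Validates Windows LAPS settings against the documented ranges, then writes
# them to the Local Configuration root (testing/development use only).
# Assumptions: numeric settings are REG_DWORD, name settings are REG_SZ.

$LapsLocalConfigRoot = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\LAPS\Config'
$LapsStringSettings  = 'AdministratorAccountName', 'ADPasswordEncryptionPrincipal'

function Test-LapsSettings {
    param([Parameter(Mandatory)][hashtable]$Settings)
    $problems = [System.Collections.Generic.List[string]]::new()
    $s = $Settings

    # Per-setting value sets and ranges as documented on this page.
    $rules = @{
        BackupDirectory                     = { param($v) $v -in 0, 1, 2 }
        PasswordAgeDays                     = { param($v) $v -ge 1 -and $v -le 365 }
        PasswordLength                      = { param($v) $v -ge 8 -and $v -le 64 }
        PasswordComplexity                  = { param($v) $v -in 1, 2, 3, 4 }
        PasswordExpirationProtectionEnabled = { param($v) $v -in 0, 1 }
        AdministratorAccountName            = { param($v) $v -is [string] -and $v.Trim() -ne '' }
        ADPasswordEncryptionEnabled         = { param($v) $v -in 0, 1 }
        ADPasswordEncryptionPrincipal       = { param($v) $v -is [string] -and $v.Trim() -ne '' }
        ADEncryptedPasswordHistorySize      = { param($v) $v -ge 0 -and $v -le 12 }
        ADBackupDSRMPassword                = { param($v) $v -in 0, 1 }
        PostAuthenticationResetDelay        = { param($v) $v -ge 0 -and $v -le 24 }
        PostAuthenticationActions           = { param($v) $v -in 1, 3, 5 }
    }
    foreach ($kv in $s.GetEnumerator()) {
        if (-not $rules.ContainsKey($kv.Key)) { $problems.Add("$($kv.Key): not a Windows LAPS setting"); continue }
        if (-not (& $rules[$kv.Key] $kv.Value)) { $problems.Add("$($kv.Key): value '$($kv.Value)' is outside the documented range") }
    }

    # Cross-setting rules stated on this page.
    if ($s.BackupDirectory -eq 1 -and $s.ContainsKey('PasswordAgeDays') -and $s.PasswordAgeDays -lt 7) {
        $problems.Add('PasswordAgeDays: minimum is 7 days when backing up to Azure Active Directory')
    }
    if ($s.PasswordComplexity -in 1, 2, 3) {
        $problems.Add('PasswordComplexity: values 1-3 exist only for legacy compatibility; use 4')
    }
    foreach ($dep in 'ADPasswordEncryptionPrincipal', 'ADEncryptedPasswordHistorySize', 'ADBackupDSRMPassword') {
        if ($s.ContainsKey($dep) -and $s.ADPasswordEncryptionEnabled -ne 1) {
            $problems.Add("${dep}: ignored unless ADPasswordEncryptionEnabled is 1")
        }
    }
    if ($s.PostAuthenticationResetDelay -eq 0 -and $s.ContainsKey('PostAuthenticationActions')) {
        $problems.Add('PostAuthenticationActions: a PostAuthenticationResetDelay of 0 disables all post-authentication actions')
    }
    return $problems
}

function Set-LapsLocalConfiguration {
    param([Parameter(Mandatory)][hashtable]$Settings)
    $problems = Test-LapsSettings -Settings $Settings
    if ($problems.Count -gt 0) {
        throw ("Refusing to write Windows LAPS settings:`n  " + ($problems -join "`n  "))
    }
    if (-not (Test-Path -Path $LapsLocalConfigRoot)) { New-Item -Path $LapsLocalConfigRoot -Force | Out-Null }
    foreach ($kv in $Settings.GetEnumerator()) {
        $type = if ($kv.Key -in $LapsStringSettings) { 'String' } else { 'DWord' }
        New-ItemProperty -Path $LapsLocalConfigRoot -Name $kv.Key -Value $kv.Value -PropertyType $type -Force | Out-Null
    }
}

# Constructed profile for an Active Directory-joined test device: AD backup,
# encrypted storage readable by a placeholder group, sign-out after 8 hours.
$proposed = @{
    BackupDirectory                     = 2
    PasswordAgeDays                     = 30
    PasswordLength                      = 20
    PasswordComplexity                  = 4
    PasswordExpirationProtectionEnabled = 1
    ADPasswordEncryptionEnabled         = 1
    ADPasswordEncryptionPrincipal       = 'contoso\LAPSAdmins'   # placeholder principal
    ADEncryptedPasswordHistorySize      = 6
    PostAuthenticationResetDelay        = 8
    PostAuthenticationActions           = 3
}
Set-LapsLocalConfiguration -Settings $proposed   # requires an elevated session
```

Because the Local Configuration root sits below the CSP and Group Policy roots in precedence, settings written this way take effect only on a device where neither of those roots contains any value; that makes it suitable for a lab machine and unsuitable as a production deployment path.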
