What is Windows LAPS?
Windows Local Administrator Password Solution (Windows LAPS) is a Windows feature that automatically manages and backs up the password of a local administrator account on your Azure Active Directory-joined or Windows Server Active Directory-joined devices. You also can use Windows LAPS to automatically manage and back up the Directory Services Restore Mode (DSRM) account password on your Windows Server Active Directory domain controllers. An authorized administrator can retrieve the DSRM password and use it.
Windows LAPS supported platforms and Azure AD LAPS preview status
Windows LAPS is now available on the following OS platforms with the specified update or later installed:
- Windows 11 22H2 - April 11 2023 Update
- Windows 11 21H2 - April 11 2023 Update
- Windows 10 - April 11 2023 Update
- Windows Server 2022 - April 11 2023 Update
- Windows Server 2019 - April 11 2023 Update
All supported editions of the above platforms have been updated with Windows LAPS, including LTSC editions. The introduction of the Windows LAPS feature doesn't change the standard Microsoft product lifecycle policies.
The Windows LAPS on-premises Active Directory scenarios are fully supported as of the above updates.
Windows LAPS with Microsoft Entra (Azure AD) and Microsoft Intune support is now in public preview as of April 21, 2023.
For more information, see:
- Introducing Windows Local Administrator Password Solution with Azure AD
- Windows Local Administrator Password Solution in Azure AD (preview)
Legacy LAPS Interop issues with the April 11 2023 Update
The April 11, 2023 update has two potential regressions related to interoperability with legacy LAPS scenarios. Read the following to understand the conditions for each scenario and the possible workarounds.
Issue #1: If you install the legacy LAPS CSE on a device patched with the April 11, 2023 security update and an applied legacy LAPS policy, both Windows LAPS and legacy LAPS will enter a broken state where neither feature will update the password for the managed account. Symptoms include Windows LAPS event log IDs 10031 and 10033, as well as legacy LAPS event ID 6. The password that is stored in Active Directory will not match the password stored on the local account, resulting in authentication errors. Microsoft is working on a fix for this issue.
Two primary workarounds exist for the above issue:
a. Uninstall the legacy LAPS CSE (result: Windows LAPS will take over management of the managed account)
b. Disable legacy LAPS emulation mode (result: legacy LAPS will take over management of the managed account)
UPDATE: The May 9, 2023 update contains a fix for issue #1 on all supported Windows LAPS platforms. The fix prevents the issue from recurring in the future, but it doesn't immediately resolve the mismatch between the local password and the AD-stored password. The passwords are made consistent the next time the legacy LAPS CSE runs during a GPO refresh and sees an expired password expiry time in AD. You can accelerate that process by manually forcing a password expiry via Reset-AdmPwdPassword.
Issue #2: If you apply a legacy LAPS policy to a device patched with the April 11, 2023 update, Windows LAPS immediately enforces (honors) the legacy LAPS policy, which may be disruptive (for example, if done during an OS deployment workflow). Disabling legacy LAPS emulation mode can also prevent these issues.
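The following script is an added example, not code from the Microsoft doc page. It checks a single device for the symptoms of issue #1 (Windows LAPS event IDs 10031 and 10033 together with legacy LAPS event ID 6) and, when both are present, applies the documented workaround of forcing a password expiry with Reset-AdmPwdPassword so the next legacy LAPS CSE run re-synchronizes the local and AD-stored passwords. It assumes the legacy LAPS AdmPwd.PS module is installed on the management host, that remote event log access is permitted, and that the legacy LAPS CSE writes its events to the Application log under a provider name beginning with "AdmPwd" (an assumption; adjust to what your environment shows). The computer name is a placeholder.

```powershell
# Added example (not from the Microsoft doc page): detect the legacy LAPS /
# Windows LAPS interop break on one device and apply the documented workaround.
# Assumptions: AdmPwd.PS module installed locally; remote event log access
# allowed; legacy LAPS CSE provider name starts with "AdmPwd" (assumed).

function Test-LapsInteropBreak {
    param(
        [Parameter(Mandatory)] [string] $ComputerName,
        [int] $LookbackDays = 7
    )

    $since = (Get-Date).AddDays(-$LookbackDays)

    # Windows LAPS writes to its own operational channel; IDs 10031 and 10033
    # are the symptoms of the broken state described above.
    $lapsEvents = Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{
        LogName   = 'Microsoft-Windows-LAPS/Operational'
        Id        = 10031, 10033
        StartTime = $since
    } -ErrorAction SilentlyContinue

    # Legacy LAPS CSE event ID 6 (provider name filter is an assumption).
    $legacyEvents = Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{
        LogName   = 'Application'
        Id        = 6
        StartTime = $since
    } -ErrorAction SilentlyContinue | Where-Object { $_.ProviderName -like 'AdmPwd*' }

    [pscustomobject]@{
        ComputerName      = $ComputerName
        WindowsLapsErrors = @($lapsEvents).Count
        LegacyLapsErrors  = @($legacyEvents).Count
        # Both symptom sets present at once matches the broken state.
        LikelyBroken      = (@($lapsEvents).Count -gt 0) -and (@($legacyEvents).Count -gt 0)
    }
}

# Usage: report first, then force expiry so the next legacy LAPS CSE run
# makes the local and AD-stored passwords consistent again. Apply the
# May 9, 2023 update as well so the break does not recur.
$result = Test-LapsInteropBreak -ComputerName 'WKSTN-PLACEHOLDER'
$result | Format-List

if ($result.LikelyBroken) {
    Import-Module AdmPwd.PS
    Reset-AdmPwdPassword -ComputerName $result.ComputerName
}
```

Run the check across a fleet by piping computer names into Test-LapsInteropBreak and reviewing the LikelyBroken column before forcing any expiry; the expiry itself is only useful once the May 9, 2023 update is installed, otherwise the mismatch can return.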
Benefits of using Windows LAPS
Use Windows LAPS to regularly rotate and manage local administrator account passwords and get these benefits:
- Protection against pass-the-hash and lateral-traversal attacks
- Improved security for remote help desk scenarios
- Ability to sign in to and recover devices that are otherwise inaccessible
- A fine-grained security model (access control lists and optional password encryption) for securing passwords that are stored in Windows Server Active Directory
- Support for the Azure role-based access control model for securing passwords that are stored in Azure Active Directory
Key Windows LAPS scenarios
You can use Windows LAPS for several primary scenarios:
- Back up local administrator account passwords to Azure Active Directory (for Azure Active Directory-joined devices)
- Back up local administrator account passwords to Windows Server Active Directory (for Windows Server Active Directory-joined clients and servers)
- Back up DSRM account passwords to Windows Server Active Directory (for Windows Server Active Directory domain controllers)
- Back up local administrator account passwords to Windows Server Active Directory by using legacy Microsoft LAPS
In each scenario, you can apply different policy settings.
Understand device join state restrictions
Whether a device is joined to Azure Active Directory or Windows Server Active Directory determines how you can use Windows LAPS.
Devices that are joined only to Azure Active Directory can back up passwords only to Azure Active Directory.
Devices that are joined only to Windows Server Active Directory can back up passwords only to Windows Server Active Directory.
Devices that are hybrid-joined (joined to both Azure Active Directory and Windows Server Active Directory) can back up their passwords either to Azure Active Directory or to Windows Server Active Directory. You can't back up passwords to both Azure Active Directory and Windows Server Active Directory.
Windows LAPS doesn't support Azure Active Directory workplace-joined clients.
Set Windows LAPS policy
To set up and manage policy for your Windows LAPS deployment, you have multiple options:
Manage and monitor Windows LAPS
You also have various options to manage and monitor Windows LAPS.
Options for Windows include:
- The Windows Server Active Directory Users and Computers properties dialog
- A dedicated event log channel
- A Windows PowerShell module that's specific to Windows LAPS
Azure-based monitoring and reporting solutions are available when you back up passwords to Azure Active Directory.
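The following script is an added example of the Windows PowerShell module mentioned above, not code from the Microsoft doc page. It turns on success auditing for password reads on an OU (so retrievals show up in the domain controller's security log) and then reports rotation metadata for one computer without printing the secret itself. It assumes the Windows LAPS module (named LAPS) that ships with the April 2023 updates is present on the management host; the OU distinguished name and the computer name are placeholders.

```powershell
# Added example (not from the Microsoft doc page): audit LAPS password reads
# on an OU and summarize a device's rotation state with the Windows LAPS module.
# Assumptions: the LAPS module is available; OU and computer name are placeholders.

Import-Module LAPS

# Success audits record who read the LAPS password attributes for computers
# under this OU, which is the signal a SOC wants for unexpected retrievals.
Set-LapsADAuditing -Identity 'OU=Workstations,DC=contoso,DC=com' `
    -AuditedPrincipals 'Everyone' -AuditType Success

function Get-LapsRotationSummary {
    param([Parameter(Mandatory)] [string] $ComputerName)

    # Without -AsPlainText the Password property remains a SecureString, so
    # this summary can be logged or shared without exposing the secret.
    # -IncludeHistory also returns prior entries when password history is
    # enabled (a Windows LAPS feature that legacy Microsoft LAPS lacks).
    Get-LapsADPassword -Identity $ComputerName -IncludeHistory |
        Select-Object ComputerName, Account, Source,
                      PasswordUpdateTime, ExpirationTimestamp, DecryptionStatus
}

Get-LapsRotationSummary -ComputerName 'WKSTN-PLACEHOLDER' | Format-Table -AutoSize
```

DecryptionStatus is informative when password encryption is enabled: a value other than a successful decryption means the caller is not in the authorized decryptor group, which is the expected outcome for a monitoring account that should see metadata but never the password.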
Windows LAPS vs. legacy Microsoft LAPS
You can still download an earlier version of Local Administrator Password Solution, legacy Microsoft LAPS.
Windows LAPS inherits many design concepts from legacy Microsoft LAPS. If you're familiar with legacy Microsoft LAPS, many Windows LAPS features are familiar. A key difference is that Windows LAPS is an entirely separate implementation that's native to Windows. Windows LAPS also adds many features that aren't available in legacy Microsoft LAPS. You can use Windows LAPS to back up passwords to Azure Active Directory, encrypt passwords in Windows Server Active Directory, and store your password history.
Windows LAPS doesn't require you to install legacy Microsoft LAPS. You can fully deploy and use all Windows LAPS features without installing or referring to legacy Microsoft LAPS. But to help migrate an existing legacy Microsoft LAPS deployment, Windows LAPS offers legacy Microsoft LAPS emulation mode.
Microsoft released the legacy Microsoft LAPS product in calendar year 2016 on the Microsoft Download Center. Windows LAPS shipped as part of Windows Updates released on April 11, 2023 for the platforms listed in Windows LAPS supported platforms and Azure AD LAPS preview status.
Microsoft and its support delivery organization offer assisted support for both legacy Microsoft LAPS and Windows LAPS, including interoperability between the two products.
Microsoft strongly recommends that customers begin planning now to migrate their Windows LAPS-capable systems from using legacy Microsoft LAPS over to the new Windows LAPS feature. Windows LAPS offers many new security features and improved product servicing.
Questions about limitations and/or interoperability concerns between third-party local account password management tools and Windows LAPS should be directed to the third-party application developer, not Microsoft.
The Windows LAPS feature itself is available for free in all supported Windows platforms.
You can back up passwords to your on-premises Active Directory with no other licensing requirements.
You can back up passwords to Azure AD with an Azure AD Free or higher license.
Other Azure- or Intune-related features may have other licensing requirements.
Want to send us feedback? Feel free to submit doc-specific questions via the Feedback links at the bottom of these doc pages.
You may also submit feedback and other requests via the Windows LAPS feedback Tech Community page.
If your feedback is specific to the Azure AD- or Intune-related LAPS functionality, you may submit feedback via the Azure AD feedback forum.
If you aren't sure where your feedback should go, submit it using any of the above options.
- Introducing Windows Local Administrator Password Solution with Azure AD
- Windows Local Administrator Password Solution in Azure AD (preview)
- Microsoft Intune support for Windows LAPS
- Windows LAPS CSP
- Legacy Microsoft LAPS
- Windows LAPS Troubleshooting Guidance