
Windows LAPS Overview

Topics: Security and Compliance

Microsoft dropped some interesting new password tech on us earlier this year, and if you haven’t started looking at using this “new” technology, it’s time. In true Microsoft fashion, the “new” technology, Windows LAPS, is really just an improvement on an “old” technology, LAPS.

What is Microsoft LAPS? The Backstory

Microsoft LAPS, if you haven’t heard of it before or didn’t know what it meant, stands for the Microsoft Local Administrator Password Solution. It is a free technology that Microsoft has given away since 2015. LAPS provides the ability to randomize the password for the local Administrator account on Windows workstations and servers. Prior to this solution, many organizations were using one Administrator account with one password throughout their whole environment. This is obviously a problem, because once the account is compromised on one device it’s compromised everywhere. 

In the Legacy version of LAPS, Group Policy controls the process: it determines how often the password changes and how complex the password is. The password is then written to Active Directory so that it can be read back when needed.

New and Improved: Windows LAPS

Windows LAPS (yes, the name changed from Microsoft LAPS to Windows LAPS) is the new password tech on the block. This new LAPS was described as LAPS “Beast Mode” at a presentation during MMSMOA in May of 2023. It earned the “Beast Mode” moniker because it expands beyond the original LAPS: it can keep a history of passwords, store passwords in an encrypted state, and add passwords to Azure Active Directory.

In addition, you no longer need additional software to retrieve passwords. You can instead see them directly in the computer information in Active Directory. 


Feature Comparison 

This new version of LAPS contains new features. Here’s a breakdown of current Legacy LAPS features and new Windows LAPS features. 

| Feature | Legacy Microsoft LAPS | Modern Windows LAPS |
| --- | --- | --- |
| Ability to rotate Administrator Password | Yes | Yes |
| Ability to define username to rotate | Yes | Yes |
| Where is policy defined? | On-prem Group Policy | On-prem Group Policy, Azure Active Directory |
| Is additional software required? | LAPS Client is required to change passwords | Windows LAPS is built into Windows after April 2023 updates |
| How are passwords stored? | Plain Text | Plain Text, Encrypted |
| Is password history retained? | No | Yes, when passwords are encrypted and stored in Active Directory |
| How passwords are retrieved | LAPS retrieval tool, PowerShell, AD attribute | PowerShell, Active Directory Users and Computers |
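
To see which computers are covered by which version, the following added example (not part of the original article) reports LAPS coverage from Active Directory without reading any password. It assumes the RSAT ActiveDirectory module, a schema that already contains both the legacy and Windows LAPS attributes, and the standard expiration attribute names shown in the comments.

```powershell
# Added example: LAPS coverage audit for a domain.
# Assumptions: RSAT ActiveDirectory module is installed, and the AD schema has
# been extended for both legacy LAPS and Windows LAPS (otherwise Get-ADComputer
# rejects the unknown attribute name).
Import-Module ActiveDirectory

# Only the expiration timestamps are read, never the password attributes.
$legacyAttr  = 'ms-Mcs-AdmPwdExpirationTime'    # set by legacy Microsoft LAPS
$windowsAttr = 'msLAPS-PasswordExpirationTime'  # set by Windows LAPS

$nowUtc = (Get-Date).ToUniversalTime()

$report = Get-ADComputer -Filter 'Enabled -eq $true' -Properties $legacyAttr, $windowsAttr |
    ForEach-Object {
        $legacyRaw  = $_.$legacyAttr
        $windowsRaw = $_.$windowsAttr

        # Prefer the Windows LAPS timestamp when both are present.
        if ($null -ne $windowsRaw)    { $state = 'Windows LAPS'; $raw = $windowsRaw }
        elseif ($null -ne $legacyRaw) { $state = 'Legacy LAPS';  $raw = $legacyRaw }
        else                          { $state = 'Unmanaged';    $raw = $null }

        # Both attributes hold a Windows FILETIME value (64-bit integer).
        $expires = $null
        if ($null -ne $raw) { $expires = [DateTime]::FromFileTimeUtc([int64]$raw) }

        [pscustomobject]@{
            Computer   = $_.Name
            State      = $state
            ExpiresUtc = $expires
            # An expiry in the past means the password was not rotated on schedule.
            Overdue    = ($null -ne $expires) -and ($expires -lt $nowUtc)
        }
    }

# Summary by state, then the machines that need attention.
$report | Group-Object State | Select-Object Name, Count
$report | Where-Object { $_.State -eq 'Unmanaged' -or $_.Overdue } |
    Sort-Object State, Computer |
    Format-Table -AutoSize
```

Computers listed as Unmanaged have no rotated local Administrator password recorded in Active Directory, and Overdue entries usually point to a client that has stopped applying policy.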

Supported Windows Versions for Windows LAPS 

Windows LAPS supports the Professional, EDU, and Enterprise versions of Windows 10 and 11, Windows Server and Server Core 2022, and Windows Server 2019. Your domain functional level must be at least Windows Server 2016 for password encryption. 

Everything you need to configure Windows LAPS is in place following the April 2023 Windows updates, including the Group Policy files, the client (now built into Windows), and the settings in Azure Active Directory.

Learn how to set up Windows LAPS with Microsoft Intune here.


Windows LAPS: Quick and Easy Security 

LAPS has been the best way to protect local admin passwords for a long time, and the update provided by Windows LAPS improves it significantly. If you are not currently using LAPS, it’s time to take a serious look. 
