What’s New in Windows LAPS

Eric Commons

New and Improved LAPS

Microsoft recently announced the new and improved Windows LAPS. You may be familiar with the existing security product known as Microsoft Local Administrator Password Solution (LAPS). By regularly rotating the password of a specified local administrator account and backing it up to Active Directory (AD), LAPS has proven itself to be an essential and robust building block of on-premises AD enterprise security: every machine gets a unique local administrator password, so a credential harvested from one host cannot be reused to move laterally to the rest.
We're sharing an overview of the changes and functionality that the Managed Desktop team at Kraft Kennedy considers noteworthy and valuable for keeping leading organizations on the most current iterations of business-critical technologies.

Natively Integrated Into Windows

Windows LAPS is ready for use out of the box. You no longer need to install an external MSI package, although the Microsoft Software Installer (MSI) version of the legacy product can still be used. Future fixes and feature updates are delivered through the normal Windows patching process. Note that the feature is present but inactive until a policy configures a backup directory. For existing machines, Windows LAPS is available on the following OS platforms once the 2023-04 Cumulative Update for Windows (or later) is installed:

  • Windows 11 Pro, EDU, and Enterprise
  • Windows 10 Pro, EDU, and Enterprise
  • Windows Server 2022 and Windows Server Core 2022
  • Windows Server 2019
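The quickest way to confirm that a machine is on a build that carries Windows LAPS, and to see which flavour of LAPS policy it is actually receiving, is to look for the built-in module, the dedicated event log and the policy registry keys. The following script is an added example and is not code from the Kraft Kennedy post or from Microsoft; the registry paths are the documented Windows LAPS and Legacy LAPS policy locations, and the CSE path is the default Legacy LAPS MSI install location.

```powershell
# Added example: report Windows LAPS readiness and which policy the device is under.
function Get-WindowsLapsReadiness {
    [CmdletBinding()]
    param()

    $os = Get-CimInstance -ClassName Win32_OperatingSystem

    # Windows LAPS ships the 'LAPS' PowerShell module and its own event log.
    $module  = Get-Module -ListAvailable -Name LAPS | Select-Object -First 1
    $lapsLog = Get-WinEvent -ListLog 'Microsoft-Windows-LAPS/Operational' -ErrorAction SilentlyContinue

    # Windows LAPS policy written by Group Policy (or the CSP via Intune) lands here.
    $newPolicy = Get-ItemProperty -Path 'HKLM:\Software\Microsoft\Policies\LAPS' -ErrorAction SilentlyContinue

    # Legacy LAPS policy key and the legacy Group Policy client-side extension (AdmPwd.dll).
    $legacyPolicy = Get-ItemProperty -Path 'HKLM:\Software\Policies\Microsoft Services\AdmPwd' -ErrorAction SilentlyContinue
    $legacyCse    = Test-Path -Path (Join-Path $env:ProgramFiles 'LAPS\CSE\AdmPwd.dll')

    # BackupDirectory: 0 = disabled, 1 = Azure AD, 2 = Windows Server AD. Absent means "not configured",
    # in which case Windows LAPS is installed but does nothing.
    $backupMap       = @{ 0 = 'Disabled'; 1 = 'Azure Active Directory'; 2 = 'Windows Server Active Directory' }
    $backupDirectory = 'Not configured'
    if ($null -ne $newPolicy.BackupDirectory -and $backupMap.ContainsKey([int]$newPolicy.BackupDirectory)) {
        $backupDirectory = $backupMap[[int]$newPolicy.BackupDirectory]
    }

    [pscustomobject]@{
        ComputerName        = $env:COMPUTERNAME
        OSVersion           = $os.Version
        OSBuild             = [int]$os.BuildNumber
        WindowsLapsPresent  = [bool]($module -and $lapsLog)
        LapsModuleVersion   = if ($module) { $module.Version } else { $null }
        WindowsLapsPolicy   = [bool]$newPolicy
        BackupDirectory     = $backupDirectory
        LegacyPolicyPresent = [bool]$legacyPolicy
        LegacyCseInstalled  = $legacyCse
        # Legacy policy present, no legacy CSE and no Windows LAPS policy: Windows LAPS
        # falls back to emulating Legacy LAPS and writes the legacy ms-Mcs-AdmPwd attributes.
        EmulationMode       = [bool]($module -and $legacyPolicy -and -not $legacyCse -and -not $newPolicy)
    }
}

Get-WindowsLapsReadiness | Format-List
```

Run it locally, or wrap the function in `Invoke-Command -ComputerName` to sweep a fleet before you retire the Legacy LAPS MSI; a device that reports `WindowsLapsPresent` as `False` has not yet received the April 2023 update.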
Windows LAPS vs. Legacy Microsoft LAPS

Windows LAPS inherits many design concepts from the older Microsoft LAPS product, which has been rebranded as "Legacy LAPS". A key difference is that Windows LAPS is an entirely separate implementation that is native to Windows rather than a Group Policy client-side extension installed from an MSI. Windows LAPS also adds many features that aren't available in Legacy LAPS: the latest iteration can back up passwords to Azure Active Directory, encrypt passwords stored in Windows Server Active Directory, and keep a password history.

New Features

These features are available for use in on-premises Active Directory scenarios:

  • Password encryption: Stores the password in Active Directory encrypted to a principal you specify (Domain Admins by default) instead of in cleartext, so read access to the computer object alone is no longer enough to recover it. Requires a Windows Server 2016 domain functional level.
  • Password history: Keeps previous (encrypted) passwords in the directory, giving you the ability to log back into a device restored from an older backup image.
  • Directory Services Restore Mode (DSRM) password backups: Secures your domain controllers by backing up and regularly rotating the DSRM password, a critical recovery credential that is otherwise rarely changed.
  • Emulation mode: Useful if you want to continue using Legacy LAPS policy settings and tools while preparing to migrate to Windows LAPS. When only Legacy LAPS policy is present and the legacy client-side extension is not installed, Windows LAPS behaves like Legacy LAPS and writes to the legacy attributes.
  • Automatic rotation: After the managed account authenticates, Windows LAPS waits a configurable grace period and then rotates the password (optionally logging the account off or rebooting the device), so a password handed out for a support session does not stay valid afterwards.

The following features are available for use in both Azure Active Directory and on-premises Active Directory scenarios:

  • Rich policy management: Policy management is now available via both Group Policy and the Configuration Service Provider (CSP) used by Intune.
  • On-demand Windows LAPS account password rotation: You can now rotate the Windows LAPS password on demand from the Intune portal, or for AD-backed devices by expiring it in the directory. This is useful when responding to a potential breach.
  • Dedicated event log: The Microsoft-Windows-LAPS/Operational log enables improved diagnostics and data logging.
  • New PowerShell module: Adds improved management capabilities. For example, you can now rotate the password on demand using the new Reset-LapsPassword cmdlet, which runs on the managed device itself.
  • Hybrid-joined devices: Now fully supported.
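The on-demand rotation, directory retrieval and dedicated event log above combine naturally into an incident-response routine. The script below is an added example and is not code from the Kraft Kennedy post or from Microsoft. It assumes the Windows LAPS module on an administrative workstation, WinRM access to the managed device, and an operator who holds the read and reset rights on the device's OU; `WS-0421` is a hypothetical computer name.

```powershell
# Added example: retrieve, rotate and audit a Windows LAPS password backed up to AD.
Import-Module LAPS

function Get-LapsAdPasswordReport {
    # Current password plus history. Source and DecryptionStatus show whether the
    # directory copy was encrypted and whether the caller was an authorized decryptor.
    param([Parameter(Mandatory)][string]$ComputerName)

    Get-LapsADPassword -Identity $ComputerName -AsPlainText -IncludeHistory |
        Select-Object ComputerName, Account, Password, PasswordUpdateTime,
                      ExpirationTimestamp, Source, DecryptionStatus, AuthorizedDecryptor
}

function Invoke-LapsOnDemandRotation {
    # Reset  - run Reset-LapsPassword on the device itself (immediate, needs WinRM).
    # Expire - set the expiration time in AD to now so the device rotates at its next
    #          policy processing; we trigger that processing remotely when WinRM allows.
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [ValidateSet('Reset', 'Expire')][string]$Method = 'Reset'
    )

    switch ($Method) {
        'Reset' {
            Invoke-Command -ComputerName $ComputerName -ScriptBlock { Reset-LapsPassword }
        }
        'Expire' {
            Set-LapsADPasswordExpirationTime -Identity $ComputerName
            Invoke-Command -ComputerName $ComputerName -ScriptBlock { Invoke-LapsPolicyProcessing } -ErrorAction SilentlyContinue
        }
    }

    # Confirm from the directory that a fresh password was backed up.
    Get-LapsADPassword -Identity $ComputerName |
        Select-Object ComputerName, Account, PasswordUpdateTime, ExpirationTimestamp, Source
}

function Get-LapsDeviceEvents {
    # Most recent entries from the dedicated Windows LAPS log on the device; backup failures
    # (missing schema, missing permissions, encryption problems) are reported here.
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [int]$MaxEvents = 20
    )

    Get-WinEvent -ComputerName $ComputerName -LogName 'Microsoft-Windows-LAPS/Operational' -MaxEvents $MaxEvents |
        Select-Object TimeCreated, Id, LevelDisplayName, Message
}

# Usage during an incident: rotate first, then verify and collect the device-side log.
Invoke-LapsOnDemandRotation -ComputerName 'WS-0421' -Method Reset
Get-LapsDeviceEvents        -ComputerName 'WS-0421' -MaxEvents 10
Get-LapsAdPasswordReport    -ComputerName 'WS-0421'
```

Prefer the `Expire` method when WinRM to the device is blocked or the host is suspected compromised: it needs only directory rights, and the device completes the rotation on its own the next time it processes policy. Treat the output of `Get-LapsAdPasswordReport` as a secret; it prints the cleartext password.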
Windows LAPS Schema vs. Legacy Microsoft LAPS Schema

Like Legacy LAPS, Windows LAPS requires its own schema extension for a Windows Server Active Directory deployment; the new attributes are added with the Update-LapsADSchema cmdlet rather than the legacy AdmPwd.PS module. Note that msLAPS-Password is still a cleartext attribute, exactly like ms-Mcs-AdmPwd; only the msLAPS-Encrypted* attributes are protected by encryption, so the read-permission ACLs on the OU remain the control for the cleartext copy. To help you plan a migration from Legacy LAPS to Windows LAPS, the following table shows a logical mapping of schema extension elements:

Windows LAPS Schema Element            Legacy Microsoft LAPS Schema Element
msLAPS-PasswordExpirationTime          ms-Mcs-AdmPwdExpirationTime
msLAPS-Password                        ms-Mcs-AdmPwd
msLAPS-EncryptedPassword               Doesn't apply
msLAPS-EncryptedPasswordHistory        Doesn't apply
msLAPS-EncryptedDSRMPassword           Doesn't apply
msLAPS-EncryptedDSRMPasswordHistory    Doesn't apply
msLAPS-Encrypted-Password-Attributes   Doesn't apply
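A migration therefore has a directory side as well as a client side: extend the schema, let computers write the new attributes, delegate read and reset rights, and audit who can already read passwords through rights inherited from the Legacy LAPS deployment. The script below is an added example, not code from the Kraft Kennedy post or from Microsoft. It assumes the Windows LAPS and ActiveDirectory modules, Schema Admins membership for the schema step, and OU-level permissions for the rest; the OU and group names are hypothetical.

```powershell
# Added example: prepare Active Directory for Windows LAPS and audit legacy read rights.
Import-Module LAPS
Import-Module ActiveDirectory

$targetOu  = 'OU=Workstations,DC=corp,DC=example'   # hypothetical OU
$readers   = 'CORP\Helpdesk-LAPS-Readers'           # hypothetical group: may read passwords
$resetters = 'CORP\Helpdesk-LAPS-Reset'             # hypothetical group: may expire passwords

# 1. Extend the schema once per forest (Schema Admins). Safe to re-run on a forest
#    that already has the msLAPS-* attributes.
Update-LapsADSchema -Verbose

# 2. Confirm which attribute sets exist, so you know whether legacy tooling still works
#    on the same computer objects during the migration window.
function Get-LapsSchemaState {
    $schemaNc = (Get-ADRootDSE).schemaNamingContext
    foreach ($attr in 'ms-Mcs-AdmPwd', 'ms-Mcs-AdmPwdExpirationTime',
                      'msLAPS-Password', 'msLAPS-EncryptedPassword', 'msLAPS-EncryptedDSRMPassword') {
        $found = Get-ADObject -SearchBase $schemaNc -LDAPFilter "(&(objectClass=attributeSchema)(lDAPDisplayName=$attr))"
        [pscustomobject]@{ Attribute = $attr; Present = [bool]$found }
    }
}
Get-LapsSchemaState | Format-Table -AutoSize

# 3. Let computers in the OU write their own msLAPS-* attributes (SELF write permission).
Set-LapsADComputerSelfPermission -Identity $targetOu

# 4. Delegate read and reset rights scoped to the OU, not the domain. Reading an
#    encrypted password additionally requires membership in the ADPasswordEncryptionPrincipal.
Set-LapsADReadPasswordPermission  -Identity $targetOu -AllowedPrincipals $readers
Set-LapsADResetPasswordPermission -Identity $targetOu -AllowedPrincipals $resetters

# 5. Audit who holds the extended right that exposes the cleartext attributes. Holders
#    delegated for Legacy LAPS carry over to msLAPS-Password and should be reviewed.
Find-LapsADExtendedRights -Identity $targetOu |
    Select-Object ObjectDN, ExtendedRightHolders

# 6. Turn on auditing of successful password reads so retrieval shows up in the
#    domain controller security log.
Set-LapsADAuditing -Identity $targetOu -AuditedPrincipals 'Everyone' -AuditType Success
```

Run step 5 before and after the delegation change; any principal that appears in `ExtendedRightHolders` without a documented need was most likely granted read rights under Legacy LAPS and now has the same reach over the new attributes.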

 

Supported Policy Settings by Join State

The following table shows which settings apply to devices based on their specified join state:

Setting Name                          Azure Active Directory-joined   Hybrid-joined   Windows Server Active Directory-joined
BackupDirectory                       Yes                             Yes             Yes
PasswordAgeDays                       Yes                             Yes             Yes
PasswordLength                        Yes                             Yes             Yes
PasswordComplexity                    Yes                             Yes             Yes
PasswordExpirationProtectionEnabled   No                              Yes             Yes
AdministratorAccountName              Yes                             Yes             Yes
ADPasswordEncryptionEnabled           No                              Yes             Yes
ADPasswordEncryptionPrincipal         No                              Yes             Yes
ADEncryptedPasswordHistorySize        No                              Yes             Yes
ADBackupDSRMPassword                  No                              No              Yes
PostAuthenticationResetDelay          Yes                             Yes             Yes
PostAuthenticationActions             Yes                             Yes             Yes
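For AD-joined and hybrid-joined devices these settings are delivered as registry-based Group Policy, which means a GPO can be built and verified from PowerShell. The script below is an added example, not code from the Kraft Kennedy post or from Microsoft. It assumes the GroupPolicy RSAT module on a domain-joined administrative workstation and rights to create and link GPOs; the OU names, group names and the custom local account name are hypothetical, while the registry key and value names are the documented Windows LAPS policy locations. It splits the settings into one GPO for member devices and one for domain controllers, because the DSRM backup is only valid on the latter.

```powershell
# Added example: deploy Windows LAPS policy by GPO, one for members and one for domain controllers.
Import-Module GroupPolicy

$LapsPolicyKey = 'HKLM\Software\Microsoft\Policies\LAPS'

function Set-LapsGpo {
    # Creates (or updates) a GPO holding Windows LAPS registry policy, links it to an OU
    # and returns the values as stored in the GPO for verification.
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$TargetOu,
        [Parameter(Mandatory)][hashtable]$Settings
    )

    if (-not (Get-GPO -Name $Name -ErrorAction SilentlyContinue)) {
        New-GPO -Name $Name | Out-Null
    }

    foreach ($setting in $Settings.GetEnumerator()) {
        # Account and principal names are REG_SZ; every other setting is a REG_DWORD.
        $type = if ($setting.Value -is [string]) { 'String' } else { 'DWord' }
        Set-GPRegistryValue -Name $Name -Key $LapsPolicyKey -ValueName $setting.Key -Type $type -Value $setting.Value | Out-Null
    }

    $linked = (Get-GPInheritance -Target $TargetOu).GpoLinks | Where-Object DisplayName -eq $Name
    if (-not $linked) {
        New-GPLink -Name $Name -Target $TargetOu -LinkEnabled Yes | Out-Null
    }

    Get-GPRegistryValue -Name $Name -Key $LapsPolicyKey | Select-Object ValueName, Type, Value
}

# Member workstations and servers: back up to AD, encrypted, with history and
# post-authentication rotation. The AD-only settings are valid here because the
# devices are AD-joined or hybrid-joined; they would be ignored on Azure AD-only devices.
Set-LapsGpo -Name 'Windows LAPS - Members' -TargetOu 'OU=Workstations,DC=corp,DC=example' -Settings @{
    BackupDirectory                     = 2                      # 2 = Windows Server AD, 1 = Azure AD, 0 = disabled
    AdministratorAccountName            = 'LocalAdminSvc'        # hypothetical custom account; it must already exist
    PasswordAgeDays                     = 30
    PasswordLength                      = 20
    PasswordComplexity                  = 4                      # upper + lower + digits + special characters
    PasswordExpirationProtectionEnabled = 1                      # reject expiration times beyond PasswordAgeDays
    ADPasswordEncryptionEnabled         = 1                      # needs a Windows Server 2016 domain functional level
    ADPasswordEncryptionPrincipal       = 'CORP\LAPS-Decryptors'  # hypothetical group; default is Domain Admins
    ADEncryptedPasswordHistorySize      = 6
    PostAuthenticationResetDelay        = 4                      # hours after the managed account authenticates
    PostAuthenticationActions           = 3                      # 1 = reset, 3 = reset + log off, 5 = reset + reboot
}

# Domain controllers: the DSRM backup only applies here and requires encryption to be on.
Set-LapsGpo -Name 'Windows LAPS - Domain Controllers' -TargetOu 'OU=Domain Controllers,DC=corp,DC=example' -Settings @{
    BackupDirectory             = 2
    ADPasswordEncryptionEnabled = 1
    ADBackupDSRMPassword        = 1
    PasswordAgeDays             = 30
    PasswordLength              = 24
    PasswordComplexity          = 4
}
```

On a client, `gpupdate /force` followed by `Invoke-LapsPolicyProcessing` applies the policy immediately, and `Get-ItemProperty 'HKLM:\Software\Microsoft\Policies\LAPS'` shows what the device actually received. Azure AD-joined devices do not read this GPO at all; for them the same setting names are configured through the LAPS CSP in Intune, without the AD-only entries marked "No" in the table above.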

For assistance from the Kraft Kennedy team, please contact us.