Windows LAPS: Transition from Legacy to Modern Password Management

The legacy Microsoft LAPS product is deprecated as of Windows 11 23H2 and later.

The installation of the legacy Microsoft LAPS MSI package is blocked on newer versions of the operating system. Microsoft will no longer consider code changes for the legacy Microsoft LAPS product.

Microsoft recommends using Windows LAPS to manage local administrator account passwords. It is available on Windows Server 2019 and later. It’s also available on supported Windows 10 and Windows 11 clients.

Windows LAPS

Windows Local Administrator Password Solution (Windows LAPS) is a Windows feature that automatically manages and backs up the password of a local administrator account on devices joined to Microsoft Entra ID or Windows Server Active Directory.

You can use Windows LAPS to automatically manage the account password. On Windows Server Active Directory domain controllers it can also back up the Directory Services Restore Mode (DSRM) account password, which an authorized administrator can then retrieve and use.

Windows LAPS is available on the following operating system platforms with the specified update or a later version installed:

  • Windows 11 22H2 – April 11, 2023 Update
  • Windows 11 21H2 – April 11, 2023 Update
  • Windows 10 – April 11, 2023 Update
  • Windows Server 2022 – April 11, 2023 Update
  • Windows Server 2019 – April 11, 2023 Update

Windows LAPS architecture

The Windows LAPS architecture diagram includes several key components:

  • IT administrator: Collectively stands for the various IT administrator roles that might be involved in a Windows LAPS deployment. These roles configure policies, expire or retrieve stored passwords, and interact with managed devices.
  • Managed device: A device joined to Microsoft Entra ID, to Windows Server Active Directory, or both, on which you want to manage a local administrator account. The managed device can also be a Windows Server Active Directory domain controller, in which case it can be configured to back up the Directory Services Restore Mode (DSRM) account password.
  • Windows Server Active Directory: Your on-premises Windows Server Active Directory deployment.
  • Microsoft Entra ID: A Microsoft Entra deployment running in the cloud.
  • Microsoft Intune: The preferred solution for managing Microsoft device policies, also running in the cloud.
  • On the managed device, the feature consists of a few key binaries:
      • laps.dll for the core logic
      • lapscsp.dll for the configuration service provider (CSP) logic
      • lapspsh.dll for the PowerShell cmdlet logic

You can set up Windows LAPS by using Group Policy because it responds to GPO change notifications.

Microsoft LAPS legacy emulation

You can set up Windows LAPS to respect the legacy Microsoft LAPS Group Policy settings, but with some restrictions and limitations. The feature is called Microsoft LAPS legacy emulation mode.

You can use emulation mode if you are migrating an existing legacy Microsoft LAPS deployment to Windows LAPS.

When you set up Windows LAPS in legacy Microsoft LAPS emulation mode, Windows LAPS assumes that your Windows Server Active Directory environment is already configured to run legacy Microsoft LAPS.

Windows LAPS is always available and becomes active once a device has been joined to Microsoft Entra ID or Windows Server Active Directory.

By contrast, installing the legacy Microsoft LAPS software is often used as the mechanism to control when the legacy Microsoft LAPS policy takes effect.

The legacy Microsoft LAPS product is deprecated as of Windows 11 23H2 and later, and installation of the legacy Microsoft LAPS MSI package is blocked on newer versions of the operating system.

Like legacy Microsoft LAPS, emulation mode can store passwords in Windows Server Active Directory only in clear text. To increase security, migrate to using Windows LAPS natively, which lets you take advantage of password encryption.

Coexistence scenario with legacy LAPS

You can use both Windows LAPS and legacy LAPS in a side-by-side scenario. For the side-by-side scenario to succeed, both policies must target different on-premises accounts.

The long-term goal, nevertheless, should be to migrate from legacy LAPS to Windows LAPS.

Migration scenarios on existing devices

Immediate transition approach

  • Turn off or remove the legacy LAPS policy
  • Create and apply a Windows LAPS policy
  • Watch the managed device to confirm the successful transition
  • Remove legacy LAPS software

Transient side-by-side coexistence approach

  • Set up the managed device with a second local account
  • Create and apply a Windows LAPS policy
  • Watch the managed device to verify that the Windows LAPS policy was applied correctly
  • Turn off or remove the legacy LAPS policy
  • Remove the legacy LAPS software
  • Remove the extra account
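The "watch the managed device" step in both approaches, and the coexistence rule above that the two policies must manage different accounts, can be checked on the managed device with the PowerShell below. This is an added example, not code from the original article or from Microsoft; the registry policy paths, the legacy CSE file path, the operational log name and the output property names of Get-LapsADPassword are assumptions to verify against your own environment.

```powershell
# Added example: inspect a managed device during a legacy LAPS -> Windows LAPS
# migration. Run in an elevated PowerShell on the device. Registry paths and the
# legacy CSE path below are assumptions; adjust them if your deployment differs.
$legacyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd'   # legacy LAPS GPO
$windowsKey = 'HKLM:\SOFTWARE\Microsoft\Policies\LAPS'               # Windows LAPS policy
$legacyCse  = Join-Path $env:ProgramFiles 'LAPS\CSE\AdmPwd.dll'      # legacy LAPS client

function Get-PolicyValue([string]$Path, [string]$Name) {
    # Returns the policy value, or $null when the key or value is absent.
    if (-not (Test-Path $Path)) { return $null }
    $item = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    if ($item -and $item.PSObject.Properties[$Name]) { return $item.$Name }
    return $null
}

# 1. Which local account does each policy manage? A blank name means the
#    built-in Administrator. For side-by-side coexistence they must differ.
$legacyEnabled = Get-PolicyValue $legacyKey  'AdmPwdEnabled'        # 1 = enabled
$legacyTarget  = Get-PolicyValue $legacyKey  'AdminAccountName'
$lapsBackup    = Get-PolicyValue $windowsKey 'BackupDirectory'      # 1 = Entra, 2 = AD
$lapsTarget    = Get-PolicyValue $windowsKey 'AdministratorAccountName'
if (-not $legacyTarget) { $legacyTarget = 'Administrator (built-in)' }
if (-not $lapsTarget)   { $lapsTarget   = 'Administrator (built-in)' }

[pscustomobject]@{
    LegacyPolicyEnabled   = ($legacyEnabled -eq 1)
    LegacyPolicyTarget    = $legacyTarget
    LegacyClientInstalled = (Test-Path $legacyCse)
    WindowsLapsEnabled    = ([int]$lapsBackup -gt 0)
    WindowsLapsTarget     = $lapsTarget
} | Format-List

if (($legacyEnabled -eq 1) -and ([int]$lapsBackup -gt 0) -and ($legacyTarget -eq $lapsTarget)) {
    Write-Warning "Both policies manage '$lapsTarget'; coexistence needs different accounts."
}

# 2. Force a Windows LAPS policy cycle and read the feature's operational log to
#    confirm the new policy was applied and the password was backed up.
Invoke-LapsPolicyProcessing
Get-WinEvent -LogName 'Microsoft-Windows-LAPS/Operational' -MaxEvents 20 |
    Select-Object TimeCreated, Id, LevelDisplayName, Message | Format-Table -Wrap

# 3. Optional, needs read rights on the msLAPS-* attributes: confirm the backup in
#    AD without displaying the secret (Password stays a SecureString here).
Get-LapsADPassword -Identity $env:COMPUTERNAME |
    Select-Object ComputerName, Account, PasswordUpdateTime, ExpirationTimestamp
```

Once the summary shows the legacy policy disabled, the legacy client absent and Windows LAPS enabled with a recent successful entry in the operational log, the transition on that device is complete.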
