Microsoft Cloud LAPS Password Management Solution

Microsoft Cloud LAPS is a password management solution that securely randomizes the local administrator account password and backs it up to Azure AD. Here you will get some insights into what Microsoft is bringing to you in Cloud LAPS.

The Local Administrator Password Solution (LAPS) has been widely used by IT pros for nearly a decade to secure Windows devices, aid in device recovery, and support helpdesk scenarios, and now Microsoft is modernizing and improving this technology. For the LAPS client installation using Microsoft Intune, you can refer to the step-by-step guide Install LAPS Using Intune Application Deployment Guide.

LAPS is currently available to limited Insiders in the Windows 11 Insider Preview Build 25145 and later. Azure scenarios are currently limited to private preview customers. Cloud LAPS is not a premium feature and is expected to ship in Q1 2023.

In the session Managing local admin account passwords in AD and Azure AD, part of the Microsoft Technical Takeoff: Windows + Intune, the technical team provided a deep dive into LAPS and the plan for making it native to Windows.

Microsoft LAPS for Azure AD will be able to store the passwords of Azure AD joined devices on the AAD device object, offers a cloud-based management experience, lets passwords be retrieved via Graph or the Azure portal or rotated through Intune settings configuration, and more.

Cloud LAPS Password Management Solution

Let’s check the new version of Cloud LAPS. Microsoft is moving it natively into the operating system, so there will no longer be a need to install a separate MSI package. Moving into the operating system has a lot of advantages: it normalizes patching through the Windows Update channel.

As part of modernizing the policy management experience for LAPS, you will be able to manage and configure the various LAPS settings from the cloud via the Microsoft Intune portal.

Considering that a lot of customers have deployed install bases of the current existing product, Microsoft wants to make it very easy to run the new solution side by side with it until you can get migrated over.

Goals – Microsoft Cloud LAPS Password Management Solution Fig.1 Credit Jay Simmons

Supported Platforms

Windows LAPS is supported on desktop Windows, Windows Server, and Windows Server Core. Windows LAPS is a native Windows feature on all supported SKUs. No extra steps are required to install the feature.

Support for the Windows LAPS Azure Active Directory scenario currently is limited to a small number of Windows Insider users.

LAPS for Azure AD

Let’s go through what Microsoft is adding to the LAPS feature for Azure Active Directory (Azure AD). The device will now have the capability to store passwords in Azure; these are going to be stored on the Azure AD device object.

Microsoft is modernizing the cloud-based management experience. In Azure you will retrieve passwords over Microsoft Graph, and there will be an associated RBAC policy coming up.

Later this year there will also be a first-class password retrieval and management experience via the Azure portal, and you’ll be able to manage all of the LAPS policy settings via the Microsoft Intune portal.

If you’re managing a device’s LAPS settings from the cloud, you will have the ability to do an on-demand password rotation for Hybrid Joined devices as well, from the Intune portal.

This scenario will work: you can configure those hybrid devices to back up their passwords to Azure, which works just fine with the client-side features. It’s a security improvement designed to limit password exposure after use.

LAPS for Azure AD – Microsoft Cloud LAPS Password Management Solution Fig.2 Credit Jay Simmons

LAPS CSP Policies for Azure AD

The Windows LAPS CSP and Windows LAPS Group Policy object both manage the same settings, but only a subset of these settings apply to Windows LAPS in Azure mode.

The following settings are applicable when backing passwords up to Azure Active Directory:

  • BackupDirectory
  • PasswordLength
  • AdministratorAccountName
  • PasswordAgeDays
  • PasswordComplexity
  • PostAuthenticationResetDelay
  • PostAuthenticationActions

LAPS CSP – Microsoft Cloud LAPS Password Management Solution Fig.3 Credit Jay Simmons

List – Cloud LAPS Windows CSP

Jose Luis Mesones Albitres shared an excellent list of Windows CSPs for Cloud LAPS in the following Table. You can refer to the latest updates in the spreadsheet that he provided in the comments section of this post.

Table 1 – Cloud LAPS Windows CSP settings (Name, Description, OMA-URI, Value Type)

Name: LAPS BackupDirectory
Description: Allows the administrator to configure which directory the local administrator account password is backed up to. Data type is integer.
  0 – Disabled (password won’t be backed up)
  1 – Back up the password to Azure AD only
  2 – Back up the password to Active Directory only
OMA-URI: ./Device/Vendor/MSFT/LAPS/Policies/BackupDirectory
Value Type: Integer

Name: LAPS PasswordAgeDays
Description: Use this policy to configure the maximum password age of the managed local administrator account. If not specified, this setting will default to 30 days. This setting has a minimum allowed value of 1 day when backing the password up to on-premises Active Directory, and 7 days when backing the password up to Azure AD. This setting has a maximum allowed value of 365 days. Data type is integer.
OMA-URI: ./Device/Vendor/MSFT/LAPS/Policies/PasswordAgeDays
Value Type: Integer

Name: LAPS PasswordComplexity
Description: Use this setting to configure the password complexity of the managed local administrator account. Data type is integer.
  1 – Large letters
  2 – Large letters + small letters
  3 – Large letters + small letters + numbers
  4 – Large letters + small letters + numbers + special characters
OMA-URI: ./Device/Vendor/MSFT/LAPS/Policies/PasswordComplexity
Value Type: Integer

Name: LAPS PasswordLength
Description: Use this setting to configure the length of the password of the managed local administrator account. If not specified, this setting will default to 14 characters. This setting has a minimum allowed value of 8 characters and a maximum allowed value of 64 characters. Data type is integer.
OMA-URI: ./Device/Vendor/MSFT/LAPS/Policies/PasswordLength
Value Type: Integer

Name: LAPS AdministratorAccountName
Description: Use this setting to configure the name of the managed local administrator account. If not specified, the default built-in local administrator account will be located by well-known SID (even if renamed). If specified, the specified account’s password will be managed. Note: if a custom account name is specified in this setting, the specified account must be created via other means; specifying a name in this setting will not cause the account to be created. Data type is string.
OMA-URI: ./Device/Vendor/MSFT/LAPS/Policies/AdministratorAccountName
Value Type: String

Name: LAPS PostAuthenticationResetDelay
Description: Use this setting to specify the amount of time (in hours) to wait after an authentication before executing the specified post-authentication actions (see the PostAuthenticationActions setting below). If not specified, this setting will default to 24 hours. This setting has a minimum allowed value of 0 hours (this disables all post-authentication actions) and a maximum allowed value of 24 hours. Data type is integer.
OMA-URI: ./Device/Vendor/MSFT/LAPS/Policies/PostAuthenticationResetDelay
Value Type: Integer

Name: LAPS PostAuthenticationActions
Description: Use this setting to specify the actions to take upon expiration of the configured grace period (see the PostAuthenticationResetDelay setting above). Data type is integer.
  1 – Reset password: the managed account password will be reset
  3 – Reset password and log off: the managed account password will be reset and any interactive logon sessions using the managed account will be terminated
  5 – Reset password and reboot: the managed account password will be reset and the managed device will be immediately rebooted
OMA-URI: ./Device/Vendor/MSFT/LAPS/Policies/PostAuthenticationActions
Value Type: Integer

Microsoft Cloud LAPS Password Management Solution – Table 1
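Because the ranges in Table 1 differ by backup target (PasswordAgeDays has a 7-day minimum when backing up to Azure AD but 1 day for on-premises AD, and a delay of 0 silently disables the post-authentication actions), it is worth checking a profile before assigning it. The following Python script is an added example written for this post; it is not code from Microsoft, Intune or the Windows LAPS CSP. It takes a dictionary of OMA-URI values as you would enter them in an Intune custom configuration profile and reports values outside the ranges documented in Table 1. The node names and ranges are the ones from the table; the sample policy at the end is constructed.

```python
"""Check a Windows LAPS CSP policy against the ranges documented in Table 1.

Added example; not code from the page, from Microsoft, or from any LAPS tooling.
The OMA-URI node names and numeric ranges are the ones listed in Table 1; the
sample policy at the bottom is constructed for illustration.
"""
from typing import Dict, List

LAPS_BASE = "./Device/Vendor/MSFT/LAPS/Policies/"

# Settings Table 1 lists as applicable when backing passwords up to Azure AD.
AZURE_AD_SETTINGS = {
    "BackupDirectory", "PasswordLength", "AdministratorAccountName",
    "PasswordAgeDays", "PasswordComplexity",
    "PostAuthenticationResetDelay", "PostAuthenticationActions",
}

# Integer settings with a fixed inclusive range. PasswordAgeDays is handled
# separately because its minimum depends on BackupDirectory.
FIXED_RANGES = {
    "PasswordLength": (8, 64),
    "PasswordComplexity": (1, 4),
    "PostAuthenticationResetDelay": (0, 24),
}

# Enumerated settings: BackupDirectory 0/1/2, PostAuthenticationActions 1/3/5.
ALLOWED_VALUES = {
    "BackupDirectory": {0, 1, 2},
    "PostAuthenticationActions": {1, 3, 5},
}


def _is_int(value: object) -> bool:
    # bool is a subclass of int in Python; a policy value of True is a mistake.
    return isinstance(value, int) and not isinstance(value, bool)


def validate_laps_policy(policy: Dict[str, object]) -> List[str]:
    """Return a list of findings; an empty list means the policy is consistent.

    `policy` maps a full OMA-URI to the value that would be entered in an
    Intune custom configuration profile.
    """
    findings: List[str] = []
    settings: Dict[str, object] = {}

    for uri, value in policy.items():
        if not uri.startswith(LAPS_BASE):
            findings.append(f"{uri}: OMA-URI is outside the LAPS policy node")
            continue
        name = uri[len(LAPS_BASE):]
        if name not in AZURE_AD_SETTINGS:
            findings.append(f"{name}: not listed as applicable when backing up to Azure AD")
            continue
        settings[name] = value

    for name, allowed in ALLOWED_VALUES.items():
        if name in settings and (not _is_int(settings[name]) or settings[name] not in allowed):
            findings.append(f"{name}: {settings[name]!r} is not one of {sorted(allowed)}")

    for name, (low, high) in FIXED_RANGES.items():
        value = settings.get(name)
        if value is not None and (not _is_int(value) or not low <= value <= high):
            findings.append(f"{name}: {value!r} is outside the allowed range {low}-{high}")

    backup = settings.get("BackupDirectory")
    if backup == 0:
        findings.append("BackupDirectory: 0 disables password backup entirely")

    age = settings.get("PasswordAgeDays")
    if age is not None:
        # Minimum age is 7 days for Azure AD backup (1) and 1 day for on-prem AD (2).
        minimum = 7 if backup == 1 else 1
        if not _is_int(age) or not minimum <= age <= 365:
            findings.append(f"PasswordAgeDays: {age!r} is outside the allowed range {minimum}-365")

    account = settings.get("AdministratorAccountName")
    if account is not None and (not isinstance(account, str) or not account.strip()):
        findings.append("AdministratorAccountName: must be a non-empty string")

    if settings.get("PostAuthenticationResetDelay") == 0 and "PostAuthenticationActions" in settings:
        findings.append("PostAuthenticationResetDelay: 0 disables the configured post-authentication actions")

    return findings


# Constructed sample: backs up to Azure AD but sets a 3-day age, below the 7-day minimum.
SAMPLE_POLICY = {
    LAPS_BASE + "BackupDirectory": 1,
    LAPS_BASE + "PasswordAgeDays": 3,
    LAPS_BASE + "PasswordLength": 20,
    LAPS_BASE + "PasswordComplexity": 4,
    LAPS_BASE + "PostAuthenticationResetDelay": 8,
    LAPS_BASE + "PostAuthenticationActions": 3,
}

if __name__ == "__main__":
    for finding in validate_laps_policy(SAMPLE_POLICY) or ["no findings"]:
        print(finding)
```

Run against the constructed sample, the script reports only the PasswordAgeDays value; raising it to 7 (or switching BackupDirectory to 2, where 1 day is allowed) clears the finding. The check for a delay of 0 is informational: the value is valid, but it means the PostAuthenticationActions you configured will never run.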
