Microsoft Cloud LAPS Password management solution to securely randomize and back up the password of the local administrator account to Azure AD. Here you will get some insights into what Microsoft brings you in Cloud LAPS.
The Local Administrator Password Solution (LAPS) has been widely used by IT pros for nearly a decade to secure Windows devices, aid in device recovery, and support helpdesk scenarios, and now Microsoft modernizing and improving this technology. The LAPS Client installation using Microsoft Intune. You can refer to the step by step guide ->Install LAPS Using Intune Application Deployment Guide.
LAPS is currently available to limited Insiders in the Windows 11 Insider Preview Build 25145 and later. Azure scenarios are currently limited to private preview customers. Cloud LAPS is not a premium feature, expected to ship in Q1, 2023.
In the session for Managing local admin account passwords in AD and Azure AD part of the Microsoft Technical Takeoff: Windows + Intune, the Technical team provided deep dive into and next plan for making it native to Windows.
Microsoft LAPS for AzureAD will have the ability to store passwords of AzureAD joined devices on the AAD device object, Cloud-based management experience, passwords retrieved via Graph, Azure portal, or rotated through Intune settings configuration, and more.
- Microsoft Intune Service Release 2210 October Update New Features
- Intune Support for Endpoint Privilege Management
Cloud LAPS Password Management Solution
Let’s check the new version of Cloud LAPS. Microsoft is going to be natively moving it into the operating system, so there will no longer be a need to install a separate MSI package. Moving into the operating system has a lot of advantages it normalizes the patching capability from the Windows update channel.
Modernizing the policy management experience for LAPS, you will have the ability to manage and configure the various LAPS settings from the cloud Microsoft Intune portal.
Considering that a lot of customers have deployed install bases of the current existing product and Microsoft wants to make it very easy to run the new solution side by side until you can get migrated over.
Supported Platforms
Windows LAPS is supported on desktop Windows, Windows Server, and Windows Server Core. Windows LAPS is a native Windows feature on all supported SKUs. No extra steps are required to install the feature.
Support for the Windows LAPS Azure Active Directory scenario is currently limited to Windows 11 Insider Preview Build 25145 and later and the Azure Active Directory LAPS scenario is in private preview.
LAPS for Azure AD
Let’s go through what Microsoft is adding in the LAPS feature for Azure active directory (Azure AD) the device will now have the capability to store passwords in Azure these are going to be stored on the Azure device object.
Microsoft modernizes the cloud-based management experience, In Azure you will be retrieving them over Microsoft graph there will be an Associated RBAC policy that is associated with that coming up.
Later this year but there will be a first-class password retrieval scenario management experience via the Azure portal you’ll be able to manage all of the LAPS policy settings via the Microsoft Intune portal.
If you’re managing a device’s LAPS settings from the cloud, you will have the ability to do an on-demand password rotation for the Hybrid Joined devices as well from the Intune portal.
This scenario will work you can configure those hybrid devices to back up their passwords to Azure which will work just fine with the client-side features, it’s a security Improvement designed to limit password exposure after use.
- Azure AD LAPs Group Policy Settings For Windows 11 | Intune Policy For LAPs
- Enable Intune LAPS | Local Administrator Password Solution | Proactive Remediation Feature
LAPS CSP Policies for Azure AD
The Windows LAPS CSP and Windows LAPS Group Policy object both manage the same settings, but only a subset of these settings apply to Windows LAPS in Azure mode.
The following settings are applicable when backing passwords up to Azure Active Directory:
- BackupDirectory
- PasswordLength
- AdministratorAccountName
- PasswordAgeDays
- PasswordComplexity
- PostAuthenticationResetDelay
- PostAuthenticationActions
List – Cloud LAPS Windows CSP
Jose Luis Mesones Albitres shared an excellent list of Windows CSPs for Cloud LAPS in the following Table. You can refer to the latest updates in the spreadsheet that he provided in the comments section of this post.
| Name | Description | OMA-URI | Value Type |
|---|---|---|---|
| LAPS BackupDirectory | Allows the administrator to configure which directory the local administrator account password is backed up to. Data type is integer. 0 – Disabled (password won’t be backed up) 1 – Back up the password to Azure AD only 2 – Back up the password to Active Directory only | ./Device/Vendor/MSFT/LAPS/Policies/BackupDirectory | Integer |
| LAPS PasswordAgeDays | Use this policy to configure the maximum password age of the managed local administrator account. If not specified, this setting will default to 30 days This setting has a minimum allowed value of 1 day when backing the password to on-premises Active Directory, and 7 days when backing the password Azure AD. This setting has a maximum allowed value of 365 days. Data type is integer. | ./Device/Vendor/MSFT/LAPS/Policies/PasswordAgeDays | Integer |
| LAPS PasswordComplexity | Use this setting to configure password complexity of the managed local administrator account. Data type is integer. 1- Large letters 2 – Large letters + small letters 3 – Large letters + small letters + numbers 4 – Large letters + small letters + numbers + special characters | ./Device/Vendor/MSFT/LAPS/Policies/PasswordComplexity | Integer |
| LAPS PasswordLength | Use this setting to configure the length of the password of the managed local administrator account. If not specified, this setting will default to 14 characters. This setting has a minimum allowed value of 8 characters. This setting has a maximum allowed value of 64 characters. Data type is integer. | ./Device/Vendor/MSFT/LAPS/Policies/PasswordLength | Integer |
| LAPS AdministratorAccountName | Use this setting to configure the name of the managed local administrator account. If not specified, the default built-in local administrator account will be located by well-known SID (even if renamed). If specified, the specified account’s password will be managed. Notes: If a custom account name is specified in this setting, the specified account must be created via other means. Specifying a name in this setting will not cause the account to be created. Data type is string. | ./Device/Vendor/MSFT/LAPS/Policies/AdministratorAccountName | String |
| LAPS PostAuthenticationResetDelay | Use this setting to specify the amount of time (in hours) to wait after an authentication before executing the specified post-authentication actions (see the PostAuthenticationActions setting below). If not specified, this setting will default to 24 hours. This setting has a minimum allowed value of 0 hours (this disables all post-authentication actions). This setting has a maximum allowed value of 24 hours. Data type is integer. | ./Device/Vendor/MSFT/LAPS/Policies/PostAuthenticationResetDelay | Integer |
| LAPS PostAuthenticationActions | Use this setting to specify the actions to take upon expiration of the configured grace period (see the PostAuthenticationResetDelay setting above). Data type is integer. 1 – Reset password The managed account password will be reset 3 – Reset password and log off The managed account password will be reset and any interactive logon sessions using the managed account will be terminated 5 – Reset password and reboot The managed account password will be reset and the managed device will be immediately rebooted. | ./Device/Vendor/MSFT/LAPS/Policies/PostAuthenticationActions | Integer |
Author
About Author – Jitesh, Microsoft MVP, has over five years of working experience in the IT Industry. He writes and shares his experiences related to Microsoft device management technologies and IT Infrastructure management. His primary focus is Windows 10 Deployment solution with Configuration Manager, Microsoft Deployment Toolkit (MDT), and Microsoft Intune.
What do you think about Win10 support?
What about W10 ?
I put together this OMA-URI list to make it easier to copy and paste when it becomes available to us peasants.
https://1drv.ms/x/s!AtBxBgo0HqI5gfUialOX-Yo_oq5laA
Win10!