Let’s discuss how to enable the Windows LAPS managed account in WinRE or Safe Mode. A new feature in Windows Local Administrator Password Solution (LAPS) lets the LAPS-managed account be enabled automatically even in WinRE (Windows Recovery Environment) or Safe Mode.
When your computer needs to start in a recovery or troubleshooting mode, LAPS can still efficiently handle and secure the local administrator password. This improvement ensures that password management remains effective even when you may need to use WinRE or Safe Mode to address issues on your Windows system.
Windows Local Administrator Password Solution (LAPS) has introduced a noteworthy feature related to its integration with Safe Mode boot, also known as Windows Recovery Mode. If you are new to Windows LAPS, the post LAPS for Windows 10 11 Privileged Access Management gives the background.
This new feature enhances how LAPS works when your Windows system needs to start in Safe Mode. Safe Mode is a troubleshooting option where Windows starts with basic functionality, often used to fix system issues.
- Setup New Windows LAPs using Intune Policies Local Admin Password Management Policy
- Windows LAPS Role-Based Access Controls using Intune
What is Microsoft Local Administrator Password Solution (LAPS)?
LAPS is essential to a broader strategy to mitigate and monitor credential theft. It centrally stores local administrator account passwords in Active Directory and simplifies password management without the need for extra servers.
Enable Windows LAPS Managed Account in WinRE or Safemode
Let’s discuss setting up LAPS to manage a specific admin account. To keep things clear, we first remove the existing local admin account. This ensures that we start fresh and configure LAPS to manage this admin account without interference from the existing one.
- Right-click the LocalAdmin account and select the Delete option
The Local Users and Groups popup window shows: “Each user account has a unique identifier in addition to their user name. Deleting a user account deletes this identifier, and it cannot be restored, even if you create a new account with an identical user name. This can prevent users from accessing resources they currently have permission to access.”
- Click the Yes button from the below popup window.
You can easily disable the LapsAdmin by right-clicking the LapsAdmin and clicking properties. From the LapsAdmin Properties, select the “Account is disabled” option.
Enable Name of Administrator Account to Manage
This policy setting specifies a custom Administrator account name to manage the password for. If this policy setting is enabled, LAPS will manage the password for the local account with this name. If this policy setting is disabled or not configured, LAPS will manage the password for the well-known Administrator account.
Let’s configure the lab policy. We enable the account name setting first. DO NOT enable this policy setting to manage the built-in Administrator account: the built-in Administrator account is auto-detected by its well-known SID and does not depend on the account name.
- Select the Enabled option and provide an account name as LapsAdmin
- Click the OK button
Policy Name | Enable | Disable |
---|---|---|
Name of administrator account to manage | LAPS will manage the password for a local account with this name | LAPS will manage the password for the well-known Administrator account |
Enable Password Encryption
When you enable this setting, the managed password is encrypted before being sent to Active Directory. Enabling this setting has no effect unless 1) the password has been configured to be backed up to Active Directory and 2) the Active Directory domain functional level is at Windows Server 2016 or above.
- The managed account password is encrypted if this setting is enabled and the domain functional level is at or above Windows Server 2016.
- If this setting is enabled, and the domain functional level is less than Windows Server 2016, the managed account password is not backed up to the directory.
- If this setting is disabled, the managed account password is not encrypted.
- This setting will default to enabled if not configured.
- Select the Enable option and click OK.
Use the password backup directory setting to configure which directory the local admin account password is backed up to. The allowable settings are:
- 0=Disabled (password will not be backed up)
- 1=Backup the password to Azure Active Directory
- 2=Backup the password to Active Directory
- If not specified, this setting will default to 0 (Disabled).
- If this setting is configured to 1, and the managed device is not joined to Azure Active Directory, the local administrator password will not be managed.
- If this setting is configured to 2, and the managed device is not joined to Active Directory, the local administrator password will not be managed.
At this point, LAPS should have updated the password in Active Directory. Open Windows PowerShell and run the two commands below, pressing Enter after each:

```powershell
PS C:\> Invoke-LapsPolicyProcessing
PS C:\> Get-LapsADPassword -Identity lapsDemoclient -AsPlainText
```

It will show results like the following:

```text
ComputerName        : LAPSDEMOCLIENT
DistinguishedName   : CN=LAPSDEMOCLIENT,OU=LapsDemoou,DC=laps,DC=com
Account             : LapsAdmin
Password            : HTsf.gu6R+70d$
PasswordUpdateTime  : 10/21/2023 12:37:11 PM
ExpirationTimestamp : 11/20/2023 11:37:11 AM
Source              : EncryptedPassword
DecryptionStatus    : Success
AuthorizedDecryptor : LAPS\Domain Admins

PS C:\>
```
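The following script is an added example (not code from the original post or from Microsoft) that ties the three policy settings above to the verification commands just shown. It assumes the local configuration key `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\LAPS\Config` is the documented lowest-precedence Windows LAPS policy source intended for single-machine lab testing (in production these values come from Group Policy or the Intune CSP), that the LAPS PowerShell module is installed, and that the managed account name is LapsAdmin as in the walkthrough. It reads the escrowed password without `-AsPlainText`, so the secret stays a SecureString and out of console history, and it checks the fields that matter rather than just printing the object.

```powershell
#Requires -RunAsAdministrator
# Added example: apply the lab policy values and confirm the rotated password is in AD.
# Assumed lab-only policy location (lowest precedence; GPO/CSP values override it).
$LapsLocalConfig = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\LAPS\Config'
$ManagedAccount  = 'LapsAdmin'          # account name from the walkthrough
$ComputerName    = $env:COMPUTERNAME

function Set-LapsLabPolicy {
    param([Parameter(Mandatory)][string]$AccountName)

    # The built-in account is located by its well-known SID, not by name, so this
    # policy must never point at it.
    if ($AccountName -ieq 'Administrator') {
        throw 'Do not use this policy for the built-in Administrator account.'
    }
    if (-not (Test-Path $LapsLocalConfig)) {
        New-Item -Path $LapsLocalConfig -Force | Out-Null
    }
    # Name of administrator account to manage
    New-ItemProperty -Path $LapsLocalConfig -Name AdministratorAccountName `
        -PropertyType String -Value $AccountName -Force | Out-Null
    # Enable password encryption (only effective with AD backup and DFL >= Windows Server 2016)
    New-ItemProperty -Path $LapsLocalConfig -Name ADPasswordEncryptionEnabled `
        -PropertyType DWord -Value 1 -Force | Out-Null
    # Configure password backup directory: 2 = Active Directory
    New-ItemProperty -Path $LapsLocalConfig -Name BackupDirectory `
        -PropertyType DWord -Value 2 -Force | Out-Null
}

function Test-LapsManagedPassword {
    param(
        [Parameter(Mandatory)][string]$Identity,
        [Parameter(Mandatory)][string]$ExpectedAccount
    )
    # Force a policy cycle so the new settings take effect and a backup happens now.
    Invoke-LapsPolicyProcessing

    # Without -AsPlainText the Password property is a SecureString; that is enough to
    # prove the escrow worked without echoing the secret.
    $entry = Get-LapsADPassword -Identity $Identity

    $problems = @()
    if ($entry.Account -ne $ExpectedAccount) {
        $problems += "managed account is '$($entry.Account)', expected '$ExpectedAccount'"
    }
    if ($entry.Source -ne 'EncryptedPassword') {
        $problems += "password stored as '$($entry.Source)', encryption not in effect"
    }
    if ($entry.DecryptionStatus -ne 'Success') {
        $problems += "decryption status '$($entry.DecryptionStatus)'"
    }
    if ($entry.ExpirationTimestamp -le (Get-Date)) {
        $problems += 'stored password is already expired; rotation is not happening'
    }

    [pscustomobject]@{
        Computer   = $entry.ComputerName
        Account    = $entry.Account
        Updated    = $entry.PasswordUpdateTime
        Expires    = $entry.ExpirationTimestamp
        Decryptor  = $entry.AuthorizedDecryptor
        Healthy    = ($problems.Count -eq 0)
        Problems   = ($problems -join '; ')
    }
}

Set-LapsLabPolicy -AccountName $ManagedAccount
Test-LapsManagedPassword -Identity $ComputerName -ExpectedAccount $ManagedAccount | Format-List
```

Run it on the lab client as an account that is an authorized decryptor (LAPS\Domain Admins in the output above). A `Healthy` of `False` with `Problems` naming the `Source` field is the usual sign that encryption was enabled on a domain whose functional level is below Windows Server 2016, which is exactly the case the password encryption notes above warn about.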
Firstly, it is essential to note that these registry settings can also be configured using the Security CSP for Intune-managed devices. Now, focusing on the traditional Safe Mode behaviour: previously, all local accounts were enabled so that the authentication screen could be shown. In the current scenario, even though all other accounts are disabled, the only account that will be enabled is the LAPS-managed account, in this lab “LapsAdmin.”
```text
C:\>reg.exe add HKLM\Software\Policies\Microsoft\WinRE /v WinREAuthenticationRequirement /t REG_DWORD /d 0
The operation completed successfully.

C:\>reagentc /boottore
REAGENTC.EXE: Operation Successful.

C:\>shutdown /t 0 /f /r
```
After entering the command “C:\>shutdown /t 0 /f /r,” the system restarts. The second screenshot confirms that the system is working and progressing after a short while.
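Before sending a machine into recovery, it helps to confirm that each piece the walkthrough relies on is actually in place. The script below is an added example, not code from the original post: it writes the same WinRE registry value shown above, checks that the managed account exists and is still disabled (so that WinRE enabling it is what lets you sign in), confirms WinRE itself is enabled, and only then sets the boot-to-recovery flag. It assumes the managed account is named LapsAdmin, that `reagentc /info` prints the English label `Windows RE status:`, and that the Microsoft.PowerShell.LocalAccounts module (Windows PowerShell 5.1) is available.

```powershell
#Requires -RunAsAdministrator
# Added example: readiness checks before rebooting a lab machine into WinRE
# to exercise the LAPS managed-account sign-in.
$WinREPolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\WinRE'   # key from the walkthrough
$ManagedAccount = 'LapsAdmin'                                  # assumed managed account name

function Set-WinReLapsPolicy {
    if (-not (Test-Path $WinREPolicyKey)) {
        New-Item -Path $WinREPolicyKey -Force | Out-Null
    }
    # Equivalent of:
    # reg.exe add HKLM\Software\Policies\Microsoft\WinRE /v WinREAuthenticationRequirement /t REG_DWORD /d 0
    New-ItemProperty -Path $WinREPolicyKey -Name WinREAuthenticationRequirement `
        -PropertyType DWord -Value 0 -Force | Out-Null
}

function Test-WinReLapsReadiness {
    param([Parameter(Mandatory)][string]$AccountName)
    $findings = [ordered]@{}

    # 1. The managed account must exist and, per the walkthrough, be disabled;
    #    WinRE enables the LAPS-managed account on its own.
    $acct = Get-LocalUser -Name $AccountName -ErrorAction SilentlyContinue
    $findings['ManagedAccountExists']   = [bool]$acct
    $findings['ManagedAccountDisabled'] = [bool]($acct -and -not $acct.Enabled)

    # 2. The WinRE authentication value the walkthrough sets (REG_DWORD 0).
    $item = Get-ItemProperty -Path $WinREPolicyKey -Name WinREAuthenticationRequirement -ErrorAction SilentlyContinue
    $findings['WinREAuthRequirementSet'] = ($null -ne $item -and $item.WinREAuthenticationRequirement -eq 0)

    # 3. WinRE must be enabled, otherwise 'reagentc /boottore' has nothing to boot into.
    $info = & reagentc.exe /info 2>&1
    $findings['WinReEnabled'] = [bool]($info | Select-String -Pattern 'Windows RE status:\s+Enabled')

    [pscustomobject]$findings
}

Set-WinReLapsPolicy
$state = Test-WinReLapsReadiness -AccountName $ManagedAccount
$state | Format-List

# Set the recovery boot flag only when every check passed; otherwise fix the gap first.
if ($state.PSObject.Properties.Value -notcontains $false) {
    & reagentc.exe /boottore
    Write-Host 'Next boot goes to WinRE. Restart with: shutdown /t 0 /f /r'
} else {
    Write-Warning 'One or more readiness checks failed; the WinRE boot flag was not set.'
}
```

Running this across several lab machines and comparing the `Test-WinReLapsReadiness` output is a quick way to spot a client whose WinRE is disabled or whose managed account was never created, which would change what the recovery sign-in screen offers.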
When you initially boot into recovery mode, you typically see a process leading to a normal boot. However, in this scenario, we want to troubleshoot or simulate a troubleshooting situation. We’re aiming to delve into specific steps or procedures as if there were issues that needed attention.
- Select the Troubleshoot option (Reset your PC or see advanced options).
- Select the Advanced options from the 2nd screenshot.
Choose an Option |
---|
Continue |
Troubleshoot |
Turn off your PC |
Select the Command Prompt option for advanced troubleshooting in the Advanced Options window. Now, you’ll observe that we only have the option to use the LAPS-managed account. This means that, despite other accounts being disabled, the system guides us to use the specifically managed LAPS account for authentication.
Now, the Command Prompt prompts us for the password. At this point, you need to enter the LAPS-rotated password that we previously copied and saved. Select the Continue button to proceed.
- Select the Clipboard menu and select “Type clipboard text”
Resources
Windows LAPS: Automatically enable accounts during safe-mode boot – YouTube
Author
About the Author – Vidya is a computer enthusiast. She is here to share quick tips and tricks with Windows 11 or Windows 10 users. She loves writing on Windows 11 and related technologies. She is also keen to find solutions and write about day-to-day tech problems.
Hi Vidya,
Thank you for this post it was very detailed and helpful.
However, I am facing an issue where I have performed all the mentioned steps in my environment but there are still a few computers that are not prompting for the laps admin password in Recovery Mode, it basically is just letting me in directly.
Can you please advise on what could be the issue?
Note: all the computers are in the same OU and have the same policies.
Regards,
Adam Isa