Microsoft Releases Windows Local Administrator Password Solution
Microsoft on Tuesday announced the roll out of a new "Windows Local Administrator Password Solution" (LAPS).
Update 4/14: Microsoft advised against installing the older "legacy LAPS" after its April 11 "update Tuesday" patches have been applied. Doing so will "break" both the legacy LAPS and Windows LAPS. The warning is tucked into this "Overview" document.
Windows LAPS promises to thwart "pass-the-hash and lateral-traversal attacks" and to enhance security when IT pros perform remote help-desk actions, according to this "Overview" document. Additionally, IT pros can use Windows LAPS to recover devices that otherwise would be inaccessible. It has access control list and password encryption options, which are supported via Azure Active Directory.
Windows LAPS is a revamp of a familiar tool that's been used by IT pros to secure local administrator passwords when managing client devices. This new tool is integrated with Windows systems and has improved capabilities leveraging Azure Active Directory over the current LAPS tool, which Microsoft now refers to as "legacy LAPS."
Windows LAPS arrived with other updates on April 11, 2023, which is "patch Tuesday," the designated second Tuesday of each month when Microsoft releases its software fixes. Microsoft has since changed what it releases for Windows 11 clients on update Tuesdays to sometimes include new features, in addition to the usual security and quality updates.
IT pros don't have to install Windows LAPS via an MSI file download from the Microsoft Download Center. It is "ready to go out-of-the-box," Microsoft indicated, and any future product updates will arrive via the "normal Windows patching process."
Azure Active Directory Support Lagging
There's one big catch to using Windows LAPS right now. The ability of Windows LAPS to use Azure Active Directory capabilities is still at the private preview stage. It will shift to public preview sometime "later this quarter."
The Azure AD support for Windows LAPS, when available outside the current private preview, will add capabilities such as storing passwords via the Microsoft Graph and enabling Azure Role-Based Access Control policies. The Azure AD support also will let IT pros retrieve and rotate Windows LAPS passwords via the Azure Management Portal. Windows LAPS also will be manageable via Microsoft Intune. Best of all, perhaps, the Azure AD integration will permit Windows LAPS to automatically rotate a password "after the account is used."
On-Premises Active Directory Perks
Windows LAPS also adds new capabilities for on-premises Active Directory environments. It has better security via password encryption. It has a "password history" feature that helps with restoring time-stamped backup images. It will rotate recovery passwords for domain controllers with its "Directory Services Restore Mode." It also has an automatic password rotation feature that triggers after an account gets used. Microsoft also added a new PowerShell module to support Windows LAPS, including a cmdlet that lets IT pros "rotate the password on demand."
Microsoft also touted Windows LAPS' "emulation mode," which lets IT pros use "the older LAPS policy settings and tools while preparing to migrate to the new features." While that sounds easy, there are lots of requirements and limitations listed in this document that might sound a bit daunting. For instance, Windows LAPS policies will always take precedence when "present on the machine." And even when emulation mode works, it stores passwords in "clear text" instead of encrypting them.
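To make the on-premises capabilities and the emulation-mode caveat above concrete, here is an added PowerShell walkthrough for a Windows Server AD deployment. It is not code from the article or from Microsoft. It assumes the built-in LAPS PowerShell module that ships with the April 2023 update, schema-admin and domain-admin rights for the one-time setup steps, and hypothetical OU and computer names. The registry policy value names are taken from my reading of Microsoft's Windows LAPS policy documentation; verify them against the current documentation before deploying.

```powershell
# Added example (not from the article or Microsoft): defender-side setup and audit
# for Windows LAPS backing up to on-premises Windows Server AD.
# Assumptions: built-in "LAPS" module present, schema/domain admin rights,
# hypothetical OU and computer names, registry value names per Microsoft docs.

Import-Module LAPS -ErrorAction Stop

# 1. One-time: extend the AD schema with the Windows LAPS attributes and allow
#    computers in the target OU to write their own password backup.
$ou = 'OU=Workstations,DC=corp,DC=example'   # hypothetical OU
Update-LapsADSchema
Set-LapsADComputerSelfPermission -Identity $ou

# 2. Local policy for a lab machine (production should use GPO or Intune):
#    back up to Windows Server AD, encrypt the stored password, expire it after
#    30 days, and rotate 24 h after the managed account authenticates.
$policy = 'HKLM:\Software\Microsoft\Policies\LAPS'
New-Item -Path $policy -Force | Out-Null
Set-ItemProperty -Path $policy -Name BackupDirectory -Value 2 -Type DWord             # 2 = Windows Server AD
Set-ItemProperty -Path $policy -Name ADPasswordEncryptionEnabled -Value 1 -Type DWord
Set-ItemProperty -Path $policy -Name PasswordAgeDays -Value 30 -Type DWord
Set-ItemProperty -Path $policy -Name PostAuthenticationResetDelay -Value 24 -Type DWord
Set-ItemProperty -Path $policy -Name PostAuthenticationActions -Value 3 -Type DWord   # reset password and log off

# 3. Apply the policy now rather than waiting for the next scheduled run.
Invoke-LapsPolicyProcessing

function Test-LapsEncryptionEnabled {
    # Returns $false when the effective policy would store the password in
    # clear text in AD, which is what emulation mode (legacy policy) does.
    $p = Get-ItemProperty -Path $policy -ErrorAction SilentlyContinue
    return ($null -ne $p -and $p.BackupDirectory -eq 2 -and $p.ADPasswordEncryptionEnabled -eq 1)
}
if (-not (Test-LapsEncryptionEnabled)) {
    Write-Warning 'Windows LAPS would back up the local admin password unencrypted.'
}

# 4. Help-desk flow: read the current password plus history (useful when
#    restoring an older image), then rotate on demand once the ticket closes
#    so the password disclosed to the technician stops working.
$computer = 'WS-LAB-01'   # hypothetical computer name
Get-LapsADPassword -Identity $computer -AsPlainText -IncludeHistory | Format-List

# Run on the managed device itself; forces an immediate rotation and backup.
Reset-LapsPassword
```

Steps 1 and 2 are administrative one-offs; step 3 and the encryption check are what you would want a configuration-compliance job to re-run, because a legacy LAPS policy still present on the machine would otherwise leave the clear-text storage path active. Step 4 is the point of the feature: a password that a technician has seen should have a short remaining life, whether through the post-authentication reset or an explicit Reset-LapsPassword.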
Windows LAPS is supported with Azure AD-joined devices, "hybrid"-joined devices (Azure AD plus local AD), and Windows Server AD-joined devices. However, the join type determines where Windows LAPS passwords get backed up and stored. Microsoft explained those nuances in its "Overview" document.
Many more important details about Windows LAPS are described by Jay Simmons, a software engineer on Microsoft's Active Directory team, in this video. He noted that Microsoft is actually delivering new AD features with this tool.
Kurt Mackie is senior news producer for 1105 Media's Converge360 group.