Microsoft Releases Windows LAPS Public Preview Using Azure Active Directory Capabilities

Microsoft on Friday announced a public preview of Windows Local Administrator Password Solution (LAPS) for Microsoft Entra Azure Active Directory.

The preview of Windows LAPS for Azure AD represents a quick advance from the release of Windows LAPS, a new capability for IT pros introduced earlier this month. Windows LAPS is now part of Windows, instead of just being a standalone tool. Windows LAPS arrived with other Microsoft updates on "update Tuesday" this month, which occurred on April 11.

One benefit of Windows LAPS is that it gets serviced monthly like other Windows components. Also, IT pros don't need to download and install an MSI file to get Windows LAPS, as was the case with the older standalone tool. Only IT pros with certain privileged roles, such as "Global Administrator," have the ability to use Windows LAPS to recover passwords and view Windows LAPS metadata, though.

Windows LAPS features a password rotation scheme for IT pros that could help thwart "pass-the-hash" and "lateral-traversal" methods used by an attacker. It has capabilities for organizations managing Windows Server AD-joined devices, Azure AD-joined devices and "hybrid"-joined devices (use of Azure AD plus local AD). However, Microsoft had indicated earlier this month that some of Windows LAPS' Azure AD capabilities were still lagging and were just available for testing at the "private preview" stage.

With Microsoft's Friday announcement, a public preview of Windows LAPS with its Azure AD capabilities is now available for testing. Here's how the Friday announcement put it:

Today we're making Windows LAPS available to you for both Azure AD joined and hybrid Azure AD joined devices. Additionally, Windows LAPS is now built-in into Windows with Windows 10 20H2 and later, Windows 11 21H2 and later, and Windows Server 2019 and later using the most recent security update (released on April 11, 2023). With these updates, you will also no longer need to install an external MSI package and future fixes or feature updates will be delivered via the normal Windows patching processes.

Microsoft's "What Is Windows LAPS" document, dated April 14, still stated that "the Azure Active Directory LAPS scenario remains in private preview and is closed to new customers," but possibly that document had not been updated at press time.

'Legacy LAPS' Install Caveat
A warning apparently is still in effect against installing the "legacy LAPS" product after installing Microsoft's April 11 updates, as doing so will break both LAPS apps. The legacy LAPS product doesn't need to be installed to use Windows LAPS.

Commenting in his April 11 post, Jay Simmons, a software engineer on Microsoft's Active Directory team, suggested that the problem arises when the two LAPS programs are both configured for the same account:

The new Windows LAPS is designed to exist with or without the legacy LAPS client being installed. Just don't try to configure the two to manage the same account! If you don't want to migrate to the new Windows LAPS features just yet, you can still start the transition by utilizing legacy LAPS emulation mode.

The April 11 post is a good general source of information for IT pros about Windows LAPS, as Simmons answered multiple questions in the comments section.

Only for Windows Devices
Microsoft clarified that Windows LAPS isn't supported for use with "non-Windows platforms" or "devices that are Azure AD registered," in this document. Microsoft's definition for "Azure AD registered" is a device that uses "a local account like a Microsoft account" for sign-ins, according to this "Azure AD Registered Devices" publication.

"LAPS is supported on Azure AD joined or hybrid Azure AD joined devices only," Microsoft's document stated. It's possible to use Windows LAPS with a free Azure AD license, though.

Initial Windows LAPS setup happens via the Azure Portal. However, Microsoft's configuration and management preference for organizations is to use Microsoft Intune or another mobile device management solution with Windows LAPS. It's also possible to manage Windows LAPS manually, such as using Group Policy Objects (GPOs), but that option has support with "hybrid Azure AD-joined devices only," the Q&A portion of Microsoft's document clarified.

Simmons also clarified in his April 11 post that "the new Windows LAPS settings are not yet publicly available in Intune (coming soon) and will look very similar to the settings offered by the new Windows LAPS GPO."

The document included a big caveat regarding deleting devices in Azure AD when using Windows LAPS. In such cases "the LAPS credential that was tied to that device is lost and the password that is stored in Azure AD is lost," with no recovery mechanism.

About the Author

Kurt Mackie is senior news producer for 1105 Media's Converge360 group.

