Local administrator accounts are a key part of managing Windows systems. They allow users to make important changes, like installing software or adjusting settings. But with great power comes great responsibility – and risks❌. If a local administrator account falls into the wrong hands, it can lead to serious security breaches, putting your whole organization in danger⚠.
Attackers who obtain these credentials can move between systems, steal sensitive data, or launch further attacks. Because the built-in administrator account typically has the same password on every machine built from the same image, protecting it with strong, regularly rotated, per-device passwords is essential to defend against pass-the-hash and lateral movement attacks. However, managing all these passwords manually is a headache. That’s where Windows Local Administrator Password Solution (LAPS) comes in. LAPS automatically rotates local administrator passwords on a schedule and securely backs them up to a directory.
Before diving into the details of LAPS, it’s important to understand the difference between local administrator accounts and standard user accounts on Windows systems.
Difference Between a Local Administrator and a Standard User
The default local administrator account is created during the Windows installation process and holds the highest level of access to the system. This account can install or remove software, change system settings, and manage files across the entire computer. Its full control over the system makes it powerful but also risky if not properly secured.
On the other hand, standard user accounts have limited permissions. While they can run applications, browse the internet, and save files, they cannot install or remove software or make system-wide changes.
What is Windows LAPS?
Windows Local Administrator Password Solution (LAPS) is a built-in Windows feature that keeps your systems safe by managing local administrator passwords. With the cloud version of LAPS, you can manage and protect local administrator passwords for both Microsoft Entra-joined and hybrid-joined devices, ensuring they stay secure across all your systems.
Why is this important? The importance of LAPS extends beyond just the prevention of unauthorized access. By automating password rotation and backup, LAPS reduces the risk of human error and ensures that these critical credentials remain protected and up-to-date, enhancing overall system security and compliance.
How does LAPS help?
- LAPS creates unique, strong passwords for each local admin account.
- It stores the passwords safely in Active Directory or Microsoft Entra ID (formerly Azure AD).
- Only authorized users can access or reset these passwords.
- It ensures secure remote support and reduces vulnerabilities.
- LAPS uses access controls and encryption to protect stored passwords.
Windows LAPS vs Legacy Microsoft LAPS
The current version of LAPS, known as Windows LAPS, is an evolution of the original Microsoft LAPS introduced in 2016, now referred to as legacy Microsoft LAPS. While Windows LAPS builds on the core concepts of its predecessor, it offers several enhancements and new features.
What Are the Supported Platforms for Windows LAPS?
Windows LAPS supports the following Windows OS platforms:
- Windows 11 22H2 – April 11, 2023 Update
- Windows 11 21H2 – April 11, 2023 Update
- Windows 10 – April 11, 2023 Update
- Windows Server 2022 – April 11, 2023 Update
- Windows Server 2019 – April 11, 2023 Update
License Requirement for Windows LAPS Feature
The Windows LAPS feature is available at no additional cost on all supported Windows platforms. You can back up passwords to your on-premises Active Directory without any extra licensing requirements. For backing up passwords to Microsoft Entra ID, a Microsoft Entra ID Free license or higher is needed.
Windows LAPS in Microsoft Entra ID
With the introduction of Microsoft Entra support for Windows LAPS, you can now manage local administrator passwords for both Microsoft Entra-joined and hybrid-joined devices using a unified approach. This integration extends the capabilities of the standalone, on-premises LAPS product, offering a consistent experience across different types of devices.
Microsoft Entra support for LAPS includes the following capabilities:
- Enable Windows LAPS with Microsoft Entra ID – Set up a tenant-wide and client-side policy to back up the local admin password in Microsoft Entra ID.
- Manage Local Administrator Passwords – Set policies to control the admin account name, how long the password lasts, its complexity, and manual reset options.
- Recover Local Admin Passwords – Retrieve local admin passwords using APIs or through the portal.
- List All Devices with Windows LAPS – Use APIs or the portal to see all Windows devices in Entra ID that have LAPS enabled.
- Control Access to Password Recovery – Set up role-based access control (RBAC) with custom roles and admin units for secure password recovery.
- Audit Password Changes and Recovery – Use audit logs via API or the portal to track when passwords are updated or recovered.
- Apply Conditional Access for Password Recovery – Use Conditional Access policies on directory roles responsible for password recovery authorization.
How to Enable Windows LAPS in Microsoft Entra ID?
By default, LAPS is disabled for your organization. To enable Windows LAPS in Microsoft Entra ID:
- Log in to the Microsoft Entra admin center with at least Cloud Device Administrator privileges.
- Navigate to Identity > Devices > Overview > Device settings.
- Set the ‘Enable Microsoft Entra Local Administrator Password Solution (LAPS)’ option to Yes, then click Save.
Creating a LAPS Policy:
Once Windows LAPS is enabled, the next step is to set up a client-side policy to back up the local administrator password to Microsoft Entra ID. Microsoft recommends using Microsoft Intune for managing Windows LAPS. If your devices are joined to Microsoft Entra but don’t use or support Intune, you can manually deploy Windows LAPS to Microsoft Entra ID. Alternatively, you can manage LAPS settings via Group Policy Objects (GPOs), which lets you apply LAPS policies to devices in an Active Directory environment.
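As an added example (not code from the original post), the script below configures Windows LAPS on a single Microsoft Entra-joined device without Intune, using the local configuration registry key, forces a policy cycle, and then checks the LAPS operational event log for the result. It assumes an elevated session on a device that has the April 2023 (or later) update with the built-in LAPS PowerShell module; the registry path and value names follow the Windows LAPS policy documentation, and the specific values (30-day age, 20-character length) are choices for this example rather than requirements.

```powershell
# Added example: configure Windows LAPS locally (no Intune, no GPO) and verify.
# Assumptions: device is Microsoft Entra joined, LAPS is enabled in the tenant,
# and this runs elevated. Value names are per the Windows LAPS policy docs.
#Requires -RunAsAdministrator

# Local configuration key. It applies only when no CSP (Intune) or GPO policy
# is present; policy sources win over this key.
$lapsConfig = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\LAPS\Config'
if (-not (Test-Path $lapsConfig)) {
    New-Item -Path $lapsConfig -Force | Out-Null
}

$settings = @{
    BackupDirectory              = 1   # 0 = disabled, 1 = Microsoft Entra ID, 2 = Active Directory
    PasswordAgeDays              = 30  # example choice: rotate at least every 30 days
    PasswordLength               = 20  # example choice
    PasswordComplexity           = 4   # upper, lower, digits and special characters
    PostAuthenticationResetDelay = 24  # hours after the managed account is used before forced rotation
    PostAuthenticationActions    = 3   # reset the password and log off the managed account
}

foreach ($name in $settings.Keys) {
    Set-ItemProperty -Path $lapsConfig -Name $name -Value $settings[$name] -Type DWord
}

# Apply the configuration now instead of waiting for the next scheduled cycle.
Invoke-LapsPolicyProcessing

# Verify: the LAPS operational channel records policy processing and backup
# results, including the backup directory that was used.
Get-WinEvent -LogName 'Microsoft-Windows-LAPS/Operational' -MaxEvents 10 |
    Select-Object TimeCreated, Id, Message |
    Format-Table -AutoSize -Wrap
```

Leaving AdministratorAccountName unset means LAPS manages the built-in administrator account (RID 500) regardless of how it has been renamed; set it only if you manage a separate custom local administrator. PostAuthenticationActions is the setting that limits the lifetime of a recovered password: once someone signs in with the managed account, the password is rotated after the configured delay even if its normal expiry is still days away.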
Accessing LAPS Passwords:
Once the policy is applied, you can find the LAPS passwords by navigating to:
Microsoft Entra ID > Devices > Overview > ‘Local administrator password recovery’.
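Passwords can also be recovered from the command line, which is what helpdesk tooling usually does. The added example below (not from the original post) recovers a device's current LAPS password from either backend and, for the Active Directory case, immediately expires it so the device rotates to a fresh password on its next policy cycle; in the Entra ID case the PostAuthenticationActions policy takes care of the rotation after the account is used. It assumes the built-in LAPS module, the Microsoft.Graph.Authentication module for the Entra path, and a caller who holds a role permitted to read the passwords; `<device-id>` and `<computer-name>` are placeholders.

```powershell
# Added example: recover a LAPS password, then make sure it does not outlive its use.
# Assumptions: LAPS module present; Microsoft.Graph.Authentication installed for
# the Entra path; caller has a role allowed to read local admin passwords.
function Recover-LapsPassword {
    param(
        # Entra device ID (GUID) for 'Entra', or the computer name for 'AD'
        [Parameter(Mandatory)] [string] $Target,
        [ValidateSet('Entra', 'AD')] [string] $Backend = 'Entra'
    )

    if ($Backend -eq 'Entra') {
        # Get-LapsAADPassword talks to Microsoft Graph; the delegated scopes
        # below are the ones the cmdlet needs to read device credentials.
        Connect-MgGraph -Scopes 'Device.Read.All', 'DeviceLocalCredential.Read.All' | Out-Null

        $cred = Get-LapsAADPassword -DeviceIds $Target -IncludePasswords -AsPlainText
        $cred | Format-List DeviceName, Account, PasswordUpdateTime, PasswordExpirationTime, Password

        # Every recovery is written to the Entra audit log; note the time so the
        # entry can be correlated with the ticket that justified the access.
        Write-Host "Recovered at $(Get-Date -Format o); expect a matching audit log entry."
    }
    else {
        $cred = Get-LapsADPassword -Identity $Target -AsPlainText
        $cred | Format-List ComputerName, Account, PasswordUpdateTime, ExpirationTimestamp, Password

        # Expire the password now so the device rotates it on its next policy
        # cycle, instead of letting the recovered value stay valid until the
        # scheduled expiry.
        Set-LapsADPasswordExpirationTime -Identity $Target | Out-Null
        Write-Host "Expiration reset on $Target; the device will rotate on its next LAPS cycle."
    }

    return $cred
}

# Usage (placeholders):
#   Recover-LapsPassword -Target '<device-id>' -Backend Entra
#   Recover-LapsPassword -Target '<computer-name>' -Backend AD
```

On the AD side you can see who holds the rights this script relies on with `Find-LapsADExtendedRights -Identity '<ou-distinguished-name>'`, which lists principals allowed to read or reset passwords under that OU; reviewing that output periodically is the practical counterpart to the RBAC and audit capabilities described above for Entra ID.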
Disadvantages of Windows LAPS
While Windows LAPS provides effective management of local administrator passwords, it does have limitations:
- Single Backup Destination: Devices joined only to Microsoft Entra ID can back up passwords solely to Microsoft Entra ID, while devices joined only to Windows Server Active Directory can back up passwords only to Windows Server Active Directory.
- Limited Device Support: Windows LAPS does not support Microsoft Entra workplace-joined clients or Microsoft Entra-registered devices.
While Windows LAPS is a valuable tool for managing local administrator passwords, it is specifically focused on this narrow aspect of privileged access. To achieve more robust security across your organization, a comprehensive Privileged Access Management (PAM) solution is necessary.
We hope that this blog has helped you get started with Windows LAPS. In addition to leveraging Windows LAPS, you may also benefit from Windows 11’s recall feature, which allows for additional recovery and management options for your devices. Thanks for reading. For further queries, feel free to reach us through the comment section.