
The Way to Use the New Windows LAPS Feature


An updated feature in Windows aims to address the security concerns associated with local administrator passwords. Windows devices usually have a local administrator account, which is needed when a device cannot reach Active Directory and an admin requires another way to log in. To protect these credentials, Microsoft offers a feature called Windows Local Administrator Password Solution (Windows LAPS). It automates management of the local administrator account's password, rotating it regularly so that a single shared or stale local password does not become a foothold across many devices.

In April 2023, Microsoft updated the Windows LAPS feature to make it a native part of the Windows operating system. The passwords for local administrator accounts are now stored in both Active Directory and Microsoft's cloud-based identity and access management platform, Microsoft Entra ID (formerly known as Azure Active Directory). Previously, LAPS only worked with Active Directory. This new version of Windows LAPS not only protects these administrator account passwords, but also safeguards enterprises from security risks such as pass-the-hash attacks, since a unique, regularly rotated password on each device limits how far a stolen local credential can be reused. Additionally, the updated version includes a fine-grained security model and supports Azure role-based access control (RBAC). It also introduces password encryption and password history.

The Windows LAPS feature also extends to the Directory Services Restore Mode account on the domain controller, allowing for automated management and storage of passwords for this account.

However, there are some limitations with Windows LAPS. The original version, known as Microsoft LAPS, cannot manage the same account on the same machine alongside Windows LAPS. Most organizations choose to replace the legacy version with Windows LAPS. For those who are not yet comfortable with the new version, Microsoft offers a Microsoft LAPS emulation mode to make Windows LAPS function similarly to the legacy version. Alternatively, both legacy Microsoft LAPS and Windows LAPS can be used side by side, requiring the creation of a new local administrator account on managed devices with a different name to be used with Windows LAPS policies.

To deploy Windows LAPS, there are two options available. The first option is to use Intune to create a LAPS policy, which is then pushed out to managed Windows devices. The second option is to use group policy to push LAPS settings to domain-joined Windows devices.

To create a LAPS policy through Intune, administrators can open the Microsoft Intune admin center and select the Endpoint security tab. From there, they can click on Account protection and then the Create Policy link. The platform should be set to Windows 10 and later, and the profile should be set to Local Admin Password Solution (Windows LAPS). The administrator can then specify the backup directory, password length and complexity requirements, and other relevant settings before assigning the policy and creating it.

For Group Policy deployment, administrators first need to prepare Active Directory by extending the schema to support Windows LAPS and granting the necessary permissions. This involves running a PowerShell command to update the Active Directory schema and assigning permissions to the domain-joined computers so that they can write their own passwords back to their computer objects. Once Active Directory is prepared, Group Policy settings for Windows LAPS can be configured using the Group Policy Management Editor.
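The Active Directory preparation just described, as an added example that is not from the article, using the cmdlets of the LAPS PowerShell module that ships with the April 2023 update; the OU distinguished name, the reader group and the computer name are placeholders assumed for illustration.

```powershell
# Added example (not the article's own code): prepare AD for Windows LAPS and
# verify the result. Step 1 needs Schema Admins; steps 2-4 need rights on the OU.
# Assumed placeholders: the OU, the reader group and the computer name below.
Import-Module LAPS

$ou          = 'OU=Workstations,DC=corp,DC=example'   # assumed OU
$readerGroup = 'CORP\LAPS-Password-Readers'           # assumed AD group

# 1. Extend the AD schema with the Windows LAPS attributes (one-time, forest-wide).
Update-LapsADSchema -Verbose

# 2. Allow computers in the OU to write their own password, expiry and
#    (when enabled) encrypted password blob back to their computer object.
Set-LapsADComputerSelfPermission -Identity $ou

# 3. Grant password read access only to a dedicated, audited group; avoid broad
#    principals such as Authenticated Users, which would undo the point of LAPS.
Set-LapsADReadPasswordPermission -Identity $ou -AllowedPrincipals $readerGroup

# 4. Review who can actually read LAPS passwords on this OU, including extended
#    rights that may predate the rollout and should be removed.
Find-LapsADExtendedRights -Identity $ou | Format-Table -AutoSize

# 5. After the Group Policy is linked, confirm from the domain that a managed
#    client has backed up its password (returned as a SecureString unless you
#    ask for -AsPlainText, which should be reserved for actual use).
Get-LapsADPassword -Identity 'WS01'

# On the client itself, force policy processing to check the rollout end to end:
#   Invoke-LapsPolicyProcessing -Verbose
```

Reading a password with Get-LapsADPassword is logged in the directory, so audit that event and review the output of step 4 periodically to catch permission drift.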

Overall, the updated Windows LAPS feature aims to enhance the security of local administrator passwords in Windows devices. It provides automated password management, password rotation, and protection against various security risks. While there are some limitations and prerequisites to consider, organizations can choose between using Intune or group policy for deploying Windows LAPS. As passwords for local administrator accounts continue to be essential, implementing Windows LAPS can help organizations improve their security practices.

