This post features Windows LAPS with its most important specifications and what you need to know high-level. Both Active Directory and Azure AD scenarios are described.


Windows LAPS is now in public preview!

The Local Administrator Password Solution is a familiar Microsoft product which is responsible for managing and backing up the password of the local administrator account to (Azure) Active Directory.

The aim is to control local administrator rights and protect against pass-the-hash and lateral-traversal attacks. General administrator accounts where the credentials are shared on multiple devices are a security vulnerability.



  • Native integrated in Windows (see supported Windows platforms)
  • Store password in Active Directory or Azure AD
  • Password history
  • Post Authentication Actions on/after use of LAPS account
  • New PowerShell module


  • Integration to Intune (password retrieval & rotate remote action)
  • Configuration through Settings Catalog


  • New schema attributes
  • Domain Services Restore Mode (DSRM) password support for LAPS
  • Configuration with GPO
  • Support for encryption
Microsoft LAPS which was known until yet is now renamed to legacy LAPS.
Microsoft recommends to migrate legacy LAPS to Windows LAPS.



Backup directory

The backup directory can either be Active Directory or Azure AD, but only one per device.

Password retrieval


  • Uses with assigned built-in roles (Intune Admin, Cloud Device Admin or Global Admin) can read the password. See all roles with LAPS permissions
  • Limit access for admins to a set of devices with Administrative Units - view post

Create an AD group to:

  • Configure the GPO setting ADPasswordEncryptionPrincipal with an user, group or SID (preferred) that can decrypt the encrypted password (If password encryption is enabled)
  • Set AD extended rights to set permissions on OU level with “Set-LapsADReadPasswordPermission” to read the password
If you enable password encryption you need to configure both these options.

Built-in admin

The built-in administrator account of Windows has no lockout threshold and has a well-known SID. So attackers can easly brute-force this account.

From a security perspective, I would recommend to create a dedicated administrator account that is managed by Windows LAPS.

  • For Intune you can use Proactive Remediation. My colleague Nicola already created a script package: Detection script and Remediation script
  • For AD you can create a similar script or use GPO
The built-in administrator account of Windows is disabled by default.

Post authentication action

A recently added functionality requires an action to be performed after authentication with the LAPS managed account. This action will be triggered by both successful and failed authentication events. (Event ID 10041) Choose from:

  • Reset password
  • Reset the password and logoff
  • Reset the password and reboot

Implementation overview

Before you start with the implementation, I recommend you to go through the following steps:

  • Check prerequisites
  • Analyze current LAPS configurations (for AD)
  • Think about password retrieval and built-in admin
  • Review the configurable settings
  • Choose the scenario:

Azure Active Directory

  1. Enable Windows LAPS in your tenant

2. Create and assign an Endpoint Security>Account Protection, Windows LAPS policy in Intune


Here you go! That's everything you need to do to get it working.

Password retrieval & rotation

Local admin credentials can be obtained through the Intune portal on the device (if you have the right permission/role):

Alternatively also found in Azure AD>Devices>Local administrator password recovery

Rotation can also be done on the device object as a remote action:


Active Directory

Before you can start with the implementation in AD you need to set your starting point. Either you didn't have legacy LAPS configured > Greenfield or you already have LAPS > Migration.
The implementation steps are the same, but you have to do some more considerations and tasks for a migration.

  1. Check prerequisites
  2. Update your domain controller
  3. Update the Windows Server Active Directory schema
  4. Grant the managed device permission to update its password
  5. Remove Extended Rights permissions and grant extended rights with "Set-LapsADReadPasswordPermission -Identity OU -AllowedPrincipals AD group"
  6. Optional: Enable auditing with "Set-LapsADAuditing -Identity OU -AllowedPrincipals AD group"
  7. Copy C:\Windows\PolicyDefinition\LAPS.admx and \en-US\LAPS.adml to \\SYSVOL\\Policies\PolicyDefinitions and \en-US
  8. Configure and link a new GPO - Computer Configuration > Policies > Administrative Templates > System > LAPS

Migration from legacy LAPS

There are a few key points to consider when you want to migrate LAPS. Generally, I would advice you to create an additional and dedicated local administrator account for the new Windows LAPS management. This will allow you to maintain legacy LAPS and will not interfere its functionality. (Official source)

Recommendations for cleanup

Any legacy LAPS setup can contain:

Unlink the GPO and delete at a later time.
Extended rights
Find extended rights with "Find-AdmPwdExtendedRights" and remove the special permissions from the OU:

  • Read ms-Mcs-AdmPwd
  • Read ms-Mcs-AdmPwdExpirationTime
  • Write ms-Mcs-AdmPwdExpirationTime


Legacy LAPS agent
Usually only the CSE component was installed, but you can remove the whole LAPS package:

MsiExec.exe /x {EA8CB806-C109-4700-96B4-F1F268E5036C} /qn

Disable account
You also want to disable the account that legacy LAPS was managing. (In case you now have a new dedicated for Windows LAPS) For this, leverage a GPO:


Schema extension
Not recommended to remove the schema attributes from legacy LAPS.



Event viewer

Applications and Services Logs>Microsoft>Windows>LAPS



Policy type Policy registry key root
LAPS CSP (from Intune) HKLM\Software\Microsoft\Policies\LAPS
LAPS Group Policy HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\LAPS


Endpoint Management with Microsoft Intune
Ever wanted a full tutorial how to deal with Microsoft Autopilot Intune Technology? Well here it is!
Defender Suite
Enterprise security solutions, cloud-based, intelligent and automated security responses for Endpoint, Identity, Office 365 and Cloud Apps. A full protection stack. Defender for EndpointHandle threat and vulnerability events on endpoints to prevent malicious and harmful contents. Microsoft Defender:…
Fundamentals Microsoft security concepts V2Learn about Microsoft’s cloud security concepts to secure your organization with Microsoft 365 and Azure built-in products and features. The way to secure your digital assets such as identities, infrastructures, platforms, apps and data. These are the offic…
You’ve successfully subscribed to Oceanleaf
Welcome back! You’ve successfully signed in.
Great! You’ve successfully signed up.
Your link has expired
Success! Check your email for magic link to sign-in.