Microsoft has announced a public preview of Windows LAPS with Azure Active Directory (recently renamed Microsoft Entra ID). The long-awaited feature enables IT admins to rotate and back up local administrator passwords using Azure Active Directory.
Windows Local Administrator Password Solution (LAPS) is a tool that enables IT admins to automatically manage and back up passwords for local administrator accounts. Previously, Windows LAPS was only available as a standalone solution for enterprise customers.
Microsoft has recently unveiled that the tool is now natively integrated into Windows and Windows Server devices. The native version brings support for automatic password rotation, password history, and password encryption. It helps to minimize the risk of password theft as well as Pass-the-Hash (PtH) and lateral traversal attacks.
With this release, Microsoft is making Windows LAPS available for Azure AD joined and hybrid Azure AD joined devices managed by Microsoft Intune. It enables IT admins to store passwords in Microsoft Azure, recover them, and configure settings via Microsoft Intune. It’s also possible to view audit logs, create Azure AD role-based access control (RBAC) policies, and configure Conditional Access policies.
“Windows LAPS has been revamped to integrate into the Windows platform to securely rotate and backup passwords using Microsoft Entra, Azure Active Directory (Azure AD). IT admins can use the first-class management experiences built into Intune to configure Windows LAPS and leverage the capabilities that are now available,” the Intune Support team explained.
To get started, customers will need an Azure Active Directory and Microsoft Intune subscription. IT admins should also ensure that the latest April cumulative update is installed on Windows 10 or 11 devices. We invite you to check out a full list of prerequisites on this support page.
Microsoft notes that Windows LAPS with Azure Active Directory is available in preview for customers with Azure AD free or higher licenses. Currently, the feature only supports Windows devices that are joined to Azure AD or hybrid Azure AD joined. It’s not available for Azure AD-registered devices or non-Windows platforms. You can read our detailed guide explaining how to configure Windows LAPS in an Active Directory scenario for more details.
Microsoft has recently confirmed that the native version of Windows LAPS is causing interoperability issues with legacy LAPS. The company is working on a fix, and in the meantime it recommends that customers either uninstall legacy LAPS or delete all values under the HKLM\Software\Windows\CurrentVersion\LAPS\State registry key.
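The following PowerShell script is an added example, not code from the article or from Microsoft. It implements the second workaround above in a defensible way: it first checks whether legacy LAPS is still installed (by looking for its entry under the standard Uninstall registry hive, an assumption about how the legacy MSI registers itself), snapshots every value under the LAPS state key so there is an audit trail, and only clears the values when run with -Remove. The state key path defaults to the one quoted in the article; treat that path as an assumption and confirm it against Microsoft's Windows LAPS documentation before running it on production devices. The script must run elevated and honours -WhatIf.

```powershell
# Added example (not from the article or Microsoft): inventory and, on request,
# clear the legacy-LAPS state values that Microsoft says conflict with native
# Windows LAPS. Run from an elevated PowerShell session.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Key path as quoted in the article; assumed correct, verify before use.
    [string]$StateKey = 'HKLM:\Software\Windows\CurrentVersion\LAPS\State',
    # Without -Remove the script only reports and snapshots, it changes nothing.
    [switch]$Remove
)

# Step 1: is legacy LAPS still installed? Microsoft's first recommendation is to
# uninstall it, so surface that before touching the registry. The display name
# match is an assumption about the legacy MSI's Add/Remove Programs entry.
$uninstallHives = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$legacy = Get-ItemProperty -Path $uninstallHives -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like 'Local Administrator Password Solution*' }
if ($legacy) {
    Write-Warning ("Legacy LAPS still installed: {0} (version {1}). " +
                   "Uninstalling it is Microsoft's preferred workaround.") -f
                   $legacy.DisplayName, $legacy.DisplayVersion
}

# Step 2: find the state key. If it is absent there is nothing to clean up.
if (-not (Test-Path -Path $StateKey)) {
    Write-Output "No LAPS state key found at $StateKey; nothing to clean up."
    return
}

# Step 3: snapshot every value under the key before any change, so an admin can
# see exactly what was cleared. The PS* properties are PowerShell provider
# metadata, not registry values, so they are filtered out.
$props = (Get-ItemProperty -Path $StateKey).PSObject.Properties |
    Where-Object { $_.Name -notlike 'PS*' }
$backup = Join-Path $env:TEMP ('laps-state-{0:yyyyMMdd-HHmmss}.txt' -f (Get-Date))
$props | ForEach-Object { '{0} = {1}' -f $_.Name, $_.Value } | Set-Content -Path $backup
Write-Output "Found $(@($props).Count) value(s) under $StateKey; snapshot written to $backup"

# Step 4: clear the values only when explicitly asked, one at a time, so that
# -WhatIf shows each value that would be removed and -Confirm can prompt.
if ($Remove) {
    foreach ($p in $props) {
        if ($PSCmdlet.ShouldProcess("$StateKey\$($p.Name)", 'Remove registry value')) {
            Remove-ItemProperty -Path $StateKey -Name $p.Name
        }
    }
    Write-Output 'Legacy LAPS state values cleared; native Windows LAPS will rebuild its state on the next policy cycle.'
}
```

Run it once without -Remove to see what is present and where the snapshot landed, then with `-Remove -WhatIf` to preview the deletions, and finally with `-Remove` on a pilot device before rolling it out more widely.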