How to Deploy Windows LAPS – [Step-by-Step]

Windows LAPS is a Windows feature that lets you automatically set and back up the local administrator passwords of your domain-joined devices. LAPS (Local Administrator Password Solution) creates a unique, random password for each device in your network and stores it in Active Directory or Azure Active Directory.

Windows LAPS is the successor of the legacy Microsoft LAPS, which has been available for many years. The new Windows LAPS comes with more features and is now built into Windows 10 and 11, so we no longer need to install a client on the computers.

In this article, we are going to take a look at the difference between Microsoft LAPS and Windows LAPS, how to install and configure the new LAPS, and how to migrate from legacy LAPS to Windows LAPS.

What is Windows LAPS?

You can easily change the password of your domain administrator account, but what about the local administrator account? The password of the local admin account is often set during installation, but you can’t easily change it on all computers. This is where Windows LAPS comes in. LAPS stands for Local Administrator Password Solution.

With LAPS we can automatically set unique local administrator passwords on each computer, which are stored in the Azure Active Directory or in your local Active Directory. The password is automatically changed every 30 days by default. Windows LAPS can also be used to manage and back up the DSRM (Directory Services Restore Mode) password of your Active Directory.

Microsoft LAPS vs Windows LAPS

Windows LAPS is the successor of Microsoft LAPS, which has been available for many years. So what are the differences between the two versions? The most important change is that the new version is built into Windows. This means that we don’t have to install an MSI anymore on the clients. But there are more advantages:

  • Store password in Azure AD – Easier to retrieve password
  • Password History – View previous passwords, useful for recovery scenarios
  • Encrypt passwords – Improves security in local Active Directory
  • Automatically rotate password – Reset password after the account is used
  • View with Microsoft Graph – You can retrieve the passwords with Microsoft Graph
  • DSRM Password Backups – Secure and rotate the domain controller recovery password
  • New PowerShell Module – Gives you more control through PowerShell
  • Dedicated event log – Makes it easier to troubleshoot issues

Requirements

To use Windows LAPS you will need to make sure that your computers and servers have the latest security update, from April 11, 2023, installed. The following operating systems are supported:

  • Windows 11 Pro, EDU, and Enterprise
  • Windows 10 Pro, EDU, and Enterprise
  • Windows Server 2022
  • Windows Server 2019

Make sure that all your domain controllers are fully updated before you start with the installation.

How to Install Windows LAPS

If your devices are managed with Intune, then it’s recommended to roll out LAPS using the Windows LAPS configuration service providers. When you don’t use Intune, then you can still deploy LAPS, using your local Active Directory.

I will explain both methods, starting with the local Active Directory.

Deploy LAPS on local Active Directory

This method can be used when you have a complete on-premises environment, and for hybrid environments where your local Active Directory is synced with Azure Active Directory.

Step 1 – Extend AD Schema

The first step is to extend the Active Directory schema. We do this on one domain controller, which then will automatically sync the new schema to the other domain controllers in your forest.

To update the AD Schema, open PowerShell (Admin) on the domain controller and run the following command:

Update-LapsADSchema

Press A (Yes to All) when asked whether you want to proceed. If you get an error running the Update-LapsADSchema command, then check the FAQ at the end of the article for possible solutions.

We can verify the Active Directory schema extension by opening a computer object in the Active Directory. You will now see the new LAPS tab.


Step 2 – Set Permissions

The computers need to have permission to update their password in the Active Directory. We do this by setting inheritable permissions on the OU of the computers with the help of the Set-LapsADComputerSelfPermission cmdlet in PowerShell.

We will need to specify the OU name. If the name isn’t unique in your Active Directory, then you will need to specify the DistinguishedName instead:

Set-LapsADComputerSelfPermission -Identity "Computers"

# Or with the full distinguishedName:
Set-LapsADComputerSelfPermission -Identity "OU=Computers,OU=Amsterdam,OU=Sites,DC=lazyadmin,DC=nl"

Step 3 – Configure LAPS Group Policies

To configure LAPS we will need to create a new Group Policy.

  1. Open the Group Policy Management on the domain controller
  2. Create a new Computer Policy (CPO_LAPS) in your computer OU
  3. Edit the new policy and navigate to Computer Configuration > Policies > Administrative Templates > System > LAPS

Note

If you don’t see LAPS under Administrative Templates > System, then copy the ADMX files from C:\Windows\PolicyDefinitions to your central store: \\contoso.com\SYSVOL\contoso.com\policies\PolicyDefinitions

  4. Open Configure password backup directory and set it to either Active Directory or Azure Active Directory. Make sure that your device is managed in the directory that you select.
  5. Open Password Settings and enable the setting. Optionally change the configuration.
  6. (Optional) Open Name of administrator account to manage, enable it, and set the account name to LAPSAdmin. If you don’t configure this setting, then the built-in Administrator account will be used.

There are a couple of other settings that you might want to enable. I recommend enabling at least the setting Post-Authentication actions. This setting is triggered when the LAPS password is used: it resets the password and optionally logs off the managed account after, for example, 8 hours.

If you create snapshots from your computers then it might be interesting to enable the password history setting. This will store the last 12 passwords in the AD, allowing you to log in with the local admin account when restoring an old snapshot. To use this setting you will need to enable password encryption as well.

Step 5 – Create a local admin account

The new Windows LAPS feature doesn’t create a local admin account automatically, like the legacy LAPS did. The easiest option is to use the built-in Administrator account and not configure a unique admin account for LAPS.

But if you still want to use a dedicated account, then you will need to create a new local admin account, for example with PowerShell. We can add the following PowerShell script to the start-up scripts in the Group Policy (Computer Configuration > Windows Settings > Scripts > Startup).

# Create the LAPS-managed account only if it doesn't exist yet (suppress the "not found" error)
If ($null -eq (Get-LocalUser -Name "lapsadmin" -ErrorAction SilentlyContinue)) {
  # Look up the Administrators group by its well-known SID, so the script also works on localized Windows installations where the group is not called "administrators"
  $adminGroup = Get-LocalGroup -SID 'S-1-5-32-544'
  New-LocalUser -AccountNeverExpires:$true -Password (ConvertTo-SecureString -AsPlainText -Force 'TempPassword123!') -Name 'lapsadmin' | Add-LocalGroupMember -Group $adminGroup
}

Step 6 – Verify Settings

To verify the settings we will need a Windows 10 or 11 device with the latest updates installed. We first need to pull the latest policy settings to the device, so that the LAPS password is created and written back to the Active Directory. You can either run the GPUpdate command or the special LAPS Policy cmdlet Invoke-LapsPolicyProcessing:

Invoke-LapsPolicyProcessing

After the policy is retrieved, we can verify the LAPS password in the Active Directory. Look up the device and open the properties. If you open the LAPS tab you will see the LAPS password:


Manage LAPS with PowerShell

The Windows LAPS PowerShell module is now included in Windows. This means that we don’t have to import a new module to manage LAPS with PowerShell. I won’t go through all cmdlets (you can find the complete list here), but we will discuss the most important ones.

We can use the cmdlet Get-LapsADPassword to view the LAPS password. Make sure that you add the parameter -AsPlainText to actually view the password.

Get-LapsADPassword -Identity la-win11-lab04 -AsPlainText


ComputerName        : LA-WIN11-LAB04
DistinguishedName   : CN=LA-WIN11-LAB04,OU=Computers,OU=Amsterdam,OU=Sites,DC=lazyadmin,DC=nl
Account             : lapsadmin
Password            : WQ3rjA1.%0]z];
PasswordUpdateTime  : 4/25/2023 7:50:36 PM
ExpirationTimestamp : 5/25/2023 7:50:36 PM
Source              : EncryptedPassword
DecryptionStatus    : Success
AuthorizedDecryptor : LAZYADMIN\Domain Admins

I recommend configuring the policy to automatically reset the password after it’s used. But we can also reset (rotate) the password with PowerShell. This cmdlet needs to be run on the endpoint, or you will need to run the command remotely with Invoke-Command:

Reset-LapsPassword

# Run it on a remote computer
Invoke-Command -ComputerName LA-Win11-Lab04 -ScriptBlock {Reset-LapsPassword}

View LAPS Password Permissions

To view the password with PowerShell, you will need to have LAPS password read permissions on the OU of the computers. Domain Admin has this permission by default, but you might want to give your helpdesk admins read permissions as well.

We can add the permissions with the Set-LapsADReadPasswordPermission cmdlet in PowerShell. You will need to specify the OU and the user or group that you want to give access:

Set-LapsADReadPasswordPermission -Identity "OU=Computers,OU=Amsterdam,OU=Sites,DC=lazyadmin,DC=nl" -AllowedPrincipals "Helpdesk Admins"

# Or add multiple users at once:
Set-LapsADReadPasswordPermission -Identity "OU=Computers,OU=Amsterdam,OU=Sites,DC=lazyadmin,DC=nl" -AllowedPrincipals @("alexw@lazyadmin.nl", "helpdesk@lazyadmin.nl")

To verify the permissions you can use the cmdlet Find-LapsADExtendedRights:

Find-LapsADExtendedRights -Identity "OU=Computers,OU=Amsterdam,OU=Sites,DC=lazyadmin,DC=nl"
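Once the read permissions are in place, the same cmdlets can be used to audit whether every computer in an OU actually has a current password backed up, without ever pulling a clear-text password. The script below is an added example, not part of the article; it assumes the ActiveDirectory RSAT module is installed, that the account running it has LAPS read permission on the OU, and it reuses the example OU path from this article.

```powershell
# Added example: report the LAPS backup state of every enabled computer in an OU.
# Assumptions: ActiveDirectory RSAT module available; the caller has LAPS password read
# permission on the OU. The OU path is the example path used in this article.
$ou = "OU=Computers,OU=Amsterdam,OU=Sites,DC=lazyadmin,DC=nl"

function Get-LapsBackupStatus {
    param([string]$SearchBase)

    foreach ($computer in Get-ADComputer -SearchBase $SearchBase -Filter 'Enabled -eq $true') {
        try {
            # Without -AsPlainText the Password property stays a SecureString, so this
            # report can be handed to auditors without exposing any credential.
            $laps = Get-LapsADPassword -Identity $computer.Name -ErrorAction Stop
            if (-not $laps) { throw 'No LAPS attributes returned for this computer' }

            [PSCustomObject]@{
                ComputerName       = $computer.Name
                Account            = $laps.Account
                Source             = $laps.Source              # e.g. EncryptedPassword
                PasswordUpdateTime = $laps.PasswordUpdateTime
                Expires            = $laps.ExpirationTimestamp
                Expired            = $laps.ExpirationTimestamp -lt (Get-Date)
                Status             = 'OK'
            }
        }
        catch {
            # Typical causes: the policy has not been applied yet, the Self permission is
            # missing on the OU, or the reader lacks the LAPS read/decrypt right.
            [PSCustomObject]@{
                ComputerName       = $computer.Name
                Account            = $null
                Source             = $null
                PasswordUpdateTime = $null
                Expires            = $null
                Expired            = $null
                Status             = "No LAPS password: $($_.Exception.Message)"
            }
        }
    }
}

$report = Get-LapsBackupStatus -SearchBase $ou
$report | Sort-Object Status, ComputerName | Format-Table -AutoSize

# Devices that need attention: no backup at all, or a backup that is past its expiry.
$report | Where-Object { $_.Status -ne 'OK' -or $_.Expired } |
    Select-Object ComputerName, Expires, Status
```

A computer that shows up with an expired or missing backup is a good candidate for running Invoke-LapsPolicyProcessing and checking its LAPS event log.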

Deploy LAPS with Intune

If your devices are managed through Intune then you can also deploy Windows LAPS with Intune. We don’t need to install anything; we only need to create a new policy for our endpoints in Intune. Before we start we will need to make sure that LAPS is enabled in Azure AD:

  1. Open portal.azure.com
  2. Click on the Azure Active Directory
  3. Open Devices > Device Settings
  4. Enable Azure AD Local Administrator Password Solution (LAPS)
  5. Click on Save

With LAPS enabled in Azure AD, we can now create the new policy:

  1. Open Endpoint Manager (Intune)
  2. Go to Endpoint Security > Account Protection
  3. Create a new policy
  4. Select the platform Windows 10 and later and the profile Local admin password solution
  5. Give the profile a name, for example, Windows LAPS
  6. In step 2 we will need to configure at least the following settings:
    • Backup Directory > Backup the password to Azure AD only
    • Password Age Days > 30
    • Password Complexity > Choose one of the options
    • Password Length > Default is 14, you can change it. Minimum is 8
    • Post Authentication Actions > Set to Reset password and log off the managed account.
    • Reset Delay > 8 hours
  7. You can skip the Scope tags
  8. Assignments > Add a group with devices on which you want to deploy Windows LAPS
  9. Review the settings and create the new policy

After you have created and assigned the policy it can take some time before it’s deployed to all the endpoints. You can force the synchronization of the policy in the Intune Admin center by opening a device and clicking on sync.

To view the progress of the rollout, you will need to go back to Endpoint Security > Account Protection, open the newly created policy, and click on View Report.

Viewing the LAPS Password

We have a couple of options to view the LAPS password of devices. The most convenient way is to open either Azure AD or Intune (Endpoint Manager). Another option is to use PowerShell with Microsoft Graph to retrieve the passwords, but that requires some configuration before you can use it.

To view the passwords in the Azure AD, open Devices and click on Local Administrator password recovery. This will give you a list of all devices where LAPS is active and allows you to show the password.

View LAPS Password in Azure AD

You can also view the password by first opening the device in Azure AD. The other option is to use Intune (Endpoint Manager). If you navigate to the device and open it, you will see Local Admin Password in the sidebar. Click on it to show the local administrator password:

View LAPS password in Intune

Migrate Microsoft LAPS to Windows LAPS

When you already have the old Microsoft LAPS (legacy LAPS) running in your environment, you can easily migrate to the new Windows LAPS. Important to note is that we can re-use the LAPS admin account name; we are basically going to set up Microsoft and Windows LAPS side by side. If everything runs well in the new version, then we can remove the legacy LAPS.

Step 1 – Deploy Windows LAPS

Install Windows LAPS with the steps described above, extending the AD schema, setting permissions, and configuring the policy. In the policy, make sure that you use a unique local admin account name, for example, lapsadmin2.

Step 2 – Add the local Admin Account to your Devices

We will need to manually create the new local admin account on the devices. You can use the same PowerShell script as described earlier:

# Create the new LAPS-managed account only if it doesn't exist yet (suppress the "not found" error)
If ($null -eq (Get-LocalUser -Name "lapsadmin2" -ErrorAction SilentlyContinue)) {
  # Look up the Administrators group by its well-known SID, so the script also works on localized Windows installations
  $adminGroup = Get-LocalGroup -SID 'S-1-5-32-544'
  New-LocalUser -AccountNeverExpires:$true -Password (ConvertTo-SecureString -AsPlainText -Force 'TempPassword123!') -Name 'lapsadmin2' | Add-LocalGroupMember -Group $adminGroup
}

Step 3 – Test the new Windows LAPS

You can run the new Windows LAPS side-by-side with the legacy LAPS to test the new solution.

Step 4 – Remove the Legacy LAPS

If the new solution is running as expected, then we can start with removing the legacy LAPS from the clients. Uninstall the Microsoft LAPS client from the devices, remove the old LAPS Admin account and remove the old policies.

Troubleshooting LAPS issues

Policies are always a bit hard to troubleshoot. For LAPS we have a couple of options to debug any problem that comes up. The first step would be to check the Event Viewer. You can find all events related to LAPS in the Event Viewer under Applications and Services > Microsoft > Windows > LAPS.

If you are using Intune for the deployment of Windows LAPS, then you can also view the report in the Intune Admin Center (Endpoint Manager). Open the policy in Endpoint Security > Account Protection and click on View Report.

Another option is to generate a diagnostics report with PowerShell. Run the cmdlet Get-LapsDiagnostics on the endpoint to generate a report. In the export, you will find an event log and a CSV file with all the events related to LAPS.
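The event log and the diagnostics export can be combined into a quick first-pass check on an endpoint. This is an added example and not part of the article; it reads the Windows LAPS operational channel (Microsoft-Windows-LAPS/Operational, the log shown in Event Viewer under Applications and Services > Microsoft > Windows > LAPS) and only references event ID 10059, which the FAQ below describes.

```powershell
# Added example: summarize recent LAPS errors and warnings on a managed device.
# Run locally on the endpoint (or wrap it in Invoke-Command for a remote computer).
$since = (Get-Date).AddDays(-7)

function Get-LapsProblemSummary {
    param([datetime]$StartTime)

    # Level 2 = Error, Level 3 = Warning. SilentlyContinue avoids a terminating error
    # when the channel simply has no matching events.
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-LAPS/Operational'
        Level     = 2, 3
        StartTime = $StartTime
    } -ErrorAction SilentlyContinue

    if (-not $events) { return $null }

    # One row per event ID, e.g. 10059 = LAPS is not enabled in the Azure AD tenant (see FAQ).
    $events | Group-Object Id | Sort-Object Count -Descending |
        Select-Object @{ n = 'EventId';  e = { [int]$_.Name } },
                      Count,
                      @{ n = 'LastSeen'; e = { ($_.Group | Sort-Object TimeCreated -Descending)[0].TimeCreated } },
                      @{ n = 'Message';  e = { ($_.Group[0].Message -split "`r?`n")[0] } }
}

$summary = Get-LapsProblemSummary -StartTime $since

if ($null -eq $summary) {
    Write-Host "No LAPS errors or warnings since $since. Forcing a policy run to generate fresh events..."
    Invoke-LapsPolicyProcessing
}
else {
    $summary | Format-Table -AutoSize -Wrap

    # Collect the full diagnostics export (event log plus CSV) described above for escalation.
    # -OutputFolder is a parameter of Get-LapsDiagnostics; the folder name is just an example.
    Get-LapsDiagnostics -OutputFolder "$env:TEMP\LapsDiag"
}
```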

FAQ

Update-LapsADSchema – The user has insufficient access rights.

To extend the AD Schema, you will need to be a member of the Security Group Schema Admins which you can find in the Active Directory. Make sure that you log off / on after you added the account to Schema Admins.

Update-LapsADSchema is not recognized

Make sure that you have installed the latest updates on your Windows servers and restarted the server after updating.

Error – Local admin password solution is not enabled for this tenant

You will need to enable LAPS in your Azure Active Directory. In the Azure Active Directory open Devices > Device Settings and enable Local Administrator Settings. This error is also listed in the event log under event ID 10059.

Wrapping Up

The new Windows LAPS is a great improvement over the older Microsoft LAPS solution. Everything you need is now built into the latest Windows builds, making it a robust solution. The implementation of the new version is pretty easy, especially if you are using Microsoft Intune (Endpoint Manager).

I hope this article helped you with implementing the new LAPS. If you have any questions or tips, just drop a comment below.

52 thoughts on “How to Deploy Windows LAPS – [Step-by-Step]”

  1. I have successfully deployed LAPS via Intune, but I cannot deploy it to a subset of devices that are not in Intune/do not have Intune-licensed users logged into them. These are about 10-20 devices logged in with service accounts. What is the best method of deploying LAPS to these? I’m in a hybrid ADConnect scenario. Would it be best to run Windows LAPS via GPO in my on-prem AD side by side with Intune LAPS? Or should I login once to each of those devices with an Intune licensed account so that they enroll in Intune?

    • The advantage of enrolling them in Intune is that you can also easily keep the device up to date or deploy packages to it. But if that is not needed, or you don’t have the licenses for it, then deploying it with a GPO is the best option I think.

  2. I know that Windows 2012 is not supported for actually setting the local admin password on those devices. But what if I have one Windows 2012 R2 Domain Controller that has all the MS Updates and two other Windows 2019 DCs. Will I still be able to extend the Schema and fully use Group Policy to push out LAPs to the Win 10/11 workstations in the network? I saw that the encryption options require domain functionality to be 2016 or higher but otherwise will the new Windows LAPs work in this network with this 2012 R2 DC still around?

  3. Hi,

    Does anyone know if it’s possible to enable LAPS in the cloud and still use LAPS on-prem, side by side?
    Like, can I test the cloud LAPS while my infra is still with LAPS on-prem?! I don’t see why it wouldn’t work, I just find it strange that the cloud LAPS has to be enabled then?!

    Thanks,
    Sizicks

  4. Hi I checked it once again (just as you mentioned in step 3) but still I see just 4 options in the policy instead of 9. Don’t understand it. Do you?

  5. Hi Rudy, I copied the laps admx files to the central store. Do I also need new admx files for windows 11 22h2 (or 23h2)? Admx files of laps are dated 23112023.

  6. Hello, thanks for the guide.
    If I still have legacy servers on 2003/2008/2012/2016 in my environment (I know we need to move away from this!!) does the Windows LAPS apply the policy to these and set the new admin password? Or won’t it work? By the way our domain controllers are on Server 2022.

  7. I started out with your first LAPS guide because I didn’t see this updated one till I hit the comments at the end. I’m trying to modify the Group Policies I’ve already created after doing the steps prior to that. Under Computer Configuration>Policies>Administrative Templates>LAPS I only see the 4 original settings to modify – password settings, name of administrator account to manage, do not allow password expiration time longer than required and enable local admin password management. I am missing the other settings that should be listed there. How do I get to those new settings – enable password backup, configure size of encrypted history, etc? Also, I still have 2012, 2012r2 and 2008 servers in my domain. Will the new LAPS manage those? If not, what do I do? As I said… I already started following the first few steps on this guide till I found the settings within the previous GPO are missing.

    • The older servers won’t be managed. So if you want to support those as well, you will need to stick with the legacy version.

      The missing settings are often due to not using the correct ADMX file.

  8. Hi I have 3 dc’s (2×2016 and 1×2022) all of them are on domain level 2016. I followed your instructions as good as I could. However, when I open the GPO I only see 4 options to edit instead of 9. For example, I miss the option Configure password backup directory. What am I doing wrong? I don’t get it.

  9. Hi Rudy,

    first of all thank you for sharing this great guide to the public.

    I have deployed LAPS without problems. I also used the script to create the lapsadmin. The script creates the user but doesn’t add the user to the administrator group.

    Is this happening because we have some clients notebooks in german and italian?
    Do you know why the user is not added do the local administrator group?

    Thank you in advance.

  10. I appreciated the guide! Though i’ve deployed to my domain controllers. When updating the schema using the PowerShell command, it did to my one DC (the LAPS tab shows up), but my other DC doesn’t have that tab yet. Am i supposed to wait for replication? or is it going to be installed on just the one DC? Am I able to update on the other one so both have that LAPS tab?

    apologies for the multiple questions, just happened to stumble across this and nobody has pointed this out.

      • Yes! Since the time this comment was posted, I noticed. The issue was I was using RSAT tools that wouldn’t show this new LAPS tab. I’m trying to see if a newer version would have this. Otherwise, I will just resort to the DC’s in providing this info (or running PowerShell commands). Thanks again!

  11. Hi, first things first: Thanks for your guide!!
    My question is: Is it possible to use the “set-lapsadcomputerselfpermission” for more than one OU at once? We’ve got the following structure:
    -root
    – IT Department
    – subdivision 1, sub 2 , sub 3 , sub… , sub 9
    Setting every Subdivision manually is too much of an overhead. I’d like to set the permission to the IT Department OU and all sub-OUs will get the setting, too. Is this possible or do i need to do it on every OU manually?

  12. I have implemented LAPS, but I have observed that the LAPS agent keeps changing the password even if the domain controller is not reachable from the endpoint computer, resulting in the changed password not getting updated in AD. How can I prevent changing the admin password if the domain controller is not reachable?

    Thanks…

  13. Firstly, thanks for this post.
    My question is: Server 2019 is up to date but the clients are not all the same version (Win 10 20H1, 1809, etc.).
    Should I apply the GPO deploy method, but then what about the 22H2 version?
    Can you advise me, please?

  14. Hello,
    can you set more than one GPO with different scopes (OU) and admin account names? We used to have different admin account names based on OU, that’s why I’m asking. Thanks.

  15. Hello,

    I implemented Windows LAPS using Azure AD.
    My question: How can I remove the account protection policy on a machine ?
    The machine is no longer in the account protection policy and LAPS is still working with the old policy.

    Thanks for the help

    • You can uninstall the LAPS client and/or remove all registry keys under:

      HKLM\Software\Microsoft\Windows\CurrentVersion\LAPS\State registry key

  16. Hi Ruud, really good post. Thanks

    I am going to implement it, but I would like to have a test environment and test it with a few computers. How do you think that I could do this?
    I thought of two options to do it, but how would you do it?

    First option is, after extending the schema, use the command Set-LapsADComputerSelfPermission only in a specific OU with test computers, but would I be able to use that command again many times as I would in other OUs?

    Second option is apply Set-LapsADComputerSelfPermission to the main OU with all computers but configure the GPO only in the test OU.

    How would you do it to have a safe test environment? Do you know anything critical that we should not do to break everything? Thanks

    • When I was testing it, I applied the GPO only to my test OU and also only set the ComputerSelfPermission on the test OU.

      The most important thing to check is if you can retrieve the LAPS password and if the built-in local admin account is disabled.

  17. Hello,

    We deployed Windows LAPS and it works as it should, but one thing is not OK as it should be.
    We set a GPO policy and set the group for reading the password and applied it on the OU. The group which we set in the policy to read the password cannot read. It does not work until we set the rights via PowerShell with the cmdlet Set-LapsADReadPasswordPermission on the selected OU.
    If I look in the diag for a user who is in the group of allowed readers I receive this:

    Search succeeded with 1 returned attributes:
    mslaps-passwordexpirationtime
    Processing attribute: mslaps-passwordexpirationtime
    EndProcessing started
    Endprocessing completed

    Domain admin has it:

    Search succeeded with 2 returned attribute:
    mslaps-passwordexpirationtime.
    mslaps-encryptedpassword
    Processing attribute: mslaps-passwordexpirationtime
    Processing attribute: mslaps-encryptedpassword.
    Successfully translated sid ‘…….
    Successfully decrypted inner password buffer.

    Shouldn’t the GPO’s over policy be enough?

      • But then for what purpose do you set in the GPO: Configure authorized password decryptors?
        It turns out that it is only informative, because the permissions have to be added manually on the OU.

  18. Windows Servers aren’t managed in Intune, so I would assume these systems will have to be managed by Active Directory GPO, yes? Or is there some magic that happens behind the scenes to get these policies applied to Windows Server 2019+ via Intune?

  19. We have the new LAPS policy enabled and working. But in the GPMC we still see the LEGACY LAPS policies. And they are a level higher than the Windows LAPS policies. This is confusing. Is there a way to remove the LEGACY LAPS settings from the GPMC?

  20. Hello
    Thank you for your post
    We use LAPS Legacy with a GPO
    The built-in local administrator account is configured for LAPS Legacy
    When we install the April KB, I will uninstall LAPS Legacy and Windows LAPS will use the same built-in local administrator account for the change
    Is it OK?
    Best regards
    Bonnou

  21. 1. Will the new LAPS work with a Windows Server 2016 domain functional level?
    2. I also have one 2012 and a couple legacy 2008 servers, I’m wondering if it will work with those? I assume not. Everything else I have is 2019, 2022, Win10 and Win11.
    3. I see the new LAPS group policy settings get installed to Computer Configuration > Policies > Administrative Templates > System > LAPS. My legacy LAPS group policy settings are in the exact same location. Will it overwrite it or merge together when I install and run side-by-side?
    Thank you!

    • 1. Server 2016 is not supported
      2. Indeed, 2008 and 2012 (and 2016) are not supported
      3. The old setting will be moved to Computer Configuration > Policies > Administrative Templates > LAPS

  22. I have the legacy LAPS solution in place in my environment configured with a unique local admin account name, and disabling the local Administrator accounts. How can I run the new LAPS and legacy LAPS side by side using the same local admin account as you state here? Seems like I’d have to create a new local admin account to use for the new LAPS.

  23. I have enabled LAPS via Azure yet I can’t see the passwords though it says the service has been pushed. Any ideas? I believe I have all of the proper access. I am a global admin for one. Also thank you for the well written articles.

    • It can take some time until the client has updated the policy locally. A reboot might help sometimes.

      Also, make sure that the client is fully updated

  24. What do you suggest if your organization wants to use a new local administrator account rather than the built-in “administrator” account? LAPS itself doesn’t create the new account, so would you use proactive remediation to first create the new account? Or is there another way?

    • Best option is to use the PowerShell script and a GPO to create a new local administrator account on the clients. You can create the account later, it doesn’t have to exist when you deploy the LAPS policy.
