Have you ever wondered how to secure and manage the local administrator accounts on your Windows devices? Do you want to prevent attackers from exploiting weak or shared passwords to compromise your network? Do you need a way to access and recover your devices in case of an emergency? If you answered yes to any of these questions, then you should read this article about Windows LAPS, an old Windows feature made new again that can help you achieve all these goals and more!
Windows Local Administrator Password Solution (Windows LAPS) is a Windows feature that automatically manages and backs up the password of a local administrator account on your Azure Active Directory-joined or Windows Server Active Directory-joined devices. You can also use Windows LAPS to manage the Directory Services Restore Mode (DSRM) account password on your domain controllers. This feature helps you improve your security posture by preventing pass-the-hash and lateral-traversal attacks, as well as enabling remote help desk scenarios and device recovery.
[Picture: Windows LAPS logo]
If you are an IT administrator or a security professional, you should care about Windows LAPS because it offers you several benefits over using a common or static local administrator password across your devices. Some of these benefits are:
- You can enforce regular password rotation and complexity policies for your local administrator accounts, making them harder for attackers to guess or crack.
- You can store the encrypted passwords in Azure AD or AD, where only authorized users can access them using Microsoft Graph or PowerShell.
- You can use Azure RBAC policies and Intune to control who can retrieve and rotate the passwords, as well as monitor their usage and expiration.
- You can sign in to and recover devices that are otherwise inaccessible, such as offline, corrupted, or BitLocker-protected devices.
[Picture: A screenshot of retrieving a password from Azure AD]
To use Windows LAPS, you need to have the following prerequisites:
- Your devices must be running Windows 11 Pro, EDU, or Enterprise; Windows 10 Pro, EDU, or Enterprise; Windows Server 2022; or Windows Server 2019 with the April 11, 2023 update or later installed.
- Your devices must be joined to Azure AD or Windows Server AD.
- You must have an Azure subscription and Intune for managing your cloud-based devices.
- You must have the appropriate permissions to configure and retrieve passwords in Azure AD or AD.
Once you have met these prerequisites, you can follow these steps to use Windows LAPS:
1. Enable Windows LAPS on your devices by using Intune for cloud-based devices or Group Policy for on-premises devices.
2. Specify the local administrator account name and password policy settings that you want Windows LAPS to manage.
3. Wait for Windows LAPS to automatically rotate and back up the passwords on your devices according to your policy settings.
4. Retrieve the passwords from Azure AD or AD when you need them by using Microsoft Graph or PowerShell.
5. Optionally, force a password rotation on a device if you suspect a compromise or want to change the password immediately.
[Picture: A flowchart of using Windows LAPS]
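Steps 3 to 5 above in worked form, as an added example that is not from the article: a PowerShell script that audits Windows LAPS coverage for an on-premises AD OU (which computers have a backed-up password, and whether it is expired or stale) and forces an immediate rotation on a device you suspect is compromised. It assumes the Windows LAPS PowerShell module and the ActiveDirectory module are installed, that the caller holds the LAPS read permission on the OU and admin rights on the target device, and that the OU path and computer name are placeholders.

```powershell
# Added example (not from the article). Assumes the LAPS and ActiveDirectory
# modules; the OU path and computer name below are placeholders.
Import-Module LAPS
Import-Module ActiveDirectory

function Get-LapsCoverageReport {
    param(
        [Parameter(Mandatory)] [string] $SearchBase,   # placeholder OU, e.g. "OU=Workstations,DC=example,DC=com"
        [int] $MaxPasswordAgeDays = 30                 # should match the PasswordAgeDays value in your LAPS policy
    )
    $now = Get-Date
    foreach ($computer in Get-ADComputer -Filter * -SearchBase $SearchBase) {
        $entry = $null
        try {
            # Without -AsPlainText the password comes back as a SecureString; this
            # report only needs the timestamps, so the secret is never decrypted here.
            $entry = Get-LapsADPassword -Identity $computer.Name -ErrorAction Stop
        } catch { }
        $status = 'OK'
        if (-not $entry) {
            $status = 'NoLapsPassword'   # policy never applied, or schema/permission problem
        } elseif ($entry.ExpirationTimestamp -lt $now) {
            $status = 'Expired'          # rotation overdue: device offline or policy processing failing
        } elseif ($entry.PasswordUpdateTime -lt $now.AddDays(-$MaxPasswordAgeDays)) {
            $status = 'Stale'            # older than the policy should allow
        }
        [pscustomobject]@{
            Computer   = $computer.Name
            Status     = $status
            LastUpdate = $entry.PasswordUpdateTime
            Expires    = $entry.ExpirationTimestamp
        }
    }
}

# Step 5 of the article: rotate now on a device suspected of compromise.
# Reset-LapsPassword runs on the managed device itself, so it is invoked remotely.
function Invoke-LapsEmergencyRotation {
    param([Parameter(Mandatory)] [string] $ComputerName)
    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        Reset-LapsPassword               # rotates and backs up the new password immediately
    }
    # Confirm the backup landed by re-reading only the update timestamp.
    (Get-LapsADPassword -Identity $ComputerName).PasswordUpdateTime
}

# Placeholder OU: list only the machines that need attention.
Get-LapsCoverageReport -SearchBase 'OU=Workstations,DC=example,DC=com' |
    Where-Object Status -ne 'OK' | Format-Table -AutoSize
```

Devices reported as NoLapsPassword or Expired are the ones where the "shared static password" risk the article describes still applies, so they are the first to investigate.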