What’s new in Windows LAPS?

Microsoft has posted a video presenting the Windows LAPS solution. In 2023, it will replace Microsoft LAPS as we know and use it today, bringing many new features, including support for Azure AD.

All the new features are presented in the video below.

Today’s Microsoft LAPS

Microsoft LAPS (Local Administrator Password Solution) is a free solution tied to Active Directory whose purpose is to simplify managing the password of the local Administrator account on domain-joined machines. Each machine’s local administrator account therefore has a unique password, stored in Active Directory, and that password is renewed regularly.

Since it is an add-on, it requires extending the Active Directory schema and deploying a LAPS client to the managed machines via an MSI package.

The Windows LAPS of tomorrow

In the first half of 2023, Windows LAPS will become available and will gradually replace Microsoft LAPS (for companies that wish to switch). Microsoft LAPS will become the legacy version. This is not a simple renaming of this very popular enterprise product, but truly a new product with additional functions, some of them eagerly awaited.

LAPS for Azure Active Directory

LAPS will no longer strictly require an on-premises Active Directory, as Azure Active Directory will be supported. In that case, the password is stored directly on the device object registered in the cloud. Hybrid-joined devices will also be supported.

Configuration settings will be available in the Microsoft Endpoint Manager portal in the form of policies, and this is also where you can request a password rotation (trigger a change). To retrieve a device’s password, you will need to use the Azure portal or Microsoft Graph.

LAPS for Active Directory

Regarding the integration of LAPS with Active Directory, there are many changes, in particular thanks to new attributes in the Active Directory schema. When viewing the properties of a computer object managed by LAPS, more information will be available directly in a “LAPS” tab. This should remove the need for the LAPS UI tool or the attribute editor.

The LAPS tab will display:

  • The password, which will now be encrypted using DPAPI with keys stored in Active Directory (a great development!)
  • The name of the local administrator account
  • The password expiration date, with the option to change the date or request an immediate change

Here is an overview:

Windows LAPS - Active Directory - Example
Source: Microsoft – YouTube – Windows IT Pro

Among the new GPO settings is “Post-authentication actions”, which lets you force a reset of the administrator password once it has been used.

A new PowerShell module for LAPS

Microsoft has also introduced a new version of the PowerShell module for Windows LAPS. This module is more complete than the previous one and can retrieve the password from Active Directory or Azure Active Directory (until now this was only possible for AD). Here is the list of commands:

Windows LAPS - PowerShell

Installing Windows LAPS

Unlike Microsoft LAPS, the new Windows LAPS will be built directly into Windows, so there will no longer be any need to deploy the MSI package. Microsoft clarifies that Windows LAPS will honour Microsoft LAPS GPO settings, but switching to Windows LAPS will disable the legacy solution.

However, some integration work remains on the directory side, whether Active Directory or Azure Active Directory. For example, in Active Directory the “Update-LapsADSchema” command must be run.
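As an added example (not from the article or the video), here is what the Active Directory onboarding described above looks like with the new PowerShell module, followed by a password lookup and a forced rotation. The cmdlet names are those of the Windows LAPS module; the OU, group and computer names are placeholders to adapt to your own environment.

```powershell
# Added example: AD-side onboarding of Windows LAPS, then a password lookup and a forced rotation.
# Cmdlet names follow the Windows LAPS "LAPS" module; OU, group and computer names are placeholders.
Import-Module LAPS

$ManagedOu   = 'OU=Workstations,DC=corp,DC=example'   # placeholder OU holding LAPS-managed computers
$HelpdeskGrp = 'CORP\LAPS-PasswordReaders'             # placeholder group allowed to read passwords
$Computer    = 'PC-01'                                 # placeholder computer to inspect

# 1. Extend the schema once per forest (Schema Admins rights, run from a DC or an RSAT host).
Update-LapsADSchema -Verbose

# 2. Let the managed computers write their own LAPS attributes, and nothing more.
Set-LapsADComputerSelfPermission -Identity $ManagedOu

# 3. Delegate read and reset of the encrypted password to a dedicated group rather than Domain Admins.
Set-LapsADReadPasswordPermission  -Identity $ManagedOu -AllowedPrincipals $HelpdeskGrp
Set-LapsADResetPasswordPermission -Identity $ManagedOu -AllowedPrincipals $HelpdeskGrp

# 4. Review who already holds "All extended rights" on the OU: those principals can read every password.
Find-LapsADExtendedRights -Identity $ManagedOu | Format-Table -AutoSize

# 5. Retrieve the current password (decrypted on the fly) and check that it is still within its lifetime.
$p = Get-LapsADPassword -Identity $Computer -AsPlainText
"{0}: account '{1}', stored {2}, expires {3}" -f $p.ComputerName, $p.Account, $p.PasswordUpdateTime, $p.ExpirationTimestamp
if ($p.ExpirationTimestamp -lt (Get-Date)) { Write-Warning "Password for $Computer is past its expiration date" }

# 6. Once the password has been used, expire it immediately (the same action as "request an immediate
#    change" in the LAPS tab); the client rotates it on its next policy processing cycle.
Set-LapsADPasswordExpirationTime -Identity $Computer
```

Steps 1 to 4 are one-off setup tasks; steps 5 and 6 are what a helpdesk operator would run for a given machine.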

At the moment, Windows LAPS is supported on “Windows 11 Insider Preview Build 25145”, and on the Azure Active Directory side access is limited to a few Windows Insider Program users. Microsoft does not say whether Windows 10 will be supported, but it most likely will be (the required version remains to be seen). Eventually, Windows LAPS will also be supported on Windows Server (including in Core mode).

For more information, you can also consult the official documentation:

What do you think of Windows LAPS?
