If you are looking for a way to secure and manage the local administrator accounts on your Windows devices, you might be interested in the new Windows LAPS feature released in April 2023. Windows LAPS stands for Local Administrator Password Solution. It is a built-in Windows feature that automatically rotates and backs up the password of a local administrator account on your Azure Active Directory-joined or Windows Server Active Directory-joined devices. You can also use Windows LAPS to manage the Directory Services Repair Mode (DSRM) account password on your domain controllers.
Windows LAPS is an improvement over the legacy Microsoft LAPS product that was available as a separate download for many years. Windows LAPS offers several benefits, such as:
- Native integration into Windows: You don’t need to install any external package or agent to use Windows LAPS. It is ready to go out of the box and can be updated via the normal Windows patching processes.
- Support for Azure Active Directory: You can use Windows LAPS to back up local administrator account passwords to Azure Active Directory (currently in private preview) and retrieve them via Microsoft Graph. You can also use Azure role-based access control (RBAC) policies to authorize password retrieval and rotation. Additionally, you can manage Windows LAPS settings via Intune.
- Enhanced security: Windows LAPS helps you protect against pass-the-hash and lateral-traversal attacks by regularly changing the local administrator account password and storing it securely in Active Directory or Azure Active Directory. It also allows you to sign in to and recover devices that are otherwise inaccessible, such as when BitLocker recovery keys are lost or when network connectivity is down.