Local administrator accounts have long been a double-edged sword in Windows environments—absolutely necessary for troubleshooting connectivity issues or performing emergency maintenance, yet historically a glaring security weakness due to static passwords and over-privileged access. With the complexity of modern IT landscapes and the increase in cyberthreat sophistication, safeguarding these credentials has never been more crucial. Recognizing both the necessity and vulnerability of local admin accounts, Microsoft has thoroughly reimagined its Local Administrator Password Solution (LAPS), making it a native Windows feature and introducing a compelling suite of advances for organizations determined to tighten their security posture.
Source: TechTarget How to deploy Windows LAPS for tighter security | TechTarget
Why Local Administrator Passwords Are a Critical Security Issue
For decades, virtually every Windows device deployed in an enterprise has shipped with a built-in local administrator account. The intention was straightforward: provide an emergency way in if the machine lost contact with Active Directory (AD) and could not be managed remotely. However, this convenience came at a heavy price. Left unmanaged, these accounts became prime targets for credential dumping, lateral movement, and pass-the-hash attacks. The danger was not only that local admin passwords were rarely changed, but that they were frequently identical across an organization: the same password means the same NT hash, so a hash dumped from one machine authenticates to every other, and a single compromise could spell disaster.

Static, commonly known, or weak passwords in these accounts have exposed organizations to widespread compromise. An attacker who cracks or extracts one can quickly escalate privileges and pivot throughout the corporate network. Periodic manual password rotation is not realistic at scale, especially with cloud-connected, mobile, and hybrid endpoints now the norm.
Enter Windows LAPS: Automating Local Admin Password Management
Microsoft’s LAPS, originally a separately downloaded add-on, automated password management for the local administrator account on domain-joined Windows systems. The idea: generate a unique, complex password for every device, rotate it automatically on a schedule, and store it in AD as an attribute of the computer object. When an IT admin needed to access a machine locally, they retrieved the current credential from AD.

This architecture significantly reduced lateral-movement risk and kept credentials from going stale. But legacy LAPS required a separate client installation (the AdmPwd Group Policy client-side extension) and Group Policy configuration, stored the password in clear text in AD protected only by the attribute's access control list, and covered only domain-joined devices. Its limitations became apparent as organizations shifted toward cloud-first management, embraced Zero Trust principles, and adopted Microsoft Entra ID (formerly Azure AD).
Windows LAPS Goes Native: A 2023 Security Milestone
In April 2023, Microsoft fundamentally changed the equation for Windows LAPS, making it a built-in, updatable component of modern Windows client and server OSes. This means organizations no longer need to download or maintain a standalone utility. More importantly, with the April and subsequent updates, Windows LAPS brings advanced capabilities and streamlined deployment, closing many of the gaps that plagued legacy solutions.
Compatibility and Prerequisites
Windows LAPS is natively supported (with the requisite cumulative update, April 2023 or later) on a range of modern operating systems:
- Windows 11 24H2, 23H2, 22H2, 21H2
- Windows 10
- Windows Server 23H2, 2022, 2019, and 2025
Key Enhancements: What’s New in Windows LAPS?
Windows LAPS isn’t just a port of its predecessor; it’s a ground-up refresh with numerous new features designed to enhance both usability and security. Here are some standouts, verified with official Microsoft documentation and recent industry reports:
1. Automatic Account Management
Legacy LAPS only rotated the password; administrators had to create the account, make it a local administrator, and keep its flags sane themselves. Windows LAPS adds an automatic account management mode that targets either the built-in Administrator account or a custom-named account that LAPS creates (optionally with a randomized name). In this mode LAPS itself enables or disables the account as policy dictates, ensures it is a member of the local Administrators group, clears the “password not required” and “password never expires” flags, and updates the account’s description to indicate that it is LAPS-managed. This closes loopholes where a misconfigured account could silently weaken protection.
2. Enhanced Password (and Passphrase) Generation
Security rests on strong credentials. Beyond random character strings, Windows LAPS can now generate passphrases. The password complexity setting offers three passphrase styles, long words, short words, or short words with unique prefixes, with a configurable number of words. A passphrase built from several randomly chosen words resists guessing as well as a long random string, but is far easier to read aloud to a technician over the phone or to type at a console, which is exactly where a local admin credential tends to be used.
3. OS Image Rollback Detection
One risk with automated credential rotation is the so-called “password mismatch” problem: if a device is reverted to an older image or Hyper-V snapshot, the password actually set on the device is no longer the one most recently stored in the directory, and the stored one no longer works. Windows LAPS now keeps a password version identifier alongside the backed-up password and compares it on each policy-processing cycle; when the device’s local copy no longer matches, a rollback has occurred and the password is rotated immediately, resolving this often-overlooked failure mode without help-desk intervention.
4. Support for Azure and On-Premises Directory Services
Legacy LAPS only stored passwords in AD. Windows LAPS, by contrast, lets organizations store and retrieve local admin passwords from either traditional AD or Microsoft Entra ID (Azure AD). Each device backs up to one directory, chosen by policy; Microsoft Entra hybrid joined devices can use either. This is a seismic shift for organizations embracing cloud identities, remote work, and modern device management with endpoint solutions like Microsoft Intune.
5. Role-Based Access Control (RBAC) and Encryption
For passwords backed up to Microsoft Entra ID, access is governed by Entra role-based access control: only roles holding the device local credential read permission (for example Cloud Device Administrator or Intune Administrator, or a custom role granting just that permission) can retrieve them, and each retrieval is recorded in the Entra audit log. For passwords backed up to AD, access is delegated with directory permissions (Set-LapsADReadPasswordPermission and Set-LapsADResetPasswordPermission) and reads can be audited with a SACL (Set-LapsADAuditing). AD storage can additionally be encrypted at rest so that only a designated decryptor principal can read the value, with an encrypted history of up to 12 previous passwords. Together these offer far more robust protection for sensitive credentials than the legacy ACL-only model.
6. Directory Services Restore Mode Account Support
Beyond local admin accounts, Windows LAPS can manage and back up the password of the Directory Services Restore Mode (DSRM) account on domain controllers, a notoriously neglected credential in AD deployments. DSRM backup requires AD password encryption to be enabled; the encrypted value is stored on the domain controller’s own computer object.
Strengths of the New Windows LAPS Model
There are clear advantages to moving to the Windows-integrated LAPS solution:
- Simplified Deployment: Installation is handled by Windows Update; no more chasing down MSI installers or troubleshooting version mismatches.
- Modern Management Options: Organizations can manage LAPS policies directly via Microsoft Intune for Azure-joined or hybrid devices, or Group Policy for traditional AD environments.
- Granular Security Controls: With RBAC, encryption, and password versatility, organizations can tailor security to their individual needs, regulatory mandates, and risk assessments.
- Automatic, Consistent Protection: Automatic password rotation, complexity enforcement, and rollback detection reduce human error and tighten security across all endpoints.
Potential Pitfalls and Limitations
However, even with these enhancements, administrators should proceed with awareness:
- No Dual Management: Windows LAPS and legacy LAPS cannot both manage the same account on the same machine. Organizations in a transition phase must create separate local admin accounts if both tools are to run side by side. This could create confusion, especially in large or loosely governed environments.
- Learning Curve and Change Management: With new options and controls comes the need to retrain IT staff and update documentation and scripts. While a “legacy emulation mode” exists, moving fully to Windows LAPS is recommended.
- Partial Platform Coverage: Windows LAPS supports all modern, supported Windows versions—but organizations with older, out-of-support devices could find themselves exposed if not upgrading promptly.
- Policy Propagation Risks: In hybrid environments, differences in Group Policy, Intune-based management, and infrastructure readiness could result in gaps if not carefully planned.
Migrating from Legacy LAPS: A Stepwise Approach
Most organizations upgrading to Windows LAPS do so from the legacy LAPS tool. Microsoft recommends a structured process to minimize disruption and maximize protection:
1. Inventory and Readiness Check
First, identify all computers still using the legacy system (a populated ms-Mcs-AdmPwdExpirationTime attribute on the computer object is a reliable marker) and verify their OS versions support Windows LAPS. Apply the most recent cumulative updates across the fleet.
2. AD Schema Preparation
Since Windows LAPS adds new msLAPS-* attributes to AD, update the schema with the Update-LapsADSchema PowerShell cmdlet, run as a member of Schema Admins from a machine that has the Windows LAPS module. Always back up Active Directory before modifying the schema. Then grant devices the right to update their own password attributes with Set-LapsADComputerSelfPermission against the OU that contains them, and delegate read and reset rights to the administrators who need them with Set-LapsADReadPasswordPermission and Set-LapsADResetPasswordPermission. Delegations made specifically for the legacy ms-Mcs-AdmPwd attributes do not cover the new attributes, so re-delegate rather than assume.
3. Choose Migration Approach
Decide early whether to allow coexistence or do a straight cutover. In side-by-side mode, each solution needs its own local admin account, so set them up with distinct names.
4. Update Group Policy or Intune Settings
- In Group Policy, enable and configure LAPS settings for Windows LAPS. If disabling legacy LAPS, set its policy to “Not Configured.”
- In Intune, create and assign a Windows LAPS policy from the “Account protection” section under Endpoint Security, specifying platform, backup storage, password complexity, and rotation frequency.
5. Verify Operation
Use
Get-LapsADPassword -Identity <ComputerName>
to confirm a new password is stored correctly for each device. Without -AsPlainText the password stays a SecureString; add the switch only when the value itself must be displayed. Once every device has a Windows LAPS password, remove the legacy attributes, including the clear-text ms-Mcs-AdmPwd value, from AD:
Set-ADComputer -Identity "ComputerName" -Clear "ms-Mcs-AdmPwd","ms-Mcs-AdmPwdExpirationTime"
or for bulk removal in an Organizational Unit (OU):
Get-ADComputer -Filter * -SearchBase "OU=Computers,DC=domain,DC=com" | Set-ADComputer -Clear "ms-Mcs-AdmPwd","ms-Mcs-AdmPwdExpirationTime"
The bulk form clears the attributes on every computer in the OU whether or not Windows LAPS has already stored a password for it, so run it only after the verification above.
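The inventory and verification steps above, as an added example (it is not code from the TechTarget article or from Microsoft): the script audits one OU for legacy LAPS versus Windows LAPS state, flags machines that cannot run Windows LAPS or have no stored password of either kind, and, only when asked, clears the legacy attributes on computers that already have a Windows LAPS password, so no machine is left with no stored credential. Assumed: the ActiveDirectory and LAPS PowerShell modules are installed, Update-LapsADSchema has already run, the OU distinguished name OU=Workstations,DC=corp,DC=example is hypothetical, the build-number floor is only a rough unsupported-OS filter (check the exact KB per OS family), and Source and ExpirationTimestamp are the property names of the Get-LapsADPassword result.

```powershell
# Added example; not code from the TechTarget article or from Microsoft.
# Audits an OU for legacy LAPS vs Windows LAPS state (migration steps 1 and 5) and,
# on request, clears legacy attributes only where a Windows LAPS password already exists.
#Requires -Modules ActiveDirectory, LAPS
param(
    [string]$SearchBase = 'OU=Workstations,DC=corp,DC=example',   # hypothetical OU
    [switch]$ClearLegacy                                          # opt in to the destructive step
)

# Assumption: Windows 10 1809 / Server 2019 (build 17763) as the floor; older builds never got Windows LAPS
$minBuild = 17763

$props = 'OperatingSystem', 'OperatingSystemVersion',
         'ms-Mcs-AdmPwdExpirationTime', 'msLAPS-PasswordExpirationTime'

$report = foreach ($c in Get-ADComputer -Filter * -SearchBase $SearchBase -Properties $props) {
    # OperatingSystemVersion looks like "10.0 (19045)"; extract the build number
    $build = 0
    if ($c.OperatingSystemVersion -match '\((\d+)\)') { $build = [int]$Matches[1] }

    $hasLegacy  = $null -ne $c.'ms-Mcs-AdmPwdExpirationTime'
    $hasWinLaps = $null -ne $c.'msLAPS-PasswordExpirationTime'

    # Confirm the Windows LAPS entry is readable by the caller. Without -AsPlainText the
    # password itself stays a SecureString and is never written to the console.
    $info = $null
    if ($hasWinLaps) {
        try { $info = Get-LapsADPassword -Identity $c.Name -ErrorAction Stop } catch { }
    }

    [pscustomobject]@{
        Name        = $c.Name
        DN          = $c.DistinguishedName
        OS          = $c.OperatingSystem
        Build       = $build
        Supported   = ($build -ge $minBuild)
        LegacyLAPS  = $hasLegacy
        WindowsLAPS = $hasWinLaps
        Source      = $info.Source               # CleartextPassword or EncryptedPassword (assumed property name)
        Expires     = $info.ExpirationTimestamp
    }
}

$report | Sort-Object WindowsLAPS, LegacyLAPS |
    Format-Table Name, OS, Build, Supported, LegacyLAPS, WindowsLAPS, Source, Expires -AutoSize

# Call out the buckets that need action before any cleanup
foreach ($r in $report) {
    if (-not $r.Supported) {
        Write-Warning "$($r.Name): build $($r.Build) predates Windows LAPS; upgrade first"
    } elseif (-not $r.WindowsLAPS -and -not $r.LegacyLAPS) {
        Write-Warning "$($r.Name): no LAPS password of either kind stored in AD"
    } elseif ($r.WindowsLAPS -and -not $r.Source) {
        Write-Warning "$($r.Name): Windows LAPS attribute present but not readable by this account; check delegation"
    }
}

# Cleanup: clear the clear-text ms-Mcs-AdmPwd and its expiry only where Windows LAPS has taken over
if ($ClearLegacy) {
    foreach ($r in $report | Where-Object { $_.LegacyLAPS -and $_.WindowsLAPS }) {
        Set-ADComputer -Identity $r.DN -Clear 'ms-Mcs-AdmPwd', 'ms-Mcs-AdmPwdExpirationTime'
        Write-Host "Cleared legacy LAPS attributes on $($r.Name)"
    }
}
```

Run it once without -ClearLegacy and work through the warnings; machines that show LegacyLAPS only are still waiting for a Windows LAPS policy cycle, and clearing their attributes early would leave no recoverable credential at all.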
6. Monitor and Educate
Finally, ensure all IT staff know how to fetch LAPS-managed passwords with the appropriate tooling (the LAPS tab in Active Directory Users and Computers, the Get-LapsADPassword and Get-LapsAADPassword cmdlets, or the device’s local administrator password view in the Intune admin center), and reinforce clear, secure, and auditable access procedures.
Deploying Windows LAPS: Policy Configuration Options
Organizations have two principal routes for policy management:
1. Using Microsoft Intune
Microsoft Intune is now the preferred route for cloud-managed or hybrid fleets. From the Intune admin center:
- Go to “Endpoint security”, then “Account protection”
- Create a new policy; platform: Windows, profile: Local Admin Password Solution (Windows LAPS)
- Configure password length, complexity, backup directory (AD or Entra ID), and scope tags
- Assign to groups as needed
- Review configuration and confirm creation
2. Using Group Policy
Traditional Group Policy remains essential for organizations with many AD-joined devices:
- Import the Windows LAPS administrative templates (LAPS.admx and LAPS.adml, delivered with the April 2023 update under %SystemRoot%\PolicyDefinitions) into the central store
- Enable and configure Group Policy settings for LAPS under the appropriate OU or domain
- Ensure that Group Policy Objects (GPOs) are propagated and applied on schedule
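Lab configuration and post-deployment check, as an added example (it is not code from the TechTarget article or from Microsoft). It sets the policy through the Windows LAPS local configuration registry key, the lowest-precedence policy source (Intune CSP and Group Policy settings override it), so it suits a single test machine rather than production; it also exercises the passphrase and AD encryption options described under the key enhancements, then forces a policy cycle and verifies that the password was rotated and backed up. Assumed: the Config key path as documented for Windows LAPS local configuration, the account name brkglass, the decryptor group CORP\LAPS-Decryptors, and that the caller holds LAPS read rights on the computer object. Run it elevated on a domain-joined test client.

```powershell
# Added example; not code from the TechTarget article or from Microsoft.
# Configures Windows LAPS on one lab machine via the local configuration key,
# creates the account to be managed, forces a policy cycle, and verifies the result.
#Requires -RunAsAdministrator
#Requires -Modules LAPS

$account = 'brkglass'                                                        # hypothetical name
$cfg     = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\LAPS\Config'     # assumed local-config key

# 1. Outside automatic account management mode, LAPS rotates the password but does not
#    create the account, so make sure it exists and is a local administrator.
if (-not (Get-LocalUser -Name $account -ErrorAction SilentlyContinue)) {
    # Throwaway initial password; LAPS replaces it on the first policy cycle
    $initial = -join ((48..57) + (65..90) + (97..122) | Get-Random -Count 24 | ForEach-Object { [char]$_ })
    New-LocalUser -Name $account -Password (ConvertTo-SecureString $initial -AsPlainText -Force) | Out-Null
    Add-LocalGroupMember -Group 'Administrators' -Member $account
}
$before = (Get-LocalUser -Name $account).PasswordLastSet

# 2. Policy: back up to AD, encrypted, six-word passphrase, rotate every 30 days,
#    and rotate again 8 hours after the account is used to log on.
New-Item -Path $cfg -Force | Out-Null
$settings = @{
    BackupDirectory                     = 2        # 0 = disabled, 1 = Entra ID, 2 = Active Directory
    AdministratorAccountName            = $account
    PasswordComplexity                  = 8        # 6 = long words, 7 = short words, 8 = short words with unique prefixes
    PassphraseLength                    = 6        # number of words
    PasswordAgeDays                     = 30
    PasswordExpirationProtectionEnabled = 1        # clamp expiry times pushed beyond the policy maximum
    ADPasswordEncryptionEnabled         = 1        # requires Windows Server 2016 domain functional level
    ADPasswordEncryptionPrincipal       = 'CORP\LAPS-Decryptors'   # hypothetical group
    ADEncryptedPasswordHistorySize      = 6
    PostAuthenticationResetDelay        = 8        # hours
    PostAuthenticationActions           = 3        # 1 = reset, 3 = reset + log off, 5 = reset + reboot
}
foreach ($kv in $settings.GetEnumerator()) {
    $type = if ($kv.Value -is [string]) { 'String' } else { 'DWord' }
    Set-ItemProperty -Path $cfg -Name $kv.Key -Value $kv.Value -Type $type
}

# 3. Run a policy-processing cycle now rather than waiting for the scheduled one
Invoke-LapsPolicyProcessing -Verbose

# 4. Verify: password rotated, account enabled and still a local admin, and AD holds a
#    backed-up (encrypted) password for this computer. Metadata only; no -AsPlainText.
$user   = Get-LocalUser -Name $account
$member = Get-LocalGroupMember -Group 'Administrators' | Where-Object { $_.Name -like "*\$account" }
$backup = Get-LapsADPassword -Identity $env:COMPUTERNAME
[pscustomobject]@{
    Account      = $user.Name
    Enabled      = $user.Enabled
    LocalAdmin   = [bool]$member
    Rotated      = ($user.PasswordLastSet -gt $before)
    BackupSource = $backup.Source             # expect EncryptedPassword with the policy above
    Expires      = $backup.ExpirationTimestamp
}

# 5. Surface warnings and errors from the last cycle in the LAPS operational log
Get-WinEvent -LogName 'Microsoft-Windows-LAPS/Operational' -MaxEvents 50 |
    Where-Object { $_.Level -le 3 } |      # 1 = Critical, 2 = Error, 3 = Warning
    Select-Object TimeCreated, Id, LevelDisplayName, Message | Format-Table -Wrap
```

If Rotated is false or BackupSource is empty, read the operational log output first: the most common causes are a missing schema update, a computer object that lacks self-write permission on the msLAPS-* attributes, or a domain functional level below 2016 when encryption is enabled. Remove the Config values again once the Group Policy or Intune policy is in place so the two sources cannot disagree.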
Real-World Security Impact: Beyond Password Rotation
Windows LAPS delivers far more than mere password randomization. Here’s why its deployment represents a significant leap forward for enterprise security:
- Defense Against Credential Theft and Lateral Movement: With a unique, automatically rotated password on every device, a local administrator credential (or its NT hash) dumped from one compromised machine is valid nowhere else, so it cannot be replayed to move laterally or escalate across the estate. LAPS does not, however, stop an attacker who already holds domain credentials with LAPS read rights; protecting those principals remains essential.
- Zero Trust Foundations: Automated credential hygiene is a pillar of Zero Trust, and LAPS reduces reliance on perimeter-based defenses by treating each device as its own trust boundary.
- Auditability and Compliance: Fine-grained access controls and password history retention enable organizations to meet regulatory mandates and pass audits with confidence.
Potential Vulnerabilities and Deployment Risks
No solution is perfect. These are the areas where Windows LAPS administrators should exercise care:
- Policy Gaps: Overlapping or conflicting policies (from Group Policy and Intune) could produce inconsistent or failed settings deployment.
- Backup Storage Security: Whether storing passwords in AD or Entra ID, it is vital to enforce RBAC and audit policy to ensure only privileged, authorized personnel can retrieve local admin credentials.
- Rollback/Restore Pitfalls: If imaging or VM rollback tools are commonly used, ensure OS image rollback detection is enabled and monitored.
- Script Dependencies: Existing automation using legacy LAPS cmdlets may not function identically with the new schema and infrastructure.
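The backup storage security point above in practice, as an added example (it is not code from the TechTarget article or from Microsoft): the script reviews who can already read passwords in an OU, delegates read and reset rights along least-privilege lines, turns on auditing of password reads, retrieves one password without displaying it, and expires it after use so the device rotates it. Assumed: the LAPS module is installed, and the OU OU=Workstations,DC=corp,DC=example, the groups CORP\Helpdesk-Tier1 and CORP\Helpdesk-Tier2, the computer WS-0042, and the property names of the Get-LapsADPassword result are all hypothetical or as documented.

```powershell
# Added example; not code from the TechTarget article or from Microsoft.
# Least-privilege delegation, auditing and controlled retrieval for AD-backed Windows LAPS passwords.
#Requires -Modules LAPS

$ou = 'OU=Workstations,DC=corp,DC=example'   # hypothetical OU

# 1. Review who can already read LAPS passwords here. Principals holding "All extended rights"
#    on the OU (for example from a broad legacy delegation) can read the new attributes too.
Find-LapsADExtendedRights -Identity $ou | Format-Table -AutoSize

# 2. Delegate: Tier1 may read passwords; Tier2 may also force a reset
#    (a reset sets msLAPS-PasswordExpirationTime so the client rotates on its next cycle).
Set-LapsADReadPasswordPermission  -Identity $ou -AllowedPrincipals 'CORP\Helpdesk-Tier1', 'CORP\Helpdesk-Tier2'
Set-LapsADResetPasswordPermission -Identity $ou -AllowedPrincipals 'CORP\Helpdesk-Tier2'

# 3. Audit successful reads of the password attributes. This writes a SACL on the OU; with
#    "Audit Directory Service Access" enabled, domain controllers log Security event 4662.
Set-LapsADAuditing -Identity $ou -AuditedPrincipals 'Everyone' -AuditType Success

# 4. Retrieve the current password plus its encrypted history for one computer.
#    Without -AsPlainText the Password property is a SecureString and is not shown.
$entries = Get-LapsADPassword -Identity 'WS-0042' -IncludeHistory    # hypothetical computer
$entries | Select-Object ComputerName, Account, Source, PasswordUpdateTime, ExpirationTimestamp, AuthorizedDecryptor |
    Format-Table -AutoSize

# Only when a person must type it, e.g. at a console during an outage:
#   (Get-LapsADPassword -Identity 'WS-0042' -AsPlainText).Password

# 5. After the help-desk session, expire the password so the device rotates it on its next
#    policy cycle: the one-time-use pattern for break-glass credentials.
Set-LapsADPasswordExpirationTime -Identity 'WS-0042'
```

Keep the read delegation narrow and pair it with the audit SACL: the 4662 events on the domain controllers are what lets an incident responder answer "who pulled this machine's local admin password, and when" after the fact.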
Frequently Asked Questions about Windows LAPS
Is there a cost to move from legacy LAPS to Windows LAPS?
No, Windows LAPS is a built-in feature for supported Windows OSes, delivered and updated through Windows Update.
Does Windows LAPS work for non-domain-joined devices?
Currently, Windows LAPS requires the device to be joined to an AD domain or to Microsoft Entra ID (including hybrid join), because the password has to be backed up to one of those directories. Workgroup devices have nowhere to back up to and are not managed by LAPS, though Microsoft continues to expand cloud management capabilities.
Is legacy LAPS still supported?
Legacy LAPS is technically still supported, but deprecated. Microsoft strongly encourages migration to Windows LAPS as soon as possible.
Are passwords or passphrases stored in plain text?
Not necessarily. In Microsoft Entra ID the password is stored encrypted by the service and exposed only to roles holding the device local credential read permission, with each retrieval recorded in the audit log. In AD, the default (password encryption not enabled) stores the password in clear text in the msLAPS-Password attribute, protected only by the attribute’s access control list, exactly as legacy LAPS did with ms-Mcs-AdmPwd. Enable the AD password encryption setting (which requires the Windows Server 2016 domain functional level) so the value is written to msLAPS-EncryptedPassword and can be decrypted only by the configured authorized decryptor principal.
The Future of Local Admin Security in Windows
Microsoft’s integration of LAPS as a core OS feature aligns with larger trends in identity-centric security and hybrid management. As device fleets grow more distributed, and attacks more sophisticated, the risks of unmanaged credentials only intensify. Windows LAPS, in its modern incarnation, decisively closes one of the oldest and most frustrating gaps in Windows endpoint security.

Yet, strong passwords are only one piece of effective defense. To maximize the benefit of Windows LAPS, organizations should complement its deployment with:
- Privileged Access Management (PAM): Limit who can access passwords with least-privilege strategies.
- Continuous Monitoring and Auditing: Enable logging and alerting on all privileged password retrievals.
- Regular Education and Reassessment: Ensure the solutions remain configured for new compliance frameworks and organizational changes.
Conclusion
The updated Windows LAPS is a mature, streamlined, and highly effective tool for organizations committed to reducing their attack surface. By automating the hardest parts of local password management, and integrating with both AD and cloud identity, it eliminates a critical class of vulnerabilities while supporting modern, remote, and hybrid work. For IT leaders, the call to action is clear: inventory your environment, plan a careful migration, and leverage Windows LAPS for tighter, more resilient endpoint security. But as with all security technology, its real-world value hinges not just on features, but on disciplined implementation, ongoing vigilance, and an organizational commitment to least-privilege access and continuous improvement.