Microsoft announced on Monday the general availability of Entra ID and Intune support for its Windows Local Administrator Password Solution (LAPS). As a tool employed to reinforce the security of local administrator passwords, this newer version replaces what Microsoft categorizes as their “legacy LAPS.”
In April, Microsoft rolled out the new Windows LAPS (Local Administrator Password Solution), separating it from the existing Download Center LAPS, which is now known as Legacy LAPS. Windows LAPS offers the same toolset as Legacy LAPS along with new benefits. Microsoft says the original LAPS will remain available in the Download Center under the Legacy LAPS name.
Compatibility and Application of the latest Windows LAPS
The updated Windows LAPS is available on Windows 10 and Windows 11 clients and on Windows Server 2019 and Windows Server 2022. Organizations can use it if their devices are either joined to Microsoft Entra ID or hybrid-joined to both Entra ID and on-premises Active Directory. The release began rolling out with Microsoft's regular “update Tuesday” monthly patch release on April 11, 2023, although the Entra ID and Intune features were not yet generally available at the time.
Windows LAPS does not need to be installed, because it is built into Windows; administrators do, however, have to enable it through policy. Designed as a defense against “pass-the-hash” and “lateral-traversal” attacks, Windows LAPS also brings further benefits, such as better protection for remote help-desk scenarios that use Intune and a simpler device recovery process. It extends password encryption and access control list (ACL) options through Entra ID, along with password backup, retrieval, and rotation capabilities. Newly introduced are audit logs and the ability to build Entra ID role-based access control policies.
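The policy-driven activation and backup options described above, as an added PowerShell check (example code, not from the article or from Microsoft): it reads the Windows LAPS policy registry key, reports where passwords are backed up, flags settings that leave LAPS off or weak, and lists recent entries from the LAPS operational event log. The registry path, policy value names and event log name are those Windows LAPS uses; the 14-character and 30-day thresholds are this example's assumed baseline.

```powershell
# Added example: audit a device's Windows LAPS policy as written by Group Policy or
# Intune (LAPS CSP). Run elevated on Windows 10/11 or Server 2019/2022.
$policyKey = 'HKLM:\Software\Microsoft\Policies\LAPS'
$policy = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue

if (-not $policy) {
    Write-Warning "No Windows LAPS policy at $policyKey; LAPS is not enabled on this device."
    return
}

# BackupDirectory: 0 = disabled, 1 = Entra ID (Azure AD), 2 = on-premises Active Directory.
# Cast to [int] so an unset value ($null) falls through to the default branch.
$backupTarget = switch ([int]$policy.BackupDirectory) {
    1       { 'Entra ID' }
    2       { 'Active Directory' }
    default { 'Disabled' }
}

# Unset values mean Windows LAPS defaults: 14-character passwords rotated every 30 days.
$length  = if ($null -ne $policy.PasswordLength)  { $policy.PasswordLength }  else { 14 }
$ageDays = if ($null -ne $policy.PasswordAgeDays) { $policy.PasswordAgeDays } else { 30 }

# Thresholds below are this example's assumed baseline, not Microsoft guidance.
$findings = @()
if ($backupTarget -eq 'Disabled') {
    $findings += 'BackupDirectory is 0 or unset: no password backup, so LAPS is effectively off.'
}
if ($length -lt 14)  { $findings += "PasswordLength $length is below the 14-character baseline." }
if ($ageDays -gt 30) { $findings += "PasswordAgeDays $ageDays exceeds the 30-day rotation baseline." }
if ($backupTarget -eq 'Active Directory' -and $policy.ADPasswordEncryptionEnabled -ne 1) {
    $findings += 'AD backup without ADPasswordEncryptionEnabled=1: password is stored unencrypted (ACL-protected only).'
}

[pscustomobject]@{
    BackupTarget         = $backupTarget
    AdministratorAccount = if ($policy.AdministratorAccountName) { $policy.AdministratorAccountName } else { '(built-in Administrator)' }
    PasswordLength       = $length
    PasswordAgeDays      = $ageDays
    Findings             = if ($findings) { $findings -join ' ' } else { 'No issues against the assumed baseline.' }
}

# Recent LAPS activity (policy processing, backups, rotations) from the dedicated operational log.
Get-WinEvent -LogName 'Microsoft-Windows-LAPS/Operational' -MaxEvents 5 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, LevelDisplayName, Message
```

On a hybrid-joined device the same key also carries the AD-specific settings, so a second run after a policy change (optionally preceded by Invoke-LapsPolicyProcessing) shows whether the new values took effect.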
Microsoft's planned additions to Windows LAPS include automatically creating local administrator accounts on devices that are properly configured for Windows LAPS. Also coming soon are Entra ID notifications when local administrator passwords are used, followed by just-in-time controls for self-service local administrator password retrieval by device owners.
Azure Active Directory (Azure AD) is now called Microsoft Entra ID. The change is more than a rename: it is a major upgrade that adds new capabilities and improvements. For example, Microsoft Entra ID will let organizations use federated identities, so they can work more easily with other organizations and cloud services. The company expects to complete the rebranding by next year.