Windows LAPS is a Windows feature that enables administrators to automatically back up and manage the password of a local administrator account on Windows client or server devices joined to Active Directory or Microsoft Entra ID.
One long-standing challenge has been whether admins should manage the built-in Administrator account on their client devices or create a new account to be managed with Windows LAPS. Those who create a new account must decide how to do that: using the Accounts CSP in Microsoft Intune, baking the account into a Windows image, or creating it with a PowerShell script. Each option comes with its own set of technical and security challenges.
On January 26, 2024, Windows 11 Insider Preview Build 26040 was released to the Canary Channel. It set out to solve some of these account creation challenges by implementing improved account management features for Windows LAPS. These include being able to:
- Automatically create the managed local account.
- Configure the name of the managed account.
- Enable or disable the account.
- Automatically randomize the name of the account.
- Improve the readability of LAPS passwords using better passphrases.
- Improve the post-authentication actions.
Learn how to enable automatic account management for Windows LAPS using Microsoft Intune in my article: How to Enable Automatic Account Creation for LAPS in Intune
Today (1st October 2024), Microsoft announced the release of Windows 11 24H2, also known as the Windows 11 2024 Update, which includes the GA release of these new Windows LAPS features. More information on what's included in the Windows 11 24H2 update can be found here.
If you are interested in getting started with setting up Windows LAPS, check out some of my recent articles: