Key Points
- What is Windows LAPS?
  Windows Local Administrator Password Solution (LAPS) is a built-in Windows feature that manages the local administrator password on Active Directory-joined and Microsoft Entra-joined devices, giving each device a unique, regularly rotated password so that one compromised device cannot be used to reach the others.
- Why use Windows LAPS?
  It automates password generation and rotation, stores each password centrally in Active Directory or Microsoft Entra ID, and provides the access control and audit trail that enterprise security and compliance reviews expect.
- Prerequisites for deployment
  Requires Windows 10 or Windows 11 (Pro or Enterprise) or Windows Server 2019/2022 with the April 2023 or later cumulative update, an Active Directory domain and/or a Microsoft Entra tenant, and, for Active Directory backup, a one-time schema extension plus the LAPS Group Policy templates in your Central Store. Nothing needs to be installed on the clients.
- Windows LAPS vs legacy Microsoft LAPS
  Windows LAPS (2023+) is native to Windows, supports Microsoft Entra ID, can encrypt the password stored in Active Directory, and offers improved auditing and logging over the legacy MSI-based version.
- Best practices for LAPS configuration
  - Restrict who can read stored passwords through Active Directory permissions or Microsoft Entra roles.
  - Enable encryption for the password attributes in Active Directory.
  - Audit and monitor password retrievals regularly.
  - Rotate passwords on short lifecycles, and automatically after each use of the account, to minimize exposure.
Securing privileged accounts is a core concern for security teams, and the identity directory, Active Directory on premises or Microsoft Entra ID in the cloud, forms the backbone of access control in most organizations.
Those directories centralize user accounts, devices, and resources, but the built-in local administrator account on each Windows device sits outside that central control and holds full power over the device. When many devices share the same or a predictable local administrator password, an attacker who captures it on one machine can reuse it on every other machine, so these passwords demand careful protection.
If you prefer a video explanation of this guide, watch How to Deploy Windows LAPS.
What is Windows LAPS?
Windows Local Administrator Password Solution (LAPS) is a built-in Windows feature that addresses the weakness of shared or static local administrator passwords by making them random, complex, and unique per device. The password for the managed local administrator account is generated automatically on each computer, rotated on a schedule, and backed up to Active Directory or Microsoft Entra ID, where only authorized principals can read it.
This guide’s aim is to equip you with the knowledge and practical skills needed to deploy and utilize Windows LAPS effectively. By the end of this journey, you will understand the importance of secure password management in Active Directory environments and have the expertise to implement LAPS as a robust solution.
Windows LAPS vs. Microsoft LAPS
Windows LAPS supersedes the legacy Microsoft LAPS, which shipped as a separate MSI with its own Group Policy client-side extension. On operating systems that include Windows LAPS, the legacy client is blocked from managing the account once a Windows LAPS policy applies; Windows LAPS honors legacy policies only in a limited legacy-emulation mode. As of writing, legacy Microsoft LAPS is still supported, but only for a limited time, so plan a migration.
Why use Windows LAPS?
LAPS provides a means to centrally manage local admin passwords, and doing so has three key advantages:
LAPS security
LAPS’ core value lies in its transformation of the way local administrator passwords are treated. This fundamental shift fortifies the security posture of organizations by eliminating the risk of password reuse and minimizing the blast radius of a password compromise in the following ways:
- Randomized, unique local admin passwords: LAPS ensures that each local administrator account on every computer in your organization has a unique, complex password. These passwords are regularly rotated, reducing the risk of unauthorized access.
- Enhanced security posture: By removing the predictability of local admin passwords, LAPS mitigates security threats associated with password reuse and theft. It provides a crucial layer of defense in the event of credential theft attacks.
Regulatory compliance
Many regulatory frameworks require organizations to control and periodically change privileged credentials. LAPS implements those controls for local administrator accounts, which helps meet the requirements of standards such as HIPAA, GDPR, and PCI DSS; it does not make an environment compliant on its own.
Streamlined password management in Active Directory environments
Managing local administrator passwords across a large number of computers is a significant task that traditionally called for scripts or manual effort. LAPS automates the generation, rotation, and secure storage of these passwords in Active Directory (or Microsoft Entra ID), so administrators only need to define the policy and control who may read the results.
Pre-requisites and system requirements for LAPS
Before looking at the installation and configuration of LAPS, it is important to ensure your environment is suitable for a deployment. Areas to consider include:
- Supported Windows versions: Windows LAPS is included in Windows 10 and Windows 11, and in Windows Server 2019 and Windows Server 2022, from the April 11, 2023 cumulative update onward (later releases include it out of the box). Confirm the update level before you start; on older builds only legacy Microsoft LAPS is available.
- Directory backup target: Windows LAPS backs up the password to either Active Directory or Microsoft Entra ID. For Active Directory backup the client must be domain-joined; for Microsoft Entra ID backup it must be Microsoft Entra joined or hybrid joined. A device backs up to one directory at a time, chosen by the BackupDirectory policy setting.
- Required permissions and roles for LAPS deployment: In Active Directory you need Schema Admins membership to apply the one-time schema extension, rights to modify Group Policy settings, and rights to change permissions on the organizational units (OUs) that hold the computer objects. In Microsoft Entra ID you need the Cloud Device Administrator role (or higher) to enable the tenant setting, and an Intune role that can assign policy.
- Domain functional level: If your domain functional level (DFL) is lower than Windows Server 2016, you won't be able to enable Windows LAPS password encryption, and the password is stored in Active Directory without encryption, protected only by the attribute permissions. Raise the functional level, and keep domain controllers patched, before relying on encryption.
How to deploy LAPS
Windows LAPS is a native part of Windows on any supported build (Windows 10, Windows 11, Windows Server 2019 and later with the April 2023 update), so there is nothing to install on the clients; deployment consists of preparing the directory and assigning policy. Follow the stages below to deploy LAPS in your environment:
Obtaining the LAPS software
For Windows LAPS there is no download: the client, the PowerShell module (LAPS), and the Group Policy templates (LAPS.admx and LAPS.adml) arrive with the Windows update. Only if you must support devices that cannot run Windows LAPS do you need the legacy Microsoft LAPS installer; in that case obtain it only from Microsoft's official download site, verify the source to avoid untrusted or malicious copies, and scan the file before executing it.
Verifying the installation
It is good practice to confirm that LAPS is functioning before relying on it: check that the LAPS PowerShell module loads (Get-Command -Module LAPS), that the Active Directory schema extension has been applied (the msLAPS-* attributes exist on computer objects), and that a managed client has written a password that an authorized administrator can retrieve with Get-LapsADPassword (or Get-LapsAADPassword for Microsoft Entra ID). On the client, Get-LapsDiagnostics and the Microsoft-Windows-LAPS/Operational event log show why a backup failed.
Enabling Windows LAPS with Microsoft Entra ID
You can manage Windows LAPS through Microsoft Intune, which makes enabling it for Microsoft Entra-joined devices straightforward, or you can configure it manually. Either way, the tenant must first permit devices to back up passwords to Microsoft Entra ID:
- Sign in to the Microsoft Entra admin center as a Cloud Device Administrator or higher.
- Go to Entra ID > Devices > Overview > Device settings.
- Find the Enable Local Administrator Password Solution (LAPS) setting, set it to Yes, and save. Alternatively, set it through the Microsoft Graph API by updating the deviceRegistrationPolicy (its local administrator password setting).
- Set up a client-side policy with BackupDirectory set to Microsoft Entra ID (value 1) so the device knows where to store the password; the device must be Microsoft Entra joined or hybrid joined.
- If you are a Microsoft Intune user, create and assign a Windows LAPS policy under Endpoint security > Account protection.
- If you are a Group Policy (GPO) user, configure the same settings under Computer Configuration > Administrative Templates > System > LAPS; this works for hybrid-joined devices.
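The script below is an added example written for this article, not code from Microsoft or the original post. It walks the Microsoft Entra ID path end to end on a lab device: it writes the same policy values that Intune's LAPS CSP or Group Policy would deliver (directly in the registry, which is acceptable only for a lab because the next policy refresh overwrites it), forces a policy cycle, checks the LAPS event log, and then retrieves the stored password through Microsoft Graph. It assumes the tenant setting above is already enabled, the device is Microsoft Entra joined, the Microsoft.Graph PowerShell module is installed, the retrieving account holds a role allowed to read device local credentials, and a device named PC01 exists (a placeholder name).

```powershell
# Added example: Windows LAPS with Microsoft Entra ID backup, lab walkthrough.
# Assumptions: Entra-joined device, tenant LAPS setting enabled, Microsoft.Graph
# module installed, caller permitted to read device local credentials, PC01 is a placeholder.
#Requires -RunAsAdministrator

# 1. Policy values exactly as the LAPS CSP (Intune) or Group Policy would write them.
#    Writing here directly is for a lab only; a managed device gets these from policy.
$policyKey = 'HKLM:\SOFTWARE\Microsoft\Policies\LAPS'
$policy = @{
    BackupDirectory                     = 1   # 1 = Microsoft Entra ID, 2 = Active Directory, 0 = disabled
    PasswordAgeDays                     = 7   # rotate weekly instead of the 30-day default
    PasswordLength                      = 20
    PasswordComplexity                  = 4   # upper, lower, digits and special characters
    PasswordExpirationProtectionEnabled = 1   # expiry cannot be pushed beyond PasswordAgeDays
    PostAuthenticationResetDelay        = 4   # hours after the account authenticates...
    PostAuthenticationActions           = 3   # ...reset the password and log off its sessions
}
New-Item -Path $policyKey -Force | Out-Null
foreach ($name in $policy.Keys) {
    Set-ItemProperty -Path $policyKey -Name $name -Value $policy[$name] -Type DWord
}

# 2. Apply the policy now and look for errors instead of waiting for the next cycle.
Invoke-LapsPolicyProcessing
Get-LapsDiagnostics -OutputFolder "$env:TEMP\LapsDiag"     # collects logs and policy state
Get-WinEvent -LogName 'Microsoft-Windows-LAPS/Operational' -MaxEvents 20 |
    Where-Object Level -le 2 |                             # Level 2 = Error
    Format-List TimeCreated, Id, Message

# 3. Retrieve the password from Microsoft Entra ID (run on an admin workstation).
Connect-MgGraph -Scopes 'DeviceLocalCredential.Read.All', 'Device.Read.All'
$deviceId = (Get-MgDevice -Filter "displayName eq 'PC01'").DeviceId
$cred = Get-LapsAADPassword -DeviceIds $deviceId -IncludePasswords -AsPlainText
$cred | Format-List DeviceName, Account, Password, PasswordExpirationTime, PasswordUpdateTime
```

Step 3 only succeeds for accounts granted a role with the device local credential read permission; that role assignment, not the password itself, is what you audit. The post-authentication settings in step 1 are the part most deployments forget: without them a password handed to a technician stays valid until the next scheduled rotation.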
Deploying LAPS in Active Directory
💡NOTE: If you plan to back up passwords only to Microsoft Entra ID, you do not need to prepare Active Directory; the steps below apply to Active Directory backup.
Configuring LAPS for Active Directory backup means extending the schema once, granting computers the right to write their own password, granting chosen administrators the right to read it, and then defining the password policy (storage target, length, complexity, age) in Group Policy. Windows LAPS itself is already on the devices; Group Policy only delivers the settings and defines how frequently passwords rotate.
To set up LAPS in Active Directory:
- If you use a Group Policy Central Store, copy LAPS.admx and LAPS.adml from the PolicyDefinitions folder of an updated machine into the Central Store manually so the LAPS settings appear in the Group Policy editor.
- Extend the schema with the msLAPS attributes (Update-LapsADSchema), then grant each target OU SELF write permission (Set-LapsADComputerSelfPermission) and give your administrator group read permission (Set-LapsADReadPasswordPermission).
- Configure Group Policy settings under Computer Configuration > Administrative Templates > System > LAPS to:
  - Set the password backup directory to Active Directory
  - Set the password age, length, and complexity
  - Enable password encryption where the domain functional level allows it
- Link the new Windows LAPS policy to the OUs that contain the managed devices.
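The following script is an added example for this article, not Microsoft's or the original author's code; it covers both the Active Directory setup steps above and the "Verifying the installation" check. It assumes a domain contoso.com with workstations under OU=Workstations,DC=contoso,DC=com, a service-desk group CONTOSO\LAPS-Readers, a Central Store in SYSVOL, a test computer named PC01, and that the account running it is a Schema Admin (for the schema step) and Domain Admin (for the permission and file copies). All of those names are placeholders; the cmdlets are from the LAPS module that ships with Windows.

```powershell
# Added example: one-time Active Directory preparation for Windows LAPS plus a retrieval check.
# Placeholders: contoso.com, OU=Workstations, CONTOSO\LAPS-Readers, PC01.
#Requires -Modules LAPS

$targetOU = 'OU=Workstations,DC=contoso,DC=com'
$readers  = 'CONTOSO\LAPS-Readers'

# 1. Extend the schema with the msLAPS-* attributes (once per forest, as a Schema Admin).
Update-LapsADSchema -Verbose

# 2. Let every computer in the OU write its own password attributes (SELF rights).
Set-LapsADComputerSelfPermission -Identity $targetOU

# 3. Grant read and expiry-reset rights to the reader group only, then list who else
#    already holds "All extended rights" on the OU and could therefore read passwords.
Set-LapsADReadPasswordPermission  -Identity $targetOU -AllowedPrincipals $readers
Set-LapsADResetPasswordPermission -Identity $targetOU -AllowedPrincipals $readers
Find-LapsADExtendedRights -Identity $targetOU | Format-Table ObjectDN, ExtendedRightHolders

# 4. Publish the Group Policy templates to the Central Store so the LAPS node appears in GPMC.
$store = '\\contoso.com\SYSVOL\contoso.com\Policies\PolicyDefinitions'
Copy-Item "$env:SystemRoot\PolicyDefinitions\LAPS.admx"       "$store\"
Copy-Item "$env:SystemRoot\PolicyDefinitions\en-US\LAPS.adml" "$store\en-US\"

# 5. On the client PC01, after the GPO is linked and gpupdate has run, force a cycle:
#      Invoke-LapsPolicyProcessing
#      Get-WinEvent -LogName 'Microsoft-Windows-LAPS/Operational' -MaxEvents 5 | Format-List Id, Message

# 6. From an admin workstation, as a LAPS-Readers member, read the password back.
$entry = Get-LapsADPassword -Identity 'PC01' -AsPlainText
if (-not $entry.Password) {
    throw 'No readable password for PC01: check the SELF permission, the client policy, or decryption rights.'
}
$entry | Format-List ComputerName, Account, Password, PasswordUpdateTime, ExpirationTimestamp, Source, DecryptionStatus
```

Step 3's Find-LapsADExtendedRights output is the check most deployments skip: any group with "All extended rights" on the OU (delegated help-desk roles are a common case) can read every LAPS password regardless of the reader group you just configured, so remove or narrow those grants before relying on the access control.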
Best practices for using LAPS
Follow the best practices below for a secure and effective LAPS deployment:
- Set up auditing and tracking: Enable auditing on the directory so that every password read is logged (in Active Directory, Set-LapsADAuditing places an audit entry on the LAPS attributes and reads then appear as event 4662 on domain controllers), and review that activity regularly; it is essential for both incident response and compliance.
- Configure access controls: Stored local administrator passwords are a valuable target for attackers. Grant read and reset rights only to a dedicated group, enable password encryption in Active Directory so that principals with broad directory read access cannot recover the clear text, and periodically review who holds "All extended rights" on the OUs.
- Schedule maintenance and updates: Windows LAPS is updated with the operating system, so keep cumulative updates current on clients and domain controllers. Regularly review the LAPS policy (password age, post-authentication reset, encryption) against changing security requirements.
- Troubleshoot common issues: Familiarize yourself with the Microsoft-Windows-LAPS/Operational event log on clients, the Get-LapsDiagnostics cmdlet, and typical failure causes such as a missing SELF permission on the OU, a client that is not Microsoft Entra joined while BackupDirectory points to Microsoft Entra ID, or encryption required by policy in a domain whose functional level is below Windows Server 2016. Catching these early keeps LAPS operating smoothly.
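As an added example (not from the original article), the script below turns the auditing and rotation practices above into a routine check for one OU: it enables read auditing, flags computers that have never stored a password or whose expiry has passed without a rotation (a sign the client is not applying policy), forces an immediate rotation for a device after a help-desk use, and pulls recent password reads from a domain controller's Security log. It assumes the same placeholder domain and OU as earlier, the LAPS and ActiveDirectory modules, Domain Admin rights for the audit change, and that the 4662 event's data fields are in their usual order (subject name at index 1, object name at index 6), which is an assumption about the event layout rather than a documented contract.

```powershell
# Added example: LAPS audit and rotation hygiene for an OU.
# Placeholders: contoso.com, OU=Workstations, PC01. Assumes Domain Admin rights and
# the usual 4662 event data layout (Properties[1] = subject name, [6] = object DN).
#Requires -Modules LAPS, ActiveDirectory

$targetOU = 'OU=Workstations,DC=contoso,DC=com'

# 1. Audit every successful read of the LAPS attributes (event 4662 on domain controllers).
Set-LapsADAuditing -Identity $targetOU -AuditedPrincipals 'Everyone' -AuditType Success

# 2. Find devices that are not being managed. ExpirationTimestamp is readable without
#    password rights, so this scan works for any account that can read computer objects.
$never = @(); $overdue = @()
foreach ($c in Get-ADComputer -SearchBase $targetOU -Filter 'Enabled -eq $true') {
    $entry = Get-LapsADPassword -Identity $c.Name -ErrorAction SilentlyContinue
    if (-not $entry -or -not $entry.ExpirationTimestamp) { $never += $c.Name; continue }
    if ($entry.ExpirationTimestamp -lt (Get-Date).AddDays(-1)) { $overdue += $c.Name }  # missed its rotation cycle
}
"Never stored a LAPS password : $($never -join ', ')"
"Expired without rotating     : $($overdue -join ', ')"

# 3. After a technician has used PC01's password, expire it now so the client rotates
#    on its next policy cycle instead of waiting for PasswordAgeDays to elapse.
Set-LapsADPasswordExpirationTime -Identity 'PC01' -WhenEffective (Get-Date)

# 4. On a domain controller: who read LAPS passwords of computers in this OU in the last day?
$since = (Get-Date).AddDays(-1)
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4662; StartTime = $since } |
    Where-Object { $_.Properties[6].Value -like "*$targetOU" } |
    Select-Object TimeCreated,
                  @{ n = 'Reader'; e = { $_.Properties[1].Value } },
                  @{ n = 'Object'; e = { $_.Properties[6].Value } } |
    Format-Table -AutoSize
```

Treat the "never stored" list as the priority: those devices still carry whatever local administrator password they had before LAPS, which is exactly the shared credential the deployment was meant to remove. The 4662 query also catches reads by accounts that hold "All extended rights" rather than membership in your reader group, which the permission review alone would not surface as activity.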
Safeguard Windows environments with LAPS
LAPS goes beyond protecting local administrator passwords, fortifying the security of your organization. Implement Windows LAPS and safeguard your Windows environment from unauthorized access while maintaining compliance with regulatory standards.
