Windows LAPS is getting better
Windows Local Administrator Password Solution (LAPS) introduced last year features that enhance the management of local administrator accounts. These settings are not yet visible in the GUI, but I think it's worth using the CSP until then, since I really like the automatic account management and the new setting for password complexity. These settings require Windows 11 24H2.
LAPS offers two primary account management modes:
- Manual Account Management: This default mode requires IT administrators to handle all configuration aspects of the targeted account, except for the password, which Windows LAPS manages. You can choose to manage either the built-in Administrator account or a custom account, which must be created prior to enabling Windows LAPS. This is something you need to handle outside of the LAPS policy. In this mode, only the password is protected against tampering; other configuration changes are permitted.
- Automatic Account Management: In this mode, LAPS oversees all configuration aspects of the targeted account, including its creation and deletion. You can opt to manage the built-in Administrator account or specify a custom account, which I would recommend. For custom accounts, it's possible to define parameters such as the account name and enabled/disabled status.
The system ensures that the account is a member of the local Administrators group, does not require a password change at the next logon, has an expiring password, and includes an account description. Additionally, it integrates with local account management policies to prevent unauthorized changes, safeguarding all configurations against tampering.
Configuring Automatic Account Management
Navigate to Devices > Windows > Configuration Profiles. Select + Create Profile, and in the platform dropdown, choose Windows 10 and later. Under profile type, select Templates then Custom.
Create the following OMA-URI settings:
| Name | OMA-URI | Data Type | Value |
|---|---|---|---|
| Enable Account Management | ./Device/Vendor/MSFT/LAPS/Policies/AutomaticAccountManagementEnabled | Boolean | True |
| Enable Account | ./Device/Vendor/MSFT/LAPS/Policies/AutomaticAccountManagementEnableAccount | Boolean | True |
| Account Prefix | ./Device/Vendor/MSFT/LAPS/Policies/AutomaticAccountManagementNameOrPrefix | String | "you choose" |
| Randomize Name | ./Device/Vendor/MSFT/LAPS/Policies/AutomaticAccountManagementRandomizeName | Boolean | True |
| Automatic Account | ./Device/Vendor/MSFT/LAPS/Policies/AutomaticAccountManagementTarget | Integer | 1 |
| Backup Directory | ./Device/Vendor/MSFT/LAPS/Policies/BackupDirectory | Integer | 1 |
| Password Age | ./Device/Vendor/MSFT/LAPS/Policies/PasswordAgeDays | Integer | 14 |
| Password Length | ./Device/Vendor/MSFT/LAPS/Policies/PassphraseLength | Integer | 6 |
| Password Complexity | ./Device/Vendor/MSFT/LAPS/Policies/PasswordComplexity | Integer | 7 |
| Post Auth Actions | ./Device/Vendor/MSFT/LAPS/Policies/PostAuthenticationActions | Integer | 11 |
| Post Auth Reset Delay | ./Device/Vendor/MSFT/LAPS/Policies/PostAuthenticationResetDelay | Integer | 8 |
Settings to use:
- AutomaticAccountManagementEnabled: Enables or disables automatic account management.
- AutomaticAccountManagementEnableAccount: Determines whether the automatically managed account is enabled or disabled.
- AutomaticAccountManagementNameOrPrefix: Specifies the name or prefix of the managed local administrator account.
- AutomaticAccountManagementTarget: Configures which account is automatically managed. 0 = the built-in Administrator account, 1 = a new account created and managed by LAPS.
- AutomaticAccountManagementRandomizeName: Configures whether the name of the automatically managed account gets a random numeric suffix each time the password is rotated.
- BackupDirectory: Determines where the managed account’s password is backed up. 1 equals Entra ID.
- PasswordAgeDays: Sets the maximum age, in days, before the managed account’s password is rotated. Regular rotation reduces the risk of unauthorized access.
- PassphraseLength (the "Password Length" row in the table): Defines the length of the managed account's passphrase, i.e. how many words it contains. Longer passphrases are generally more secure.
- PasswordComplexity: Specifies the complexity requirements for the password, such as the inclusion of uppercase letters, numbers, and special characters. Use one of these to make the password easier to type: 6 = Passphrase (long words), 7 = Passphrase (short words), 8 = Passphrase (short words with unique prefixes).
- PostAuthenticationActions: Determines actions to be taken after the managed account is used for authentication, such as logging off the account or resetting the password.
- PostAuthenticationResetDelay: Sets the delay, in minutes, before the post-authentication action is executed.
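As an added example (not code from the original post or from Microsoft), this builds the same custom profile as the table above in the shape the Graph API expects for an Intune `windows10CustomConfiguration`, and sanity-checks the values before you submit them. The allowed ranges and the "PassphraseLength only applies in passphrase mode" rule are my reading of the LAPS CSP reference, so treat them as assumptions; the prefix `lapsadm` is a constructed sample.

```python
"""Added example (not from the post): build the Intune custom profile body
(Graph windows10CustomConfiguration) for the LAPS settings in the table above
and sanity-check the values. Ranges are an assumption from the LAPS CSP docs."""
LAPS_BASE = "./Device/Vendor/MSFT/LAPS/Policies/"
# (display name, CSP node, value) as in the table; the prefix is a constructed sample.
SETTINGS = [
    ("Enable Account Management", "AutomaticAccountManagementEnabled", True),
    ("Enable Account", "AutomaticAccountManagementEnableAccount", True),
    ("Account Prefix", "AutomaticAccountManagementNameOrPrefix", "lapsadm"),
    ("Randomize Name", "AutomaticAccountManagementRandomizeName", True),
    ("Automatic Account", "AutomaticAccountManagementTarget", 1),
    ("Backup Directory", "BackupDirectory", 1),
    ("Password Age", "PasswordAgeDays", 14),
    ("Password Length", "PassphraseLength", 6),
    ("Password Complexity", "PasswordComplexity", 7),
    ("Post Auth Actions", "PostAuthenticationActions", 11),
    ("Post Auth Reset Delay", "PostAuthenticationResetDelay", 8),
]
# Allowed integer ranges (assumption: as I read the LAPS CSP reference; verify before use).
RANGES = {"AutomaticAccountManagementTarget": range(0, 2), "BackupDirectory": range(0, 3),
          "PasswordAgeDays": range(1, 366), "PassphraseLength": range(3, 11),
          "PasswordComplexity": range(1, 9), "PostAuthenticationResetDelay": range(0, 25)}
# Graph OMA setting types matching the Data Type column (Boolean / Integer / String).
ODATA = {bool: "#microsoft.graph.omaSettingBoolean", int: "#microsoft.graph.omaSettingInteger",
         str: "#microsoft.graph.omaSettingString"}


def validate(settings):
    """Return a list of problems; an empty list means the set is consistent."""
    v = {node: val for _, node, val in settings}
    problems = [f"{n}={v[n]} outside {r.start}-{r.stop - 1}"
                for n, r in RANGES.items() if n in v and v[n] not in r]
    # Target 1 = a new LAPS-managed account, which needs a name or prefix to be created.
    if v.get("AutomaticAccountManagementTarget") == 1 and not v.get("AutomaticAccountManagementNameOrPrefix"):
        problems.append("Target=1 needs AutomaticAccountManagementNameOrPrefix")
    # PassphraseLength only matters for the passphrase complexity modes 6, 7 and 8 (assumption).
    if "PassphraseLength" in v and v.get("PasswordComplexity") not in (6, 7, 8):
        problems.append("PassphraseLength is ignored unless PasswordComplexity is 6, 7 or 8")
    return problems


def build_profile(name, settings=SETTINGS):
    """Body for POST https://graph.microsoft.com/v1.0/deviceManagement/deviceConfigurations."""
    problems = validate(settings)
    if problems:
        raise ValueError("; ".join(problems))
    return {"@odata.type": "#microsoft.graph.windows10CustomConfiguration",
            "displayName": name,
            "omaSettings": [{"@odata.type": ODATA[type(val)], "displayName": disp,
                             "omaUri": LAPS_BASE + node, "value": val}
                            for disp, node, val in settings]}
```

Assign the created profile to your pilot group first, then widen the assignment once the managed account shows up as expected on the pilot devices.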
The finished profile should look something like this:
Deploy the settings to all devices you want to target. And yes, do a test with a pilot group first 🙂
Implementing these settings enables organizations to enforce robust local password policies and ensure that local administrator account credentials are securely managed and regularly updated.
For comprehensive information on LAPS CSP settings, consult the official Microsoft documentation: LAPS CSP.