{"id":1006,"date":"2023-04-21T09:14:52","date_gmt":"2023-04-21T09:14:52","guid":{"rendered":"https:\/\/int64software.com\/blog\/?p=1006"},"modified":"2023-04-21T09:14:54","modified_gmt":"2023-04-21T09:14:54","slug":"windows-local-administrator-password-solution-laps-new-and-improved-from-microsoft","status":"publish","type":"post","link":"https:\/\/int64software.com\/blog\/2023\/04\/21\/windows-local-administrator-password-solution-laps-new-and-improved-from-microsoft\/","title":{"rendered":"Windows Local Administrator Password Solution (LAPS) \u2013 New and Improved from Microsoft"},"content":{"rendered":"\n<h2 class=\"wp-block-heading\">Introduction<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">The Windows LAPS Announcement<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">On April 11<sup>th<\/sup> 2023, Microsoft announced the release of Windows LAPS, a new and improved version of their Local Administrator Password Solution. The new LAPS is designed to completely supersede the old product and is now delivered by default to compatible devices. You can read the announcement here:<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/techcommunity.microsoft.com\/t5\/windows-it-pro-blog\/by-popular-demand-windows-laps-available-now\/ba-p\/3788747\" target=\"_blank\" rel=\"noreferrer noopener\">https:\/\/techcommunity.microsoft.com\/t5\/windows-it-pro-blog\/by-popular-demand-windows-laps-available-now\/ba-p\/3788747<\/a><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">As the company behind the popular <a href=\"https:\/\/int64software.com\/overlaps\/\" target=\"_blank\" rel=\"noreferrer noopener\">OVERLAPS for Microsoft LAPS<\/a>, this directly impacts us and our customers. 
So here\u2019s what you can expect, what we\u2019re doing, and how you can migrate to the new LAPS with the minimum of fuss.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">System Requirements<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">The new version of LAPS is now being delivered via Windows Update to the following Operating Systems:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Windows 11 Pro, EDU and Enterprise<\/li>\n\n\n\n<li>Windows 10 Pro, EDU and Enterprise<\/li>\n\n\n\n<li>Windows Server 2022 and Windows Server Core 2022<\/li>\n\n\n\n<li>Windows Server 2019<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">Older devices can continue to run the \u201clegacy\u201d LAPS client as needed, and <a href=\"https:\/\/int64software.com\/overlaps\/\" target=\"_blank\" rel=\"noreferrer noopener\">OVERLAPS<\/a> will continue to support them.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">In addition, the new Password Encryption feature requires the domain to be at Domain Functional Level Windows Server 2016 or higher.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Official Documentation<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">You can find Microsoft\u2019s official documentation here:<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/learn.microsoft.com\/en-gb\/windows-server\/identity\/laps\/laps-overview\" target=\"_blank\" rel=\"noreferrer noopener\">https:\/\/learn.microsoft.com\/en-gb\/windows-server\/identity\/laps\/laps-overview<\/a><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">New Features<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Password Encryption<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">One of the biggest complaints we\u2019ve heard against LAPS in the past is that the managed passwords are stored as plain text in Active Directory. 
Correctly scoped attribute permissions keep this from being an outright weakness, but a cleartext credential in the directory is still a concern: any principal that can read the attribute, whether through an over-broad delegation or a copy of the directory database, has the password.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">To tackle this, Windows LAPS now supports encrypting the password in AD. It does this using the DPAPI-NG (CNG DPAPI) API, which combines public key encryption with AES-256 so that a password can only be decrypted by specific user or group principals.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The encrypted password is stored in the \u201cmsLAPS-EncryptedPassword\u201d attribute as an Octet String. Be warned, if you\u2019re writing your own script to read this and decrypt it with the DPAPI-NG API, that Microsoft prepend a header to the encrypted binary data (this is not documented anywhere that I can find), and any attempt to decrypt it without first removing this header will fail. We\u2019ll write up a post in the future about how to deal with this properly.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Password History<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\"><a rel=\"noreferrer noopener\" href=\"https:\/\/int64software.com\/overlaps\/\" target=\"_blank\">OVERLAPS<\/a> already has a Password History feature, and has done for quite some time now, but now the official Windows LAPS has a password history as well. 
The history is stored alongside the current password, in the <em>msLAPS-EncryptedPasswordHistory<\/em> attribute, encrypted in the same way as the \u201c<em>msLAPS-EncryptedPassword<\/em>\u201d attribute.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Note that there is currently no UI for the password history; it is only available through the Windows LAPS PowerShell module (<em>Get-LapsADPassword -IncludeHistory<\/em>).<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">This feature is also only available if you enable Password Encryption; there is no history for unencrypted passwords.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Directory Services Restore Mode (DSRM) Password Backup<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">In addition to local administrator accounts, Windows LAPS can now back up the DSRM account password on Windows Server domain controllers. Like password history, this requires Password Encryption to be enabled.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Automatic Rotation (and other Post Authentication Actions)<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Windows LAPS can automatically reset the managed local administrator password after that account is used to log in to a client device (interactively, remotely, as a service, and so on). 
This can be configured to happen after a specified grace period in order to allow the user to perform the tasks that they required the account for.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">In addition to this, the policy can be configured to forcefully log the user out after this grace period, or to restart the computer.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">New LAPS Tab in Active Directory Users and Computers<\/h3>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"463\" height=\"528\" src=\"https:\/\/int64software.com\/blog\/wp-content\/uploads\/2023\/04\/LAPS-tab-not-set.jpg\" alt=\"\" class=\"wp-image-1014\" srcset=\"https:\/\/int64software.com\/blog\/wp-content\/uploads\/2023\/04\/LAPS-tab-not-set.jpg 463w, https:\/\/int64software.com\/blog\/wp-content\/uploads\/2023\/04\/LAPS-tab-not-set-263x300.jpg 263w\" sizes=\"auto, (max-width: 463px) 100vw, 463px\" \/><figcaption class=\"wp-element-caption\">The LAPS Tab in ADUC<\/figcaption><\/figure>\n<\/div>\n\n\n<p class=\"wp-block-paragraph\">Microsoft have added a new tab to ADUC for viewing and expiring LAPS passwords. This is not compatible with the legacy LAPS attributes however, so if you&#8217;re running in legacy mode or have a hybrid environment then it may not be of much use.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Significant Changes<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">New AD Schema<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">If you want to get an Active Directory Administrator to break out in cold sweats all you have to do is propose making changes to <strong>The Schema<\/strong>. However, anyone familiar with LAPS will have probably done this in the past already, and will know it is actually pretty pain-free. While setting up test environments for both legacy LAPS and the new one, we&#8217;ve probably run through this process hundreds of times, and we have yet to break AD. 
Of course, that isn&#8217;t on a live environment, and we all know that&#8217;s where things tend to go wrong!<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"358\" height=\"163\" src=\"https:\/\/int64software.com\/blog\/wp-content\/uploads\/2023\/04\/attributes-set-by-windows-laps-inc-legacy.jpg\" alt=\"\" class=\"wp-image-1011\" srcset=\"https:\/\/int64software.com\/blog\/wp-content\/uploads\/2023\/04\/attributes-set-by-windows-laps-inc-legacy.jpg 358w, https:\/\/int64software.com\/blog\/wp-content\/uploads\/2023\/04\/attributes-set-by-windows-laps-inc-legacy-300x137.jpg 300w\" sizes=\"auto, (max-width: 358px) 100vw, 358px\" \/><figcaption class=\"wp-element-caption\">The Windows LAPS Attributes alongside the Legacy Attributes<\/figcaption><\/figure>\n<\/div>\n\n\n<p class=\"wp-block-paragraph\">The new Schema attributes added by Windows LAPS are:<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><span style=\"text-decoration: underline;\">msLAPS-EncryptedDSRMPassword<\/span><br>If enabled, and the computer is a Domain Controller, then this will contain the encrypted DSRM password.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><span style=\"text-decoration: underline;\">msLAPS-EncryptedDSRMPasswordHistory<\/span><br>History for the above.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><span style=\"text-decoration: underline;\">msLAPS-EncryptedPassword<\/span><br>If encryption is enabled, the encrypted password data will be stored here. 
Again, watch out for the prepended header information in the encrypted data if you\u2019re trying to decrypt this manually.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Once decrypted, this has the same JSON format as \u201cmsLAPS-Password\u201d.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><span style=\"text-decoration: underline;\">msLAPS-EncryptedPasswordHistory<\/span><br>History for the above.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><span style=\"text-decoration: underline;\">msLAPS-Password<\/span><br>The unencrypted password if encryption isn\u2019t enabled. This is stored in JSON format as shown in the example below:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>{\"n\":\"Administrator\",\"t\":\"1d96ex2d53551ee\",\"p\":\"password\"}<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Where \u201cn\u201d is the account name, \u201ct\u201d is the time the password was last updated (a 64-bit Windows FILETIME written as a hex string; the digits in the example are illustrative), and \u201cp\u201d is the password in clear.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><span style=\"text-decoration: underline;\">msLAPS-PasswordExpirationTime<\/span><br>This is the date and time at which the password is set to expire. It is stored as a 64-bit integer in Windows FILETIME format (UTC), exactly as legacy LAPS stored <em>ms-Mcs-AdmPwdExpirationTime<\/em>.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">New Group Policy Settings<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Microsoft have added a new Administrative Template to Group Policy for managing Windows LAPS. Found under <strong>Computer Configuration -> Administrative Templates -> System -> LAPS<\/strong>, there are some familiar settings from the legacy LAPS Group Policy and some new ones. 
Fortunately, a lot of the settings \u201cdo what they say on the tin\u201d, and Microsoft have done a top-notch job of providing a decent description for each setting as well, but I&#8217;ll go over each one further down the page.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">One important note: if you plan to run LAPS in \u201clegacy mode\u201d, that is, the new client writing to the old AD attributes (<em>ms-Mcs-AdmPwd<\/em> and <em>ms-Mcs-AdmPwdExpirationTime<\/em>), you do so simply by leaving the legacy policies in place and not configuring the new ones. Once the legacy LAPS client is removed, Windows LAPS keeps writing to the old attributes for as long as only the legacy policy is configured; as soon as any of the new policies are enabled it switches to the new attributes, and the legacy attributes stop being updated.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">New PowerShell Commands<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Along with the new client, Microsoft have provided a range of new PowerShell cmdlets. Some of them will be familiar to previous LAPS users, but they\u2019ve added a few new ones as well. 
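<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">As an added example (not code from the original post, nor from Microsoft\u2019s module documentation), the script below reads a managed password the supported way with <em>Get-LapsADPassword<\/em>, then pulls the raw msLAPS-* attributes off the computer object and decodes the JSON and FILETIME formats described in the schema section, and finally expires the password to force a rotation. That last step is also what re-encrypts a stored password after the authorized decryptors policy changes. The computer name WKS-001, and the LAPS and ActiveDirectory modules being available on the admin workstation, are assumptions.<\/p>

```powershell
# Added example, not part of the original post. Assumes the Windows LAPS module (shipped with the
# April 2023 update) and the RSAT ActiveDirectory module are available, and that the caller holds
# the LAPS read permission on the OU (and is an authorized decryptor if encryption is enabled).
Import-Module LAPS
Import-Module ActiveDirectory

$computer = 'WKS-001'   # hypothetical managed computer

# 1) Supported path. The cmdlet decrypts msLAPS-EncryptedPassword for you when you are an
#    authorized decryptor, and -IncludeHistory walks msLAPS-EncryptedPasswordHistory as well.
Get-LapsADPassword -Identity $computer -AsPlainText -IncludeHistory |
    Select-Object Account, Password, PasswordUpdateTime, ExpirationTimestamp, Source, DecryptionStatus |
    Format-Table -AutoSize

# 2) Raw attributes, to see what is actually written to the directory.
$props = 'msLAPS-Password', 'msLAPS-PasswordExpirationTime', 'msLAPS-EncryptedPassword'
$obj   = Get-ADComputer -Identity $computer -Properties $props

function ConvertFrom-LapsFileTime {
    # Both timestamps are 64-bit Windows FILETIME values (100 ns ticks since 1601-01-01 UTC).
    # msLAPS-PasswordExpirationTime comes back as an Int64; the t field inside msLAPS-Password
    # carries the same kind of value as a hex string, so that caller passes -FromHex.
    param(
        [Parameter(Mandatory)] [string] $Value,
        [switch] $FromHex
    )
    $ticks = if ($FromHex) { [Convert]::ToInt64($Value, 16) } else { [int64]$Value }
    [DateTime]::FromFileTimeUtc($ticks)
}

$summary = [ordered]@{
    Computer      = $obj.Name
    ExpiresUtc    = if ($obj.'msLAPS-PasswordExpirationTime') {
                        ConvertFrom-LapsFileTime $obj.'msLAPS-PasswordExpirationTime'
                    }
    EncryptedBlob = if ($obj.'msLAPS-EncryptedPassword') { $obj.'msLAPS-EncryptedPassword'.Length } else { 0 }
}

if ($obj.'msLAPS-Password') {
    # Cleartext mode only: the attribute holds {n: account, t: hex FILETIME, p: password}
    $json = $obj.'msLAPS-Password' | ConvertFrom-Json
    $summary.Account    = $json.n
    $summary.Password   = $json.p
    $summary.UpdatedUtc = ConvertFrom-LapsFileTime $json.t -FromHex
}
[pscustomobject]$summary

# 3) Force a rotation. Setting the expiry to now makes the client generate and back up a new
#    password on its next policy processing cycle (Invoke-LapsPolicyProcessing on the device
#    triggers that immediately). Do this after changing the authorized decryptors: existing
#    blobs stay encrypted to the previous principal until they are rewritten.
Set-LapsADPasswordExpirationTime -Identity $computer
```

<p class=\"wp-block-paragraph\">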
They have taken the time to document them all at the link below, but I&#8217;ll go over the main ones later in this article:<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/learn.microsoft.com\/en-gb\/windows-server\/identity\/laps\/laps-management-powershell\" target=\"_blank\" rel=\"noreferrer noopener\">https:\/\/learn.microsoft.com\/en-gb\/windows-server\/identity\/laps\/laps-management-powershell<\/a><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Microsoft\u2019s Unofficial Guide to Migration<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Jay Simmons from Microsoft outlined what a migration might look like in the comments of the initial announcement, this is quoted here:<\/p>\n\n\n\n<ol class=\"wp-block-list\" type=\"1\">\n<li>Extend your AD schema with the new Windows LAPS attributes<\/li>\n\n\n\n<li>Add a new local admin account to your managed devices (call it &#8220;LapsAdmin2&#8221;)<\/li>\n\n\n\n<li>Enable the new Windows LAPS policies to target LapsAdmin2.<\/li>\n\n\n\n<li>Run Windows LAPS and legacy LAPS side-by-side for as long as needed to gain confidence in the solution (and also update IT worker\\helpdesk procedures, monitoring software, etc). Note you will have two (2) separately managed local managed accounts that you may choose to use during this time.<\/li>\n\n\n\n<li>Once happy, remove the legacy LAPS CSE from your managed devices.<\/li>\n\n\n\n<li>Delete the original LapsAdmin account.<\/li>\n\n\n\n<li>(Optionally), purge the now defunct legacy LAPS policy registry entries.<\/li>\n<\/ol>\n\n\n\n<h2 class=\"wp-block-heading\">Questions and Answers<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">What happens when the update is installed?<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Depending on your IT policies, you may already have the update. 
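<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">To see which of the cases below applies to a particular machine, the script that follows (an added example, not code from the original post) checks on the local device whether the Windows LAPS module is present, whether the legacy LAPS CSE is still installed, which policy keys exist, and whether the LAPS operational log has recorded Event 10033. The policy registry paths are the ones the two clients read, the legacy CSE path is the default location of the legacy MSI, and the <em>BackupDirectory<\/em> value name is the registry form of the \u201cConfigure password backup directory\u201d setting. Adjust them if your installation differs.<\/p>

```powershell
# Added example, not part of the original post. Run in an elevated PowerShell on a managed device.
# Registry and file paths are the defaults for the two clients; adjust if your install differs.
$windowsLapsPolicy = 'HKLM:\\SOFTWARE\\Microsoft\\Policies\\LAPS'
$legacyPolicy      = 'HKLM:\\SOFTWARE\\Policies\\Microsoft Services\\AdmPwd'
$legacyCse         = Join-Path $env:ProgramFiles 'LAPS\\CSE\\AdmPwd.dll'

# BackupDirectory is the registry form of Configure password backup directory: 1 = Azure AD, 2 = AD
$backup = (Get-ItemProperty -Path $windowsLapsPolicy -Name BackupDirectory -ErrorAction SilentlyContinue).BackupDirectory

$state = [ordered]@{
    WindowsLapsModule  = [bool](Get-Module -ListAvailable -Name LAPS)
    WindowsLapsEnabled = @(1, 2) -contains $backup
    LegacyPolicy       = Test-Path $legacyPolicy
    LegacyCseInstalled = Test-Path $legacyCse
}

# Event 10033 is logged when a legacy policy is set but the legacy product is still installed.
$conflict = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-LAPS\/Operational'; Id = 10033 } -MaxEvents 1 -ErrorAction SilentlyContinue
$state.LastEvent10033 = if ($conflict) { $conflict.TimeCreated } else { $null }

# Map the findings onto the scenarios described in this section.
$state.Scenario = if (-not $state.WindowsLapsModule) { 'Windows LAPS update not present' }
    elseif ($state.WindowsLapsEnabled) { 'New policy configured: Windows LAPS uses the msLAPS-* attributes' }
    elseif ($state.LegacyCseInstalled) { 'Legacy client still installed: Windows LAPS leaves it in charge' }
    elseif ($state.LegacyPolicy)       { 'Legacy policy only: Windows LAPS writes the ms-Mcs-AdmPwd attributes' }
    else                               { 'No LAPS policy: Windows LAPS is dormant' }

[pscustomobject]$state
```

<p class=\"wp-block-paragraph\">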
When the Windows LAPS client is installed, it behaves differently depending on your setup:<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">I have never installed LAPS.<\/h4>\n\n\n\n<p class=\"wp-block-paragraph\">Windows LAPS will lie dormant, and not impact your environment at all until you enable it.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">I have legacy LAPS clients installed.<\/h4>\n\n\n\n<p class=\"wp-block-paragraph\">The new LAPS client will detect the legacy one and allow it to continue working as normal. The only thing to watch out for is that there is a bug in the new LAPS where both clients could break if the legacy one is installed after the Windows LAPS update. Microsoft are aware of this and have promised to fix it next month.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">If the legacy client is installed you should see Event 10033 in the Windows LAPS event logs:<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\u201c<em>The machine is configured with legacy LAPS policy settings but a legacy LAPS product appears to be installed. The configured account\u2019s password will not be managed by Windows until the legacy product is uninstalled. 
Alternatively you may consider configuring the newer LAPS policy settings.<\/em>\u201d<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"866\" height=\"166\" src=\"https:\/\/int64software.com\/blog\/wp-content\/uploads\/2023\/04\/event-10033-LegacyLAPS-1.jpg\" alt=\"\" class=\"wp-image-1018\" srcset=\"https:\/\/int64software.com\/blog\/wp-content\/uploads\/2023\/04\/event-10033-LegacyLAPS-1.jpg 866w, https:\/\/int64software.com\/blog\/wp-content\/uploads\/2023\/04\/event-10033-LegacyLAPS-1-300x58.jpg 300w, https:\/\/int64software.com\/blog\/wp-content\/uploads\/2023\/04\/event-10033-LegacyLAPS-1-768x147.jpg 768w\" sizes=\"auto, (max-width: 866px) 100vw, 866px\" \/><figcaption class=\"wp-element-caption\">Event 10033 when the legacy LAPS client is still installed.<\/figcaption><\/figure>\n<\/div>\n\n\n<h4 class=\"wp-block-heading\">I have uninstalled the Legacy LAPS client, have left its policies in place, and haven\u2019t enabled the new LAPS policies.<\/h4>\n\n\n\n<p class=\"wp-block-paragraph\">The new Windows LAPS client will take over management of the device using the legacy LAPS policies, and will continue to store passwords in the old attributes (<em>ms-Mcs-AdmPwd<\/em> and <em>ms-Mcs-AdmPwdExpirationTime<\/em>).<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">I have never installed LAPS, or I have uninstalled the LAPS client. 
Now I have enabled the new LAPS policies.<\/h4>\n\n\n\n<p class=\"wp-block-paragraph\">The new Windows LAPS client will take over management of the device, storing the password and additional data in the new attributes.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">How do I activate Windows LAPS?<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Windows LAPS is activated by enabling the \u201c<em>Configure password backup directory<\/em>\u201d Group Policy setting and setting the \u201c<em>Backup directory<\/em>\u201d to either <em>Azure Active Directory<\/em> or <em>Active Directory<\/em>, depending on whether the device is Azure AD joined or joined to an on-premises Active Directory domain.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">How do I update the AD Schema?<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Updating the schema is done from PowerShell, using the Windows LAPS module, as a member of the Schema Admins group. The change is made on the forest\u2019s schema master, so that domain controller must be reachable. The command is:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>Update-LapsADSchema<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">You should get a message that the operation was successful, and checking any computer object will now show the additional attributes.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Note that according to Microsoft\u2019s documentation, doing this is a \u201cone-time operation for the entire forest\u201d, so you don\u2019t need to update the schema on each domain in your forest.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">How do I Configure the AD Permissions?<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">As with Legacy LAPS, there are three permissions you need to worry about:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>\u201cSelf\u201d permissions for computers, so that each can read and update its own password expiry time and write the password when a new one is generated.<\/li>\n\n\n\n<li>Read permissions for the passwords and expiration time attributes for any users who you want to be able to read the Local Admin 
passwords.<\/li>\n\n\n\n<li>Write permissions to the expiration time for any users you want to be able to trigger a password reset (expiring the password is what makes the client generate a new one).<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">For the latter two, our guidance has always been to grant the permissions to two Security Groups (we always use <em>LAPSReaders<\/em> and <em>LAPSWriters<\/em>, but you can name them whatever you want), because managing the members, and therefore the permissions, is then a lot easier.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">If you\u2019re using <a href=\"https:\/\/int64software.com\/overlaps\/\" data-type=\"URL\" data-id=\"https:\/\/int64software.com\/overlaps\/\" target=\"_blank\" rel=\"noreferrer noopener\">OVERLAPS<\/a>, it\u2019s important to remember to add the server\u2019s computer object to these groups to make sure it has permission to read and expire the passwords.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The relevant PowerShell commands for updating permissions are shown below.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>Set-LapsADComputerSelfPermission -Identity &lt;OU Name&gt;<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Use this command with the name of an OU to grant the computers in it their Self permissions. Note that \u201c&lt;OU Name&gt;\u201d can be just the name of the OU or its full distinguished name. 
If you use the short name and a conflict is found (two containers with the same name), the cmdlet will warn you and make no changes to the permissions.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>Find-LapsADExtendedRights -Identity &lt;OU Name&gt;<\/code><\/pre>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"712\" height=\"79\" src=\"https:\/\/int64software.com\/blog\/wp-content\/uploads\/2023\/04\/ps-find-lapsadextendedrights.jpg\" alt=\"\" class=\"wp-image-1013\" srcset=\"https:\/\/int64software.com\/blog\/wp-content\/uploads\/2023\/04\/ps-find-lapsadextendedrights.jpg 712w, https:\/\/int64software.com\/blog\/wp-content\/uploads\/2023\/04\/ps-find-lapsadextendedrights-300x33.jpg 300w\" sizes=\"auto, (max-width: 712px) 100vw, 712px\" \/><figcaption class=\"wp-element-caption\">Find-LapsADExtendedRights Output<\/figcaption><\/figure>\n<\/div>\n\n\n<p class=\"wp-block-paragraph\">Shows the users and groups that hold \u201cAll Extended Rights\u201d on the OU. That right implies the ability to read confidential attributes, which is how the password attributes are flagged, so every principal listed here can read the passwords regardless of the explicit read grants below. It should only list NT AUTHORITY\\SYSTEM, Domain Admins, and any users or groups you have deliberately granted that right; anything else should be removed before enabling LAPS.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>Set-LapsADReadPasswordPermission -Identity &lt;OU Name&gt; -AllowedPrincipals &lt;User\\Group Name&gt;<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Grants Read permissions on the password and password expiration time attributes. This includes the encrypted password attribute, but the user will only be able to decrypt it if they are an authorized decryptor (see the Group Policy section below).<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The user or group name can be given by name, SID, or as an array of principals. 
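<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Taken together, the schema update and the permission cmdlets form one procedure, so here is the whole thing as a script (an added example, not code from the original post). It checks whether the schema has already been extended before calling <em>Update-LapsADSchema<\/em>, grants the computers their Self permission, reports the extended-rights holders before and after, and delegates read and reset rights to two groups, using <em>Set-LapsADResetPasswordPermission<\/em> for the expiration-time write described in the third bullet above. The OU, the group names (the LAPSReaders\/LAPSWriters convention from this post) and the domain are assumptions.<\/p>

```powershell
# Added example, not part of the original post. Run in an elevated PowerShell on a machine with the
# LAPS and ActiveDirectory modules: as a Schema Admin for step 1, and with rights to modify the OU
# ACL for the rest. The OU and group names below are assumptions.
Import-Module LAPS
Import-Module ActiveDirectory

$ou      = 'OU=Workstations,DC=corp,DC=example'   # hypothetical OU holding the managed computers
$readers = 'CORP\\LAPSReaders'                      # hypothetical groups, named as in this post
$writers = 'CORP\\LAPSWriters'

# 1) Schema: a one-time, forest-wide change. Check first so the script is safe to re-run.
$schemaNc = (Get-ADRootDSE).schemaNamingContext
$already  = Get-ADObject -SearchBase $schemaNc -LDAPFilter '(lDAPDisplayName=msLAPS-Password)' -ErrorAction SilentlyContinue
if ($already) {
    Write-Host 'Windows LAPS schema attributes already present, skipping Update-LapsADSchema'
} else {
    Update-LapsADSchema -Verbose     # needs Schema Admins and a reachable schema master
}

# 2) Let every computer under the OU write its own password and expiry attributes.
Set-LapsADComputerSelfPermission -Identity $ou

# 3) Baseline: All Extended Rights implies read of confidential attributes, so anyone listed
#    here can read the passwords whatever step 4 grants. Review this list before continuing.
Write-Host 'Extended-rights holders before delegation:'
Find-LapsADExtendedRights -Identity $ou | Format-Table -AutoSize

# 4) Delegate: readers get the password and expiry attributes, writers get the expiry only.
Set-LapsADReadPasswordPermission  -Identity $ou -AllowedPrincipals $readers
Set-LapsADResetPasswordPermission -Identity $ou -AllowedPrincipals $writers

# 5) Re-check. Anything beyond SYSTEM, Domain Admins and the principals you expect should be
#    removed from the OU ACL before the first password is written.
Write-Host 'Extended-rights holders after delegation:'
Find-LapsADExtendedRights -Identity $ou | Format-Table -AutoSize
```

<p class=\"wp-block-paragraph\">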
For more information, see Microsoft\u2019s official documentation.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>Set-LapsADResetPasswordPermission -Identity &lt;OU Name&gt; -AllowedPrincipals &lt;User\\Group Name&gt;<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">As above, but this grants write permission on the password expiration time attribute only, which lets a principal trigger a reset without being able to read the password.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>Get-LapsDiagnostics -OutputFolder &lt;folder&gt;<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Run on a managed device, this produces a zipped collection of logs and configuration for its LAPS setup, which helps identify potential problems or misconfigurations. You can optionally add \u201c-ResetPassword\u201d to capture the diagnostics across a forced password reset, or \u201c-CollectNetworkTrace\u201d to collect a network trace as well.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">How do I configure Group Policy?<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Some of the Group Policy settings you\u2019ll recognise from the legacy LAPS settings, and some will be new. 
Be wary that although some of the settings may be familiar, there may be changes to the wording or the way they work, so it makes sense to take the time to check each setting before enabling the policy.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"405\" height=\"202\" src=\"https:\/\/int64software.com\/blog\/wp-content\/uploads\/2023\/04\/gpo-list-laps.jpg\" alt=\"\" class=\"wp-image-1012\" srcset=\"https:\/\/int64software.com\/blog\/wp-content\/uploads\/2023\/04\/gpo-list-laps.jpg 405w, https:\/\/int64software.com\/blog\/wp-content\/uploads\/2023\/04\/gpo-list-laps-300x150.jpg 300w\" sizes=\"auto, (max-width: 405px) 100vw, 405px\" \/><figcaption class=\"wp-element-caption\">Windows LAPS Group Policy Settings<\/figcaption><\/figure>\n<\/div>\n\n\n<h4 class=\"wp-block-heading\">Enable password backup for DSRM accounts<\/h4>\n\n\n\n<p class=\"wp-block-paragraph\">As the name states, this enables the DSRM password management and backup. This only applies to Domain Controllers, and only if Password Encryption is enabled. It is disabled by default.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">Configure size of encrypted password history<\/h4>\n\n\n\n<p class=\"wp-block-paragraph\">Allows you to specify between 0 and 12 previous passwords to be backed up to Active Directory. Only works if Password Encryption is enabled. This is also disabled by default.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">Enable password encryption<\/h4>\n\n\n\n<p class=\"wp-block-paragraph\">If you have configured the Group Policy to backup passwords to Active Directory (not Azure AD), and your DFL is at Windows Server 2016 or above, then this will instruct clients to encrypt the password when writing it to Active Directory. Encryption is handled by the DPAPI-NG API.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Important Note: <\/strong>Password encryption is enabled by default if Windows LAPS is enabled! 
As mentioned below, this means that by default only Domain Admins will be able to retrieve the passwords.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">Configure authorized password decryptors<\/h4>\n\n\n\n<p class=\"wp-block-paragraph\">Allows you to specify a user or group who will be allowed to decrypt the encrypted Local Administrator passwords stored in Active Directory. If this setting is disabled or not configured, it defaults to the Domain Admins group.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">We recommend setting up a specific security group for this (to limit the use of the Domain Admins group), and remember that if you\u2019re using <a href=\"https:\/\/int64software.com\/overlaps\/\" target=\"_blank\" rel=\"noreferrer noopener\">OVERLAPS<\/a> then adding its server object to the group will allow it to read the encrypted passwords.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Whenever you change this setting, passwords already in the directory remain encrypted to the previous principal(s) and can only be decrypted by them until the next password reset rewrites the attribute. The new client appears to detect the policy change and rotate the password itself, but only once the updated policy has actually been applied on the device, i.e. after the next Group Policy refresh.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">Name of administrator account to manage<\/h4>\n\n\n\n<p class=\"wp-block-paragraph\">If you want LAPS to manage a custom local account rather than the built-in Administrator, specify its name here. Leave it empty if you have merely renamed the built-in Administrator account: LAPS locates that account by its well-known SID (RID 500), so the rename does not matter and naming it here is unnecessary.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">Configure password backup directory<\/h4>\n\n\n\n<p class=\"wp-block-paragraph\">This is the main on\\off switch for Windows LAPS. 
Setting this to Active Directory or Azure Active Directory enables LAPS management of the local administrator password on the computers targeted by the GPO.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">Do not allow password expiration time longer than required by policy<\/h4>\n\n\n\n<p class=\"wp-block-paragraph\">Enabling this policy stops anyone with write access to the expiration time from pushing it further out than the password age in policy allows. For example, if your policy says the password is reset every 30 days, you cannot set the expiry 60 days into the future. (That is the principle, at least; in practice, if the expiry is set beyond the limit while this policy is enabled, the client reacts by resetting the password immediately and writing the normal expiry date.)<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">Password Settings<\/h4>\n\n\n\n<p class=\"wp-block-paragraph\">Identical to the legacy LAPS password settings policy: use it to set the complexity and length of generated passwords and how often they are reset.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">Post-authentication actions<\/h4>\n\n\n\n<p class=\"wp-block-paragraph\">Allows you to specify an action that will occur after a grace period (in hours) following an authentication with the managed account. 
Available actions are: Reset the password, Reset the password and logoff the managed account, and Reset the password and reboot the device.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">If this setting is not configured, it defaults to reset and logoff after a 24 hour grace period.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">How do I remove the Legacy LAPS Schema Changes?<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">The Legacy LAPS AD schema changes (<em>ms-Mcs-AdmPwd<\/em> and <em>ms-Mcs-AdmPwdExpirationTime<\/em>) are here to stay if you already added them, I\u2019m afraid:<\/p>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p class=\"wp-block-paragraph\">No way to remove those extensions AFAIK &#8211; but this is a long-standing AD limitation, not something specific to LAPS.\u00a0\u00a0 AD does offer a &#8220;schema defunction&#8221; feature (<a href=\"https:\/\/learn.microsoft.com\/en-gb\/windows\/win32\/ad\/disabling-existing-classes-and-attributes\" data-type=\"URL\" data-id=\"https:\/\/learn.microsoft.com\/en-gb\/windows\/win32\/ad\/disabling-existing-classes-and-attributes\" target=\"_blank\" rel=\"noreferrer noopener\">see here<\/a>), but honestly I would not be in any hurry to defunct the AdmPwd\\legacy LAPS attributes.<\/p>\n<cite>Jay Simmons, Microsoft<\/cite><\/blockquote>\n\n\n\n<h3 class=\"wp-block-heading\">How do I manage the Group Policy settings from a version of Windows Server older than 2019?<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">If you have an older server that you want to manage the Group Policy settings from, you can copy the \u201c%windir%\\PolicyDefinitions\\LAPS.admx\u201d file from any server that has the update, either into the same folder on the older server or into your domain\u2019s Group Policy Central Store if you use one. 
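<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The copy is easy to script, and worth doing into the Central Store if your domain has one so that every management console picks the templates up. The script below is an added example, not from the original post: it takes the templates from the local machine (which must already have the update), copies LAPS.admx and every language LAPS.adml it finds, and targets the Central Store when it exists, falling back to the PolicyDefinitions folder on the older server. The domain name is read from the machine, the SYSVOL path is the standard Central Store location, and the OLDSRV fallback path is an assumption.<\/p>

```powershell
# Added example, not part of the original post. Run from a server that already has the Windows
# LAPS update (so its PolicyDefinitions folder contains LAPS.admx). OLDSRV is a placeholder.
$source   = Join-Path $env:windir 'PolicyDefinitions'
$domain   = (Get-CimInstance -ClassName Win32_ComputerSystem).Domain
$central  = '\\\\' + $domain + '\\SYSVOL\\' + $domain + '\\Policies\\PolicyDefinitions'
$fallback = '\\\\OLDSRV\\admin$\\PolicyDefinitions'    # admin$ maps to %windir% on the older server

$target = if (Test-Path $central) { $central } else { $fallback }
Write-Host ('Copying Windows LAPS templates to ' + $target)

Copy-Item -Path (Join-Path $source 'LAPS.admx') -Destination $target -Force

# One LAPS.adml per language folder present on the source (en-US, de-DE, ...)
Get-ChildItem -Path $source -Directory | ForEach-Object {
    $adml = Join-Path $_.FullName 'LAPS.adml'
    if (Test-Path $adml) {
        $dest = Join-Path $target $_.Name
        New-Item -Path $dest -ItemType Directory -Force | Out-Null
        Copy-Item -Path $adml -Destination $dest -Force
    }
}

# Verify what landed
Get-ChildItem -Path $target -Recurse -Filter 'LAPS.ad*' | Select-Object FullName, LastWriteTime
```

<p class=\"wp-block-paragraph\">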
You\u2019ll also need to copy the \u201cLAPS.adml\u201d file for your language as well, for example: \u201c%windir%\\Policydefinitions\\en-us\\LAPS.adml\u201d.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">OVERLAPS Support for Windows LAPS<\/h2>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"800\" height=\"225\" src=\"https:\/\/int64software.com\/blog\/wp-content\/uploads\/2023\/04\/small-header.png\" alt=\"\" class=\"wp-image-1028\" srcset=\"https:\/\/int64software.com\/blog\/wp-content\/uploads\/2023\/04\/small-header.png 800w, https:\/\/int64software.com\/blog\/wp-content\/uploads\/2023\/04\/small-header-300x84.png 300w, https:\/\/int64software.com\/blog\/wp-content\/uploads\/2023\/04\/small-header-768x216.png 768w\" sizes=\"auto, (max-width: 800px) 100vw, 800px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">You\u2019ll be happy to hear that we\u2019ve already completed work on adding support to OVERLAPS, and an update should be out at about the same time as this article is published.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Passwords are now retrieved on an order of priority, so first it checks if an encrypted password has been set and retrieves and decrypts it if it has, failing that it\u2019ll check for an unencrypted Windows LAPS password, and failing that it\u2019ll finally check for a Legacy LAPS password.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">We haven\u2019t yet implemented support for the Password History feature as we already have our own solution for this built into OVERLAPS. 
However, we have added a work item to add support as we are happy to give our customers the option to use either (or both!).<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Unfortunately we&#8217;re in the process of transitioning to a new documentation system at the moment which will make it much easier for us to update it in the future, but this has had to be put on hold while we worked on this patch, so it may take some time before our official documentation reflects this information accurately. We apologise for any confusion this may cause, and ask your patience while we carry out this work.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Steps to take when installing the update<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">We&#8217;ve tried to make the migration for OVERLAPS as painless as possible, however there are a few things you&#8217;ll need to do to install the update and enable support for the new Windows LAPS:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>OVERLAPS 3.2 now requires the <a href=\"https:\/\/dotnet.microsoft.com\/en-us\/download\/dotnet-framework\/net48\" target=\"_blank\" rel=\"noreferrer noopener\">.NET Framework runtime version 4.8<\/a> to be installed on the server.<\/li>\n\n\n\n<li>Setup your permissions to allow OVERLAPS access to read passwords and expiry times, and set expiry times if you want to use it to reset passwords. 
If you already use groups to do this, you just need to add the OVERLAPS server to the group.<\/li>\n\n\n\n<li>If you&#8217;re using Password Encryption then it is best to use a group for the &#8220;Configure authorized password decryptors&#8221; Group Policy setting, then add the OVERLAPS server to that group so that it can decrypt the passwords.<\/li>\n\n\n\n<li>Install the <a href=\"https:\/\/int64software.com\/overlaps\/my-account\/\" target=\"_blank\" rel=\"noreferrer noopener\">OVERLAPS 3.2 update<\/a>.<\/li>\n\n\n\n<li>Sit back and enjoy a nice cup of tea (or your beverage of choice), your job is done!<\/li>\n<\/ol>\n","protected":false},"excerpt":{"rendered":"<p>Introduction The Windows LAPS Announcement On April 11th 2023, Microsoft announced the release of Windows LAPS, a new and improved version of their Local Administrator Password Solution. The new LAPS is designed to completely supersede the old product and is now delivered by default to compatible devices. You can read the announcement here: https:\/\/techcommunity.microsoft.com\/t5\/windows-it-pro-blog\/by-popular-demand-windows-laps-available-now\/ba-p\/3788747 
As&#8230;<\/p>\n","protected":false},"author":2,"featured_media":1026,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_crdt_document":"","footnotes":""},"categories":[47],"tags":[26,48,20,9,8,11],"class_list":["post-1006","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-microsoft-laps","tag-active-directory","tag-microsoft-laps","tag-overlaps","tag-security","tag-tutorial","tag-update"],"_links":{"self":[{"href":"https:\/\/int64software.com\/blog\/wp-json\/wp\/v2\/posts\/1006","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/int64software.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/int64software.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/int64software.com\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/int64software.com\/blog\/wp-json\/wp\/v2\/comments?post=1006"}],"version-history":[{"count":8,"href":"https:\/\/int64software.com\/blog\/wp-json\/wp\/v2\/posts\/1006\/revisions"}],"predecessor-version":[{"id":1029,"href":"https:\/\/int64software.com\/blog\/wp-json\/wp\/v2\/posts\/1006\/revisions\/1029"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/int64software.com\/blog\/wp-json\/wp\/v2\/media\/1026"}],"wp:attachment":[{"href":"https:\/\/int64software.com\/blog\/wp-json\/wp\/v2\/media?parent=1006"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/int64software.com\/blog\/wp-json\/wp\/v2\/categories?post=1006"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/int64software.com\/blog\/wp-json\/wp\/v2\/tags?post=1006"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}