New LAPS for Windows 11 24H2
Windows LAPS automatically manages and backs up the password of a local administrator account on devices joined to Microsoft Entra ID (formerly Azure AD) or Windows Server Active Directory. This feature helps protect against pass-the-hash and lateral-traversal attacks, enhances security for remote help desk scenarios, and facilitates device recovery if they become inaccessible.
As many of you know, Windows LAPS for Entra joined devices was announced in 2023 and has worked well since then on Entra joined, hybrid joined, and on-premises AD-joined devices. One of the big challenges we all know is that the first version (if I can say that) of Windows LAPS did not let you create a new custom admin account or change the existing admin account, which meant we had to use custom configurations or scripts to do that.
Microsoft announced the new LAPS about 3 weeks ago via Arnab
Mitra, Sr. Program Manager at Microsoft, and it was a great announcement. Let
us go ahead and configure it together, and also discuss the settings:
You need to create a policy. I am not going to go into detail on that here, because most of you are already using LAPS v1. In Intune, go to Endpoint Security > Account Protection > Create Policy and choose:
Platform: Windows
Profile: Local admin password solution (Windows LAPS)
Then name the policy, and let us move on to the settings.
Password Age Days: Determines how many days a password can be used before LAPS rotates it; you can choose a value between 7 and 365. If you do not configure this value, the default is 30 days.
Administrator Account Name: This setting can be tricky; I think Microsoft needs to add a better explanation.
If you use a separate custom local admin account rather than the built-in one, enter its name here so LAPS targets that account. If you have only renamed the built-in "Administrator" account, you do not need this: LAPS locates the built-in account by its well-known SID (the one ending in -500), whatever it is currently called.
NOTE: this setting does not create a custom admin account for you and does not rename the existing one. If you want that, leave this setting on "Not configured" and use the automatic account management settings further down.
Password Complexity: You have 9 options for this setting (8 complexity levels plus "Not configured"). Use it to configure the password complexity of the managed local administrator account. The allowable settings are:
1 = Large letters
2 = Large letters + small letters
3 = Large letters + small letters + numbers
4 = Large letters + small letters + numbers + special characters (default)
5 = Large letters + small letters + numbers + special characters (improved readability)
6 = Passphrase (long words)
7 = Passphrase (short words)
8 = Passphrase (short words with unique prefixes)
Not configured (falls back to the default)
If not specified, this setting defaults to 4.
Passphrase Length: Only used with the passphrase options (6, 7 and 8). You can select between 3 and 10 words; the default is 6 words. I chose 9. If you count the words in the screenshot below, you will see there are 9, each starting with an uppercase letter. No worries, this is an old LAPS password and it has since been rotated 😊
Password Length: Used with the character-based complexity options (1 to 5); the allowed range is 8 to 64 characters, and the default is 14 characters.
Post Authentication Actions: This is a really great security setting. After someone authenticates with the managed account, a grace period starts; this setting specifies the actions LAPS takes when that grace period expires. If not specified, it defaults to 3 (reset the password and log off the managed account). I configure the most restrictive option, which resets the password, terminates any remaining processes, and logs off any session of the managed account.
Post Authentication Reset Delay: The grace period, between 0 and 24 hours, between a logon with the managed account and the post-authentication action selected above. If not specified, the default is 24 hours. Note that 0 disables post-authentication actions entirely.
Automatic Account Management Enabled: Turns on automatic account management, which is what lets LAPS create and manage an admin account for you instead of only rotating the password of an account you created yourself. (The companion setting Automatic Account Management Target chooses whether the managed account is the built-in Administrator account or a new custom account.)
Automatic Account Management Enable Account: Choose whether the target account is left enabled or disabled. If not configured, the account is disabled.
Automatic Account Management Randomize Name: Use this setting to configure whether the name of the automatically managed account gets a random numeric suffix each time the password is rotated. If enabled, the target account's name carries a random numeric suffix that changes with every rotation; if disabled, the name stays as configured. In my case, I use a random numeric suffix, so every rotation changes the suffix after the name as well.
For example, my test account is named "LAPSTEST2" plus a suffix; after I rotated the password, the target account's suffix changed too.
Automatic Account Management Name Or Prefix: Finally, here you choose the account name (or, with Randomize Name enabled, the prefix the suffix is appended to). If not specified, the default name is WLapsAdmin.
Before we check the logs, assign the policy to a group of devices and wait for them to sync.
Registry Key: Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Policies\LAPS
On a new device where LAPS has never been configured, the LAPS subkey does not exist yet, as in the screenshot below.
Once you deploy the policy and it is applied, the key appears.
In the screenshot above you can clearly see all the settings we configured in Intune reflected as values under the registry key.
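To check the delivered policy without clicking through regedit, here is an added example (my own script, not part of the original post) that reads the values Intune wrote under HKLM\SOFTWARE\Microsoft\Policies\LAPS, renders them with the same option labels used above, prints the documented default for anything that is not set, and flags the two combinations discussed in this post (a passphrase complexity together with Password Length, and Administrator Account Name together with automatic account management). The value names are the documented Windows LAPS policy names; the decoding tables are taken from the option lists above.

```powershell
# Added example, not code from the original post: verify the Windows LAPS policy
# that Intune delivered to this device by reading the CSP policy key and rendering
# the values the way the Intune portal presents them. Run in an elevated PowerShell.

$lapsPolicyKey = 'HKLM:\SOFTWARE\Microsoft\Policies\LAPS'

if (-not (Test-Path -Path $lapsPolicyKey)) {
    Write-Warning "No LAPS policy key at $lapsPolicyKey. The Intune policy has not reached this device yet; sync the device and run this again."
    return
}

$p = Get-ItemProperty -Path $lapsPolicyKey

# Decoding tables (values as documented; labels as listed in this post).
$backupNames = @{ 0 = 'Disabled'; 1 = 'Microsoft Entra ID'; 2 = 'Windows Server Active Directory' }

$complexityNames = @{
    1 = 'Large letters'
    2 = 'Large letters + small letters'
    3 = 'Large letters + small letters + numbers'
    4 = 'Large letters + small letters + numbers + special characters'
    5 = 'Large letters + small letters + numbers + special characters (improved readability)'
    6 = 'Passphrase (long words)'
    7 = 'Passphrase (short words)'
    8 = 'Passphrase (short words with unique prefixes)'
}

$postAuthNames = @{
    1  = 'Reset password'
    3  = 'Reset password and log off the managed account'
    5  = 'Reset password and reboot the device'
    11 = 'Reset password, log off the managed account and terminate remaining processes'
}

# Print one setting: the configured value (plus a decoded label when we have one),
# or the documented default when the value is absent from the key.
function Show-LapsSetting {
    param([string]$Name, $Value, [string]$Default, [string]$Label)
    if ($null -eq $Value) { return '{0,-42} not set (default: {1})' -f $Name, $Default }
    if ($Label)           { return '{0,-42} {1}  [{2}]' -f $Name, $Value, $Label }
    return '{0,-42} {1}' -f $Name, $Value
}

# Look the labels up first ([int]$null is 0, which only matters when the value is set).
$backupLabel     = $backupNames[[int]$p.BackupDirectory]
$complexityLabel = $complexityNames[[int]$p.PasswordComplexity]
$postAuthLabel   = $postAuthNames[[int]$p.PostAuthenticationActions]

Show-LapsSetting 'BackupDirectory'                        $p.BackupDirectory                        '0 (Disabled)' $backupLabel
Show-LapsSetting 'PasswordAgeDays'                        $p.PasswordAgeDays                        '30'
Show-LapsSetting 'AdministratorAccountName'               $p.AdministratorAccountName               'built-in Administrator, found by SID'
Show-LapsSetting 'PasswordComplexity'                     $p.PasswordComplexity                     '4' $complexityLabel
Show-LapsSetting 'PasswordLength'                         $p.PasswordLength                         '14'
Show-LapsSetting 'PassphraseLength'                       $p.PassphraseLength                       '6'
Show-LapsSetting 'PostAuthenticationActions'              $p.PostAuthenticationActions              '3' $postAuthLabel
Show-LapsSetting 'PostAuthenticationResetDelay'           $p.PostAuthenticationResetDelay           '24 hours'
Show-LapsSetting 'AutomaticAccountManagementEnabled'      $p.AutomaticAccountManagementEnabled      '0 (Disabled)'
Show-LapsSetting 'AutomaticAccountManagementTarget'       $p.AutomaticAccountManagementTarget       '0 (built-in Administrator)'
Show-LapsSetting 'AutomaticAccountManagementNameOrPrefix' $p.AutomaticAccountManagementNameOrPrefix 'WLapsAdmin'
Show-LapsSetting 'AutomaticAccountManagementRandomizeName' $p.AutomaticAccountManagementRandomizeName '0 (no suffix)'
Show-LapsSetting 'AutomaticAccountManagementEnableAccount' $p.AutomaticAccountManagementEnableAccount '0 (account disabled)'

# Cross-checks for the interactions called out in this post.
if ($p.PasswordComplexity -ge 6 -and $null -ne $p.PasswordLength) {
    Write-Warning 'A passphrase complexity (6-8) is set, so PasswordLength is not used; PassphraseLength (3-10 words) controls the size.'
}
if ($p.AutomaticAccountManagementEnabled -eq 1 -and $p.AdministratorAccountName) {
    Write-Warning 'AdministratorAccountName is set together with automatic account management; leave it Not configured and use AutomaticAccountManagementNameOrPrefix for the custom account.'
}
if ($p.PostAuthenticationResetDelay -eq 0) {
    Write-Warning 'PostAuthenticationResetDelay is 0, which disables post-authentication actions entirely.'
}
```

Intune (CSP) policy lands under HKLM\SOFTWARE\Microsoft\Policies\LAPS; Group Policy writes the same value names under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\LAPS, and per Microsoft's documentation the CSP key takes precedence when both exist, so if a device behaves differently from what the portal shows, check both locations.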
Logs: let us check the Event Viewer log for LAPS, which can be found under Applications and Services Logs > Microsoft > Windows > LAPS > Operational.
Event ID 10010 shows that the password has been backed up to Entra ID (previously known as AAD).
Let me also share some important LAPS Event IDs:
1000
1002
Other LAPS Event IDs that I do not have on my test device, but which are really important to know:
A failed processing cycle is tracked with a 10005 event.
When the policy is configured to back up the password to Windows Server Active Directory, a 10021 event is logged.
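Rather than scrolling Event Viewer on each device, here is an added example (my own script, not part of the original post) that pulls the recent entries from the Microsoft-Windows-LAPS/Operational log, tags the event IDs this post calls out (10010 for a backup to Entra ID, 10005 for a failed cycle, 10021 for a backup to Windows Server AD), and tells you whether the most recent backup happened after the most recent failure. Any other event ID is shown with its level only; I have not assigned meanings the post does not give.

```powershell
# Added example, not code from the original post: summarise recent Windows LAPS
# operational events. Run in an elevated PowerShell on the target device.

$lapsLog = 'Microsoft-Windows-LAPS/Operational'

# Event IDs as described in this post; anything else is shown by level only.
$knownIds = @{
    10005 = 'FAILED policy processing cycle'
    10010 = 'Password backed up to Microsoft Entra ID'
    10021 = 'Password backed up to Windows Server Active Directory'
}

# Return the LAPS events from the last $Hours hours, oldest first.
function Get-LapsRecentEvent {
    param([int]$Hours = 72)
    Get-WinEvent -FilterHashtable @{
        LogName   = $lapsLog
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue | Sort-Object -Property TimeCreated
}

$events = @(Get-LapsRecentEvent -Hours 72)
if ($events.Count -eq 0) {
    Write-Warning "No events in $lapsLog for the last 72 hours. Has the policy applied and a processing cycle run? (Invoke-LapsPolicyProcessing forces one.)"
    return
}

# One line per event: time, ID, tag, first line of the message.
foreach ($e in $events) {
    $tag = if ($knownIds.ContainsKey($e.Id)) { $knownIds[$e.Id] } else { $e.LevelDisplayName }
    '{0:u}  {1,5}  {2,-50} {3}' -f $e.TimeCreated, $e.Id, $tag, (($e.Message -split "`r?`n")[0])
}

# Did the most recent backup happen after the most recent failure?
$lastFail   = $events | Where-Object { $_.Id -eq 10005 } | Select-Object -Last 1
$lastBackup = $events | Where-Object { $_.Id -in 10010, 10021 } | Select-Object -Last 1

if ($lastBackup -and (-not $lastFail -or $lastBackup.TimeCreated -gt $lastFail.TimeCreated)) {
    'Last successful backup: {0:u} (event {1})' -f $lastBackup.TimeCreated, $lastBackup.Id
} elseif ($lastFail) {
    Write-Warning ('Most recent cycle failed at {0:u}: {1}' -f $lastFail.TimeCreated, $lastFail.Message)
} else {
    Write-Warning 'No backup success (10010/10021) or failure (10005) event found in this window.'
}
```

If you do not want to wait for the next scheduled cycle after assigning the policy, run Invoke-LapsPolicyProcessing from the built-in Windows LAPS PowerShell module and then re-run the script; a 10005 at the end of the list with no later 10010/10021 is the signal to read the failure message before looking anywhere else.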
For more information, review the Microsoft Docs.
Thanks for reading, and I hope this helps you configure the new LAPS for Windows 11 24H2.