Overview
Windows LAPS (Local Administrator Password Solution) is a feature built into Windows 10 and Windows 11 (from the April 11, 2023 update) that manages the password of a local administrator account on each device: it generates a random password, rotates it on a schedule, and backs it up to Microsoft Entra ID (it can also back up to on-premises Active Directory, but this article covers the Entra ID path). For devices enrolled in Microsoft Intune, the policy is delivered by Intune and administrators can view, reset, and rotate the escrowed passwords from the Intune admin center or Microsoft Graph, with each retrieval recorded in the Entra audit log.
If your organization is using Devicie's own proprietary LAPS for your Windows devices, it's time to make the move to Windows LAPS.
What is Devicie LAPS?
Devicie LAPS is a third-party solution that provides similar functionality to Microsoft LAPS. However, Devicie LAPS is not a Microsoft product, and it is not integrated with Microsoft Intune.
Why should I move to Windows LAPS?
There are several reasons why you should move to Windows LAPS from Devicie LAPS:
- Windows LAPS policy is delivered and reported through Microsoft Intune, so local administrator passwords are managed alongside the rest of your device configuration.
- Windows LAPS is part of the operating system, so there is no agent or package to install, update, or troubleshoot on your devices.
- Windows LAPS escrows each password in Entra ID, where retrieval requires a directory role that holds the device local credential read permission and every retrieval is written to the audit log, which gives you tighter access control and a clearer audit trail than Devicie LAPS provides.
Requirements
To use Windows LAPS, you need the following:
- A Microsoft Intune subscription.
- Windows 10/11 with April 11, 2023 update or later.
- Microsoft Entra Premium P1 or P2 licenses.
- Windows LAPS enabled at the tenant level in Entra ID (the "Enable Microsoft Entra Local Administrator Password Solution (LAPS)" switch under Device settings). See the Microsoft Learn article "Use Windows Local Administrator Password Solution (LAPS) with Microsoft Entra ID".
Benefits
Windows LAPS provides the following benefits:
- Centralized management of local administrator passwords.
- Improved security of Windows devices.
- Easy to use and deploy.
Things to be aware of
When using Windows LAPS, there are a few things to be aware of:
- Devicie deploys Windows LAPS using a custom configuration profile with 9 settings.
- Two of the settings will show as "error" in the configuration profile status. This is expected: the profile can write those settings to the device but cannot read them back, so Intune is unable to report their state accurately. The settings are still applied.
- Windows LAPS stores the actual password of the managed local administrator account in Entra ID, not a hash: a hash would be useless for the "view password" workflow. The password is encrypted at rest, can only be read by accounts holding a role with the device local credential read permission, and every read is logged in the Entra audit log. Treat the right to read LAPS passwords as a privileged role and assign it accordingly.
- Windows LAPS manages exactly one local administrator account per device. Other local accounts and your domain and cloud accounts are not covered, so they still need strong, unique passwords and the usual controls around them.
- Windows LAPS is not a silver bullet. It is a tool that can help you to improve the security of your Windows devices, but it is not a guarantee that your devices will be secure.
If you are looking for a way to improve the security of your organization's Windows devices, then Windows LAPS is a great option. It is easy to use, deploy, and manage, and it can help you to centralize the management of local administrator passwords.
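The retrieval path described above, as an added example that is not Devicie's or Microsoft's own code. It uses the LAPS PowerShell module that ships with Windows (April 2023 update or later) and the Microsoft Graph PowerShell SDK, and assumes the signed-in account holds an Entra role with the device local credential read permission; $DeviceName is a placeholder for a real device display name. It first fetches only the rotation metadata, which is enough to confirm a device is being managed without exposing the secret, and then fetches the password as a SecureString only when it is actually needed.

```powershell
# Added example (not Devicie's or Microsoft's code): inspect and retrieve the
# Windows LAPS password escrowed in Entra ID for one device.
# Assumes: LAPS module present (built into Windows since April 2023),
# Microsoft.Graph PowerShell SDK installed, and a role that can read device
# local credentials. $DeviceName is a placeholder.
param(
    [Parameter(Mandatory)] [string] $DeviceName
)

Import-Module Microsoft.Graph.Authentication
# DeviceLocalCredential.Read.All is the Graph scope behind Get-LapsAADPassword.
Connect-MgGraph -Scopes 'Device.Read.All', 'DeviceLocalCredential.Read.All' -NoWelcome

# Resolve the Entra device ID from the display name (names are not unique; take the first match).
$device = Get-MgDevice -Filter "displayName eq '$DeviceName'" | Select-Object -First 1
if (-not $device) { throw "Device '$DeviceName' was not found in Entra ID" }

# Metadata only: which account is managed, when it was last rotated, when it expires.
# This does not return the password and is what you want for a health check.
$meta = Get-LapsAADPassword -DeviceIds $device.DeviceId
'{0}: account={1} lastRotated={2} expires={3}' -f $meta.DeviceName, $meta.Account,
    $meta.PasswordUpdateTime, $meta.PasswordExpirationTime

# Only now read the secret. Without -AsPlainText the Password property is a SecureString,
# so it is not written to the console or transcript by accident. This call is audited in Entra ID.
$cred = Get-LapsAADPassword -DeviceIds $device.DeviceId -IncludePasswords
$psCred = [pscredential]::new(".\$($meta.Account)", $cred.Password)

# Use $psCred for the support task (for example Enter-PSSession or a scheduled task).
# Once used, the device itself will rotate the password after the PostAuthenticationResetDelay
# grace period because of PostAuthenticationActions, so the exposed value is short-lived.
$psCred
```

If you only need to confirm that migrated devices are rotating, run the metadata call without -IncludePasswords across your device list and look for PasswordUpdateTime values older than the configured PasswordAgeDays.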
Moving from Devicie LAPS to Windows LAPS
If you are currently using Devicie LAPS, we will gradually move you to Windows LAPS. To do that, you need to make sure that your Windows devices are running April 11, 2023 Update or later.
We also need you to have the following details ready so we can create Windows LAPS accordingly:
- PasswordAgeDays - The maximum number of days a local administrator password is kept before Windows LAPS rotates it. The Windows LAPS default is 30 days.
- PasswordLength - The length of the generated password. The Windows LAPS default is 14 characters (allowed range 8 to 64).
- AdministratorAccountName - The name of the local administrator account to manage. If left unset, Windows LAPS manages the built-in Administrator account by its well-known identifier, so it keeps working even if that account has been renamed.
- PostAuthenticationResetDelay - The grace period, in hours, between a successful logon with the managed account and the execution of the post-authentication actions. The Windows LAPS default is 24 hours (allowed range 0 to 24).
- PostAuthenticationActions - What Windows LAPS does once that grace period expires: reset the password only, reset the password and log off the managed account, or reset the password and reboot the device. The Windows LAPS default is to reset the password and log off the managed account, which limits how long a retrieved password stays valid.
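A device-side check for the settings above, as an added example that is not Devicie's or Microsoft's own code. Intune delivers Windows LAPS policy through the LAPS CSP, which writes its values under HKLM\SOFTWARE\Microsoft\Policies\LAPS; the script compares those values against the ones agreed for the migration, then forces an immediate policy cycle and surfaces any errors from the LAPS operational log. The values in $expected are placeholders to be replaced with your tenant's agreed settings; the registry path, value names, and numeric encodings are the Windows LAPS CSP ones. Run it in an elevated PowerShell session on a migrated device.

```powershell
# Added example (not Devicie's or Microsoft's code): confirm the Windows LAPS
# policy delivered by Intune matches the agreed values, then trigger and check a cycle.
# Run elevated on the device. Values in $expected are placeholders.
$expected = @{
    BackupDirectory              = 1               # 1 = Entra ID, 2 = Active Directory, 0 = disabled
    PasswordAgeDays              = 30
    PasswordLength               = 20
    AdministratorAccountName     = 'Administrator'
    PostAuthenticationResetDelay = 24              # hours
    PostAuthenticationActions    = 3               # 1 = reset, 3 = reset + log off, 5 = reset + reboot
}

# Policy written by the LAPS CSP (Intune). Group Policy lands under
# HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\LAPS instead and takes precedence.
$cspPath = 'HKLM:\SOFTWARE\Microsoft\Policies\LAPS'
if (-not (Test-Path $cspPath)) {
    throw "No Windows LAPS CSP policy found at $cspPath. Has the Intune profile applied to this device yet?"
}
$actual = Get-ItemProperty -Path $cspPath

# Report every setting that is missing or differs from the agreed value.
$drift = foreach ($name in $expected.Keys) {
    $value = $actual.$name
    if ($null -eq $value -or "$value" -ne "$($expected[$name])") {
        [pscustomobject]@{ Setting = $name; Expected = $expected[$name]; Actual = $value }
    }
}
if ($drift) {
    $drift | Format-Table -AutoSize
    Write-Warning 'Effective Windows LAPS policy does not match the agreed values'
} else {
    'Effective Windows LAPS policy matches the agreed values'
}

# Do not wait for the scheduled cycle: process policy now, then look for errors
# (Level 2) in the LAPS operational log, for example a failed backup to Entra ID.
Invoke-LapsPolicyProcessing
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-LAPS/Operational'; Level = 2 } `
    -MaxEvents 5 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message
```

Because Intune reports two of the nine settings as "error" even when they applied, this registry comparison is the reliable way to confirm what is actually in effect on a device.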
Once Windows LAPS is in place, we will remove the assignment for the Devicie LAPS application on your tenant and Windows LAPS will take over the process.
Please note that this only affects Windows devices. Devicie LAPS will continue to be used for macOS devices.