Azure AD LAPs Group Policy Settings for Windows 11 | Intune Policy for LAPs

Let’s check the details of Azure AD LAPs Group Policy Settings for Windows 11 devices. Microsoft released the latest group policy settings as part of the Windows 11 insider build (25145). The latest information on Intune and Azure AD policy configurations for Windows LAPS is explained in a separate post: Windows LAPS Configurations From Azure AD and Intune.

Intune Policy for LAPs is also available now through Intune Settings Catalog policies. The combination of Azure AD joined devices and LAPs group policy settings is a bit strange: how is it possible to deploy a GPO to AADJ devices? Local GPOs?

One particular LAPs setting is very interesting: to configure which directory (Azure AD or Active Directory) the local admin account password is backed up to. I’m wondering how the LAPs client will back up the local admin password to Azure AD.

Another interesting Azure AD LAPs setting is the minimum password age in days; this will be 7 days if the password backup directory is set to AAD. Also, the rotation of the local admin passwords will be interesting in terms of Azure AD LAPs.


The “Local Administrator Password Solution” (LAPS) helps admins manage the local admin account passwords of domain joined devices. Microsoft announced with Windows 11 Insider build 25145 that a limited number of insiders would be able to test the LAPs solution on Azure AD joined devices.

Traditionally, the LAPs solution stores passwords in Active Directory (AD), where they are protected by an ACL so that only eligible users can read them or request a reset. As per the latest news, this feature is coming to Azure AD as well.

Microsoft has not shared many details on the Azure AD LAPs scenario in the insider build release notes. But they clearly started testing this for some of the AAD joined Windows 11 insider build devices. I hope there will be a private version of the LAPs client for the Azure AD join scenario that is not released publicly.

Read More on Microsoft LAPs Architecture and Design (Domain Joined PCs) -> LAPS For Windows 10 Privileged Access Management.


LAPs for Domain Joined Windows 11 Devices

There are many prerequisites and AD schema upgrades needed for a LAPs implementation on domain joined Windows 11 devices. Two main things need to be sorted out on the client side for LAPs:

  • LAPs client -> New Client version released on 3/4/2022.
  • Group Policy Settings -> Computer Configuration > Administrative Templates > System > LAPS

I see that Microsoft updated the LAPs client (v6.2) on 3/4/2022. This could mean this is the latest version you need to use for testing with the Windows 11 insider build and the new group policy settings.

Azure AD LAPs Group Policy Settings for Windows 11 1

Intune Policy for LAPs – Settings Catalog

You can now configure Intune Settings Catalog Policy for LAPs configuration. You can follow the steps to complete the creation process of Intune Policy for LAPs.

  • Sign in to the Endpoint Manager Intune portal https://endpoint.microsoft.com/
  • Select Devices > Windows > Configuration profiles > Create profile

In Create a profile, select Platform as Windows 10 and later and Profile type as Settings catalog. Click the Create button.

Azure AD LAPs using Intune Settings Catalog for Windows 11 2

On the Basics tab, enter a descriptive Name, for example Azure AD Joined LAPs. Optionally, enter a Description for the policy, then select Next.

In Configuration settings, click Add settings to browse or search the catalog for the settings you want to configure.

Azure AD LAPs using Intune Settings Catalog for Windows 11 3

In the Settings picker window, use the search box, type LAPs, and click Search. Select the Administrative Templates\LAPs category and double-click it to see the setting names.

  • Do not allow password expiration time longer than required by policy
  • Enable local admin password management
  • Name of administrator account to manage
  • Administrator account name (Device)
  • Password Settings
  • Password Age (Days) (Device)
  • Password Complexity (Device)
  • Password Length (Device)
Azure AD LAPs using Intune Settings Catalog for Windows 11 1

Many configuration options are available in Intune, similar to the Group Policy settings. Once you have configured the settings as required, click the Next button.

  • Password Settings
  • Password Age (Days) (Device) – 30
  • Password Length (Device) – 14
  • Name of administrator account to manage – Enabled
  • Administrator account name (Device)
  • Enable local admin password management – Enabled
  • Do not allow password expiration time longer than required by policy – Enabled
Azure AD LAPs using Intune Settings Catalog for Windows 11 5

Read More to complete the deployment of Intune Settings policies for LAPs – Turn On Cloud Protection For Windows 11 Microsoft Defender Using Intune.

New Group Policy Settings for LAPs

Microsoft released new group policy settings for the LAPs implementation on domain joined and Azure AD joined devices. I think the latest client will also support Azure AD joined devices (to be confirmed). I hope Microsoft will release a LAPs client into the Windows Package Manager.

There is a big difference between the Group Policy settings available in the old LAPs and the new one released with Windows 11 (insider build). At the time of writing this post, there are 9 GPO settings available for LAPs. The list of new LAPs group policy settings is given below.

  1. Enable password backup for DSRM accounts
  2. Configure size of encrypted password history
  3. Enable password encryption
  4. Configure authorized password decryptors
  5. Name of administrator account to manage
  6. Configure password backup directory
  7. Do not allow password expiration time longer than required
  8. Password settings
  9. Post-authentication actions

To get the new Windows 11 LAPs policies on Windows 10 devices, you need to install the Windows 11 ADMX. These policies are not available in the production Windows 11 ADMX (they are only available for Windows insider PCs).

Azure AD LAPs Group Policy Settings for Windows 11 2

LAPs GPO Setting – Enable password backup for DSRM accounts

Let’s check LAPs GPO Setting to Enable password backup for DSRM accounts. When you enable this setting, the DSRM administrator account password will be managed and backed up to Active Directory. Enabling this setting has no effect unless the managed device is a domain controller and password encryption is enabled.

  • If this setting is enabled, the password for the DSRM administrator account on the domain controller will be backed up to Active Directory.
  • If this setting is disabled or not configured, the password for the DSRM administrator account on the domain controller will not be backed up to Active Directory.
Azure AD LAPs Group Policy Settings for Windows 11 3

Configure Size of Encrypted Password History

Let’s now configure the size of the encrypted password history using the new GPO settings available with Windows 11 ADMX. You can use this setting to configure how many previously encrypted passwords will be stored in Active Directory.

The LAPs size of encrypted password history setting has a minimum allowed value of 0 passwords, and the maximum allowed encrypted password history is 12 passwords.

NOTE! – Configuring this setting has no effect unless 1) the password has been configured to be backed up to Active Directory and 2) password encryption has been enabled.

  • If this setting is enabled, the specified number of older passwords will be stored in Active Directory.
  • If this setting is disabled or not configured, zero older passwords will be stored in Active Directory.
Azure AD LAPs Group Policy Settings for Windows 11 5

Enable Password Encryption Policy Settings

Let’s check the Enable Password Encryption Policy Settings for LAPs. When you enable this LAPs setting, the managed password is encrypted before being sent to Active Directory.

NOTE! – Enabling this setting has no effect unless 1) the password has been configured to be backed up to Active Directory and 2) the Active Directory domain functional level is at Windows Server 2016 or above.

  • If this LAPs setting is enabled, and the domain functional level is at or above Windows Server 2016, the managed account password is encrypted.
  • If this setting is enabled, and the domain functional level is less than Windows Server 2016, the managed account password is not backed up to the directory.
  • If this setting is disabled or not configured, the managed account password is not encrypted.
Azure AD LAPs Group Policy Settings for Windows 11 6

Configure Authorized Password Decryptors Settings for LAPs

Let’s check the details of the LAPs settings called Configure Authorized Password Decryptors. This LAPs setting is to control the specific user or group who is authorized to decrypt encrypted passwords.

This LAPs Password Decryptors setting must be configured with either a SID in string format (“S-1-5-21-2127521184-1604012920-1887927527-35197”) or the name of a group or user in “domain\group” or “domain\user” format. The specified user or group must be resolvable by the managed device; otherwise, passwords will not be backed up.

NOTE! – Obviously, configuring this setting has no effect unless password encryption has been enabled.

  • If this setting is enabled, encrypted passwords will be decryptable by the specified group.
  • If this setting is disabled or not configured, encrypted passwords can be decrypted only by the Domain Admins group.
Azure AD LAPs Group Policy Settings for Windows 11 7

Name of Administrator Account to Manage GPO Settings

Let’s check the Name of Administrator Account to Manage LAPs GPO setting. This LAPs policy setting specifies a custom Administrator account name whose password LAPS will manage.

NOTE! – DO NOT enable this policy setting to manage the built-in administrator account. The built-in administrator account is auto-detected by a well-known SID and does not depend on the account name.

  • If this policy setting is enabled, LAPS will manage the password for a local account with this name.
  • If this policy setting is disabled or not configured, LAPS will manage the password for the well-known Administrator account.
Azure AD LAPs Group Policy Settings for Windows 11 8

Configure Password Backup Directory to Azure AD or Active Directory

Let’s check how to Configure Password Backup Directory to Azure AD or Active Directory. Use this LAPs setting to configure which directory (Azure AD or Active Directory) the local admin account password is backed up to.

If you don’t configure this setting, it defaults to 0 (Disabled). The allowable values for Password Backup Directory are:

  • 0=Disabled (password will not be backed up)
  • 1=Backup the password to Azure Active Directory
  • 2=Backup the password to Active Directory

The resulting behaviour depends on the join state of the managed device:

  • If this setting is configured to 1, and the managed device is not joined to Azure Active Directory, the local administrator password will not be managed.
  • If this setting is configured to 2, and the managed device is not joined to Active Directory, the local administrator password will not be managed.
  • If this setting is disabled or not configured, the local administrator password is not managed.
Azure AD LAPs Group Policy Settings for Windows 11 9

Do not allow password expiration time longer than required

Let’s check on Do not allow password expiration time longer than required GPO settings. If this setting is enabled or not configured, planned password expiration longer than the password age dictated by the “Password Settings” policy is NOT allowed.

When such expiration is detected, the password is changed immediately, and password expiration is set according to policy. If this setting is disabled, password expiration time may be longer than required by the “Password Settings” policy.

Azure AD LAPs Group Policy Settings for Windows 11 10

LAPs GPO for Password Policy settings

Let’s check LAPs GPO for Password policy settings. These settings are there to configure the local admin password policy. How complex should the local admin password be?

Configures Local Admin password parameters such as Password complexity, Password Length, and Password age in days.

  • Password complexity: which characters are used when generating a new password
    • Default: Large letters + small letters + numbers + special characters
  • Password length
    • Minimum: 8 characters
    • Maximum: 64 characters
    • Default: 14 characters
  • Password age in days
    • Minimum: 1 day (7 days when the backup directory is configured to be Azure AD)
    • Maximum: 365 days
    • Default: 30 days
Azure AD LAPs Group Policy Settings for Windows 11 11

Post-authentication Actions

Let’s check the Post-authentication actions and grace period (hours) settings available for admins in the new LAPs GPO settings. This policy configures post-authentication actions, which will be executed after detecting an authentication by the managed account.

Note: the DSRM account on domain controllers cannot be configured for post-authentication actions. This policy does not affect domain controllers and will be ignored even if configured for a DC.

Check the Grace period option: specifies the amount of time (in hours) to wait after an authentication before executing the specified post-authentication actions. Following are the details of grace period configurations.

  • If this setting is enabled and greater than zero, the specified post-authentication actions will be executed upon the expiry of the grace period.
  • If this setting is disabled or not configured, the specified post-authentication actions will be executed after a default 24-hour grace period.
  • If this setting is equal to zero, no post-authentication actions will be executed.

Actions: specifies the actions to take upon expiry of the grace period, that is, after an authentication by the managed account has been detected and the grace period has elapsed.

(NOTE: After any interactive logon sessions are terminated, there may still be other authenticated sessions in use by the managed account. The only robust way to ensure that the previous password is no longer in use is to reboot the device.)

  • Reset password: upon expiry of the grace period, the managed account password will be reset.
  • Reset the password and log off the managed account: upon expiry of the grace period, the managed account password will be reset, and any interactive logon sessions using the managed account will be terminated.
  • Reset the password and reboot: upon expiry of the grace period, the managed account password will be reset, and the managed device will be immediately rebooted.

If this setting is disabled or not configured, post-authentication actions will default to “Reset the password and log off the managed account.”

Azure AD LAPs Group Policy Settings for Windows 11 12

Registry Entries for LAPs GPO Settings

Let’s check the Registry Entries for LAPs GPO Settings. The registry details of LAPs configuration are going to help in a troubleshooting scenario. Try to find out the results of the configurations that you applied as per the above sections from the LAPs registry entries.

  • The Registry Paths for LAPs GPO settings ->
    • Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\LAPS
    • Computer\HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Policies\LAPS
    • Computer\HKEY_USERS\S-1-5-21-202201247-3238398725-1201954138-1001\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{F67C670D-F05D-471F-BE95-C9ABC981D5A9}Machine\Software\Microsoft\Windows\CurrentVersion\Policies\LAPS
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\LAPS]
"ADBackupDSRMPassword"=dword:00000001
"ADEncryptedPasswordHistorySize"=dword:0000000c
"ADPasswordEncryptionEnabled"=dword:00000001
"ADPasswordEncryptionPrincipal"="S-1-5-21-2127521184-1604012920-1887927527-35197"
"AdministratorAccountName"="HTMDAdmin"
"BackupDirectory"=dword:00000001
"PwdExpirationProtectionEnabled"=dword:00000001
"PasswordComplexity"=dword:00000004
"PasswordLength"=dword:0000000e
"PasswordAgeDays"=dword:0000001e
"PostAuthenticationResetDelay"=dword:00000018
"PostAuthenticationActions"=dword:00000005
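As an added troubleshooting aid (not part of the original post), the following PowerShell snippet reads the LAPS policy key listed above, decodes the values, and warns about the combinations that the policy descriptions in this post say are ignored or rejected (Azure AD backup with a password age under 7 days, encryption without an AD backup, an encrypted history without encryption, and so on). The numeric meanings assumed for PasswordComplexity and PostAuthenticationActions come from the released Windows LAPS documentation and are not stated on this page; run it in an elevated PowerShell on the managed device.

```powershell
# Added example, not from the original post: decode the LAPS policy key and
# flag settings that, per the policy descriptions, will be ignored or rejected.
# Assumption: numeric meanings of PasswordComplexity / PostAuthenticationActions
# follow the released Windows LAPS documentation.
$Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\LAPS'
if (-not (Test-Path $Path)) { Write-Warning "No LAPS policy key at $Path"; return }
$p = Get-ItemProperty -Path $Path

$BackupDir  = @{ 0 = 'Disabled (not backed up)'; 1 = 'Azure AD'; 2 = 'Active Directory' }
$Complexity = @{ 1 = 'Large letters'; 2 = 'Large + small letters'
                 3 = 'Large + small + numbers'; 4 = 'Large + small + numbers + special' }
$Actions    = @{ 1 = 'Reset password'; 3 = 'Reset password and log off'
                 5 = 'Reset password and reboot' }

# Return the configured value, or the documented default when the value is absent
function Get-Val([string]$Name, $Default) {
    if ($null -ne $p.$Name) { $p.$Name } else { $Default }
}

$dir    = Get-Val 'BackupDirectory' 0
$age    = Get-Val 'PasswordAgeDays' 30
$len    = Get-Val 'PasswordLength' 14
$cplx   = Get-Val 'PasswordComplexity' 4
$enc    = Get-Val 'ADPasswordEncryptionEnabled' 0
$hist   = Get-Val 'ADEncryptedPasswordHistorySize' 0
$dsrm   = Get-Val 'ADBackupDSRMPassword' 0
$acct   = Get-Val 'AdministratorAccountName' '(built-in Administrator, by well-known SID)'
$delay  = Get-Val 'PostAuthenticationResetDelay' 24
$action = Get-Val 'PostAuthenticationActions' 3

"Backup directory : $dir = $($BackupDir[[int]$dir])"
"Managed account  : $acct"
"Password         : length $len, complexity $cplx ($($Complexity[[int]$cplx])), age $age days"
"Encryption       : enabled=$enc, history=$hist, DSRM backup=$dsrm"
"Post-auth        : after $delay h -> $action ($($Actions[[int]$action]))"

# Consistency checks derived from the policy descriptions
$findings = @()
if ($dir -eq 0) { $findings += 'BackupDirectory is 0/missing: the local admin password is NOT managed.' }
if ($dir -eq 1 -and $age -lt 7) { $findings += 'Azure AD backup requires a password age of at least 7 days.' }
if ($age -lt 1 -or $age -gt 365) { $findings += "PasswordAgeDays $age is outside 1..365." }
if ($len -lt 8 -or $len -gt 64) { $findings += "PasswordLength $len is outside 8..64." }
if ($hist -lt 0 -or $hist -gt 12) { $findings += "ADEncryptedPasswordHistorySize $hist is outside 0..12." }
if ($enc -eq 1 -and $dir -ne 2) { $findings += 'Password encryption has no effect unless the backup directory is Active Directory (2).' }
if ($hist -gt 0 -and ($enc -ne 1 -or $dir -ne 2)) { $findings += 'Encrypted password history is ignored without AD backup and encryption.' }
if ($dsrm -eq 1 -and $enc -ne 1) { $findings += 'DSRM password backup has no effect without password encryption.' }
# Decryptor must be a SID string or a domain\name that the device can resolve
if ($p.ADPasswordEncryptionPrincipal -and $p.ADPasswordEncryptionPrincipal -notmatch '^(S-1-5-21(-\d+)+|[^\\]+\\[^\\]+)$') {
    $findings += 'ADPasswordEncryptionPrincipal must be a SID string or domain\name.'
}
if ($delay -eq 0) { $findings += 'PostAuthenticationResetDelay is 0: no post-authentication actions will run.' }
if ($findings) { $findings | ForEach-Object { Write-Warning $_ } } else { 'No policy inconsistencies found.' }
```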
Azure AD LAPs Group Policy Settings for Windows 11 13

Windows CSP Policies for LAPs Configurations

Let’s check whether there are any Windows CSP policies for LAPs configurations. I have not found any details on Windows CSP policies in the LAPs documentation. This would be really interesting in terms of deploying LAPs policies to Azure AD joined devices.

You can’t deploy domain-level group policies to Azure AD joined devices. But I know many of us use local group policies with Intune to fill some gaps in the Windows CSP policies. We can use local GPOs to deploy LAPs policies if that is required for testing.

Author

Anoop is a Microsoft MVP! He is a Solution Architect in enterprise client management with more than 20 years of IT experience (calculation done in 2021). He is a blogger, speaker, and Local User Group HTMD Community leader. His main focus is on Device Management technologies like SCCM 2012, Current Branch, and Intune. He writes about ConfigMgr, Windows 11, Windows 10, Azure AD, Microsoft Intune, Windows 365, AVD, etc.

5 thoughts on “Azure AD LAPs Group Policy Settings for Windows 11 | Intune Policy for LAPs”

  1. Hello Anoop C Nair,

    I am currently using Intune to manage our devices. All our devices are either AAD joined or Hybrid AAD joined. If I want to use Intune to deploy the LAPS policy to our devices, do I still need to install LAPS on a domain controller, extend the schema and configure group policy in the Active Directory? I have created a test LAPS policy in Intune and successfully deployed it to my own computer. I don’t know how to verify if it worked, or where to see if the local admin password has been changed, or where it is saved. Your help would be greatly appreciated.

    Thanks
    Kit

  2. Hi,

    Thank you for your response. Do you know if the AAD LAPS will be coming soon or not? I would like to wait for it if it is coming soon. Will you be writing up instructions for it when it is available? You did a wonderful job with this post.

    Thanks
    Kit
