If you are an IT professional, you probably already know the Local Administrator Password Solution (LAPS) to manage the local administrator account password.
The good news is that, with the April 2023 updates, LAPS is now integrated directly into Windows; there is no longer any need to deploy the local LAPS agent.
It is now integrated with:
- Windows 1x Pro, Edu or Enterprise
- Windows Server 2019 and 2022 (including the Core edition)
The ‘previous’ LAPS (available for download) is now going to be known as Legacy LAPS.
What about Azure AD Joined devices? LAPS for Azure AD Joined devices is still in private preview, but it will switch to public preview later this quarter.
Personally, I recommend using the Azure AD Joined Device Local Administrator role to grant local administrator permissions and have the local administrator account disabled for Windows 1x devices. It works perfectly fine with Hybrid Joined devices too.
You can start using the new LAPS with PowerShell. To list all LAPS commands, run:
Get-Command -Module laps
With this integration, you also get the LAPS admx file to manage LAPS with group policies.
For devices managed with Intune, you can use the ./Device/Vendor/MSFT/LAPS CSP (see https://learn.microsoft.com/en-us/windows/client-management/mdm/laps-csp/).
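Going one step beyond listing the cmdlets, here is an added example (not from the original post) that uses the built-in LAPS module to review one Active Directory OU: who holds the right to read LAPS passwords, and which computers have no password stored or an expired one. The OU path is a placeholder, and the script assumes the RSAT ActiveDirectory module, an AD schema already extended for Windows LAPS, and an account allowed to read the LAPS attributes.

```powershell
#Requires -Modules LAPS, ActiveDirectory
# Added example: read-only review of Windows LAPS state for one OU.
# Passwords are never printed: without -AsPlainText, Get-LapsADPassword
# returns the password as a SecureString, and it is not selected below.

$SearchBase = 'OU=Workstations,DC=example,DC=com'   # placeholder, adjust to your domain

# 1. Which principals hold the extended rights to read LAPS passwords here?
#    Anything beyond the intended helpdesk/admin groups deserves a closer look.
Find-LapsADExtendedRights -Identity $SearchBase |
    Format-List ObjectDN, ExtendedRightHolders

# 2. Per-computer state: is a LAPS password stored, and is it still valid?
$now = Get-Date
$report = foreach ($computer in Get-ADComputer -Filter * -SearchBase $SearchBase) {
    try {
        $laps = Get-LapsADPassword -Identity $computer.DistinguishedName -ErrorAction Stop
    }
    catch {
        $laps = $null   # lookup failed (no read permission, object problem, ...)
    }

    $state = if (-not $laps -or -not $laps.ExpirationTimestamp) {
        'NoLapsPassword'    # nothing stored yet, or policy not applied
    }
    elseif ($laps.ExpirationTimestamp -lt $now) {
        'Expired'           # device has not rotated its password on schedule
    }
    else {
        'OK'
    }

    [pscustomobject]@{
        Computer   = $computer.Name
        State      = $state
        Account    = $laps.Account                # managed local account name
        Source     = $laps.Source                 # encrypted or cleartext storage
        LastUpdate = $laps.PasswordUpdateTime
        Expires    = $laps.ExpirationTimestamp
    }
}

# Show the devices that need attention first.
$report | Sort-Object State, Computer | Format-Table -AutoSize
```

On a device that shows up as Expired or NoLapsPassword, Invoke-LapsPolicyProcessing (run locally on that device) makes it process the current LAPS policy right away.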