LAPS: Automatically generate admin accounts, use passphrases, enable rollback detection

Since 2023, the Local Administrator Password Solution (Windows LAPS) has been built into Windows itself, and Windows 11 24H2 adds some interesting capabilities: automatic management of the local admin account, passphrases instead of character-jumble passwords, and the generation of a new password when a computer has been rolled back to an earlier state.

LAPS exists to stop organizations from provisioning the same local admin account with the same password on every Windows PC. If that password (or just its NTLM hash) is obtained on one machine, it opens every other machine that shares it. LAPS instead gives each computer its own password, rotates it regularly, and backs it up to Active Directory (encrypted, if you enable the corresponding policy), where an ACL on the LAPS attributes controls who may read it.

Create local accounts automatically

Until now, admins could use group policy to specify the name of the administrator account whose password LAPS should manage. However, they had to create that account themselves beforehand, either via a script or using group policy. If the name policy is left unconfigured, LAPS manages the built-in administrator account (identified by its well-known RID 500, regardless of what it has been renamed to).

With Windows 11 24H2, a new group policy was added that not only lets you specify an individual account but also has it created automatically. It is called "Configure automatic account management" and, like all LAPS policies, is located under Computer Configuration => Policies => Administrative Templates => System => LAPS.

If you enable it, the built-in administrator account is preselected under Target account . If you change this setting to Manage a custom administrator account , you have several options to choose from.

Automatically create and activate a local account with the prefix MyAdmin and a random suffix

In the simplest case, you just enter the desired name for the account under Automatic account name (or name prefix). If you leave this field empty, LAPS uses WLapsAdmin instead.

Add a random suffix to the name

If you check Random managed account name , LAPS will interpret the contents of the Automatic account name field as a prefix and append a random six-digit suffix to it. For example, if you enter MyAdmin , LAPS would turn it into something like MyAdmin342466 .

Since local account names cannot be longer than 20 characters, the prefix should not exceed 14 characters when the random suffix is enabled; otherwise the excess length is truncated. The GPO editor does not warn you about this: it accepts 20 characters even when the Random Name checkbox is checked.

Along with passwords, LAPS also periodically renews the account name suffix if you have selected the random name option.

Activate account

Finally, this policy offers the option to activate the generated account. If you do not check this box, the account will remain deactivated.

In this case, LAPS still renews the password at the usual intervals and backs it up to AD, but nobody can log on with the account until you enable it.
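The following PowerShell script is an added example and not code from the original article. It applies the settings described above for a lab machine, enforces the 14-character prefix limit from the random-suffix section, and then verifies that LAPS actually created the account and backed its password up to AD. The registry value names under HKLM\Software\Microsoft\Policies\LAPS are taken from the LAPS.admx policy mapping and are an assumption; check them against the ADMX on your build. In production, set these values through the GPO or Intune instead of writing the registry directly, since group policy refresh will overwrite local edits.

```powershell
# Added example (not from the original article). Run elevated on a domain-joined
# Windows 11 24H2 client. Registry value names are an assumption based on LAPS.admx.

$PolicyKey = 'HKLM:\Software\Microsoft\Policies\LAPS'

function Set-LapsAutoAccountPolicy {
    param(
        [Parameter(Mandatory)] [string] $NamePrefix,
        [switch] $RandomizeName,
        [switch] $EnableAccount
    )
    # SAM account names are capped at 20 characters; with the six-digit random suffix
    # the prefix must fit in 14 characters or LAPS truncates it silently.
    $maxPrefix = if ($RandomizeName) { 14 } else { 20 }
    if ($NamePrefix.Length -gt $maxPrefix) {
        throw "Prefix '$NamePrefix' is $($NamePrefix.Length) chars; maximum is $maxPrefix when RandomizeName=$($RandomizeName.IsPresent)"
    }
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }

    # Value names as written by 'Configure automatic account management' (assumption).
    $values = @{
        AutomaticAccountManagementEnabled       = 1
        AutomaticAccountManagementTarget        = 1      # 1 = new custom account, 0 = built-in Administrator
        AutomaticAccountManagementNameOrPrefix  = $NamePrefix
        AutomaticAccountManagementRandomizeName = [int]$RandomizeName.IsPresent
        AutomaticAccountManagementEnableAccount = [int]$EnableAccount.IsPresent
    }
    foreach ($name in $values.Keys) {
        $type = if ($values[$name] -is [string]) { 'String' } else { 'DWord' }
        New-ItemProperty -Path $PolicyKey -Name $name -Value $values[$name] -PropertyType $type -Force | Out-Null
    }
}

function Test-LapsManagedAccount {
    param([Parameter(Mandatory)] [string] $NamePrefix)
    # Force a policy cycle now instead of waiting for the next scheduled run.
    Invoke-LapsPolicyProcessing

    # With the random suffix the local name is prefix + six digits; without it, the prefix itself.
    $pattern = '^' + [regex]::Escape($NamePrefix) + '(\d{6})?$'
    $local = Get-LocalUser | Where-Object { $_.Name -match $pattern } | Select-Object -First 1
    if (-not $local) {
        throw "No local account matching '$NamePrefix' found; check the Microsoft-Windows-LAPS/Operational event log"
    }

    # Cross-check against the AD backup (caller needs read permission on the LAPS attributes).
    $ad = Get-LapsADPassword -Identity $env:COMPUTERNAME -AsPlainText
    [pscustomobject]@{
        LocalName  = $local.Name
        Enabled    = $local.Enabled
        ADAccount  = $ad.Account
        UpdatedAt  = $ad.PasswordUpdateTime
        ExpiresAt  = $ad.ExpirationTimestamp
        NamesMatch = ($ad.Account -eq $local.Name)
    }
}

# Usage: prefix 'MyAdmin' plus random suffix, account enabled.
Set-LapsAutoAccountPolicy -NamePrefix 'MyAdmin' -RandomizeName -EnableAccount
Test-LapsManagedAccount -NamePrefix 'MyAdmin'
```

NamesMatch is the useful check: if the AD record shows a different account name than the one that exists locally, the suffix has been regenerated since the last successful backup, and the stored password belongs to a name that no longer exists on the client.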

Complexity of passwords

LAPS already offered more extensive options for password policies than Active Directory. You can choose from different combinations of upper and lower case letters, numbers and special characters. In Windows 11 24H2, there is another setting called Uppercase letters + lowercase letters + numbers + special characters (improved readability added) .

This variant omits characters that are easily confused with one another, for example 0 and O, so that a password read from the console or over the phone is less likely to be mistyped.

The main innovation here, however, is support for passphrases: a sequence of several randomly chosen words. The strength comes from the number of words rather than from mixing character classes, so the result is longer than a conventional password but far easier to read out and type.

In addition to passwords consisting of letters, numbers and special characters, LAPS also allows the use of passphrases.

LAPS provides variants with short and long words, optionally supplemented by a prefix. It takes the words from the Electronic Frontier Foundation's Diceware-style word lists, which, as expected, contain only English terms. You can download the list from Microsoft's website to view it, but you cannot change the words used.

By default, LAPS uses six words for a passphrase, but this value can be increased to a maximum of 10. The minimum is three words.

In addition to the password length, this policy also allows you to adjust the number of words in a passphrase.
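The following script is an added example, not code from the article, that puts a number on the word-count setting before applying it. It assumes that the complexity codes 6, 7 and 8 select the long-word, short-word and short-word-with-prefix variants and that PassphraseLength holds the word count (both per the LAPS.admx mapping under HKLM\Software\Microsoft\Policies\LAPS; verify on your build), and that the long variant draws from the EFF long list (7776 words) while the short variants draw from an EFF short list (1296 words). The prefix in variant 8 is not counted as entropy.

```powershell
# Added example (not from the original article). Complexity codes, the PassphraseLength
# value name and the word-list sizes are assumptions stated in the lead-in.

$PolicyKey = 'HKLM:\Software\Microsoft\Policies\LAPS'

# PasswordComplexity codes (assumption; check LAPS.admx)
$Complexity = @{
    Readable           = 5   # upper + lower + digits + specials, ambiguous glyphs removed
    PassphraseLong     = 6
    PassphraseShort    = 7
    PassphraseShortPfx = 8   # short words plus a unique prefix
}
# Word-list size per passphrase code (EFF long list = 7776, EFF short list = 1296)
$ListSize = @{ 6 = 7776; 7 = 1296; 8 = 1296 }

function Get-PassphraseEntropyBits {
    param([int]$Words, [int]$WordListSize)
    # Each word is an independent uniform draw: bits = words * log2(list size).
    [math]::Round($Words * [math]::Log($WordListSize, 2), 1)
}

function Set-LapsPassphrasePolicy {
    param(
        [ValidateSet('PassphraseLong', 'PassphraseShort', 'PassphraseShortPfx')]
        [string]$Variant = 'PassphraseLong',
        [ValidateRange(3, 10)] [int]$Words = 6,   # LAPS accepts 3..10, default 6
        [double]$MinBits = 60                     # local bar: refuse weaker policies
    )
    $code = $Complexity[$Variant]
    $bits = Get-PassphraseEntropyBits -Words $Words -WordListSize $ListSize[$code]
    if ($bits -lt $MinBits) {
        throw "$Variant with $Words words gives ~$bits bits; raise the word count (bar here is $MinBits bits)"
    }
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    New-ItemProperty -Path $PolicyKey -Name PasswordComplexity -Value $code  -PropertyType DWord -Force | Out-Null
    New-ItemProperty -Path $PolicyKey -Name PassphraseLength   -Value $Words -PropertyType DWord -Force | Out-Null
    "$Variant, $Words words, ~$bits bits"
}

# What each allowed word count is worth for the two list sizes.
3..10 | ForEach-Object {
    [pscustomobject]@{
        Words     = $_
        LongBits  = Get-PassphraseEntropyBits -Words $_ -WordListSize 7776
        ShortBits = Get-PassphraseEntropyBits -Words $_ -WordListSize 1296
    }
} | Format-Table -AutoSize

# Usage: six long words (~77.5 bits). Three short words (~31 bits) would be rejected.
Set-LapsPassphrasePolicy -Variant PassphraseLong -Words 6
```

The table makes the trade-off concrete: the LAPS minimum of three short words is about 31 bits, which is far below the default 14-character random password, while six long words land at roughly 77 bits. Pick the variant for readability, but pick the word count for entropy.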

Detection of rollbacks

If you reset a computer to an earlier state, either with the corresponding Windows function or by reverting a VM to a snapshot, the local password reverts with it. If LAPS rotated the password after that point in time, AD holds the newer password while the machine again expects the older one, so the password you retrieve from AD no longer works.

LAPS now has a mechanism to detect such an event. With each password backup it writes a random GUID to the AD attribute msLAPS-CurrentPasswordVersion on the computer object and also stores it on the local computer.

If the two GUIDs do not match, Windows has evidently been reset to an earlier state. In that case LAPS does not wait for the regular expiration but immediately generates a new password and backs it up to AD.

However, to use this feature you must extend the Active Directory schema, because the attribute does not exist in the schema that the 2023 release of Windows LAPS installed. This is done with the Update-LapsADSchema cmdlet, which you must run as a member of the Schema Admins group. No separate policy setting is needed to activate rollback detection afterwards.
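The following script is an added example and not from the article. It checks whether the forest schema already carries msLAPS-CurrentPasswordVersion, extends the schema if not (refusing early when the current token is not a Schema Admin), and then reads the version a client has recorded on its computer object before and after a forced rotation. Assumptions: the attribute's lDAPDisplayName is exactly the one named above; its value is a GUID, which AD may hand back as a 16-byte array or as a string (both are handled); and every rotation writes a fresh value. It needs the ActiveDirectory and LAPS PowerShell modules.

```powershell
# Added example (not from the original article). Attribute name, GUID storage format and
# "new value per rotation" are assumptions stated in the lead-in.

Import-Module ActiveDirectory

function Test-LapsRollbackSchema {
    # Look for the attribute definition in the schema naming context.
    $schemaNc = (Get-ADRootDSE).schemaNamingContext
    $attr = Get-ADObject -SearchBase $schemaNc -LDAPFilter '(lDAPDisplayName=msLAPS-CurrentPasswordVersion)'
    [bool]$attr
}

function Update-LapsRollbackSchema {
    if (Test-LapsRollbackSchema) { return 'Schema already has msLAPS-CurrentPasswordVersion' }

    # Update-LapsADSchema fails without Schema Admins; check the token first for a clear error.
    $groups = (whoami /groups /fo csv | ConvertFrom-Csv).'Group Name'
    if (-not ($groups | Where-Object { $_ -like '*\Schema Admins' })) {
        throw 'Current token is not a member of Schema Admins; rerun as a schema admin'
    }

    Update-LapsADSchema -Verbose
    if (-not (Test-LapsRollbackSchema)) { throw 'Schema update did not add msLAPS-CurrentPasswordVersion' }
    'Schema extended'
}

function Get-LapsPasswordVersion {
    param([Parameter(Mandatory)] [string]$ComputerName)
    # Throws if the schema has not been extended yet, which is itself a useful signal.
    $c   = Get-ADComputer -Identity $ComputerName -Properties 'msLAPS-CurrentPasswordVersion'
    $raw = $c.'msLAPS-CurrentPasswordVersion'
    if ($null -eq $raw) { return $null }   # empty: client is not on 24H2 or has not rotated since the schema update
    if ($raw -is [byte[]] -and $raw.Length -eq 16) { return [guid]::new($raw) }
    return [string]$raw
}

# Usage, run on a 24H2 client after the schema update: expire the current password,
# force a policy cycle, and confirm the version recorded in AD moved with the rotation.
Update-LapsRollbackSchema
$before = Get-LapsPasswordVersion -ComputerName $env:COMPUTERNAME
Set-LapsADPasswordExpirationTime -Identity $env:COMPUTERNAME   # no -WhenEffective: expires now
Invoke-LapsPolicyProcessing
$after = Get-LapsPasswordVersion -ComputerName $env:COMPUTERNAME
[pscustomobject]@{ Before = $before; After = $after; Rotated = ($before -ne $after) }
```

A null version on a machine that has clearly rotated since the schema change means the client is not producing the attribute at all, typically because it is still on a release older than 24H2; rollback detection then silently does nothing for that computer.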

Summary

With Windows 11 24H2, Microsoft is enhancing the central management of local passwords with LAPS with some interesting features.

This primarily involves automatically generating the relevant account, and you can add a random suffix to its name if you wish. This changes with each password update.

To make passwords easier to read, you can now exclude ambiguous characters from the complexity settings. Alternatively, you can use passphrases, which are longer, at least as strong with enough words, and far easier to remember and type.

Finally, LAPS now detects when a computer has been reset to an earlier state and the password stored in AD therefore no longer matches the machine. In that case it automatically generates a new password instead of leaving admins locked out. This requires an extension of the AD schema.
