Great overview! Only thing missing is what to do for those of us who are already using the Legacy LAPS option and how to migrate without causing issues.
Legacy LAPS to Windows LAPS sounds like a good follow up video...I'll look into it 🤔👍
@4:24 - "click next & create your policy" ??????
what about "Scope Tags" & Assignments?
what about them?
Can't be more objective, clear and to the point than this.
Thanks!
A very good description, well done. I have a question: how can I delegate the reading of passwords to a group that deals with technical support for PCs in AD?
YES YOU CAN! There are already 3 built in roles that can read the LAPS Passwords.
Cloud Device Admin, Global Admin, Intune Admin.
Or you can create a custom role and assign the microsoft.directory/deviceLocalCredentials/password/read permission to that group.
Search for microsoft.directory/deviceLocalCredentials/password/read in this doc for those details 👉learn.microsoft.com/en-us/azure/active-directory/roles/permissions-reference
@@AzureAcademy ok, this solution is for Azure AD, but for on-premises AD how can I delegate?
So you are doing AD managed Windows LAPS or legacy LAPS?
On the AD side the domain admins can view the passwords by default
learn.microsoft.com/en-us/powershell/module/laps/set-lapsadreadpasswordpermission?view=windowsserver2022-ps
learn.microsoft.com/en-us/powershell/module/laps/find-lapsadextendedrights?view=windowsserver2022-ps
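As an added example (not from the video or the reply above), this is what the AD-side delegation the two linked cmdlets describe looks like end to end: audit who can already read the stored passwords under an OU, grant a helpdesk group read access, verify it, and then read one machine's password as that group would. The OU path, group name and computer name are placeholders; the cmdlets are from Microsoft's LAPS PowerShell module that ships with Windows LAPS.

```powershell
# Added example: delegate read access to Windows LAPS passwords stored in Active Directory.
# Run from a host with the LAPS PowerShell module (Windows Server 2022 / Windows 11 with Windows
# LAPS) as an account allowed to modify the OU's ACL. OU, group and computer names are placeholders.

$workstationOU = 'OU=Workstations,DC=contoso,DC=com'
$helpDeskGroup = 'CONTOSO\PC-Support'

# 1. Who can read the LAPS password today? Domain Admins have it by default; this lists every
#    principal holding the extended right on the OU (and the computer objects that inherit it).
Find-LapsADExtendedRights -Identity $workstationOU |
    Format-Table ObjectDN, ExtendedRightHolders -AutoSize

# 2. Grant the helpdesk group READ on the LAPS password attributes for every computer object
#    under the OU. This is read-only; the ability to expire/reset the password is a separate
#    permission, granted with Set-LapsADResetPasswordPermission, which we deliberately do not give.
Set-LapsADReadPasswordPermission -Identity $workstationOU -AllowedPrincipals $helpDeskGroup

# 3. Verify the grant landed on the OU.
Find-LapsADExtendedRights -Identity $workstationOU |
    Where-Object { $_.ExtendedRightHolders -contains $helpDeskGroup } |
    ForEach-Object { "Read delegated to $helpDeskGroup on $($_.ObjectDN)" }

# 4. What a helpdesk member then runs for one machine. Without -AsPlainText the Password
#    property is a SecureString; only use -AsPlainText at the moment the password is needed.
Get-LapsADPassword -Identity 'PC01' -AsPlainText |
    Select-Object ComputerName, Account, Password, PasswordUpdateTime, ExpirationTimestamp
```

Scope the delegation to the OU that holds the workstations the group actually supports rather than the domain root; a group that can read every machine's local admin password, including Tier 0 hosts, is the lateral-movement shortcut LAPS is meant to remove.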
Hi and thanks for the guide.
I have one followup question regarding LAPS. Is it good practice to login with your domain account (as standard user) to a machine and then use runas as the local administrator account with LAPS when you need to use local admin?
Or do you need to login with the Local administrator account for this to be best practice?
Thanks
That depends on what you need to do. What are your tasks?
Great video, it has explained a couple of things I didn't understand. One issue I have is that we're not fully transitioned to Azure AD joined devices managed by Intune yet. We have AD DS hybrid devices using LAPS via a Group Policy setup, but we also have AAD joined devices managed by Intune. If I turn on LAPS in Azure AD, then how will this affect my hybrid devices managed by both Group Policy and Intune? I've read somewhere that the hybrid devices managed by Intune will use Azure AD LAPS and ignore any Group Policy configuration they may receive. Is that correct?
If you are using a non-Azure AD version of LAPS, nothing changes.
If you enable Azure AD LAPS, the question is: enable it for which scenario?
Intune could use the new LAPS while hybrid uses the older LAPS.
Nice video thanks! Do we need to use Intune at all? We have Entra ID managed ADDS - can we just deploy a GPO with the LAPS settings and have the passwords stored in Entra ID? Would we even need to turn on LAPS in Entra if we did it this way?
As I mentioned in the video you can totally do this updated version of LAPS with Active Directory and GPOs, then choose to store the passwords in AD or Entra ID
As usual great video Dean !
One question: I tried to activate it on pooled AVD VMs, joined to Azure AD.
I did all the configuration (Azure AD + Intune) but I do not see the "local admin password" menu.
Do I have to wait?
Intune doesn’t ever do anything fast. On 1 of my computers it was available right away but on others I had to wait up to 15 minutes to see the password
@@AzureAcademy haha you are right :)
But the "local admin password" menu is still not available, even a few hours later.
Only Azure AD LAPS activation and the Password Protection profile are needed, right?
Or do AVD VMs (22H2) only joined to Azure AD not support that feature?
LAPS is a Windows VM feature, so it works on all modern Windows VMs, even AVD VMs. Check Azure AD (Entra ID) devices to see if the password is there.
Like I said Intune doesn’t do anything fast
We don't currently use Intune or Azure features to manage our on-prem devices. Are there any "legacy" videos you've made? I would like to start with the local LAPS first without destroying anything in prod.
There is a legacy / AD GPO way to implement LAPS and manage it from Active Directory that has been available for many years.
This is the docs link and has multiple videos embedded in it to help you
learn.microsoft.com/en-us/windows-server/identity/laps/laps-overview
Thank You, simple in viewing but lots of details. Good job :)
Glad you liked it
Have you made a video yet on creating a simple cloud network for a small business with 15 users?
How much Azure prowess would one need?
How much one needs will depend on what that simple cloud network for a small business will be doing.
I would watch one of my original videos on Azure Networking to get started th-cam.com/video/uGePuL5wPX0/w-d-xo.html After that the more you can tell me of what you will be doing the more I can help 😉
Hi, I got a couple of questions.
We are currently testing Windows LAPS.
When I turn it on and create a policy, do Windows LAPS passwords start working automatically on all our devices?
We want to test this first for a few weeks and tweak it on just a limited number of devices. I did not see you assign this to a group or anything.
Also, we use both Azure AD joined and hybrid-joined AD devices as we slowly transition all devices off classic AD.
Is it possible to use Windows LAPS on both? Simultaneously?
As long as you have the right version of Windows and the LAPS agent is installed, then you just need to apply your policies. Can you use both simultaneously? Yes and no. 🤔
YES you can have both running in your company.
NO, any single device can only have one of the LAPS policies at a time.
I have a customer site; they have LAPS enabled. I was asked to configure Azure SMB file shares + a private endpoint via site-to-site connectivity, and also to enable local AD authentication. The work is done. The question is, as you know, during the local AD bind with the Azure file share it creates an Active Directory object (computer account) in the local AD, so if I right-click that I can see the LAPS tab. So, as you say, is there any password expiration happening, and will it break the Azure authentication link?
LAPS is configurable to change the password when you want. I would put this computer object into its own OU and not allow LAPS to reset the password at all, so you don't interfere with the Azure share.
I have a question: if you have an on-prem environment and the user takes their own laptop to work from home, obviously they don't have a connection to the DC. Can I still use the local password? What would happen when the expiry date arrives? I really love your video, thank you.
Yes you can use the local password, but what I think you are REALLY asking is if the password will still get rotated…the answer is MAYBE 🤣
If the laptop at home is online, then it can communicate with Azure AD, and possibly with AD depending on how AD is set up and/or if you have a VPN. But if you are using Azure AD and the device can talk to Azure AD, it will.
Make sense?
Thanks for the great video. LAPS was (IMHO) always clunky and tricky to setup.
Your method - and the improvements made - look like a good walk way to get things straightened out.
Thx!
Awesome, thanks!
If I have multiple DCs running Windows Server 2016 but one is 2012, will LAPS still function effectively in this environment?
LAPS in general will be OK because it is based on the domain / forest functional level.
However… your 2012 server is no longer supported, and any LAPS client interacting with the 2012 server will have a diminished or non-existent experience.
I suggest the 2012 server should be deprecated and replaced with a newer version so you can remain fully supported.
Against ransomware, will LAPS or PAW be helpful?
Yes, it would… but it depends on the type of ransomware.
LAPS sets each computer with a different local admin password.
So the bad guys can’t do lateral traversal attacks.
Does it require a certain license for Azure AD, like E5, to let Intune work, or doesn't it matter?
Nope, no license, no cost… just free added security ☺️
Thank you so much, and one more question: if I have a main AD on Windows Server 2012 R2 and another AD VM on Windows Server 2019, will this work?
2012 will not, 2019 will.
learn.microsoft.com/en-us/windows-server/identity/laps/laps-overview#windows-laps-supported-platforms-and-azure-ad-laps-preview-status
And you should watch my video on server 2012 / domain controller upgrades
th-cam.com/video/GHm5ah7Wulo/w-d-xo.htmlsi=DaiM_-aS5JME0s5y
Hi, I would like to ask if there is a way to prove LAPS changed its password, like an event log on both the host machine and in AAD that will show they are correlated or linked?
First off, when you look at the user's local admin password, the portal does show the date/time the password was updated; then it is also in the audit logs, which I showed at 7:40 in the video.
thank you very much! @@AzureAcademy
Anytime
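As an added example (not from the video or the replies above), one way to answer the "prove it rotated" question with evidence from both ends: the device keeps its own record of every LAPS run in the Microsoft-Windows-LAPS/Operational event log, and the directory records when the backed-up password was last updated. The two timestamps should agree. The computer name is a placeholder, and the two "success" event IDs are my expectation for a completed AD / Entra ID backup, not something the page states, so the filter also matches on message text and you should confirm the IDs against your own log.

```powershell
# Added example: confirm that Windows LAPS actually rotated a machine's local admin password by
# correlating the device's LAPS event log with the update time recorded in Active Directory.
# Computer name is a placeholder. Event IDs 10018/10029 are an ASSUMPTION (AD backup success /
# Entra ID backup success as I expect them); the Message match is the safer signal.

$computer = 'PC01'

# --- On the device --------------------------------------------------------------------------
$deviceEvents = Invoke-Command -ComputerName $computer -ScriptBlock {
    # Uncomment to force a rotation right now so there is a fresh event to correlate:
    # Reset-LapsPassword

    Get-WinEvent -LogName 'Microsoft-Windows-LAPS/Operational' -MaxEvents 50 |
        Select-Object TimeCreated, Id, LevelDisplayName, Message
}

$assumedSuccessIds = 10018, 10029
$lastRotation = $deviceEvents |
    Where-Object { $_.Id -in $assumedSuccessIds -or $_.Message -match 'successfully updated' } |
    Sort-Object TimeCreated -Descending |
    Select-Object -First 1

if (-not $lastRotation) { throw "No successful LAPS backup event found on $computer" }
"Device side: last successful backup at $($lastRotation.TimeCreated) (event $($lastRotation.Id))"

# Any error-level LAPS events since then are the first thing to read if the timestamps disagree.
$deviceEvents |
    Where-Object { $_.LevelDisplayName -eq 'Error' -and $_.TimeCreated -ge $lastRotation.TimeCreated } |
    Format-Table TimeCreated, Id, Message -Wrap

# --- In the directory -----------------------------------------------------------------------
# Timestamps only; no -AsPlainText, so the password itself stays a SecureString and is not shown.
$stored = Get-LapsADPassword -Identity $computer
"AD side: PasswordUpdateTime = $($stored.PasswordUpdateTime), expires $($stored.ExpirationTimestamp)"

# --- Correlate: the directory write should land within minutes of the device event ----------
$skewMinutes = [math]::Abs(($stored.PasswordUpdateTime - $lastRotation.TimeCreated).TotalMinutes)
if ($skewMinutes -le 5) {
    "OK: device event and directory update agree (skew $([int]$skewMinutes) min)"
} else {
    "WARNING: timestamps differ by $([int]$skewMinutes) min; check AD replication or a failed backup"
}
```

For Entra ID backed-up passwords the directory-side timestamp comes from Get-LapsAADPassword (PasswordUpdateTime) instead of Get-LapsADPassword; the device-side half of the check is identical.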
What if the local admin on the PC is disabled, will it still work? Or does it need to be enabled manually? What if during setup Windows created a new local admin, how do I assign it? And how do I prevent the local admin account from being auto-removed from the admin groups when joined to the domain?
The local admin is disabled… in Azure the user named ADMINISTRATOR IS ALWAYS disabled.
However, every VM you build has a local admin that you set up.
Why would you want that account disabled?
You should ALWAYS have a local admin account so you can get in if the domain relationship or the cloud join is broken.
When a newly set up PC creates another admin account, can this be done via LAPS on-prem with the new admin account?
Ok
How does Windows LAPS handle disabling and trying to use a new custom local admin account? Can you just create a new local admin account with a new name and then give it the name in the Windows LAPS policy? You don't need an Azure AD account, correct? You just need to create a new local admin account, push it to the PCs and then give it the name in the Windows LAPS policy to tag it and manage it, correct?
1. Yes, you can create a new local admin account and keep it out of LAPS control or have LAPS protect it.
2. No, an Azure AD account is not required; LAPS is a Windows / local admin thing.
3. Yup, that's how ya do it!
How can the end user see his password when he needs it? Do we need to use the new PowerShell LAPS module and read it from Microsoft Graph? Thanks
Remember, LAPS secures the local admin password, not the users' passwords. The PowerShell module does read from the Microsoft Graph API, or you can use Active Directory or Intune to see the password.
@@AzureAcademy sorry, I thought when a standard user who is not a local admin on the machine needs to install something, in that case the standard user would retrieve his local administrator password from Azure AD somehow? We have that in our on-prem environment: each standard user can get his local administrator password from AD (an .exe app which uses the PowerShell cmdlet in the background). Also we have an ACL configured on each computer object so only the owner of the computer object can see the local admin password for that computer.
"Retrieving Windows LAPS passwords stored in Azure Active Directory is supported by using Microsoft Graph. Windows LAPS includes a PowerShell cmdlet (Get-LapsAADPassword) that's a wrapper around the Microsoft Graph PowerShell library."
No, we don't want a standard user to EVER have the local admin password. If we want them to have admin rights at all, we'd give them to them.
Correct. There are several ways to get the password, depending on what tools you want to use.
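As an added example (not from the video or the thread above), this is the Graph path the quoted doc text describes, carried through: sign in with the two delegated scopes the wrapper needs, resolve the device's Entra device ID from its display name, read the rotation metadata without exposing the secret, and only then pull the password (with history, for a machine restored from an older image). The device name is a placeholder; the caller must hold a role carrying microsoft.directory/deviceLocalCredentials/password/read, such as Cloud Device Administrator, as noted earlier in the thread.

```powershell
# Added example: read a Windows LAPS password backed up to Entra ID (Azure AD) through the
# Get-LapsAADPassword wrapper over Microsoft Graph.
# Requires the Microsoft.Graph PowerShell module and the LAPS module. Device name is a placeholder.

Import-Module Microsoft.Graph.Authentication
Import-Module Microsoft.Graph.Identity.DirectoryManagement

# Delegated sign-in with the scopes the wrapper needs: device lookup + local credential read.
# (DeviceLocalCredential.ReadBasic.All is enough if you only ever want the metadata.)
Connect-MgGraph -Scopes 'Device.Read.All', 'DeviceLocalCredential.Read.All'

$deviceName = 'PC01'

# Get-LapsAADPassword takes the Entra *device ID* (the deviceId attribute), not the directory
# object ID, so resolve the display name first and refuse to guess if the name is ambiguous.
$device = Get-MgDevice -Filter "displayName eq '$deviceName'" -Property Id, DeviceId, DisplayName
if (-not $device)              { throw "No Entra device named '$deviceName'" }
if (@($device).Count -gt 1)    { throw "Multiple devices named '$deviceName'; select one by DeviceId" }

# 1. Metadata only: confirms LAPS is backing up and when it last rotated, without exposing anything.
Get-LapsAADPassword -DeviceIds $device.DeviceId |
    Select-Object DeviceName, Account, PasswordUpdateTime, PasswordExpirationTime

# 2. The actual password for a support session. -IncludeHistory returns earlier passwords too,
#    which is what you need for a device restored from a backup taken before the latest rotation.
Get-LapsAADPassword -DeviceIds $device.DeviceId -IncludePasswords -IncludeHistory -AsPlainText |
    Format-Table DeviceName, Account, Password, PasswordUpdateTime -AutoSize

Disconnect-MgGraph
```

Every call to step 2 lands in the Entra audit log, which is the trail the earlier reply points at: if a helpdesk tool wraps this for users, that log, not the tool, is what tells you who read which machine's password.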
Is Windows Server 2016 supported for LAPS on premises?
Nope! Here is the supported OS list:
learn.microsoft.com/en-us/entra/identity/devices/howto-manage-local-admin-passwords#operating-system-updates
Do you know what happens if you don't enable Windows LAPS in Azure AD > Device Settings, but still create the policy in Intune?
Yes… it works ☺️ LOL. The question is, are your devices hybrid managed? If they are, then you can choose to manage the passwords from AD or Azure AD. If you are only using traditional domain join, then you can't use the new Windows LAPS.
So informative! Thanks so much ❤
Thanks for watching
Question: if a computer is deleted, can Windows LAPS recover the local admin password to join it back to the domain?
If you have not deleted the AD / Azure AD device object… yes.
Can anyone confirm what the minimum on-prem server version must be? I'm seeing Server 2019, does this mean domain functional level of server 2019 too (if correct)?
I didn't see that you needed to be on the 2019 domain functional level in the docs, but server version 2019, because you need certain Windows components to make LAPS work.
May I ask if this needs Intune?
It does not require Intune.
You can use traditional Active Directory or Entra ID
Awesome
You made it so simple.
Thanks ☺️
Thanks for watching!
Can we apply the new MS LAPS to a subgroup of privileged computers, like linking the policy to an AU? The goal is to segregate who can access the passwords of that admin-machine subset (Tier 0).
Great Question Adria, YES YOU CAN! In the Intune policy you can assign a specific group of devices to your policy then have another policy for another group of computers.
On the AD side...same thing, but you control it by GPO and the OU / Sub-OUs where the GPO is assigned.
Hello Dean, we have often been facing the Azure Virtual Desktop login issue "the two computers couldn't connect in the amount of time allotted". Please suggest if there is any possible solution.
I have seen that error when someone tries to connect to an AVD session host with the native Windows RDP client. If you are, you should be using the AVD client instead. Make sure you have the latest version too. Also, what version of Windows are your session hosts?
@@AzureAcademy we are using Windows 10 version 21H2. Also, we are trying to connect to the session host via the AVD client, the latest one (1.2.4240).
Thanks for that... is this happening on all your pools or just one?
Also, do the users who have the issue have another pool that they can log into without issue?
Third, are you trying to use Single Sign-On? If so, how are you joined? AD, hybrid or Azure AD?
@@AzureAcademy thanks for asking. 1. The issue is randomly happening across the pool; however, going by the numbers, most of the issues come from one particular pool. 2. Users don't have access to another pool, never tried. 3. Yes, we are using SSO and it's hybrid.
Did you set up Azure AD Kerberos?
Does this require Intune?
No, it does not. You can use Entra ID by itself or with Active Directory.
Phenomenal tutorial. Thank you.
Glad you liked it!
As usual great video, thanks for sharing.
Awesome! Thanks
Can LAPS also allow you to create an admin account?
If you mean use the admin account name feature to create the local admin account, I don't think so. You create the account when you build the device or the image.
Do you need to deploy agents to handle this LAPS?
Just like I showed in the video… it just works!
LAPS attributes are always empty, and so are the LAPS tab passwords... this is a very confusing and scuffed deployment; even from 10 different sources it still does not work.
…are you using a supported operating system?
we all know that was you curling those plates..
Yes…yes it was 🏋️♂️
Hi, I have a query for my support case where the Cx has set up Windows LAPS on the DC to give read-only permissions to the helpdesk group. But what happened was they were able to see the "expire now" button under the LAPS dialog box. What can we do to disable it? Checked the GPO for LAPS but saw no issue.
Where do you see the "expire now" that you want to prevent the help desk from seeing… in Azure or in Active Directory?
@@AzureAcademy in AD, where the Windows LAPS "expire now" button for the computer is not greyed out. Is it default behavior? I did not see any GPO for this to be disabled.
That is the default behavior; there are no roles at this time that are more restrictive.
@@AzureAcademy 😊Thanks for the information
Anytime