Great overview! Only thing missing is what to do for those of us who are already using the Legacy LAPS option and how to migrate without causing issues.
Thanks for the great video. LAPS was (IMHO) always clunky and tricky to set up. Your method, and the improvements made, look like a good way to get things straightened out. Thx!
Hi, I got a couple of questions. We are currently testing Windows LAPS. When I turn it on and create a policy, do Windows LAPS passwords start automatically working on all our devices? We want to test this first for a few weeks and tweak it on just a limited number of devices. I did not see you assign this to a group or anything. Also, we use both Azure-joined and hybrid-joined AD devices as we slowly transition all devices off classic AD. Is it possible to use Windows LAPS on both simultaneously?
As long as you have the right version of Windows and the LAPS agent is installed, you just need to apply your policies. Can you use both simultaneously? Yes and no. 🤔 YES, you can have both running in your company. NO, any single device can only have one of the LAPS policies at a time.
A very good description, well done. I have a question: how can I delegate the reading of passwords to a group that deals with technical support for PCs in AD?
YES YOU CAN! There are already 3 built-in roles that can read the LAPS passwords: Cloud Device Admin, Global Admin, Intune Admin. Or you can create a custom role and assign the microsoft.directory/deviceLocalCredentials/password/read permission to that group. Search for microsoft.directory/deviceLocalCredentials/password/read in this doc for those details 👉 learn.microsoft.com/en-us/azure/active-directory/roles/permissions-reference
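The custom-role route described in the reply above, written out as an added example (this is not code from the video or from Microsoft): it creates a directory role holding only the LAPS credential read actions, assigns it to a helpdesk group, and then audits which roles in the tenant (built-in or custom) can release LAPS passwords at all. It needs the Microsoft Graph PowerShell SDK; the group name, role name and the administrative-unit remark are assumptions.

```powershell
# Added example, not from the video: delegate Windows LAPS password reads in
# Entra ID to a helpdesk group through a custom directory role, then audit
# which roles (built-in or custom) can read LAPS passwords tenant-wide.
# Requires the Microsoft.Graph PowerShell SDK. Group and role names are hypothetical.
Import-Module Microsoft.Graph.Groups
Import-Module Microsoft.Graph.Identity.Governance
Connect-MgGraph -Scopes 'RoleManagement.ReadWrite.Directory', 'Group.Read.All'

$roleName  = 'LAPS Password Reader'          # hypothetical
$groupName = 'Helpdesk-LAPS-Readers'         # hypothetical
$lapsRead  = 'microsoft.directory/deviceLocalCredentials/password/read'

$group = Get-MgGroup -Filter "displayName eq '$groupName'"
if (-not $group) { throw "Group '$groupName' not found" }

# Create the custom role once. standard/read lets the holder see the credential
# metadata (account name, rotation time); password/read releases the password
# itself. Nothing else is granted (no device delete, no BitLocker keys).
$role = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq '$roleName'"
if (-not $role) {
    $role = New-MgRoleManagementDirectoryRoleDefinition `
        -DisplayName $roleName `
        -Description 'Read Windows LAPS local admin passwords stored in Entra ID' `
        -IsEnabled:$true `
        -RolePermissions @(
            @{ AllowedResourceActions = @(
                'microsoft.directory/deviceLocalCredentials/standard/read',
                $lapsRead
            ) }
        )
}

# Assign it to the group at tenant scope ('/'). To limit the helpdesk to a
# subset of devices, place those devices in an administrative unit and pass
# -DirectoryScopeId "/administrativeUnits/<AU object id>" instead (assumption:
# your devices are already grouped into AUs).
$existing = Get-MgRoleManagementDirectoryRoleAssignment `
    -Filter "roleDefinitionId eq '$($role.Id)' and principalId eq '$($group.Id)'"
if (-not $existing) {
    New-MgRoleManagementDirectoryRoleAssignment -RoleDefinitionId $role.Id `
        -PrincipalId $group.Id -DirectoryScopeId '/' | Out-Null
}

# Audit: every role definition that grants the password read action, and who
# holds each one. The reply above names Global Administrator, Cloud Device
# Administrator and Intune Administrator as the built-in holders; anything
# else in this list is a delegation someone added.
$readers = Get-MgRoleManagementDirectoryRoleDefinition -All |
    Where-Object { $_.RolePermissions.AllowedResourceActions -contains $lapsRead }
foreach ($r in $readers) {
    $assignments = Get-MgRoleManagementDirectoryRoleAssignment -Filter "roleDefinitionId eq '$($r.Id)'" -All
    [pscustomobject]@{
        Role       = $r.DisplayName
        BuiltIn    = $r.IsBuiltIn
        Principals = ($assignments.PrincipalId -join ', ')
        Scopes     = (($assignments.DirectoryScopeId | Sort-Object -Unique) -join ', ')
    }
}
```

The audit loop is the part worth keeping around: run it periodically and diff the output, because a LAPS password reader is effectively a local administrator on every device in scope.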
So are you doing AD-managed Windows LAPS or legacy LAPS? On the AD side the domain admins can view the passwords by default. learn.microsoft.com/en-us/powershell/module/laps/set-lapsadreadpasswordpermission?view=windowsserver2022-ps and learn.microsoft.com/en-us/powershell/module/laps/find-lapsadextendedrights?view=windowsserver2022-ps
Nice video, thanks! Do we need to use Intune at all? We have Entra ID-managed AD DS; can we just deploy a GPO with the LAPS settings and have the passwords stored in Entra ID? Would we even need to turn on LAPS in Entra if we did it this way?
As I mentioned in the video, you can totally do this updated version of LAPS with Active Directory and GPOs, then choose to store the passwords in AD or Entra ID.
As usual, great video Dean! One question: I tried to activate it on pooled AVD VMs joined to Azure AD. I did all the configuration (Azure AD + Intune) but I do not see the "local admin password" menu. Do I have to wait?
Intune doesn't ever do anything fast. On one of my computers it was available right away, but on others I had to wait up to 15 minutes to see the password.
@AzureAcademy haha, you are right :) But the "local admin password" menu is still not available even a few hours later. Only the Azure AD LAPS activation and the Password Protection profile are needed, right? Or do AVD VMs (22H2) that are only joined to Azure AD not support that feature?
LAPS is a Windows VM feature, so it works on all modern Windows VMs, even AVD VMs. Check Azure AD (Entra ID) devices to see if the password is there. Like I said, Intune doesn't do anything fast.
Great video, it has explained a couple of things I didn't understand. One issue I have is that we're not fully transitioned to Azure AD-joined devices managed by Intune yet. We have AD DS hybrid devices using LAPS via a Group Policy setup, but we also have AAD-joined devices managed by Intune. If I turn on LAPS in Azure AD, how will this affect my hybrid devices managed by both Group Policy and Intune? I've read somewhere that the hybrid devices managed by Intune will use Azure AD LAPS and ignore any Group Policy configuration they may receive. Is that correct?
If you are using a non-Azure AD version of LAPS, nothing changes. If you enable Azure AD LAPS, the question is: enable it for which scenario? Intune could use the new LAPS while hybrid uses the older LAPS.
I have a question: if you have an on-prem environment and the user takes their own laptop to work from home, obviously they don't have a connection to the DC. Can I still use the local password? What would happen when the expiry date arrives? I really love your video, thank you.
Yes, you can use the local password, but what I think you are REALLY asking is whether the password will still get rotated... the answer is MAYBE 🤣 If the laptop at home is online, then it can communicate with Azure AD, and possibly AD depending on how AD is set up and/or if you have a VPN. But if you are using Azure AD and the device can talk to Azure AD, it will. Make sense?
We now don't use Intune or Azure features to manage our on-prem devices, is there any "legacy" videos you've made? I would like to start with the local LAPS first without destroying anything in prod now.
There is a legacy / AD GPO way to implement LAPS and manage it from Active Directory that has been available for many years. This is the docs link, and it has multiple videos embedded in it to help you: learn.microsoft.com/en-us/windows-server/identity/laps/laps-overview
Yes it would... but it depends on the type of ransomware. LAPS sets each computer with a different local admin password, so the bad guys can't do lateral traversal attacks.
How much one needs will depend on what that simple cloud network for a small biz will be doing. I would watch one of my original videos on Azure Networking to get started: ru-vid.com/video/%D0%B2%D0%B8%D0%B4%D0%B5%D0%BE-uGePuL5wPX0.html After that, the more you can tell me about what you will be doing, the more I can help 😉
I have a customer site; they have LAPS enabled. I was asked to configure Azure SMB file shares + private endpoint via site-to-site connectivity, and also to enable local AD authentication. The work is done. The question is: as you know, during the local AD bind with the Azure file share, it creates an Active Directory object (computer account) in the local AD. If I right-click that, I can see the LAPS tab. So, as you say, is there any password expiration happening, and will it break the Azure authentication link?
LAPS is configurable to change the password when you want. I would put this computer object into its own OU and not allow LAPS to reset the password at all, so you don't interfere with the Azure share.
LAPS in general will be OK because it is based on the domain / forest functional level. However... your 2012 server is no longer supported, and any LAPS client interacting with the 2012 server will have a diminished or non-existent experience. I suggest the 2012 server should be deprecated and replaced with a newer version so you can remain fully supported.
How does Windows LAPS handle disabling and trying to use a new custom local admin account? Can you just create a new local admin account with a new name and then give it the name in the Windows LAPS policy? You don't need an Azure AD account, correct? You just need to create a new local admin account, push it to the PCs, and then give it the name in the Windows LAPS policy to tag it and manage it, correct?
1. Yes, you can create a new local admin account and keep it out of LAPS control or have LAPS protect it. 2. No, an Azure AD account is not required; LAPS is a Windows / local admin thing. 3. Yup, that's how ya do it!
What if the local admin on the PC is disabled, will it still work, or does it need to be enabled manually? What if, during setup, Windows created a new local admin; how do I assign it? And how do I prevent the local admin account from being auto-removed from the admin groups when joined to the domain?
The local admin is disabled... in Azure the user named ADMINISTRATOR IS ALWAYS disabled. However, every VM you build has a local admin that you set up. Why would you want that account disabled? You should ALWAYS have a local admin account so you can get in if the domain relationship or the cloud join is broken.
Yes... it works ☺️ LOL. The question is, are your devices hybrid managed? If they are, then you can choose to manage the passwords from AD or Azure AD. If you are only using traditional domain join, then you can't use the new Windows LAPS.
Hi, I would like to ask if there is a way to prove LAPS changed its password, like an event log on both the host machine and in AAD that will show they are correlated or linked?
First off, when you look at the user's local admin password, the portal does show the date/time the password was updated. Then it is also in the audit logs, which I showed at 7:40 in the video.
Can we apply the new MS LAPS to a subgroup of privileged computers, like linking the policy to an AU? The goal is to segregate who can access the passwords of that admin-machine subset (Tier 0).
Great question, Adria. YES YOU CAN! In the Intune policy you can assign a specific group of devices to your policy, then have another policy for another group of computers. On the AD side... same thing, but you control it by GPO and the OU / sub-OUs where the GPO is linked.
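The AD side of the reply above (scope by OU), together with the earlier AD delegation reply that links Set-LapsADReadPasswordPermission and Find-LapsADExtendedRights, as an added example (not code from the video or from Microsoft): it links a Tier 0 LAPS GPO only to the Tier 0 OU, grants the computers there self-write rights, delegates read and reset as two separate rights, and then audits who actually holds the LAPS extended right on that OU. It runs on a domain-joined admin host with RSAT (GroupPolicy, ActiveDirectory) and the Windows LAPS module; the OU path, GPO name, group names and computer name are hypothetical, and the GPO is assumed to already carry the Windows LAPS ADMX settings shown in the video.

```powershell
# Added example, not from the video: scope Windows LAPS to a Tier 0 OU and
# delegate password READ separately from password RESET, then verify the ACLs.
# Requires RSAT (GroupPolicy, ActiveDirectory) and the Windows LAPS module.
# All names below are hypothetical.
Import-Module GroupPolicy
Import-Module ActiveDirectory
Import-Module LAPS

$tier0OU    = 'OU=Tier0,OU=Workstations,DC=corp,DC=example'   # hypothetical
$lapsGpo    = 'LAPS - Tier 0 Admin Workstations'              # hypothetical, already holds the Windows LAPS settings
$readGroup  = 'CORP\Tier0-LAPS-Readers'                       # hypothetical
$resetGroup = 'CORP\Tier0-LAPS-Resetters'                     # hypothetical

# 1. Link the Tier 0 policy only to the Tier 0 OU, never to the domain root,
#    so other workstations keep whatever LAPS GPO is linked to their own OU.
$linked = (Get-GPInheritance -Target $tier0OU).GpoLinks.DisplayName
if (-not ($linked -contains $lapsGpo)) {
    New-GPLink -Name $lapsGpo -Target $tier0OU -LinkEnabled Yes | Out-Null
}

# 2. Computers in that OU must be able to write their own password and
#    expiry attributes; without this the LAPS tab in ADUC stays empty.
Set-LapsADComputerSelfPermission -Identity $tier0OU | Out-Null

# 3. Read and reset are distinct rights. A group holding only the read
#    right can view the password but cannot expire it early; "Expire now"
#    needs the reset right, so keep the two groups separate.
Set-LapsADReadPasswordPermission  -Identity $tier0OU -AllowedPrincipals $readGroup  | Out-Null
Set-LapsADResetPasswordPermission -Identity $tier0OU -AllowedPrincipals $resetGroup | Out-Null

# 4. Audit: list every principal holding the LAPS extended right on the OU
#    (and on each computer object) and flag anything outside the expected
#    set. SYSTEM and Domain Admins hold it by default.
$expected = @('NT AUTHORITY\SYSTEM', 'CORP\Domain Admins', $readGroup, $resetGroup)
$rights = Find-LapsADExtendedRights -Identity $tier0OU -IncludeComputers
foreach ($entry in $rights) {
    $unexpected = $entry.ExtendedRightHolders | Where-Object { $_ -notin $expected }
    if ($unexpected) {
        Write-Warning "$($entry.ObjectDN): unexpected LAPS password readers: $($unexpected -join ', ')"
    }
}

# 5. Confirm one Tier 0 machine's password is readable by the delegated
#    group without exposing it: omit -AsPlainText so it stays a SecureString
#    and only the rotation metadata is displayed.
Get-LapsADPassword -Identity 'T0-ADMIN01' |
    Select-Object ComputerName, Account, PasswordUpdateTime, ExpirationTimestamp, Source
```

Run step 4 from the account of a helpdesk user as well: the point of the Tier 0 split is that a helpdesk reader should get an access-denied on the Tier 0 OU while still reading ordinary workstations.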
Can anyone confirm what the minimum on-prem server version must be? I'm seeing Server 2019; does this mean a domain functional level of Server 2019 too (if correct)?
I didn't see in the docs that you needed to be on the 2019 domain functional level, but you do need server version 2019, because you need certain Windows components to make LAPS work.
Remember, LAPS secures the local admin password, not the users' passwords. The PowerShell module does read from the Microsoft Graph API, or you can use Active Directory or Intune to see the password.
@AzureAcademy sorry, I thought that when a standard user who is not a local admin on the machine needs to install something, the standard user would retrieve his local administrator password from Azure AD somehow? We have that in our on-prem environment: each standard user can get his local administrator password from AD (an .exe app which uses the PowerShell cmdlet in the background; also, we have an ACL configured on each computer object so only the owner of the computer object can see the local admin password for that computer).
"Retrieving Windows LAPS passwords stored in Azure Active Directory is supported by using Microsoft Graph. Windows LAPS includes a PowerShell cmdlet (Get-LapsAADPassword) that's a wrapper around the Microsoft Graph PowerShell library."
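An added example (not code from the video or from Microsoft) that ties the two replies above together: the question of proving a rotation happened, and the Get-LapsAADPassword wrapper quoted from the docs. Part 1 runs on the device and pulls the rotation events from the Windows LAPS operational log; part 2 runs from an admin workstation with the Microsoft Graph SDK and reads only the rotation metadata from Entra ID; the script then checks that the two timestamps agree. The device name comes from the host it runs on, the event IDs noted in the comments are taken from the Windows LAPS event reference, and the two-minute tolerance is an assumption.

```powershell
# Added example, not from the video: correlate one Windows LAPS rotation
# between the device and Entra ID. Part 1 runs on the device; part 2 runs
# from any admin workstation with the Microsoft.Graph SDK and the LAPS module.
# The 120-second tolerance is an assumption.
Import-Module LAPS

$deviceName = $env:COMPUTERNAME

# --- Part 1: host side ------------------------------------------------------
# Windows LAPS logs to its own operational channel. The documented success
# events for a backup to Entra ID / AD are 10018 / 10020; filtering on the
# message text keeps this working even if you only remember the wording.
$hostEvents = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-LAPS/Operational' } -MaxEvents 200 |
    Where-Object { $_.Message -match 'successfully updated' } |
    Sort-Object TimeCreated -Descending

$lastHostUpdate = $hostEvents | Select-Object -First 1
$lastHostUpdate | Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } }

# Optional: force a rotation so there is a fresh event to correlate. The
# policy must already be applied; this writes to the configured backup store.
# Reset-LapsPassword
# Invoke-LapsPolicyProcessing

# --- Part 2: directory side -------------------------------------------------
# Get-LapsAADPassword is the Graph wrapper quoted above; it needs a Graph
# session. Metadata only (no -IncludePasswords), so nothing secret is returned.
Connect-MgGraph -Scopes 'Device.Read.All', 'DeviceLocalCredential.Read.All'
$cloud = Get-LapsAADPassword -DeviceIds $deviceName
$cloud | Select-Object DeviceName, DeviceId, Account, PasswordUpdateTime, PasswordExpirationTime

# --- Correlate ---------------------------------------------------------------
# Both sides normalised to UTC (assumption: Graph returns the update time
# with a UTC or local Kind, not Unspecified).
if ($lastHostUpdate -and $cloud) {
    $hostTime  = $lastHostUpdate.TimeCreated.ToUniversalTime()
    $cloudTime = ([datetime]$cloud.PasswordUpdateTime).ToUniversalTime()
    $delta = [math]::Abs(($cloudTime - $hostTime).TotalSeconds)
    if ($delta -le 120) {
        "OK: host event $($lastHostUpdate.Id) at $hostTime matches Entra PasswordUpdateTime $cloudTime (delta ${delta}s)"
    } else {
        Write-Warning "Mismatch: host says $hostTime, Entra says $cloudTime (delta ${delta}s); check the LAPS log for a failed backup"
    }
} elseif (-not $cloud) {
    Write-Warning "No LAPS credential found in Entra ID for $deviceName; policy may not have applied yet"
}
```

The same host events are what you would forward to a SIEM: a device that keeps producing rotation events with no matching PasswordUpdateTime in the directory is rotating locally but failing to back up, which is the state where the password becomes unrecoverable.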
Hello Dean, we have often been facing an Azure Virtual Desktop login issue, "the two computers couldn't connect in the amount of time allotted". Please suggest if there is any possible solution.
I have seen that error when someone tries to connect to an AVD session host with the native Windows RDP client. If you are, you should be using the AVD client instead. Make sure you have the latest version too. Also, what version of Windows are your session hosts?
Thanks for that... is this happening on all your pools or just one? Also, do the users who have the issue have another pool that they can log into without issue? Third, are you trying to use Single Sign-On? If so, how are you joined: AD, hybrid or Azure AD?
@AzureAcademy thanks for asking. 1. The issue is happening randomly across the pools; however, if we go by the numbers, most of the issues are coming from one particular pool. 2. Users don't have access to the other pool; never tried. 3. Yes, we are using SSO and it's hybrid.
2012 will not, 2019 will: learn.microsoft.com/en-us/windows-server/identity/laps/laps-overview#windows-laps-supported-platforms-and-azure-ad-laps-preview-status And you should watch my video on Server 2012 / domain controller upgrades: ru-vid.com/video/%D0%B2%D0%B8%D0%B4%D0%B5%D0%BE-GHm5ah7Wulo.html?si=DaiM_-aS5JME0s5y
If you mean using the admin account name feature to create the local admin account, I don't think so. You create the account when you build the device or the image.
LAPS attributes are always empty, and so are the LAPS tab passwords... this is a very confusing and scuffed deployment; even from 10 different sources it still does not work.
Hi, I have a query for my support case where the customer has set up Windows LAPS on a DC to give read-only permissions to the helpdesk group. But what happened was they were able to see the "Expire now" button under the LAPS dialog box. What can we do to disable it? I checked the GPO for LAPS but saw no issue.
@AzureAcademy in AD, where the Windows LAPS "Expire now" button for the computer is not greyed out. Is that the default behavior? I did not see any GPO for this to be disabled.