Microsoft started rolling out its Patch Tuesday updates for Windows 10 and Windows 11 yesterday. One of the things mentioned in the Windows 11 changelog was a new Windows Local Administrator Password Solution (LAPS) feature. While Microsoft naturally didn’t go into much detail about this feature in its changelog, it did publish a dedicated blog post describing the change in detail.
For those who don’t know, before today LAPS was only available as an MSI package that had to be downloaded manually from the Microsoft Download Center. It was primarily used by IT administrators to secure local administrator accounts on deployed Windows devices, recover devices by logging in with a local administrator account, and manage identities on machines joined to Azure Active Directory, among other things.
However, with the latest Patch Tuesday update rolling out yesterday, this variant of LAPS will now be referred to as “Legacy LAPS” as Microsoft has natively integrated the product directly into Windows. The Redmond tech giant says this was done due to “popular demand” and the inbox solution is now available on the following Windows SKUs:
- Windows 11 Pro, EDU and Enterprise
- Windows 10 Pro, EDU, and Enterprise
- Windows Server 2022 and Windows Server Core 2022
- Windows Server 2019
There are also several new features in Windows LAPS; they are listed below:
- LAPS supports Azure Active Directory (in private preview now, public preview coming soon)
  - Stores passwords in Azure AD and recovers them via Microsoft Graph.
  - Adds two new Microsoft Graph permissions: one to retrieve only the password “metadata” (e.g. for security monitoring applications) and one for the sensitive plaintext password itself.
  - Provides Azure role-based access control (Azure RBAC) for creating authorization policies for password recovery.
  - Includes Azure Management Portal support for password recovery and rotation.
  - Lets you manage the feature through Intune!
  - Automatic password rotation after account use.
- New features for on-premises Active Directory scenarios
  - Password Encryption: dramatically improves the security of those sensitive secrets!
  - Password History: gives you the option to reconnect to restored backup images.
  - Directory Services Restore Mode (DSRM) password backups: help secure your domain controllers by rotating these critical recovery passwords regularly!
  - Emulation Mode: useful if you want to continue using old LAPS policy settings and tools while preparing to migrate to the new features!
  - Auto-Rotate: automatically rotates the password after account use.
- New features for both Azure AD and on-premises AD scenarios
  - Rich policy management is now available through Group Policy and the Configuration Service Provider (CSP).
  - The Windows LAPS account password can be rotated on request from the Intune portal, which is very useful when, for example, handling a possible breach.
  - A dedicated event log is located under Applications and Services Logs > Microsoft > Windows > LAPS > Operational for enhanced diagnostics.
  - The new PowerShell module includes improved management capabilities. For example, you can now rotate the password on demand using the new Reset-LapsPassword cmdlet!
  - Hybrid devices are fully supported.
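As an added example (not from Microsoft's post or the Windows LAPS module itself), the script below reviews the LAPS operational event log described above and, when run with the -Rotate switch, performs the on-demand rotation via the Reset-LapsPassword cmdlet, which is the kind of step an admin would take when handling a possible breach. Assumed: the event channel name 'Microsoft-Windows-LAPS/Operational', that the device already has an inbox LAPS policy applied, and that the script runs elevated.

```powershell
# Added example, not Microsoft's code. Review recent Windows LAPS activity on this
# device and optionally rotate the managed local administrator password on demand.
# Assumptions: elevated session on a device that received the April Patch Tuesday
# update and has a Windows LAPS policy applied; the channel name below is assumed.
param(
    [int]$Hours = 24,   # how far back to look in the operational log
    [switch]$Rotate     # request an immediate password rotation
)

$logName = 'Microsoft-Windows-LAPS/Operational'
$since   = (Get-Date).AddHours(-$Hours)

# 1. Pull recent LAPS events (policy processing, password backups, errors).
$events = Get-WinEvent -FilterHashtable @{ LogName = $logName; StartTime = $since } `
                       -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Warning "No LAPS events in the last $Hours hours; check that a LAPS policy is applied and the log is enabled."
} else {
    $events |
        Sort-Object TimeCreated |
        Select-Object TimeCreated, Id, LevelDisplayName,
            @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } } |
        Format-Table -AutoSize

    # Critical (1), Error (2) and Warning (3) entries are what a responder reads first.
    $problems = $events | Where-Object { $_.Level -in 1, 2, 3 }
    Write-Host ("{0} LAPS events, {1} warnings/errors" -f $events.Count, $problems.Count)
}

# 2. Rotate now instead of waiting for the policy's scheduled expiry.
if ($Rotate) {
    # Fails fast if the inbox LAPS module (and its cmdlet) is not present on this build.
    Get-Command Reset-LapsPassword -ErrorAction Stop | Out-Null
    Reset-LapsPassword
    Write-Host "Rotation requested; confirm the new password was backed up by re-reading $logName."
}
```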
The good thing for IT admins is that both versions of LAPS can currently co-exist, but Microsoft has recommended against using both to set up the same account, as this could lead to policy conflicts. You can start using the new LAPS on eligible deployments that have installed the April Patch Tuesday updates now.