Microsoft LAPS and Its Impact on Automated Network Discovery Solutions


Introduction to Microsoft LAPS

Local Administrator Password Solution (LAPS) is a Microsoft tool designed to enhance security by managing local administrator passwords on domain-joined computers. LAPS provides a way to automatically generate unique, complex passwords for the local administrator account on each managed device and securely store them in a centralized location. IT administrators can retrieve these passwords as needed, reducing the risks associated with static or shared credentials.

Key benefits of LAPS include:

  • Improved Security: Ensures that local administrator accounts have unique, regularly rotated passwords.
  • Compliance: Helps organizations meet regulatory and internal security requirements.
  • Reduced Attack Surface: Mitigates the risk of lateral movement in the event of a credential compromise.
  • Automated Management: Reduces administrative overhead by automating password changes and storage.

Legacy LAPS

The older version of LAPS, commonly referred to as “legacy LAPS,” is an on-premises solution that integrates with Active Directory (AD). It requires an agent to be installed on each managed endpoint, which facilitates the generation and storage of local administrator passwords in AD.

How Legacy LAPS Works:

  1. A Group Policy Object (GPO) is used to configure LAPS settings across domain-joined machines.
  2. The client-side LAPS agent generates a unique password and stores it in the computer object in Active Directory.
  3. IT administrators can access the stored passwords via PowerShell or a dedicated LAPS management UI.

Challenges with Legacy LAPS:

  • Requires on-premises Active Directory infrastructure.
  • Limited scalability for hybrid or cloud environments.
  • Manual deployment of the LAPS client agent.
  • Potential for misconfiguration leading to security gaps.
  • Legacy LAPS stores the password but not the account name. This creates login issues, since the name of the built-in administrator account varies between Windows language versions.

The New Microsoft LAPS

With Windows 11 and newer versions of Windows 10, Microsoft introduced an updated version of LAPS that is natively integrated into the operating system. This eliminates the need for a separate client installation and offers more flexibility in where passwords are stored. Furthermore, it also provides the account name that was missing in the previous versions.

Two Storage Options for the New LAPS

  1. Active Directory (On-Premises) Storage
    • The new LAPS can still store passwords in on-premises Active Directory, similar to the legacy version, but with additional improvements such as enhanced logging and audit capabilities.
    • Configuration is done via Group Policy or Intune, and administrators can manage passwords using familiar tools like PowerShell.
    • Suitable for organizations with an existing AD infrastructure looking for a seamless upgrade path.
    • Offers greater control over password policies and access permissions.
  2. Microsoft Intune (Cloud) Storage
    • A major enhancement in the new LAPS is the ability to store local administrator passwords securely in Microsoft Intune.
    • This cloud-based approach allows for centralized password management across hybrid and cloud environments.
    • IT administrators can access stored passwords via the Microsoft Endpoint Manager (MEM) portal.
    • Provides enhanced visibility and control for remote workforce management.
    • Ideal for organizations moving towards a cloud-first strategy or managing remote endpoints.

Key Improvements in the New LAPS:

  • Built-in support within the operating system.
  • Enhanced audit logging for improved compliance.
  • Improved management through Intune, reducing dependency on traditional on-prem AD.
  • Automated password expiration and rotation.
  • Improved encryption methods for secure password storage.
  • Provides the local administrator’s account in addition to its password.

Impact on Automated Network Discovery Solutions like JDisc Discovery

Automated network discovery solutions like JDisc Discovery rely on credential-based access to gather system information. Usually, agent-less network discovery tools have a way to define access credentials for domains or Active Directory organizational units. The disadvantage is that you have ONE password that grants access to all Windows computers within an organization. Therefore, many customers switch to Microsoft LAPS, where each Windows computer has its own local administrator password. While this increases security, it makes the life of network discovery tools more challenging. With thousands of Windows computers, it is impossible to configure each device’s local admin account and password individually. Furthermore, regular password rotation would increase the effort to keep the passwords in the discovery tool and in LAPS in sync. The introduction of Microsoft LAPS presents both challenges and opportunities for such tools.

Challenges:

  • Password Rotation: Automated tools must continuously update their credential database to stay in sync with the rotated passwords managed by LAPS.
  • Access Control: Organizations must carefully manage access permissions to LAPS-stored passwords to prevent unauthorized access.
  • Integration Complexity: Discovery tools may require updates or extensions to support new LAPS retrieval mechanisms.
  • Downtime Risks: Improper synchronization with LAPS could lead to discovery failures or incomplete asset data collection.

Opportunities:

  • Enhanced Security Posture: Integration with LAPS ensures that automated tools follow the same security best practices.
  • Automation Possibilities: Solutions like JDisc Discovery can potentially leverage APIs to retrieve LAPS-managed credentials for discovery tasks programmatically.
  • Improved Compliance: Organizations can meet security compliance requirements by enforcing password policies across all systems, including those discovered by automated tools.
  • Scalability: Enables large-scale environments to manage passwords dynamically without manual intervention.

How does JDisc Discovery deal with LAPS and its Flavors?

JDisc Discovery has supported LAPS for quite some time, and we continuously adapt our software as LAPS evolves. What guiding principles do we follow when using LAPS? The most important principle is that we do not store local administrator passwords in our database. For obvious security reasons, IT departments prefer to avoid storing administrative credentials across multiple tools. Instead, we retrieve the current credentials only when needed—for example, during a scan of a specific computer that utilizes LAPS.

Legacy LAPS

Let’s take a look at how JDisc Discovery handles legacy LAPS. This was the first version of LAPS that required installation on top of the operating system and running scripts to extend the Active Directory (AD) schema. Once installed on client computers, the LAPS software generates a local administrator password and securely stores it in a dedicated location within Microsoft Active Directory. Authorized AD users can then retrieve the local administrator password using LDAP queries.

One of the biggest challenges for network discovery tools with legacy LAPS is that it stores only the local administrator’s password—but not the associated account name. This means that while JDisc Discovery can retrieve the password, a valid account name is also needed to connect via WMI or other protocols. By default, we assume the account name is “Administrator.” However, this can be customized, and it may vary depending on the system language (e.g., a French version of Windows).

To use legacy LAPS effectively, two key pieces of information are required:

  • An account and password for a user authorized to read the local administrator password from Active Directory via LDAP.
  • The local administrator’s account name (if it differs from the default “Administrator”).

To configure LAPS in JDisc Discovery, open the discovery configuration dialog and navigate to the LAPS tab. Here, you can specify the credentials of the user authorized to read LAPS passwords. Next, select the organizational unit (OU) where you want to use LAPS accounts. Click Change LAPS Account to enter the username and password of an authorized user who has permission to read the current LAPS passwords for the computers in that OU.

In the example below, we configure the account “JDISC\LAPS-READER” to retrieve passwords for computers within the organizational unit “France.”

Configure LAPS local admin password access in JDisc Discovery

As mentioned before, the legacy LAPS version does not provide the name of the local administrator account. By default, we use “Administrator”. However, admins can rename this account, and its default name is also language dependent: for France, the default is “Administrateur”. So we have to define the account name for the local administrator:

Configure the local administrator account to be used with LAPS.

With this configuration, we will use the account “JDISC\LAPS-READER” to read the local administrator’s password using LDAP. Once we have the password, we use the accounts in the local administrator account list to connect to the target device. The password is not stored in the JDisc Discovery database at all; it is only used to scan the computer.

Current LAPS Version

Microsoft has integrated LAPS into the operating system to simplify its configuration and deployment. It also adds EntraID as a store for the local administrator credentials, in addition to on-premises Microsoft Active Directory. Administrators can optionally encrypt the password when it is stored within AD; in that case, the password read from AD must be decrypted before it can be used. And luckily, the account name has been added to LAPS as well, so you can now obtain the local administrator’s account name AND the password.

Credentials stored within AD

Using the current LAPS version simplifies the configuration within JDisc Discovery. It is no longer necessary to define the local administrator’s account name since the current LAPS version also provides the account name via LDAP.

So, you only need to configure the account name and password for the user with permission to read the local administrator’s username and password using LDAP.
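To make the difference between the two AD flavours concrete, here is an added example (my own code, not JDisc Discovery's) that maps a computer object's LAPS attributes, as an LDAP client such as ldap3 would return them, to an account name and password: legacy LAPS yields only ms-Mcs-AdmPwd, so the name comes from a per-OU configuration table, while Windows LAPS yields msLAPS-Password as JSON with the name (n), set time (t) and password (p). The per-OU default table, the sample attribute values and FIXED_NOW are constructed; the encrypted variant is recognised but not decrypted.

```python
import json
from datetime import datetime, timedelta, timezone

# Hypothetical per-OU default account names (legacy LAPS stores no name);
# the "France" OU mirrors the page's example of a French Windows build.
DEFAULT_ADMIN_NAME = {"OU=France,DC=jdisc,DC=local": "Administrateur"}
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def from_filetime(value):
    # AD stores expiration times as a FILETIME: 100-ns ticks since 1601-01-01 UTC
    return FILETIME_EPOCH + timedelta(microseconds=int(value) // 10)

def to_filetime(dt):
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10

def resolve_local_admin(attrs, ou_dn, now=None):
    """Map LAPS attributes of one computer object to (account, password, source, expired)."""
    now = now or datetime.now(timezone.utc)
    # Windows LAPS (current): msLAPS-Password is JSON with n=name, t=set time, p=password
    if attrs.get("msLAPS-Password"):
        blob = json.loads(attrs["msLAPS-Password"])
        exp = attrs.get("msLAPS-PasswordExpirationTime")
        expired = bool(exp) and from_filetime(exp) < now
        return blob["n"], blob["p"], "windows-laps", expired
    if attrs.get("msLAPS-EncryptedPassword"):
        # Encrypted storage needs DPAPI-NG decryption by an authorised principal; not handled here
        raise ValueError("msLAPS-EncryptedPassword present; decrypt before use")
    # Legacy LAPS: ms-Mcs-AdmPwd carries only the password, so the name comes from configuration
    if attrs.get("ms-Mcs-AdmPwd"):
        exp = attrs.get("ms-Mcs-AdmPwdExpirationTime")
        expired = bool(exp) and from_filetime(exp) < now
        name = DEFAULT_ADMIN_NAME.get(ou_dn, "Administrator")
        return name, attrs["ms-Mcs-AdmPwd"], "legacy-laps", expired
    raise LookupError("computer object carries no LAPS attributes")

# Constructed sample attribute sets (not real directory data); the result is
# handed to the caller for the scan and deliberately never persisted.
FIXED_NOW = datetime(2025, 1, 15, tzinfo=timezone.utc)
FRANCE_OU = "OU=France,DC=jdisc,DC=local"
SAMPLE_NEW = {
    "msLAPS-Password": '{"n":"Administrator","t":"1db64c1a2b3c4d5e","p":"Q7!vLm9#pRt2"}',
    "msLAPS-PasswordExpirationTime": str(to_filetime(datetime(2025, 2, 14, tzinfo=timezone.utc))),
}
SAMPLE_LEGACY_FR = {
    "ms-Mcs-AdmPwd": "x8$Ke2Lp!0Qz",
    "ms-Mcs-AdmPwdExpirationTime": str(to_filetime(datetime(2024, 12, 1, tzinfo=timezone.utc))),
}
SAMPLE_ENCRYPTED = {"msLAPS-EncryptedPassword": b"\x01\x02\x03"}
```

The `expired` flag tells the caller that the stored value is past its expiration time and may be rotated at the client's next policy refresh, which is exactly the sync problem the Challenges list describes.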

Credentials stored within EntraID in the Cloud

JDisc Discovery has recently enhanced its EntraID discovery capabilities. In addition to getting more details about groups and administrative units, we have also added support for LAPS when the local administrator’s account and password are stored within the Azure cloud in its EntraID.

When you have configured access to the Azure portal by creating an application and a secret, JDisc Discovery can access the device’s local administrator credentials, provided the application has the permission DeviceLocalCredential.Read.All. So whenever we scan a Windows computer and know that it is managed by Intune and that its LAPS password is stored within EntraID, we can obtain the current administrator’s account name and password using the MS Graph API.
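As an added example (my code, not JDisc's), the following picks the current credential out of a Graph response for a device's local credentials. The field names follow my reading of Graph's deviceLocalCredentialInfo resource (returned by GET /directory/deviceLocalCredentials/{deviceId}?$select=credentials, which needs the DeviceLocalCredential.Read.All permission named above) and should be checked against the Graph documentation; the response body is constructed, and decoding passwordBase64 as UTF-8 text is an assumption.

```python
import base64
from datetime import datetime

# Constructed response shaped like Graph's deviceLocalCredentialInfo resource
# (field names are an assumption about the schema, not taken from the page).
SAMPLE_RESPONSE = {
    "id": "11111111-2222-3333-4444-555555555555",
    "deviceName": "FR-LAPTOP-042",
    "credentials": [
        {"accountName": "Administrateur", "backupDateTime": "2024-11-03T08:15:00Z",
         "passwordBase64": base64.b64encode(b"OldPass#1").decode()},
        {"accountName": "Administrateur", "backupDateTime": "2025-01-10T09:30:00Z",
         "passwordBase64": base64.b64encode(b"NewPass#2").decode()},
    ],
}

def _backup_time(cred):
    # Graph returns ISO-8601 timestamps with a trailing Z; fromisoformat wants +00:00
    return datetime.fromisoformat(cred["backupDateTime"].replace("Z", "+00:00"))

def newest_local_credential(info):
    """Return (account_name, password) for the most recently backed-up credential.

    The credentials collection can hold more than one entry; only the newest
    backup is expected to match what is currently set on the device.
    """
    creds = info.get("credentials") or []
    if not creds:
        raise LookupError(f"no LAPS backup for device {info.get('deviceName')}")
    latest = max(creds, key=_backup_time)
    # passwordBase64 is decoded here as UTF-8 text (assumption about the encoding)
    password = base64.b64decode(latest["passwordBase64"]).decode("utf-8")
    return latest["accountName"], password
```

The decoded password should be used for the connection and then discarded, in line with the principle stated earlier of not storing local administrator passwords in the discovery database.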

Conclusion

Microsoft LAPS has evolved from a standalone security solution to a fully integrated component within modern Windows operating systems. IT administrators have powerful tools to enhance security and compliance, whether using the legacy LAPS or the new built-in version with cloud capabilities.

For automated network discovery solutions like JDisc Discovery, adapting to the new LAPS landscape is crucial to maintaining seamless operations while ensuring adherence to organizational security policies. By leveraging new capabilities and integrating with LAPS, these tools can continue to provide valuable insights into IT environments without compromising security.

The adoption of LAPS as a standard security practice improves security and streamlines administrative tasks, allowing IT teams to focus on strategic initiatives while maintaining robust endpoint security.

Hope you like that explanation…

Cheers,
Thomas

About The Author

Thomas Trenz
I own and manage JDisc and its network inventory and discovery products. Before I started JDisc, I worked quite a long time for Hewlett-Packard developing software for network assessments and inventory projects. Feel free to contact me on Linked-In or Xing.
