About Windows LAPS
Managing local administrator accounts has always been a critical yet challenging task for IT administrators. With the introduction of Windows Local Administrator Password Solution (LAPS) Automatic Account Management, Microsoft provides a streamlined, secure, and automated method to handle these accounts.
Starting with Windows 11 version 24H2 and Windows Server 2025, LAPS is now natively integrated into the operating system, eliminating the need to install additional agents or MSI packages.
Supported Systems (with built-in LAPS)
| Operating System | Built-in Windows LAPS | Password Rotation | Azure AD Support | Automatic Account Management | Notes |
|---|---|---|---|---|---|
| Windows 11 (22H2) | ✅ Yes (with April 11, 2023 update) | ✅ Yes | ✅ Yes | ❌ No | Supports core features only |
| Windows 11 (23H2) | ✅ Yes | ✅ Yes | ✅ Yes | ❌ No | Same as 22H2 |
| Windows 11 (24H2) | ✅ Yes | ✅ Yes | ✅ Yes | ✅ Yes | Full feature set |
| Windows 10 (April 2023 update or later) | ✅ Yes (built-in) | ✅ Yes | ✅ Yes | ❌ No | Automatic mode not supported |
| Windows Server 2022 (April 2023 update) | ✅ Yes | ✅ Yes | ✅ Yes | ❌ No | Same as Windows 10/11 22H2 |
| Windows Server 2025 (Preview) | ✅ Yes | ✅ Yes | ✅ Yes | ✅ Yes | Full support |
| Windows Server 2019 / 2016 / 2012 R2 | ❌ No (use legacy LAPS MSI) | ✅ Yes (with legacy LAPS) | ❌ No | ❌ No | Legacy only |
What is Windows LAPS Automatic Account Management?
Windows LAPS is a security feature that automates the management of local administrator accounts by regularly rotating passwords and securely storing them in Active Directory (AD) or Azure AD.
The new Automatic Account Management mode builds on this by also automating the creation, naming, enabling/disabling, and lifecycle management of the local administrator account, helping reduce administrative overhead while improving endpoint security.
Key Features of Automatic Account Management
1. Automated Account Lifecycle
- LAPS can automatically create a local administrator account if it doesn't exist.
- It can enable or disable the account based on policy settings.
- Important: LAPS does not automatically delete the account. If the policy is removed, the account remains and must be manually deleted if no longer needed.
2. Flexible Account Targeting
- Admins can choose to manage either:
- The built-in Administrator account, or
- A custom administrator account (e.g.,
adminlaps)
- Configuration is done via GPO or Intune using the
AutomaticAccountNameandAccountManagementpolicy settings.
3. Account Name Randomization
- If a custom admin account is used, the account name can be randomized with a prefix and a unique suffix (e.g.,
adminlaps_4g7c9h). - This does not apply to the built-in
Administratoraccount.
4. Password Rotation and Secure Storage
- LAPS automatically rotates the account password based on the defined interval.
- Passwords are stored securely in either Active Directory or Azure AD, and access to them is controlled via ACLs or RBAC.
5. Tamper Protection
- The managed account is automatically added to the local Administrators group.
- LAPS enforces tamper resistance—even in Safe Mode, ensuring attackers cannot bypass local protections.
How to Configure Automatic Account Management
You can configure these features using Group Policy or Microsoft Intune.
GPO Path:
Computer Configuration > Administrative Templates > System > LAPS
Example 1: Managing the Built-in Administrator Account
- The policy is set to manage the built-in local Administrator account.
- No account name is specified (not needed).
- “Enable the managed account” is unchecked because the built-in account already exists.
- Name randomization is optional but has no effect on the built-in account.
Why this matters:
Many organizations still use the built-in account for maintenance. With LAPS, you can now automatically rotate its password and store it securely—without deploying any extra software.
.png)
Example 2: Managing a Custom Admin Account
- The policy is set to manage a custom local admin account (e.g.,
adminlaps). - “Enable the managed account” is checked so LAPS can create or re-enable the account.
- Name randomization is also enabled, so accounts will be named like
adminlaps_ABC123.
Why this matters:
Using dedicated, randomized admin accounts helps limit lateral movement and improves endpoint hardening. It’s a best practice for enterprise and hybrid environments.
.png)
Manual Mode vs Automatic Mode
| Feature | Manual Mode | Automatic Mode | Explanation |
|---|---|---|---|
| Password controlled by Windows LAPS | ✅ Yes | ✅ Yes | Both modes let LAPS manage and rotate the password. |
| IT admin can customize the account | ✅ Yes | ❌ No | Manual mode allows full control over account creation and management. |
| Supports automatic account creation | ❌ No | ✅ Yes | Only Automatic mode creates the account if missing. |
| Supports automatic account naming | ❌ No | ✅ Yes | Randomized naming is handled by LAPS only in Automatic mode. |
| Supports automatic account enablement/disablement | ❌ No | ✅ Yes | LAPS can enable or disable the account based on policy. |
| Supports automatic account name randomization | ❌ No | ✅ Yes | Reduces predictability and improves security. |
| Supports integration with local account policies | ❌ No | ✅ Yes | Automatic mode enforces group membership and DACL hardening. |
Reminder: Choose the mode that best fits your operational model. Automatic mode simplifies but limits customization; manual mode gives more control but needs more setup.
How to configure those modes?
Manual Mode :
LAPS only manages the password.
You create the account yourself.
What to do:
In Group Policy, go to:- Configure password backup directory → Enabled
- Choose Active Directory or Azure AD
- AdministratorAccountName
- Leave empty → it will manage the built-in Administrator
- Put a name (like
AdminCustom) → it will manage your custom account - But you must create that account yourself, LAPS won’t do it.
Automatic Mode:
LAPS creates and manages everything: account, password, even name.
What to do:
In Group Policy, go to:Computer Configuration > Administrative Templates > System > LAP
- Configure password backup directory → Enabled
- Choose Active Directory or Azure AD
Set this:
- Configure managed account → Enabled
- Choose:
- Built-in or custom account
- Enable or disable the account
- Randomize the name or not
- Choose:
Benefits of Automatic Account Management
- Simplified Administration : Automates password rotation and account management—less manual intervention.
Improved Securit :
Strong, unique passwords and randomized account names reduce attack surface.
Native Integration :
Built into Windows 11 24H2 and Server 2025; works with GPO, Intune, and Entra/Azure AD.Policy-Driven Consistency :
Ensures secure and standardized account management across all managed endpoints.
Use Cases for Automatic Mode
- Organizations managing thousands of endpoints with local admin access.
- Scenarios requiring compliance with rotating credentials and logging access.
- Environments with both on-prem AD and Azure AD join setups.
- Admins seeking secure local break-glass or remote support access accounts.
Conclusion
Windows LAPS Automatic Account Management is a major evolution in securing local administrator accounts. It brings full automation—from account creation to password storage—without third-party tools or legacy scripts.
Whether you're securing endpoints in a small office or across a global enterprise, LAPS gives you the control and compliance needed for modern cybersecurity demands.