LAPS CSP
The Local Administrator Password Solution (LAPS) configuration service provider (CSP) is used by the enterprise to manage the backup of local administrator account passwords. Windows also supports a LAPS Group Policy Object (GPO) that is entirely separate from the LAPS CSP. Many of the settings are common to both the LAPS GPO and the CSP (the GPO doesn't support any of the Action-related settings). As long as at least one LAPS setting is configured via the CSP, any GPO-configured settings are ignored. Also see Configure policy settings for Windows LAPS.
Note
For more information on specific OS updates required to use the Windows LAPS CSP and associated features, plus the current status of the Microsoft Entra LAPS scenario, see Windows LAPS availability and Microsoft Entra LAPS public preview status.
Tip
This article covers the specific technical details of the LAPS CSP. For more information about the scenarios in which the LAPS CSP would be used, see Windows Local Administrator Password Solution.
The following list shows the LAPS configuration service provider nodes:
- ./Device/Vendor/MSFT/LAPS
  - Actions
    - ResetPassword
    - ResetPasswordStatus
  - Policies
    - ADEncryptedPasswordHistorySize
    - AdministratorAccountName
    - ADPasswordEncryptionEnabled
    - ADPasswordEncryptionPrincipal
    - AutomaticAccountManagementEnableAccount
    - AutomaticAccountManagementEnabled
    - AutomaticAccountManagementNameOrPrefix
    - AutomaticAccountManagementRandomizeName
    - AutomaticAccountManagementTarget
    - BackupDirectory
    - PassphraseLength
    - PasswordAgeDays
    - PasswordComplexity
    - PasswordExpirationProtectionEnabled
    - PasswordLength
    - PostAuthenticationActions
    - PostAuthenticationResetDelay
Actions
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ [10.0.20348.1663] and later ✅ [10.0.25145] and later ✅ Windows 10, version 1809 [10.0.17763.4244] and later ✅ Windows 10, version 2004 [10.0.19041.2784] and later ✅ Windows 11, version 21H2 [10.0.22000.1754] and later ✅ Windows 11, version 22H2 [10.0.22621.1480] and later |
./Device/Vendor/MSFT/LAPS/Actions
Defines the parent interior node for all action-related settings in the LAPS CSP.
Description framework properties:
Property name | Property value |
---|---|
Format | node |
Access Type | Get |
Actions/ResetPassword
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ [10.0.20348.1663] and later ✅ [10.0.25145] and later ✅ Windows 10, version 1809 [10.0.17763.4244] and later ✅ Windows 10, version 2004 [10.0.19041.2784] and later ✅ Windows 11, version 21H2 [10.0.22000.1754] and later ✅ Windows 11, version 22H2 [10.0.22621.1480] and later |
./Device/Vendor/MSFT/LAPS/Actions/ResetPassword
Use this setting to tell the CSP to immediately generate and store a new password for the managed local administrator account.
This action invokes an immediate reset of the local administrator account password, ignoring the normal constraints such as PasswordAgeDays.
Description framework properties:
Property name | Property value |
---|---|
Format | null |
Access Type | Exec |
Actions/ResetPasswordStatus
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ [10.0.20348.1663] and later ✅ [10.0.25145] and later ✅ Windows 10, version 1809 [10.0.17763.4244] and later ✅ Windows 10, version 2004 [10.0.19041.2784] and later ✅ Windows 11, version 21H2 [10.0.22000.1754] and later ✅ Windows 11, version 22H2 [10.0.22621.1480] and later |
./Device/Vendor/MSFT/LAPS/Actions/ResetPasswordStatus
Use this setting to query the status of the last submitted ResetPassword execute action.
The value returned is an HRESULT code:
- S_OK (0x0): The last submitted ResetPassword action succeeded.
- E_PENDING (0x8000000A): The last submitted ResetPassword action is still executing.
- Other: The last submitted ResetPassword action encountered the returned error.
Description framework properties:
Property name | Property value |
---|---|
Format | int |
Access Type | Get |
Default Value | 0 |
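Because ResetPasswordStatus has Format int, an MDM client that reads the node as a signed 32-bit integer will see E_PENDING as a negative number rather than as 0x8000000A. The following helper, added here as an example and not part of the CSP documentation, normalises either representation, classifies the value using the S_OK / E_PENDING / other rule above (E_PENDING's value is the winerror.h definition), and walks a constructed sequence of polled responses the way an MDM agent would:

```python
"""Interpret the value of ./Device/Vendor/MSFT/LAPS/Actions/ResetPasswordStatus.

Added example, not Microsoft's code. The sequence of polled values at the
bottom is constructed for illustration.
"""
from typing import Sequence

S_OK = 0x00000000
E_PENDING = 0x8000000A  # winerror.h: "the data necessary to complete this operation is not yet available"


def to_hresult(value: int) -> int:
    """Normalise a signed or unsigned 32-bit integer to unsigned HRESULT form."""
    if not -0x80000000 <= value <= 0xFFFFFFFF:
        raise ValueError(f"not a 32-bit value: {value}")
    return value & 0xFFFFFFFF


def hresult_failed(value: int) -> bool:
    """Equivalent of the FAILED() macro: bit 31 is the severity bit."""
    return bool(to_hresult(value) & 0x80000000)


def hresult_facility(value: int) -> int:
    """Bits 16-28 of an HRESULT identify the facility that produced it."""
    return (to_hresult(value) >> 16) & 0x1FFF


def hresult_code(value: int) -> int:
    """The low 16 bits carry the facility-specific error code."""
    return to_hresult(value) & 0xFFFF


def interpret_reset_status(value: int) -> str:
    """Map one Get of ResetPasswordStatus to succeeded / pending / failed."""
    hr = to_hresult(value)
    if hr == S_OK:
        return "succeeded"
    if hr == E_PENDING:
        return "pending"
    if hresult_failed(hr):
        return f"failed: 0x{hr:08X} (facility {hresult_facility(hr)}, code {hresult_code(hr)})"
    return f"completed with non-error status 0x{hr:08X}"


def poll_until_settled(statuses: Sequence[int], max_polls: int) -> tuple[str, int]:
    """Consume successive Get results until the action is no longer pending.

    Returns (outcome, polls_used); outcome stays "pending" if max_polls is hit
    before the device reports a final result.
    """
    outcome, polls = "pending", 0
    for value in statuses:
        polls += 1
        outcome = interpret_reset_status(value)
        if outcome != "pending" or polls >= max_polls:
            break
    return outcome, polls


# Constructed sample: two signed-int readings of E_PENDING, then S_OK.
CONSTRUCTED_POLL = [-2147483638, -2147483638, 0]

if __name__ == "__main__":
    print(poll_until_settled(CONSTRUCTED_POLL, max_polls=5))  # ('succeeded', 3)
```

The sample failure value 0x80070005 used in the check below is the standard Win32 access-denied HRESULT and is only there to show how a non-pending failure decodes; the CSP itself returns whatever error the reset action hit.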
Policies
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ [10.0.20348.1663] and later ✅ [10.0.25145] and later ✅ Windows 10, version 1809 [10.0.17763.4244] and later ✅ Windows 10, version 2004 [10.0.19041.2784] and later ✅ Windows 11, version 21H2 [10.0.22000.1754] and later ✅ Windows 11, version 22H2 [10.0.22621.1480] and later |
./Device/Vendor/MSFT/LAPS/Policies
Root node for LAPS policies.
Description framework properties:
Property name | Property value |
---|---|
Format | node |
Access Type | Get |
Atomic Required | True |
Policies/ADEncryptedPasswordHistorySize
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ [10.0.20348.1663] and later ✅ [10.0.25145] and later ✅ Windows 10, version 1809 [10.0.17763.4244] and later ✅ Windows 10, version 2004 [10.0.19041.2784] and later ✅ Windows 11, version 21H2 [10.0.22000.1754] and later ✅ Windows 11, version 22H2 [10.0.22621.1480] and later |
./Device/Vendor/MSFT/LAPS/Policies/ADEncryptedPasswordHistorySize
Use this setting to configure how many previous encrypted passwords will be remembered in Active Directory.
If not specified, this setting will default to 0 passwords (disabled).
This setting has a minimum allowed value of 0 passwords.
This setting has a maximum allowed value of 12 passwords.
Important
This setting is ignored unless ADPasswordEncryptionEnabled is configured to True and all other prerequisites are met.
Description framework properties:
Property name | Property value |
---|---|
Format | int |
Access Type | Add, Delete, Get, Replace |
Allowed Values | Range: [0-12] |
Default Value | 0 |
Dependency [BackupDirectory] | Dependency Type: DependsOn; Dependency URI: Vendor/MSFT/LAPS/Policies/BackupDirectory; Dependency Allowed Value: 2; Dependency Allowed Value Type: ENUM |
Policies/AdministratorAccountName
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ [10.0.20348.1663] and later ✅ [10.0.25145] and later ✅ Windows 10, version 1809 [10.0.17763.4244] and later ✅ Windows 10, version 2004 [10.0.19041.2784] and later ✅ Windows 11, version 21H2 [10.0.22000.1754] and later ✅ Windows 11, version 22H2 [10.0.22621.1480] and later |
./Device/Vendor/MSFT/LAPS/Policies/AdministratorAccountName
Use this setting to configure the name of the managed local administrator account.
If not specified, the default built-in local administrator account will be located by well-known SID (even if renamed).
If specified, the specified account's password will be managed.
Note: if a custom managed local administrator account name is specified in this setting, that account must be created by other means. Specifying a name in this setting doesn't cause the account to be created.
Description framework properties:
Property name | Property value |
---|---|
Format | chr (string) |
Access Type | Add, Delete, Get, Replace |
Policies/ADPasswordEncryptionEnabled
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ [10.0.20348.1663] and later ✅ [10.0.25145] and later ✅ Windows 10, version 1809 [10.0.17763.4244] and later ✅ Windows 10, version 2004 [10.0.19041.2784] and later ✅ Windows 11, version 21H2 [10.0.22000.1754] and later ✅ Windows 11, version 22H2 [10.0.22621.1480] and later |
./Device/Vendor/MSFT/LAPS/Policies/ADPasswordEncryptionEnabled
Use this setting to configure whether the password is encrypted before being stored in Active Directory.
This setting is ignored if the password is currently being stored in Microsoft Entra ID.
This setting is only honored when the Active Directory domain is at Windows Server 2016 Domain Functional Level or higher.
If this setting is enabled, and the Active Directory domain meets the DFL prerequisite, the password will be encrypted before being stored in Active Directory.
If this setting is disabled, or the Active Directory domain doesn't meet the DFL prerequisite, the password will be stored as clear-text in Active Directory.
If not specified, this setting defaults to True.
Important
This setting is ignored unless BackupDirectory is configured to back up the password to Active Directory, AND the Active Directory domain is at Windows Server 2016 Domain Functional Level or higher.
Description framework properties:
Property name | Property value |
---|---|
Format | bool |
Access Type | Add, Delete, Get, Replace |
Default Value | True |
Dependency [BackupDirectory] | Dependency Type: DependsOn; Dependency URI: Vendor/MSFT/LAPS/Policies/BackupDirectory; Dependency Allowed Value: 2; Dependency Allowed Value Type: ENUM |
Allowed values:
Value | Description |
---|---|
false | Store the password in clear-text form in Active Directory. |
true (Default) | Store the password in encrypted form in Active Directory. |
Policies/ADPasswordEncryptionPrincipal
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ [10.0.20348.1663] and later ✅ [10.0.25145] and later ✅ Windows 10, version 1809 [10.0.17763.4244] and later ✅ Windows 10, version 2004 [10.0.19041.2784] and later ✅ Windows 11, version 21H2 [10.0.22000.1754] and later ✅ Windows 11, version 22H2 [10.0.22621.1480] and later |
./Device/Vendor/MSFT/LAPS/Policies/ADPasswordEncryptionPrincipal
Use this setting to configure the name or SID of a user or group that can decrypt the password stored in Active Directory.
This setting is ignored if the password is currently being stored in Microsoft Entra ID.
If not specified, the password will be decryptable by the Domain Admins group in the device's domain.
If specified, the specified user or group will be able to decrypt the password stored in Active Directory.
If the specified user or group account is invalid, the device falls back to the Domain Admins group in the device's domain.
Important
This setting is ignored unless ADPasswordEncryptionEnabled is configured to True and all other prerequisites are met. The string stored in this setting must be either a SID in string form or the fully qualified name of a user or group. Valid examples include:
- S-1-5-21-2127521184-1604012920-1887927527-35197
- contoso\LAPSAdmins
- [email protected]
The principal identified (either by SID or by user or group name) must exist and be resolvable by the device.
Description framework properties:
Property name | Property value |
---|---|
Format | chr (string) |
Access Type | Add, Delete, Get, Replace |
Dependency [BackupDirectory] | Dependency Type: DependsOn; Dependency URI: Vendor/MSFT/LAPS/Policies/BackupDirectory; Dependency Allowed Value: 2; Dependency Allowed Value Type: ENUM |
Policies/AutomaticAccountManagementEnableAccount
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
./Device/Vendor/MSFT/LAPS/Policies/AutomaticAccountManagementEnableAccount
Use this setting to configure whether the automatically managed account is enabled or disabled.
If this setting is enabled, the target account will be enabled.
If this setting is disabled, the target account will be disabled.
If not specified, this setting defaults to False.
Description framework properties:
Property name | Property value |
---|---|
Format | bool |
Access Type | Add, Delete, Get, Replace |
Default Value | False |
Dependency [AutomaticAccountManagementEnabled] | Dependency Type: DependsOn; Dependency URI: Vendor/MSFT/LAPS/Policies/AutomaticAccountManagementEnabled; Dependency Allowed Value: true; Dependency Allowed Value Type: ENUM |
Allowed values:
Value | Description |
---|---|
False (Default) | The target account will be disabled. |
True | The target account will be enabled. |
Policies/AutomaticAccountManagementEnabled
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
./Device/Vendor/MSFT/LAPS/Policies/AutomaticAccountManagementEnabled
Use this setting to specify whether automatic account management is enabled.
If this setting is enabled, the target account will be automatically managed.
If this setting is disabled, the target account won't be automatically managed.
If not specified, this setting defaults to False.
Description framework properties:
Property name | Property value |
---|---|
Format | bool |
Access Type | Add, Delete, Get, Replace |
Default Value | False |
Allowed values:
Value | Description |
---|---|
false (Default) | The target account won't be automatically managed. |
true | The target account will be automatically managed. |
Policies/AutomaticAccountManagementNameOrPrefix
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
./Device/Vendor/MSFT/LAPS/Policies/AutomaticAccountManagementNameOrPrefix
Use this setting to configure the name or prefix of the managed local administrator account.
If specified, the value will be used as the name or name prefix of the managed account.
If not specified, this setting will default to "WLapsAdmin".
Description framework properties:
Property name | Property value |
---|---|
Format | chr (string) |
Access Type | Add, Delete, Get, Replace |
Dependency [AutomaticAccountManagementEnabled] | Dependency Type: DependsOn; Dependency URI: Vendor/MSFT/LAPS/Policies/AutomaticAccountManagementEnabled; Dependency Allowed Value: true; Dependency Allowed Value Type: ENUM |
Policies/AutomaticAccountManagementRandomizeName
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
./Device/Vendor/MSFT/LAPS/Policies/AutomaticAccountManagementRandomizeName
Use this setting to configure whether the name of the automatically managed account uses a random numeric suffix each time the password is rotated.
If this setting is enabled, the name of the target account will use a random numeric suffix.
If this setting is disabled, the name of the target account won't use a random numeric suffix.
If not specified, this setting defaults to False.
Description framework properties:
Property name | Property value |
---|---|
Format | bool |
Access Type | Add, Delete, Get, Replace |
Default Value | False |
Dependency [AutomaticAccountManagementEnabled] | Dependency Type: DependsOn; Dependency URI: Vendor/MSFT/LAPS/Policies/AutomaticAccountManagementEnabled; Dependency Allowed Value: true; Dependency Allowed Value Type: ENUM |
Allowed values:
Value | Description |
---|---|
False (Default) | The name of the target account won't use a random numeric suffix. |
True | The name of the target account will use a random numeric suffix. |
Policies/AutomaticAccountManagementTarget
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
./Device/Vendor/MSFT/LAPS/Policies/AutomaticAccountManagementTarget
Use this setting to configure which account is automatically managed.
The allowable settings are:
- 0 = The built-in administrator account will be managed.
- 1 = A new account created by Windows LAPS will be managed.
If not specified, this setting will default to 1.
Description framework properties:
Property name | Property value |
---|---|
Format | int |
Access Type | Add, Delete, Get, Replace |
Default Value | 1 |
Dependency [AutomaticAccountManagementEnabled] | Dependency Type: DependsOn; Dependency URI: Vendor/MSFT/LAPS/Policies/AutomaticAccountManagementEnabled; Dependency Allowed Value: true; Dependency Allowed Value Type: ENUM |
Allowed values:
Value | Description |
---|---|
0 | Manage the built-in administrator account. |
1 (Default) | Manage a new custom administrator account. |
Policies/BackupDirectory
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ [10.0.20348.1663] and later ✅ [10.0.25145] and later ✅ Windows 10, version 1809 [10.0.17763.4244] and later ✅ Windows 10, version 2004 [10.0.19041.2784] and later ✅ Windows 11, version 21H2 [10.0.22000.1754] and later ✅ Windows 11, version 22H2 [10.0.22621.1480] and later |
./Device/Vendor/MSFT/LAPS/Policies/BackupDirectory
Use this setting to configure which directory the local admin account password is backed up to.
The allowable settings are:
- 0 = Disabled (password won't be backed up).
- 1 = Back up the password to Microsoft Entra ID only.
- 2 = Back up the password to Active Directory only.
If not specified, this setting will default to 0.
Description framework properties:
Property name | Property value |
---|---|
Format | int |
Access Type | Add, Delete, Get, Replace |
Default Value | 0 |
Allowed values:
Value | Description |
---|---|
0 (Default) | Disabled (password won't be backed up). |
1 | Backup the password to Microsoft Entra ID only. |
2 | Backup the password to Active Directory only. |
Policies/PassphraseLength
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
./Device/Vendor/MSFT/LAPS/Policies/PassphraseLength
Use this setting to configure the number of passphrase words.
If not specified, this setting will default to 6 words.
This setting has a minimum allowed value of 3 words.
This setting has a maximum allowed value of 10 words.
Description framework properties:
Property name | Property value |
---|---|
Format | int |
Access Type | Add, Delete, Get, Replace |
Allowed Values | Range: [3-10] |
Default Value | 6 |
Dependency [PasswordComplexity] | Dependency Type: DependsOn; Dependency URI: Vendor/MSFT/LAPS/Policies/PasswordComplexity; Dependency Allowed Value: [6-8]; Dependency Allowed Value Type: Range |
Policies/PasswordAgeDays
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ [10.0.20348.1663] and later ✅ [10.0.25145] and later ✅ Windows 10, version 1809 [10.0.17763.4244] and later ✅ Windows 10, version 2004 [10.0.19041.2784] and later ✅ Windows 11, version 21H2 [10.0.22000.1754] and later ✅ Windows 11, version 22H2 [10.0.22621.1480] and later |
./Device/Vendor/MSFT/LAPS/Policies/PasswordAgeDays
Use this policy to configure the maximum password age of the managed local administrator account.
If not specified, this setting will default to 30 days.
This setting has a minimum allowed value of 1 day when backing the password up to on-premises Active Directory, and 7 days when backing the password up to Microsoft Entra ID.
This setting has a maximum allowed value of 365 days.
Description framework properties:
Property name | Property value |
---|---|
Format | int |
Access Type | Add, Delete, Get, Replace |
Allowed Values | Range: [1-365] |
Default Value | 30 |
Dependency [BackupDirectoryAADMode] | Dependency Type: DependsOn; Dependency URI: Vendor/MSFT/LAPS/Policies/BackupDirectory; Dependency Allowed Value: 1; Dependency Allowed Value Type: ENUM |
Dependency [BackupDirectoryADMode] | Dependency Type: DependsOn; Dependency URI: Vendor/MSFT/LAPS/Policies/BackupDirectory; Dependency Allowed Value: 2; Dependency Allowed Value Type: ENUM |
Policies/PasswordComplexity
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ [10.0.20348.1663] and later ✅ [10.0.25145] and later ✅ Windows 10, version 1809 [10.0.17763.4244] and later ✅ Windows 10, version 2004 [10.0.19041.2784] and later ✅ Windows 11, version 21H2 [10.0.22000.1754] and later ✅ Windows 11, version 22H2 [10.0.22621.1480] and later |
./Device/Vendor/MSFT/LAPS/Policies/PasswordComplexity
Use this setting to configure password complexity of the managed local administrator account.
The allowable settings are:
- 1 = Large letters
- 2 = Large letters + small letters
- 3 = Large letters + small letters + numbers
- 4 = Large letters + small letters + numbers + special characters
- 5 = Large letters + small letters + numbers + special characters (improved readability)
- 6 = Passphrase (long words)
- 7 = Passphrase (short words)
- 8 = Passphrase (short words with unique prefixes)
If not specified, this setting will default to 4.
The passphrase word list is taken from "Deep Dive: EFF's New Wordlists for Random Passphrases" by the Electronic Frontier Foundation and is used under a CC-BY-3.0 Attribution license. See https://go.microsoft.com/fwlink/?linkid=2255471 for more information.
Important
Windows supports the lower password complexity settings (1, 2, and 3) only for backwards compatibility with older versions of LAPS. Microsoft recommends that this setting always be configured to 4.
Description framework properties:
Property name | Property value |
---|---|
Format | int |
Access Type | Add, Delete, Get, Replace |
Default Value | 4 |
Allowed values:
Value | Description |
---|---|
1 | Large letters. |
2 | Large letters + small letters. |
3 | Large letters + small letters + numbers. |
4 (Default) | Large letters + small letters + numbers + special characters. |
5 | Large letters + small letters + numbers + special characters (improved readability). |
6 | Passphrase (long words). |
7 | Passphrase (short words). |
8 | Passphrase (short words with unique prefixes). |
Policies/PasswordExpirationProtectionEnabled
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ [10.0.20348.1663] and later ✅ [10.0.25145] and later ✅ Windows 10, version 1809 [10.0.17763.4244] and later ✅ Windows 10, version 2004 [10.0.19041.2784] and later ✅ Windows 11, version 21H2 [10.0.22000.1754] and later ✅ Windows 11, version 22H2 [10.0.22621.1480] and later |
./Device/Vendor/MSFT/LAPS/Policies/PasswordExpirationProtectionEnabled
Use this setting to configure additional enforcement of maximum password age for the managed local administrator account.
When this setting is enabled, planned password expiration that would result in a password age greater than that dictated by "PasswordAgeDays" policy is NOT allowed. When such expiration is detected, the password is changed immediately and the new password expiration date is set according to policy.
If not specified, this setting defaults to True.
Important
This setting is ignored unless BackupDirectory is configured to back up the password to Active Directory.
Description framework properties:
Property name | Property value |
---|---|
Format | bool |
Access Type | Add, Delete, Get, Replace |
Default Value | True |
Dependency [BackupDirectory] | Dependency Type: DependsOn; Dependency URI: Vendor/MSFT/LAPS/Policies/BackupDirectory; Dependency Allowed Value: 2; Dependency Allowed Value Type: ENUM |
Allowed values:
Value | Description |
---|---|
false | Allow configured password expiration timestamp to exceed maximum password age. |
true (Default) | Don't allow configured password expiration timestamp to exceed maximum password age. |
Policies/PasswordLength
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ [10.0.20348.1663] and later ✅ [10.0.25145] and later ✅ Windows 10, version 1809 [10.0.17763.4244] and later ✅ Windows 10, version 2004 [10.0.19041.2784] and later ✅ Windows 11, version 21H2 [10.0.22000.1754] and later ✅ Windows 11, version 22H2 [10.0.22621.1480] and later |
./Device/Vendor/MSFT/LAPS/Policies/PasswordLength
Use this setting to configure the length of the password of the managed local administrator account.
If not specified, this setting will default to 14 characters.
This setting has a minimum allowed value of 8 characters.
This setting has a maximum allowed value of 64 characters.
Description framework properties:
Property name | Property value |
---|---|
Format | int |
Access Type | Add, Delete, Get, Replace |
Allowed Values | Range: [8-64] |
Default Value | 14 |
Dependency [PasswordComplexity] | Dependency Type: DependsOn; Dependency URI: Vendor/MSFT/LAPS/Policies/PasswordComplexity; Dependency Allowed Value: [1-5]; Dependency Allowed Value Type: Range |
Policies/PostAuthenticationActions
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ [10.0.20348.1663] and later ✅ [10.0.25145] and later ✅ Windows 10, version 1809 [10.0.17763.4244] and later ✅ Windows 10, version 2004 [10.0.19041.2784] and later ✅ Windows 11, version 21H2 [10.0.22000.1754] and later ✅ Windows 11, version 22H2 [10.0.22621.1480] and later |
./Device/Vendor/MSFT/LAPS/Policies/PostAuthenticationActions
Use this setting to specify the actions to take upon expiration of the configured grace period.
If not specified, this setting will default to 3 (Reset the password and logoff the managed account).
Important
The allowed post-authentication actions are intended to limit the amount of time that a LAPS password can be used before being reset. Logging off the managed account, or rebooting the device, are options that help ensure this. Abrupt termination of logon sessions, or rebooting the device, may result in data loss.
Important
From a security perspective, a malicious user who acquires administrative privileges on a device using a valid LAPS password does have the ultimate ability to prevent or circumvent these mechanisms.
Description framework properties:
Property name | Property value |
---|---|
Format | int |
Access Type | Add, Delete, Get, Replace |
Default Value | 3 |
Allowed values:
Value | Description |
---|---|
1 | Reset password: upon expiry of the grace period, the managed account password will be reset. |
3 (Default) | Reset the password and logoff the managed account: upon expiry of the grace period, the managed account password will be reset and any interactive logon sessions using the managed account will be terminated. |
5 | Reset the password and reboot: upon expiry of the grace period, the managed account password will be reset and the managed device will be immediately rebooted. |
11 | Reset the password, logoff the managed account, and terminate any remaining processes: upon expiration of the grace period, the managed account password is reset, any interactive logon sessions using the managed account are logged off, and any remaining processes are terminated. |
Policies/PostAuthenticationResetDelay
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ [10.0.20348.1663] and later ✅ [10.0.25145] and later ✅ Windows 10, version 1809 [10.0.17763.4244] and later ✅ Windows 10, version 2004 [10.0.19041.2784] and later ✅ Windows 11, version 21H2 [10.0.22000.1754] and later ✅ Windows 11, version 22H2 [10.0.22621.1480] and later |
./Device/Vendor/MSFT/LAPS/Policies/PostAuthenticationResetDelay
Use this setting to specify the amount of time (in hours) to wait after an authentication before executing the specified post-authentication actions.
If not specified, this setting will default to 24 hours.
This setting has a minimum allowed value of 0 hours (this disables all post-authentication actions).
This setting has a maximum allowed value of 24 hours.
Description framework properties:
Property name | Property value |
---|---|
Format | int |
Access Type | Add, Delete, Get, Replace |
Allowed Values | Range: [0-24] |
Default Value | 24 |
Settings Applicability
The LAPS CSP can be used to manage devices that are either joined to Microsoft Entra ID or joined to both Microsoft Entra ID and Active Directory (hybrid-joined). The LAPS CSP manages a mix of Microsoft Entra-only and AD-only settings. The AD-only settings are only applicable for hybrid-joined devices, and then only when BackupDirectory is set to 2.
Setting name | Azure-joined | Hybrid-joined |
---|---|---|
BackupDirectory | Yes | Yes |
PasswordAgeDays | Yes | Yes |
PasswordLength | Yes | Yes |
PasswordComplexity | Yes | Yes |
PasswordExpirationProtectionEnabled | No | Yes |
AdministratorAccountName | Yes | Yes |
ADPasswordEncryptionEnabled | No | Yes |
ADPasswordEncryptionPrincipal | No | Yes |
ADEncryptedPasswordHistorySize | No | Yes |
PostAuthenticationResetDelay | Yes | Yes |
PostAuthenticationActions | Yes | Yes |
ResetPassword | Yes | Yes |
ResetPasswordStatus | Yes | Yes |
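The applicability table and the per-setting dependency rows describe a set of constraints that an MDM payload can silently violate: an AD-only setting pushed to an Entra-joined device, a PasswordAgeDays below 7 with Entra backup, a PasswordLength paired with a passphrase complexity, or an out-of-range value the CSP will reject. The validator below is an added example (not Microsoft's code) that encodes the ranges, enums, defaults and dependencies stated on this page and reports hard errors separately from settings that are merely ignored or discouraged; the device join type is an assumption the caller passes in, since the CSP does not expose it.

```python
"""Check a proposed Windows LAPS CSP policy set against the ranges and dependency
rules documented for ./Device/Vendor/MSFT/LAPS/Policies.

Added example, not Microsoft's code. The rule tables below are transcribed from
the CSP documentation; the device join type (hybrid_joined) is an assumption the
caller supplies, since the CSP itself does not expose it.
"""

RANGES = {"ADEncryptedPasswordHistorySize": (0, 12), "PassphraseLength": (3, 10),
          "PasswordAgeDays": (1, 365), "PasswordLength": (8, 64),
          "PostAuthenticationResetDelay": (0, 24)}
ENUMS = {"BackupDirectory": {0, 1, 2}, "PasswordComplexity": set(range(1, 9)),
         "AutomaticAccountManagementTarget": {0, 1}, "PostAuthenticationActions": {1, 3, 5, 11}}
BOOLS = {"ADPasswordEncryptionEnabled", "PasswordExpirationProtectionEnabled",
         "AutomaticAccountManagementEnabled", "AutomaticAccountManagementEnableAccount",
         "AutomaticAccountManagementRandomizeName"}
STRINGS = {"AdministratorAccountName", "ADPasswordEncryptionPrincipal",
           "AutomaticAccountManagementNameOrPrefix"}
# Honoured only when the password is backed up to Active Directory (BackupDirectory = 2).
AD_ONLY = {"PasswordExpirationProtectionEnabled", "ADPasswordEncryptionEnabled",
           "ADPasswordEncryptionPrincipal", "ADEncryptedPasswordHistorySize"}
# Honoured only when AutomaticAccountManagementEnabled is True.
AAM_DEPENDENT = {"AutomaticAccountManagementEnableAccount", "AutomaticAccountManagementNameOrPrefix",
                 "AutomaticAccountManagementRandomizeName", "AutomaticAccountManagementTarget"}
# Documented defaults that the dependency checks need when a setting is left unspecified.
DEFAULTS = {"BackupDirectory": 0, "PasswordAgeDays": 30, "PasswordComplexity": 4,
            "ADPasswordEncryptionEnabled": True, "AutomaticAccountManagementEnabled": False,
            "PostAuthenticationResetDelay": 24}


def validate_laps_policy(policy, hybrid_joined):
    """Return (errors, warnings) for a dict of {node name: value}.

    Errors are values the CSP documents as out of range or of the wrong type;
    warnings are settings that are well-formed but ignored or discouraged.
    """
    errors, warnings = [], []
    known = set(RANGES) | set(ENUMS) | BOOLS | STRINGS
    for name, value in policy.items():
        is_int = isinstance(value, int) and not isinstance(value, bool)
        if name not in known:
            errors.append(f"{name}: not a LAPS CSP policy node")
        elif name in RANGES:
            lo, hi = RANGES[name]
            if not is_int or not lo <= value <= hi:
                errors.append(f"{name}: must be an int in [{lo}-{hi}], got {value!r}")
        elif name in ENUMS:
            if not is_int or value not in ENUMS[name]:
                errors.append(f"{name}: must be one of {sorted(ENUMS[name])}, got {value!r}")
        elif name in BOOLS:
            if not isinstance(value, bool):
                errors.append(f"{name}: must be a bool, got {value!r}")
        elif not isinstance(value, str) or not value.strip():
            errors.append(f"{name}: must be a non-empty string, got {value!r}")
    if errors:
        return errors, warnings  # dependency checks below assume well-typed values

    eff = {**DEFAULTS, **policy}
    backup, complexity = eff["BackupDirectory"], eff["PasswordComplexity"]
    if backup == 1 and eff["PasswordAgeDays"] < 7:
        errors.append("PasswordAgeDays: minimum is 7 days when backing up to Microsoft Entra ID")
    if backup == 0:
        warnings.append("BackupDirectory: 0 (or unset) means the password won't be backed up")
    if backup == 2 and not hybrid_joined:
        warnings.append("BackupDirectory: Active Directory backup applies only to hybrid-joined devices")
    for name in sorted(AD_ONLY & set(policy)):
        if backup != 2:
            warnings.append(f"{name}: ignored unless BackupDirectory is 2 (Active Directory)")
    if "ADEncryptedPasswordHistorySize" in policy and not eff["ADPasswordEncryptionEnabled"]:
        warnings.append("ADEncryptedPasswordHistorySize: ignored unless ADPasswordEncryptionEnabled is True")
    if complexity < 4:
        warnings.append(f"PasswordComplexity: {complexity} is supported only for backwards compatibility; 4 is recommended")
    if complexity <= 5 and "PassphraseLength" in policy:
        warnings.append("PassphraseLength: ignored unless PasswordComplexity is a passphrase setting (6-8)")
    if complexity >= 6 and "PasswordLength" in policy:
        warnings.append("PasswordLength: ignored when PasswordComplexity is a passphrase setting (6-8)")
    if not eff["AutomaticAccountManagementEnabled"]:
        for name in sorted(AAM_DEPENDENT & set(policy)):
            warnings.append(f"{name}: ignored unless AutomaticAccountManagementEnabled is True")
    if eff["PostAuthenticationResetDelay"] == 0 and "PostAuthenticationActions" in policy:
        warnings.append("PostAuthenticationActions: a PostAuthenticationResetDelay of 0 disables all post-authentication actions")
    return errors, warnings


# Constructed sample: the values of the hybrid-joined SyncML example on this page.
HYBRID_AD_SAMPLE = {
    "BackupDirectory": 2, "PasswordAgeDays": 20, "PasswordComplexity": 3, "PasswordLength": 14,
    "AdministratorAccountName": "ContosoLocalLapsAdmin", "PasswordExpirationProtectionEnabled": True,
    "ADPasswordEncryptionEnabled": True, "ADPasswordEncryptionPrincipal": "contoso\\LAPSAdmins",
    "ADEncryptedPasswordHistorySize": 6, "PostAuthenticationResetDelay": 4, "PostAuthenticationActions": 5,
}
# Constructed sample: an Entra-only device given an AD-only setting and a too-short age.
ENTRA_MISCONFIGURED_SAMPLE = {"BackupDirectory": 1, "PasswordAgeDays": 3, "PasswordComplexity": 6,
                              "PasswordLength": 32, "ADPasswordEncryptionEnabled": True}

if __name__ == "__main__":
    print(validate_laps_policy(HYBRID_AD_SAMPLE, hybrid_joined=True))
    print(validate_laps_policy(ENTRA_MISCONFIGURED_SAMPLE, hybrid_joined=False))
```

Run against the page's own hybrid example, the only finding is the complexity-3 warning the Important note above predicts; the Entra sample produces a hard error for PasswordAgeDays and warnings for the AD-only setting and the PasswordLength that a passphrase complexity ignores.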
SyncML examples
The following examples are provided to show the correct format and shouldn't be considered as a recommendation.
Azure-joined device backing password up to Microsoft Entra ID
This example shows how to configure an Azure-joined device to back up its password to Microsoft Entra ID:
```xml
<SyncMl xmlns="SYNCML:SYNCML1.2">
  <SyncBody>
    <Add>
      <CmdId>1</CmdId>
      <Item>
        <Target>
          <LocURI>./Device/Vendor/MSFT/LAPS/Policies/BackupDirectory</LocURI>
        </Target>
        <Meta>
          <Format xmlns="syncml:metinf">int</Format>
          <Type>text/plain</Type>
        </Meta>
        <Data>1</Data>
      </Item>
    </Add>
    <Add>
      <CmdId>2</CmdId>
      <Item>
        <Target>
          <LocURI>./Device/Vendor/MSFT/LAPS/Policies/PasswordAgeDays</LocURI>
        </Target>
        <Meta>
          <Format xmlns="syncml:metinf">int</Format>
          <Type>text/plain</Type>
        </Meta>
        <Data>7</Data>
      </Item>
    </Add>
    <Add>
      <CmdId>3</CmdId>
      <Item>
        <Target>
          <LocURI>./Device/Vendor/MSFT/LAPS/Policies/PasswordComplexity</LocURI>
        </Target>
        <Meta>
          <Format xmlns="syncml:metinf">int</Format>
          <Type>text/plain</Type>
        </Meta>
        <Data>4</Data>
      </Item>
    </Add>
    <Add>
      <CmdId>4</CmdId>
      <Item>
        <Target>
          <LocURI>./Device/Vendor/MSFT/LAPS/Policies/PasswordLength</LocURI>
        </Target>
        <Meta>
          <Format xmlns="syncml:metinf">int</Format>
          <Type>text/plain</Type>
        </Meta>
        <Data>32</Data>
      </Item>
    </Add>
    <Add>
      <CmdId>5</CmdId>
      <Item>
        <Target>
          <LocURI>./Device/Vendor/MSFT/LAPS/Policies/AdministratorAccountName</LocURI>
        </Target>
        <Meta>
          <Format xmlns="syncml:metinf">chr</Format>
          <Type>text/plain</Type>
        </Meta>
        <Data>ContosoLocalLapsAdmin</Data>
      </Item>
    </Add>
    <Add>
      <CmdId>6</CmdId>
      <Item>
        <Target>
          <LocURI>./Device/Vendor/MSFT/LAPS/Policies/PostAuthenticationResetDelay</LocURI>
        </Target>
        <Meta>
          <Format xmlns="syncml:metinf">int</Format>
          <Type>text/plain</Type>
        </Meta>
        <Data>8</Data>
      </Item>
    </Add>
    <Add>
      <CmdId>7</CmdId>
      <Item>
        <Target>
          <LocURI>./Device/Vendor/MSFT/LAPS/Policies/PostAuthenticationActions</LocURI>
        </Target>
        <Meta>
          <Format xmlns="syncml:metinf">int</Format>
          <Type>text/plain</Type>
        </Meta>
        <Data>3</Data>
      </Item>
    </Add>
    <Final/>
  </SyncBody>
</SyncMl>
```
Hybrid-joined device backing password up to Active Directory
This example shows how to configure a hybrid-joined device to back up its password to Active Directory with password encryption enabled:
```xml
<SyncMl xmlns="SYNCML:SYNCML1.2">
  <SyncBody>
    <Add>
      <CmdId>1</CmdId>
      <Item>
        <Target>
          <LocURI>./Device/Vendor/MSFT/LAPS/Policies/BackupDirectory</LocURI>
        </Target>
        <Meta>
          <Format xmlns="syncml:metinf">int</Format>
          <Type>text/plain</Type>
        </Meta>
        <Data>2</Data>
      </Item>
    </Add>
    <Add>
      <CmdId>2</CmdId>
      <Item>
        <Target>
          <LocURI>./Device/Vendor/MSFT/LAPS/Policies/PasswordAgeDays</LocURI>
        </Target>
        <Meta>
          <Format xmlns="syncml:metinf">int</Format>
          <Type>text/plain</Type>
        </Meta>
        <Data>20</Data>
      </Item>
    </Add>
    <Add>
      <CmdId>3</CmdId>
      <Item>
        <Target>
          <LocURI>./Device/Vendor/MSFT/LAPS/Policies/PasswordComplexity</LocURI>
        </Target>
        <Meta>
          <Format xmlns="syncml:metinf">int</Format>
          <Type>text/plain</Type>
        </Meta>
        <Data>3</Data>
      </Item>
    </Add>
    <Add>
      <CmdId>4</CmdId>
      <Item>
        <Target>
          <LocURI>./Device/Vendor/MSFT/LAPS/Policies/PasswordLength</LocURI>
        </Target>
        <Meta>
          <Format xmlns="syncml:metinf">int</Format>
          <Type>text/plain</Type>
        </Meta>
        <Data>14</Data>
      </Item>
    </Add>
    <Add>
      <CmdId>5</CmdId>
      <Item>
        <Target>
          <LocURI>./Device/Vendor/MSFT/LAPS/Policies/AdministratorAccountName</LocURI>
        </Target>
        <Meta>
          <Format xmlns="syncml:metinf">chr</Format>
          <Type>text/plain</Type>
        </Meta>
        <Data>ContosoLocalLapsAdmin</Data>
      </Item>
    </Add>
    <Add>
      <CmdId>6</CmdId>
      <Item>
        <Target>
          <LocURI>./Device/Vendor/MSFT/LAPS/Policies/PasswordExpirationProtectionEnabled</LocURI>
        </Target>
        <Meta>
          <Format xmlns="syncml:metinf">bool</Format>
          <Type>text/plain</Type>
        </Meta>
        <Data>True</Data>
      </Item>
    </Add>
    <Add>
      <CmdId>7</CmdId>
      <Item>
        <Target>
          <LocURI>./Device/Vendor/MSFT/LAPS/Policies/ADPasswordEncryptionEnabled</LocURI>
        </Target>
        <Meta>
          <Format xmlns="syncml:metinf">bool</Format>
          <Type>text/plain</Type>
        </Meta>
        <Data>True</Data>
      </Item>
    </Add>
    <Add>
      <CmdId>8</CmdId>
      <Item>
        <Target>
          <LocURI>./Device/Vendor/MSFT/LAPS/Policies/ADPasswordEncryptionPrincipal</LocURI>
        </Target>
        <Meta>
          <Format xmlns="syncml:metinf">chr</Format>
          <Type>text/plain</Type>
        </Meta>
        <Data>[email protected]</Data>
      </Item>
    </Add>
    <Add>
      <CmdId>9</CmdId>
      <Item>
        <Target>
          <LocURI>./Device/Vendor/MSFT/LAPS/Policies/ADEncryptedPasswordHistorySize</LocURI>
        </Target>
        <Meta>
          <Format xmlns="syncml:metinf">int</Format>
          <Type>text/plain</Type>
        </Meta>
        <Data>6</Data>
      </Item>
    </Add>
    <Add>
      <CmdId>10</CmdId>
      <Item>
        <Target>
          <LocURI>./Device/Vendor/MSFT/LAPS/Policies/PostAuthenticationResetDelay</LocURI>
        </Target>
        <Meta>
          <Format xmlns="syncml:metinf">int</Format>
          <Type>text/plain</Type>
        </Meta>
        <Data>4</Data>
      </Item>
    </Add>
    <Add>
      <CmdId>11</CmdId>
      <Item>
        <Target>
          <LocURI>./Device/Vendor/MSFT/LAPS/Policies/PostAuthenticationActions</LocURI>
        </Target>
        <Meta>
          <Format xmlns="syncml:metinf">int</Format>
          <Type>text/plain</Type>
        </Meta>
        <Data>5</Data>
      </Item>
    </Add>
    <Final/>
  </SyncBody>
</SyncMl>
```
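Both SyncML examples above follow one pattern: an `<Add>` per policy node, a sequential `CmdId`, a `LocURI` under `./Device/Vendor/MSFT/LAPS/Policies/`, and a `Format` that must match the node's documented type (int, chr or bool). The following added example, which is not Microsoft's or any MDM vendor's code, generates that payload from a plain dict and parses it back, rejecting a `Format` that disagrees with the CSP's type table, a `LocURI` outside the LAPS policy subtree, and duplicate `CmdId`s. It emits a `<SyncML>` root (the standard element name) and renders bools as `True`/`False` as the examples above do; the sample policy is constructed from the Entra-joined example's values.

```python
"""Build and parse OMA-DM SyncML for the LAPS CSP, checking each <Add> against
the Format (int / chr / bool) documented for that policy node.

Added example, not Microsoft's code. NODE_FORMAT is transcribed from the CSP
documentation; the SyncML layout mirrors the documented examples.
"""
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

POLICY_PREFIX = "./Device/Vendor/MSFT/LAPS/Policies/"
NODE_FORMAT = {
    "ADEncryptedPasswordHistorySize": "int", "AdministratorAccountName": "chr",
    "ADPasswordEncryptionEnabled": "bool", "ADPasswordEncryptionPrincipal": "chr",
    "AutomaticAccountManagementEnableAccount": "bool", "AutomaticAccountManagementEnabled": "bool",
    "AutomaticAccountManagementNameOrPrefix": "chr", "AutomaticAccountManagementRandomizeName": "bool",
    "AutomaticAccountManagementTarget": "int", "BackupDirectory": "int", "PassphraseLength": "int",
    "PasswordAgeDays": "int", "PasswordComplexity": "int", "PasswordExpirationProtectionEnabled": "bool",
    "PasswordLength": "int", "PostAuthenticationActions": "int", "PostAuthenticationResetDelay": "int",
}
SYNCML = "{SYNCML:SYNCML1.2}"   # default namespace of the document
METINF = "{syncml:metinf}"      # namespace of <Format>

_ADD = """  <Add>
    <CmdId>{cmd}</CmdId>
    <Item>
      <Target><LocURI>{uri}</LocURI></Target>
      <Meta><Format xmlns="syncml:metinf">{fmt}</Format><Type>text/plain</Type></Meta>
      <Data>{data}</Data>
    </Item>
  </Add>
"""


def _encode(name, value):
    """Return (Format, Data text) for a node, refusing values of the wrong Python type."""
    fmt = NODE_FORMAT[name]
    if fmt == "bool" and isinstance(value, bool):
        return fmt, "True" if value else "False"
    if fmt == "int" and isinstance(value, int) and not isinstance(value, bool):
        return fmt, str(value)
    if fmt == "chr" and isinstance(value, str):
        return fmt, escape(value)  # keep &, <, > in account names from breaking the XML
    raise TypeError(f"{name} expects {fmt}, got {value!r}")


def build_laps_syncml(policy):
    """Render one <Add> per setting, in dict order, with sequential CmdIds."""
    adds = []
    for cmd, (name, value) in enumerate(policy.items(), start=1):
        if name not in NODE_FORMAT:
            raise KeyError(f"{name} is not a LAPS policy node")
        fmt, data = _encode(name, value)
        adds.append(_ADD.format(cmd=cmd, uri=POLICY_PREFIX + name, fmt=fmt, data=data))
    return ('<SyncML xmlns="SYNCML:SYNCML1.2">\n<SyncBody>\n' + "".join(adds)
            + "<Final/>\n</SyncBody>\n</SyncML>\n")


def parse_laps_syncml(text):
    """Return {node: typed value}; raise ValueError on a Format/URI/CmdId problem."""
    body = ET.fromstring(text).find(f"{SYNCML}SyncBody")
    if body is None:
        raise ValueError("no SyncBody element")
    seen, policy = set(), {}
    for add in body.findall(f"{SYNCML}Add"):
        cmd = add.findtext(f"{SYNCML}CmdId")
        if cmd in seen:
            raise ValueError(f"duplicate CmdId {cmd}")
        seen.add(cmd)
        uri = add.findtext(f"{SYNCML}Item/{SYNCML}Target/{SYNCML}LocURI", "")
        fmt = add.findtext(f"{SYNCML}Item/{SYNCML}Meta/{METINF}Format", "")
        data = add.findtext(f"{SYNCML}Item/{SYNCML}Data", "")
        if not uri.startswith(POLICY_PREFIX):
            raise ValueError(f"CmdId {cmd}: {uri} is outside the LAPS policy subtree")
        name = uri[len(POLICY_PREFIX):]
        expected = NODE_FORMAT.get(name)
        if expected is None:
            raise ValueError(f"CmdId {cmd}: unknown node {name}")
        if fmt != expected:
            raise ValueError(f"CmdId {cmd}: {name} needs Format {expected}, got {fmt!r}")
        if expected == "int":
            policy[name] = int(data)
        elif expected == "bool":
            if data.lower() not in ("true", "false"):
                raise ValueError(f"CmdId {cmd}: bool Data must be true/false, got {data!r}")
            policy[name] = data.lower() == "true"
        else:
            policy[name] = data
    return policy


def is_rejected(text):
    """True when the parser refuses the document (used to probe malformed input)."""
    try:
        parse_laps_syncml(text)
    except (ValueError, ET.ParseError):
        return True
    return False


# Constructed sample: the Entra-joined example's values as a dict.
ENTRA_SAMPLE = {"BackupDirectory": 1, "PasswordAgeDays": 7, "PasswordComplexity": 4,
                "PasswordLength": 32, "AdministratorAccountName": "ContosoLocalLapsAdmin",
                "PostAuthenticationResetDelay": 8, "PostAuthenticationActions": 3}

if __name__ == "__main__":
    print(build_laps_syncml(ENTRA_SAMPLE))
    print(parse_laps_syncml(build_laps_syncml(ENTRA_SAMPLE)) == ENTRA_SAMPLE)  # True
```

The parser also accepts the page's own examples (the root element name is not checked), so it can be pointed at a payload exported from an MDM console to confirm every node carries the Format the CSP expects before it is pushed to devices.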