
LAPS

Retrieving Windows LAPS Azure AD Passwords with PowerShell

Did you know that for the new Windows LAPS, Azure AD also maintains the password history? The built-in PowerShell cmdlet relies on the Microsoft Graph PowerShell SDK, and within this post I want to show you how to work with the Get-LapsAADPassword cmdlet. Kudos to Niklas Tinner, as he brought this to my attention while we were working together.

Where is this command originating from?

The Get-LapsAADPassword cmdlet is part of the LAPS PowerShell module that was baked into the Windows operating system with the April 2023 quality updates. The module is maintained as part of the operating system and builds the interface to interact with Windows LAPS locally on a device. The module binaries reside within C:\Windows\system32\WindowsPowerShell\v1.0\Modules\LAPS and consist of DLLs and PowerShell files:

Let's retrieve some passwords

Before we can start retrieving passwords we need to make sure that we have the appropriate Microsoft Graph PowerShell SDK module present. We can easily check this with the following PowerShell command:

Get-Module -Name Microsoft.Graph -ListAvailable

If you do not retrieve any output, you need to install the module with local Administrator privileges with:

Let's have a tête-à-tête with the new Windows LAPS for Azure AD joined devices

Loooooong awaited and it's finally here - the new Windows LAPS. With the previous announcement(s) of the integration into the native Windows operating system and support for Azure AD join, this was a long-awaited feature. With the recent Patch Tuesday the binaries were baked into and delivered natively with the current Windows client and Server OS, and today Microsoft also launched the Azure AD backend that can serve as the backup target for passwords. Within this post, I want to give you a quick impression of what the deployment experience currently looks like and where I needed some adjustments to get the expected result.

Setup

Prerequisites

To deploy LAPS with Azure AD password backup and Intune you need licenses/access to those tools and Windows 10/11 devices with the latest April patches installed. A full list of prerequisites is provided by Microsoft here.

Azure AD enablement

Unlike the on-premises AD LAPS enablement, we do not need any schema extensions and can simply enable the following toggle within our Azure AD device settings: