https://nicolasuter.ch/tags/windows/Recent content in Windows on Nicola SuterHugo -- gohugo.ioen-US© 2026 Nicola SuterWed, 10 May 2023 00:00:00 +0000https://nicolasuter.ch/retrieving-windows-laps-azure-ad-passwords-with-powershell/Wed, 10 May 2023 00:00:00 +0000https://nicolasuter.ch/retrieving-windows-laps-azure-ad-passwords-with-powershell/<p>Did you know that for the new Windows LAPS Azure AD is also maintaining the password history? The built in PowerShell commandlet relies on the Microsoft Graph PowerShell SDK and within this post I want to show you how to work with the <code>Get-LapsAADPassword</code> cmdlet.</p> <p>Kudos to <a href="https://medium.com/u/b214ce59ec84" target="_blank" rel="noreferrer">Niklas Tinner</a> as he brought this to my attention while working together.</p> <h2 class="relative group">Where is this command originating from? <div id="where-is-this-command-originating-from" class="anchor"></div> <span class="absolute top-0 w-6 transition-opacity opacity-0 -start-6 not-prose group-hover:opacity-100 select-none"> <a class="text-primary-300 dark:text-neutral-700 !no-underline" href="#where-is-this-command-originating-from" aria-label="Anchor">#</a> </span> </h2> <p>The <code>Get-LapsAADPassword</code> cmdlet is part of the <code>LAPS</code> PowerShell module that was baked into the Windows Operating system with the April 2023 quality updates.</p> <p>The module is maintained as part of the Operating System and builds the Interface to interact with Windows LAPS locally on a device. The module binaries reside within <code>C:\Windows\system32\WindowsPowerShell\v1.0\Modules\LAPS</code> and consist of DLLs and PowerShell files:</p> <figure><img class="my-0 rounded-md" loading="lazy" decoding="async" fetchpriority="low" alt="" src="static/content/images/1__qcPzW4MPs441N6xsGkF2sA.png" ></figure> <h3 class="relative group">Let’s retrieve some passwords <div id="lets-retrieve-some-passwords" class="anchor"></div> <span class="absolute top-0 w-6 transition-opacity opacity-0 -start-6 not-prose group-hover:opacity-100 select-none"> <a class="text-primary-300 dark:text-neutral-700 !no-underline" href="#lets-retrieve-some-passwords" aria-label="Anchor">#</a> </span> </h3> <p>Before we can start retrieving passwords we need to make sure, that we have the appropriate <a href="https://github.com/microsoftgraph/msgraph-sdk-powershell" target="_blank" rel="noreferrer">Microsoft Graph PowerShell SDK</a> module present.</p> <p>We can easily check this with the following PowerShell command:</p> <div class="highlight-wrapper"><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-powershell" data-lang="powershell"><span class="line"><span class="cl"><span class="nb">Get-Module</span> <span class="n">-Name</span> <span class="n">Microsoft</span><span class="p">.</span><span class="py">Graph</span> <span class="n">-ListAvailable</span></span></span></code></pre></div></div> <p>If you do not retrieve any output, you need to install the module with local Administrator privileges with:</p>https://nicolasuter.ch/meeting-windows-laps/Fri, 21 Apr 2023 18:56:24 +0000https://nicolasuter.ch/meeting-windows-laps/<p>Loooooong awaited and it&rsquo;s finally here - the new Windows LAPS. With the previous announcement(s) of the integration into the native Windows operating system and support for Azure AD join this was a long-awaited feature. With the recent patch Tuesday the binaries were backed and delivered natively into the current Windows client and Server OS and today they also launched the Azure AD backend that can serve as the backup source for passwords. Within this post, I want to give you a quick impression of what the deployment experience currently looks like and where I needed some adjustments to get the expected result.</p> <h2 class="relative group">Setup <div id="setup" class="anchor"></div> <span class="absolute top-0 w-6 transition-opacity opacity-0 -start-6 not-prose group-hover:opacity-100 select-none"> <a class="text-primary-300 dark:text-neutral-700 !no-underline" href="#setup" aria-label="Anchor">#</a> </span> </h2> <h3 class="relative group">Prerequisites <div id="prerequisites" class="anchor"></div> <span class="absolute top-0 w-6 transition-opacity opacity-0 -start-6 not-prose group-hover:opacity-100 select-none"> <a class="text-primary-300 dark:text-neutral-700 !no-underline" href="#prerequisites" aria-label="Anchor">#</a> </span> </h3> <p>To deploy LAPS with Azure AD password backup and Intune you need licenses/access to those tools and Windows 10/11 devices with the latest April patches installed. A full list of prerequisites is provided <a href="https://learn.microsoft.com/en-us/windows-server/identity/laps/laps-overview#windows-laps-supported-platforms-and-azure-ad-laps-preview-status" target="_blank" rel="noreferrer">by Microsoft here</a>.</p> <h3 class="relative group">Azure AD enablement <div id="azure-ad-enablement" class="anchor"></div> <span class="absolute top-0 w-6 transition-opacity opacity-0 -start-6 not-prose group-hover:opacity-100 select-none"> <a class="text-primary-300 dark:text-neutral-700 !no-underline" href="#azure-ad-enablement" aria-label="Anchor">#</a> </span> </h3> <p>Unlike the on-premises AD LAPS enablement we do not need any schema extensions and can simply enable the following toggle within our Azure AD device settings:</p>