The following items were introduced with 24H2 Operating Systems (Windows 11 24H2 and Windows Server 2025). They are not available on earlier Operating Systems.
New Password Complexity Options
There are four new password complexity options:
Option | Description
---|---
Large letters + small letters + numbers + specials (improved readability) | Certain characters (which can be hard to differentiate) are not used in passwords generated by Windows LAPS:
Passphrase (long words) | Each word starts with a capital letter. There is no space or separating character between words. Words are taken from the Electronic Frontier Foundation’s New Wordlists for Random Passphrases. The length of a passphrase generated by Windows LAPS can be controlled by the Passphrase Length (words) parameter of Password Settings.
Passphrase (short words with unique prefixes) |
Passphrase (short words) |
A new Password Settings parameter named Passphrase Length (words) is available to be used with passphrases.
It allows you to define how many words will be used in a passphrase generated by Windows LAPS.
The default value is 6. The minimum value allowed is 3. The maximum value allowed is 10.
New Post-Authentication Option
A new action is available for the Post-authentication actions setting named Reset the password, logoff the managed account, and terminate any remaining processes.
A problem with the previous option Reset the password and logoff the managed account is that it logs off the interactive session but does nothing about processes that were launched using Run As. The only way to ensure that all processes were stopped was the Reset the password and reboot the device option, which is not ideal in some scenarios.
This new option will ensure that all processes running as the managed account are terminated, without a restart.
Automatic Account Management
A new setting is available named Configure automatic account management.
When not configured, this defaults to disabled.
When enabled, this takes precedence over the Name of administrator account to manage setting, and the following settings are available to configure:
Setting | Description
---|---
Specify the target account to manage | Two options are available:
Automatic account name (or name prefix) | The name of the account that Windows LAPS will manage the password for (or the prefix on the name of the account if Randomize the name of the managed account is checked). When not specified, this defaults to WLapsAdmin (even when the targeted account is the Built-in Administrator).
Enable the managed account (checkbox) | If checked, the account will be enabled by LAPS. If unchecked, the account will be disabled by LAPS.
Randomize the name of the managed account (checkbox) | If checked, the Automatic account name (or name prefix) will be treated as a prefix; a suffix of eight random numbers will be added to it. The name will also be randomized every time the password is changed. If unchecked, the Automatic account name (or name prefix) will be treated as the account name.
A1: In order to have Windows LAPS create the managed account if it does not exist, you must enable automatic account management.
In order to have Windows LAPS ensure the managed account is enabled, you must also select Enable the managed account.
A2: When automatic account management is enabled, if the Automatic account name (or name prefix) setting is not set, LAPS will use WLapsAdmin as the account name (or as the name prefix when Randomize the name of the managed account is selected).
When automatic account management is enabled, if you want to have the built-in Administrator account managed by LAPS, and keep it named Administrator, you must do both of the following: Set Specify the target account to manage to Manage the built-in admin account and set Automatic account name (or name prefix) to Administrator.
A3: The existing account will be renamed (prefixed with WLapsDefuncted followed by random numbers, for example: WLapsDefuncted294366) and disabled. If it was a member of the local Administrators group, it will remain a member.
Windows LAPS will create a new account to be the managed account.
A4: The custom account that was previously managed by LAPS will be deleted.
A5: If you have provided an Automatic account name or name prefix, that will be used as the prefix for the managed account name. If not, the prefix will be WLapsAdmin.
A random number will be appended to the prefix.
For example: WLapsAdmin338517
The account name is changed and randomized every time the password is changed.
A6: On computers running earlier (pre-24H2) operating systems, the default value for the setting will be used.
For example: If you set the Password Complexity to Passphrase (short words), any computer running an earlier (pre-24H2) Operating System will use the default value of Large letters + small letters + numbers + special characters.
A7: Accounts whose names begin with WLapsDefuncted were renamed by Windows LAPS: when automatic account management is set to manage a custom account and an account with the configured name already exists, the existing account is renamed with the WLapsDefuncted prefix and a random numeric suffix. Windows LAPS will not take over an existing account of that name; it creates a new account and manages that one.
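The checks a practitioner would want for the points in A3, A6 and A7, as an added PowerShell example that is not part of the article: it reads the LAPS policy from the registry, flags 24H2-only settings that a pre-24H2 build silently ignores, and lists WLapsDefuncted accounts together with their local Administrators membership. The registry path, the numeric encodings of the new options, and build 26100 as the 24H2 baseline are assumptions, not stated by the article.

```powershell
# Added example, not from the article: audit a host for the 24H2-only Windows LAPS
# settings described above and for WLapsDefuncted accounts left behind by
# automatic account management. Run in an elevated PowerShell session.
# Assumptions: policy values live under HKLM\SOFTWARE\Microsoft\Policies\LAPS; the
# 24H2 additions are encoded as PasswordComplexity 5-8, PostAuthenticationActions 11
# and AutomaticAccountManagementEnabled 1; 24H2 / Server 2025 are build 26100 or later.

$policyPath = 'HKLM:\SOFTWARE\Microsoft\Policies\LAPS'
$build      = [System.Environment]::OSVersion.Version.Build
$is24H2     = $build -ge 26100
$findings   = [System.Collections.Generic.List[string]]::new()

$policy = Get-ItemProperty -Path $policyPath -ErrorAction SilentlyContinue
if (-not $policy) {
    $findings.Add("No LAPS policy found at $policyPath; this host is not managed by Windows LAPS policy.")
}
else {
    $complexity = [int]$policy.PasswordComplexity
    $postAuth   = [int]$policy.PostAuthenticationActions
    $autoMgmt   = [int]$policy.AutomaticAccountManagementEnabled

    # On a pre-24H2 build the new values are ignored and the default applies (see A6),
    # so the effective configuration is weaker than the policy suggests.
    if (-not $is24H2) {
        if ($complexity -ge 5) { $findings.Add("PasswordComplexity=$complexity is 24H2-only; build $build falls back to the default complexity.") }
        if ($postAuth -eq 11)  { $findings.Add("PostAuthenticationActions=11 (terminate remaining processes) is 24H2-only; Run As processes survive a logoff on build $build.") }
        if ($autoMgmt -eq 1)   { $findings.Add("Automatic account management is 24H2-only; build $build manages the account named by the legacy setting instead.") }
    }
    elseif ($postAuth -eq 3) {
        $findings.Add("PostAuthenticationActions=3 logs off the session but leaves Run As processes running; 24H2 supports option 11 without a reboot.")
    }
}

# Accounts renamed out of the way by automatic account management are disabled but
# keep their local Administrators membership (see A3), so they merit review.
$admins = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue |
          ForEach-Object { $_.Name.Split('\')[-1] }
Get-LocalUser | Where-Object { $_.Name -like 'WLapsDefuncted*' } | ForEach-Object {
    $isAdmin = $admins -contains $_.Name
    $findings.Add("Defunct account $($_.Name): Enabled=$($_.Enabled), Administrators member=$isAdmin, last logon=$($_.LastLogon).")
}

if ($findings.Count -eq 0) { 'No LAPS 24H2 findings.' } else { $findings }
```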
A8: This article is a supplement to the Windows LAPS Overview, and only highlights what is new with 24H2 Operating Systems (Windows 11 24H2 and Windows Server 2025). For a complete overview of Windows LAPS, refer to Windows Local Administrator Password Solution (LAPS) Overview.