The following items were introduced with 24H2 Operating Systems (Windows 11 24H2 and Windows Server 2025). They are not available on earlier Operating Systems.
This article is a supplement to the Windows LAPS Overview, and only highlights what is new with 24H2 Operating Systems (Windows 11 24H2 and Windows Server 2025). For a complete overview of Windows LAPS, refer to Windows Local Administrator Password Solution (LAPS) Overview.
There are four new password complexity options:

| Option | Description |
|---|---|
| Large letters + small letters + numbers + specials (improved readability) | Certain characters (which can be hard to differentiate from one another) are not used in passwords generated by Windows LAPS. |
| Passphrase (long words) | Each word starts with a capital letter, and there is no space or separating character between words. Words are taken from the Electronic Frontier Foundation's New Wordlists for Random Passphrases. The number of words in a passphrase generated by Windows LAPS is controlled by the Passphrase Length (words) parameter of Password Settings. |
| Passphrase (short words with unique prefixes) | |
| Passphrase (short words) | |
A new Password Settings parameter named Passphrase Length (words) is available to be used with passphrases.
It allows you to define how many words will be used in a passphrase generated by Windows LAPS.
The default value is 6. The minimum value allowed is 3. The maximum value allowed is 10.
A new action is available for the Post-authentication actions setting named Reset the password, logoff the managed account, and terminate any remaining processes.
A problem with the previous option Reset the password and logoff the managed account is that it logs off the interactive session but does nothing about processes that were launched with Run As (runas.exe). Those processes keep running under the managed account's existing token, with whatever rights it had, even after the password has been reset. The only way to be sure that all such processes were stopped was the Reset the password and reboot the device option, which is not ideal in some scenarios.
This new option will ensure that all processes running as the managed account are terminated, without a restart.
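As an added example (not from the Windows LAPS documentation or product code), the following PowerShell script makes the gap the new action closes visible: it lists every process still running as the managed account after the interactive session is gone, which is what a Run As launch leaves behind, and with -Terminate stops them, which is the manual equivalent on hosts that do not have the 24H2 action. The default pattern WLapsAdmin* is an assumption taken from this page's default account name.

```powershell
# Added example, not from the Windows LAPS documentation.
# Lists (and optionally terminates) processes that still run as the LAPS-managed
# local account. Such processes survive the "logoff the managed account" action
# when they were started with Run As. The account pattern is an assumption:
# 'WLapsAdmin*' also matches a randomized name such as WLapsAdmin12345678.
param(
    [string]$AccountPattern = 'WLapsAdmin*',
    [switch]$Terminate
)

# Win32_Process.GetOwner() returns the owning user and domain of each process;
# for a local account the Domain is the computer name.
$leftovers = Get-CimInstance -ClassName Win32_Process | ForEach-Object {
    $owner = Invoke-CimMethod -InputObject $_ -MethodName GetOwner
    if ($owner.ReturnValue -eq 0 -and
        $owner.Domain -eq $env:COMPUTERNAME -and
        $owner.User -like $AccountPattern) {
        [pscustomobject]@{
            ProcessId   = $_.ProcessId
            Name        = $_.Name
            User        = "$($owner.Domain)\$($owner.User)"
            CommandLine = $_.CommandLine
        }
    }
}

if (-not $leftovers) {
    Write-Host "No processes are running as $env:COMPUTERNAME\$AccountPattern."
    return
}

$leftovers | Format-Table -AutoSize

if ($Terminate) {
    foreach ($p in $leftovers) {
        try {
            Stop-Process -Id $p.ProcessId -Force -ErrorAction Stop
            Write-Host "Terminated PID $($p.ProcessId) ($($p.Name))"
        } catch {
            Write-Warning "Could not terminate PID $($p.ProcessId) ($($p.Name)): $_"
        }
    }
} else {
    Write-Warning "Processes above keep the managed account's token; re-run with -Terminate to stop them."
}
```

Run it elevated: enumerating the owner of processes belonging to another user requires administrative rights. When the managed account name is randomized, take the current name from the Account property of the Get-LapsADPassword or Get-LapsAADPassword output rather than guessing it, or keep the prefix pattern as above.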
A new setting is available named Configure automatic account management.
When not configured, this defaults to disabled.
When enabled, this takes precedence over the Name of administrator account to manage setting, and the following settings are available to configure:
| Setting | Description |
|---|---|
| Specify the target account to manage | Two options are available: manage the built-in Administrator account, or manage a custom administrator account that Windows LAPS creates. |
| Automatic account name (or name prefix) | The name of the account whose password Windows LAPS manages (or the prefix of that name if Randomize the name of the managed account is checked). When not specified, this defaults to WLapsAdmin. This applies even when the targeted account is the built-in Administrator, which is renamed to the configured name. |
| Enable the managed account (checkbox) | If checked, the account is enabled by LAPS. If unchecked, the account is disabled by LAPS. |
| Randomize the name of the managed account (checkbox) | If checked, the Automatic account name (or name prefix) is treated as a prefix and a suffix of eight random digits is appended to it; the name is also randomized every time the password is changed. If unchecked, the Automatic account name (or name prefix) is used as the account name. |
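The settings above, the passphrase length parameter and the new post-authentication action all arrive as policy values, and per Q6 below a pre-24H2 host silently falls back to defaults for any of them. As an added example (not from the Windows LAPS documentation or product code), this PowerShell script reads the locally applied policy and reports the 24H2-specific values, warning when one has been pushed to a host that cannot honour it. Everything it assumes is listed in the header comment: the registry path and value names (taken from the LAPS CSP setting names), the numeric encodings of the new complexity and post-authentication values, the documented defaults, and build 26100 as the first 24H2 build; verify those against your ADMX or CSP reference before relying on the output.

```powershell
# Added example, not from the Windows LAPS documentation or product code.
# Reports the Windows LAPS policy values that are new in 24H2 and flags values a
# pre-24H2 host will ignore (it uses the default instead). Assumptions, to verify
# against your ADMX/CSP before relying on them:
#   - the policy lands under HKLM:\SOFTWARE\Microsoft\Policies\LAPS
#   - value names follow the LAPS CSP names (PasswordComplexity, PassphraseLength, ...)
#   - PasswordComplexity 5..8 and PostAuthenticationActions 11 are the 24H2-only encodings
#   - defaults: complexity 4, 6 words, post-auth action 3 (reset + logoff), auto-mgmt off
#   - OS build 26100 is the first 24H2 build (Windows 11 24H2 / Windows Server 2025)
$policyPath     = 'HKLM:\SOFTWARE\Microsoft\Policies\LAPS'
$firstBuild24H2 = 26100

$complexityNames = @{
    1 = 'Large letters'
    2 = 'Large letters + small letters'
    3 = 'Large letters + small letters + numbers'
    4 = 'Large letters + small letters + numbers + specials'
    5 = 'Large letters + small letters + numbers + specials (improved readability)'   # 24H2
    6 = 'Passphrase (long words)'                                                      # 24H2
    7 = 'Passphrase (short words with unique prefixes)'                                # 24H2
    8 = 'Passphrase (short words)'                                                     # 24H2
}

$policy = Get-ItemProperty -Path $policyPath -ErrorAction SilentlyContinue
if (-not $policy) { Write-Warning "No Windows LAPS policy found under $policyPath"; return }

function Get-PolicyValue([string]$Name, $Default) {
    # Configured value, or the (assumed) documented default when the value is absent.
    $value = $policy.$Name
    if ($null -eq $value) { $Default } else { $value }
}

$build    = [System.Environment]::OSVersion.Version.Build
$is24H2   = $build -ge $firstBuild24H2
$findings = [System.Collections.Generic.List[string]]::new()

# Password complexity and passphrase length (page: default 6 words, allowed 3..10).
$complexity = [int](Get-PolicyValue 'PasswordComplexity' 4)
$words      = [int](Get-PolicyValue 'PassphraseLength' 6)
if ($complexity -ge 5 -and -not $is24H2) {
    $findings.Add("PasswordComplexity=$complexity is 24H2-only; build $build will use the default (4).")
}
if ($complexity -ge 6 -and ($words -lt 3 -or $words -gt 10)) {
    $findings.Add("PassphraseLength=$words is outside the allowed range 3..10.")
}

# Post-authentication action (page: the new value also terminates leftover processes).
$postAuth = [int](Get-PolicyValue 'PostAuthenticationActions' 3)
if ($postAuth -eq 11 -and -not $is24H2) {
    $findings.Add("PostAuthenticationActions=11 (reset, logoff, terminate) is 24H2-only; build $build falls back to the default.")
}

# Automatic account management (page: disabled when not configured, name defaults to
# WLapsAdmin, and when enabled it overrides 'Name of administrator account to manage').
$autoEnabled = [int](Get-PolicyValue 'AutomaticAccountManagementEnabled' 0) -eq 1
$autoName    = [string](Get-PolicyValue 'AutomaticAccountManagementNameOrPrefix' 'WLapsAdmin')
$randomize   = [int](Get-PolicyValue 'AutomaticAccountManagementRandomizeName' 0) -eq 1
$legacyName  = [string](Get-PolicyValue 'AdministratorAccountName' '(built-in Administrator)')
if ($autoEnabled -and -not $is24H2) {
    $findings.Add("Automatic account management is 24H2-only; build $build ignores it and manages '$legacyName'.")
}
if ($autoEnabled -and $is24H2 -and $policy.AdministratorAccountName) {
    $findings.Add("AdministratorAccountName='$legacyName' is overridden by automatic account management.")
}

$managedName = $legacyName
if ($autoEnabled -and $is24H2) {
    $managedName = if ($randomize) { "$autoName<8 random digits>" } else { $autoName }
}

[pscustomobject]@{
    Build                      = $build
    Is24H2                     = $is24H2
    PasswordComplexity         = "$complexity ($($complexityNames[$complexity]))"
    PassphraseLength           = $words
    PostAuthenticationActions  = $postAuth
    AutomaticAccountManagement = $autoEnabled
    EffectiveManagedAccount    = $managedName
} | Format-List

foreach ($f in $findings) { Write-Warning $f }
```

Run it on a representative member of each OS ring after a policy change: the useful output is the warnings, which tell you where a fleet-wide 24H2 policy is quietly producing pre-24H2 behaviour.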
Q1: Will Windows LAPS create the custom managed account if it does not exist? Will it enable it if it is not enabled?
A1: In order to have Windows LAPS create the managed account if it does not exist, you must enable automatic account management. Whether the account is enabled or disabled is then controlled by the Enable the managed account checkbox.

Q2: Why was the managed account named WLapsAdmin?
A2: When automatic account management is enabled and the Automatic account name (or name prefix) setting is not set, LAPS uses WLapsAdmin as the account name (or as the name prefix when Randomize the name of the managed account is selected).

Q3: What happens if there is already an existing account with the same name as the LAPS managed account?
A3: The existing account is renamed (prefixed with WLapsDefuncted followed by random numbers, for example WLapsDefuncted294366) and disabled. If it was a member of the local Administrators group, it remains a member, so it is still a privileged (if disabled) account until you remove that membership.

Q4: What happens if I change the target account to be managed from a custom admin account to the built-in admin account? Will the previous custom account still be present? Will it still be an administrator?
A4: The custom account that was previously managed by LAPS is deleted, so it is neither present nor a member of the local Administrators group.

Q5: When Randomize the name of the managed account is selected, what will the account name look like?
A5: If you have provided an Automatic account name (or name prefix), that is used as the prefix of the managed account name; if not, the prefix is WLapsAdmin. A suffix of eight random digits is appended, and the name changes every time the password is changed.

Q6: What happens if a setting is set to a new value that is only applicable in 24H2 Operating Systems?
A6: On computers running earlier (pre-24H2) operating systems, the default value for the setting is used.

Q7: What are user accounts whose names begin with WLapsDefuncted?
A7: User accounts whose names begin with WLapsDefuncted were renamed by Windows LAPS when automatic account management was set to manage a custom account and an account of that name already existed. The existing account is renamed with the prefix WLapsDefuncted and a suffix of random numbers. Windows LAPS does not take over an existing account of the same name; it manages a new account that it creates.

Q8: Is there a more comprehensive article on Windows LAPS?
A8: This article is a supplement to the Windows LAPS Overview, and only highlights what is new with 24H2 Operating Systems (Windows 11 24H2 and Windows Server 2025). For a complete overview of Windows LAPS, refer to Windows Local Administrator Password Solution (LAPS) Overview.
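Q3 and Q7 describe accounts that automatic account management leaves behind: renamed to WLapsDefuncted followed by random numbers, disabled, but still members of the local Administrators group. As an added example (not from the Windows LAPS documentation or product code), this PowerShell script audits the local accounts on a host for both the currently managed account and any defunct ones, reports whether each is enabled and a local administrator, and with -RemoveFromAdministrators drops the stale membership. The two prefixes default to the names on this page and are parameters because your policy may use a different Automatic account name (or name prefix).

```powershell
# Added example, not from the Windows LAPS documentation or product code.
# Audits local accounts created or renamed by Windows LAPS automatic account
# management. Per the page, a pre-existing account with the managed name is
# renamed WLapsDefuncted<digits> and disabled but keeps its Administrators
# membership. Prefixes are assumptions matching the page's default names.
param(
    [string]$ManagedPrefix = 'WLapsAdmin',
    [string]$DefunctPrefix = 'WLapsDefuncted',
    [switch]$RemoveFromAdministrators
)

# Membership is compared by SID, not name, so renamed accounts are still matched.
try {
    $adminSids = @((Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop).SID.Value)
} catch {
    Write-Warning "Could not enumerate Administrators: $_"   # e.g. orphaned domain SIDs
    $adminSids = @()
}

$report = foreach ($user in Get-LocalUser) {
    $kind = switch -Wildcard ($user.Name) {
        "$ManagedPrefix*" { 'managed' }
        "$DefunctPrefix*" { 'defunct' }
        default           { $null }
    }
    if (-not $kind) { continue }
    [pscustomobject]@{
        Name            = $user.Name
        Kind            = $kind
        Enabled         = $user.Enabled
        LocalAdmin      = $adminSids -contains $user.SID.Value
        PasswordLastSet = $user.PasswordLastSet
        LastLogon       = $user.LastLogon
    }
}

if (-not $report) {
    Write-Host "No accounts matching '$ManagedPrefix*' or '$DefunctPrefix*' were found."
    return
}
$report | Format-Table -AutoSize

# A defunct account should be disabled and, ideally, no longer an administrator.
foreach ($acct in ($report | Where-Object { $_.Kind -eq 'defunct' })) {
    if ($acct.Enabled) {
        Write-Warning "$($acct.Name) was renamed by LAPS but is enabled; someone re-enabled it."
    }
    if ($acct.LocalAdmin) {
        if ($RemoveFromAdministrators) {
            Remove-LocalGroupMember -Group 'Administrators' -Member $acct.Name -ErrorAction Stop
            Write-Host "Removed $($acct.Name) from Administrators"
        } else {
            Write-Warning "$($acct.Name) is still a local Administrator; re-run with -RemoveFromAdministrators to fix."
        }
    }
}
```

Run it elevated; Get-LocalUser and Get-LocalGroupMember come with the LocalAccounts module on Windows 10 and later. Removing the membership is a local change only: if the defunct account is ever re-enabled it is then an ordinary user rather than an administrator with a password nobody tracks.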