Least Privilege (LAPS)
Win - OIB - ES - Windows LAPS - D - LAPS Configuration - v3.1
The Layer 1 default. It manages the built-in Administrator account on every device: it backs up the password to Microsoft Entra ID, rotates it every 7 days, and enforces a 21-character passphrase. It is universally compatible across Windows 10 and Windows 11 (no 24H2+ dependency) and server-safe; assign it to both workstation and server device groups, excluding domain controllers (which manage their own admin accounts via AD).
| Name | Value |
| Basics | |
| Name | Win - OIB - ES - Windows LAPS - D - LAPS Configuration - v3.1 |
| Description | OIB Layer 1 default. Manages the built-in Administrator account. Universally compatible (pre-24H2 and 24H2+). |
| Profile type | Settings catalog |
| Category | Account protection |
| Policy type | Local admin password solution (Windows LAPS) |
| Platform supported | Windows 10 and later |
| Created | 09 August 2023 15:01:36 |
| Last modified | 05 December 2024 19:37:03 |
| Scope tags | Default |
Table 27. Basics - Win - OIB - ES - Windows LAPS - D - LAPS Configuration - v3.1
| Name | Value |
| Backup Directory | Backup the password to Microsoft Entra ID only |
| Password Age Days | 7 |
| Password Complexity | Passphrase (short words with unique prefixes) |
| Password Length | 21 |
| Post Authentication Actions | Reset the password, logoff the managed account, and terminate any remaining processes: upon expiration of the grace period, the managed account password is reset, any interactive logon sessions using the managed account are logged off, and any remaining processes are terminated. |
| Post Authentication Reset Delay | 1 |
Table 28. Settings - Win - OIB - ES - Windows LAPS - D - LAPS Configuration - v3.1
Win - OIB - ES - Windows LAPS - D - LAPS Configuration (24H2+) - v3.6
This is the (24H2+) variant that uses Automatic Account Management to create and manage a custom local administrator account on each device, replacing the built-in Administrator (which the matched (24H2+) LSP variant disables). Deploying this LAPS variant without the matching LSP variant works but adds a redundant custom account; deploying that LSP variant without this LAPS variant leaves devices with no local admin account at all. See the matched-pair note in Chapter 12 → Layered Deployment Strategy.
| Name | Value |
| Basics | |
| Name | Win - OIB - ES - Windows LAPS - D - LAPS Configuration (24H2+) - v3.6 |
| Description | NOTE: For 24H2+ devices only. |
| Profile type | Settings catalog |
| Category | Account protection |
| Policy type | Local admin password solution (Windows LAPS) |
| Platform supported | Windows 10 and later |
| Created | 09 August 2023 16:01:36 |
| Last modified | 12 May 2025 14:28:22 |
| Scope tags | Default |
Table 27a. Basics - Win - OIB - ES - Windows LAPS - D - LAPS Configuration (24H2+) - v3.6
| Name | Value |
| Backup Directory | Backup the password to Microsoft Entra ID only |
| Password Age Days | 7 |
| Password Complexity | Passphrase (short words with unique prefixes) |
| Passphrase Length | 4 |
| Password Length | 21 |
| Post Authentication Actions | Reset the password, logoff the managed account, and terminate any remaining processes: upon expiration of the grace period, the managed account password is reset, any interactive logon sessions using the managed account are logged off, and any remaining processes are terminated. |
| Post Authentication Reset Delay | 1 |
| Automatic Account Management Enabled | The target account will be automatically managed |
| Automatic Account Management Name Or Prefix | Not configured |
| Automatic Account Management Target | Manage a new custom administrator account |
| Automatic Account Management Enable Account | The target account will be enabled |
| Automatic Account Management Randomize Name | The name of the target account will not use a random numeric suffix. |
Table 28a. Settings - Win - OIB - ES - Windows LAPS - D - LAPS Configuration (24H2+) - v3.6
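The matched-pair and scoping rules described above can be checked against an export of effective assignments before rollout. The following is an added example, not part of the baseline itself; the `Device` record, the finding codes, the sample fleet and the LSP policy placeholder (the page does not give that policy's full name) are assumptions, and 26100 is the Windows 11 24H2 build number.

```python
from dataclasses import dataclass, field

# LAPS policy names as they appear on this page.
LAPS_DEFAULT = "Win - OIB - ES - Windows LAPS - D - LAPS Configuration - v3.1"
LAPS_24H2 = "Win - OIB - ES - Windows LAPS - D - LAPS Configuration (24H2+) - v3.6"
# Placeholder: the matched LSP variant's full name is not given on this page.
LSP_24H2 = "<matched (24H2+) LSP policy>"
BUILD_24H2 = 26100  # Windows 11 24H2 build number


@dataclass
class Device:  # hypothetical record built from an assignment export
    name: str
    build: int
    is_domain_controller: bool = False
    policies: set = field(default_factory=set)


def lint(device):
    """Return the sorted finding codes for one device's effective policies."""
    p, findings = device.policies, set()
    if device.is_domain_controller and p & {LAPS_DEFAULT, LAPS_24H2}:
        findings.add("DC_IN_SCOPE")         # domain controllers must be excluded
    if LSP_24H2 in p and LAPS_24H2 not in p:
        findings.add("NO_LOCAL_ADMIN")      # built-in disabled, no replacement account
    if LAPS_24H2 in p and LSP_24H2 not in p:
        findings.add("REDUNDANT_ACCOUNT")   # works, but adds a redundant custom account
    if device.build < BUILD_24H2 and p & {LAPS_24H2, LSP_24H2}:
        findings.add("VARIANT_NEEDS_24H2")  # "For 24H2+ devices only"
    return sorted(findings)


def lint_fleet(fleet):
    """Map device name -> findings, listing only devices that have findings."""
    results = {d.name: lint(d) for d in fleet}
    return {name: f for name, f in results.items() if f}


# Constructed sample fleet, for illustration only.
FLEET = [
    Device("WS-01", 26100, False, {LAPS_24H2, LSP_24H2}),  # correct matched pair
    Device("WS-02", 26100, False, {LSP_24H2}),             # LSP variant alone
    Device("WS-03", 26100, False, {LAPS_24H2}),            # LAPS variant alone
    Device("WS-04", 22631, False, {LAPS_24H2, LSP_24H2}),  # 23H2 with 24H2+ pair
    Device("SRV-01", 20348, False, {LAPS_DEFAULT}),        # server on Layer 1 default
    Device("DC-01", 20348, True, {LAPS_DEFAULT}),          # domain controller in scope
]

if __name__ == "__main__":
    for name, codes in lint_fleet(FLEET).items():
        print(f"{name}: {', '.join(codes)}")
```

`NO_LOCAL_ADMIN` is the finding to block a rollout on, since it corresponds to devices left with no local admin account at all.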