
Migrating To The New 24H2 LAPS Settings

Not long ago, I walked through migrating from the Cloud LAPS solution by MSEndpointMGR to Microsoft’s built-in Windows LAPS via Intune. But Microsoft isn’t slowing down, and neither should you. The new 24H2 LAPS settings are a game-changer. In this post, I’ll explain what’s new and improved and how you can migrate from the initial duct tape remediation script to these powerful new features.


The New 24H2 Settings in Intune

In my previous blog post, I explored why creating a separate local administrator account is a best practice and how remediation scripts could automate this process at that time. With the release of Windows 11 24H2, Microsoft has introduced powerful new features built directly into the operating system to enhance the capabilities of the Local Administrator Password Solution (LAPS).

These new native options give IT administrators greater flexibility and control when managing local admin accounts. With Windows LAPS, you can now:

  • Automatically create a managed local account – no more need for the remediation script!
  • Configure a custom name for the account – there is less chance of guessing the LAPS account!
  • Enable or disable the account as needed – no standing rights!
  • Randomize the account name for improved security – it is even harder to guess the account name!
  • Use passphrases instead of traditional passwords – it is easier to type the password!
  • Define advanced post-authentication actions – more security once the LAPS account has been used!

Now that Windows 11 24H2 is generally available and the Microsoft Intune service release 2503 (March 2025) adds support for configuring these new settings, it’s time to move from testing to full production deployment. These updates mark a significant step forward in secure and streamlined account management for enterprise environments.

Implementing The New 24H2 Settings In Production

The new settings are available in Windows 11 24H2, but some devices may still run older versions in production environments. Therefore, I must apply and manage the old and new LAPS policies side by side until all endpoints have been migrated to Windows 11 24H2.

Device Assignment Filter for 24H2

I will use an Intune device assignment filter to target the old and new configurations based on the Windows version. The filter rule is (device.osVersion -startsWith "10.0.26"). Windows 11 24H2 is build 26100, so this prefix match catches 24H2 and any later 26xxx build (Windows 11 25H2 is build 26200), which is what I want, since the new settings apply to 24H2 and later.

This filter can now be used with an exclude parameter on the old policies and an include parameter on the new policies.

Exclude 24H2 From Existing Policies

For devices before Windows 11 24H2, I used a remediation script from MVP Sandy Zeng to create the LAPS account. I will now filter all Windows 11 24H2 devices away from that remediation, since one advantage of the new LAPS policy is that it fully handles the creation of the LAPS admin account. I don’t need or want the remediation script on Windows 11 24H2 devices.

Windows 11 24H2 devices are excluded from the remediation with an Intune filter.

If you are on Microsoft 365 Business Premium, remediation scripts are unavailable, and you might have used a platform script. These don’t support using the Intune filter, meaning you must create an exclusion group instead.

Windows 11 24H2 devices are excluded from the remediation with an Entra ID dynamic device group.

For the LAPS policy itself, I will rename my existing policy to reflect that it handles all Windows devices before Windows 11 24H2, and use the same filter to exclude the Windows 11 24H2 devices from it.

Windows 11 24H2 devices are filtered away from my original LAPS policy pre Windows 11 24H2.

The same tactic applies to the policy that manages the local Administrators group on my devices. The new LAPS policy brings new logic there as well, so I will filter away Windows 11 24H2 devices and rename the policy to reflect the targeting.

Windows 11 24H2 devices are filtered away from my original Local Administrators policy pre Windows 11 24H2.

With these small changes from device assignment filters, the old LAPS policies and settings should only apply to Windows devices before Windows 11 24H2.

Create The New 24H2 LAPS Settings Policies

Now I will create the new 24H2 LAPS settings policies. These consist of a LAPS policy and a policy that handles the local user group membership of the Administrators group.

The 24H2 LAPS Policy

Creating a new LAPS policy is straightforward: Intune – Endpoint security – Account protection – Create Policy.

The configuration of this policy can look like this for devices running Windows 11 24H2 and later:

New 24H2 LAPS Settings

The policy backs up the LAPS account credentials to the device object in Microsoft Entra ID (even though the setting still says “Azure AD”), and I have configured it to rotate the password at the lowest allowed interval, every seven days.

For password complexity, I have set it up to use the new passphrase options. This gives better readability and usability compared to the old complex passwords where it could be hard to distinguish characters like I, l, 1, |, O, 0, etc.

The policy is also configured to automatically create a new LAPS account whose name is the configured prefix followed by a random numeric suffix.

Lastly, the policy uses the new post-authentication action, which ensures any remaining processes are terminated in addition to the password reset and logoff actions known from earlier. This new option will terminate any elevated PowerShell or other sessions running under the LAPS account. Interactive sign-in sessions receive a nonconfigurable two-minute warning to save their work before signing out.
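To confirm that a migrated device actually received these settings, the credential can be read back from Entra ID with the LAPS PowerShell module instead of the portal. The script below is an added example and not the post’s own code: it assumes the Microsoft.Graph module, the built-in LAPS module (present on Windows 11 and Windows Server 2025), a Graph sign-in with the DeviceLocalCredential.Read.All and Device.Read.All scopes, a device named “PC-24H2-01” and the account prefix “LAPS-”; both names are placeholders to replace with your own.

```powershell
# Added example, not from the original post. Reads one 24H2 device's LAPS credential back from
# Entra ID and checks it against the policy settings described above (prefix, 7-day rotation).
Import-Module LAPS                                   # built-in Windows LAPS module
Connect-MgGraph -Scopes 'DeviceLocalCredential.Read.All', 'Device.Read.All'

function Test-LapsCredential {
    param(
        [Parameter(Mandatory)]$Credential,            # one object returned by Get-LapsAADPassword
        [Parameter(Mandatory)][string]$Prefix,        # prefix configured for the managed account
        [int]$MaxAgeDays = 7                          # password age configured in the policy
    )
    $report = @()

    # Automatic account management with a randomized name: <prefix><digits>
    if ($Credential.Account -notmatch ('^' + [regex]::Escape($Prefix) + '\d+$')) {
        $report += "FAIL: account '$($Credential.Account)' is not '$Prefix' plus digits; the old policy may still apply"
    }

    # Expiration minus last update must not exceed the configured password age
    $window = $Credential.PasswordExpirationTime - $Credential.PasswordUpdateTime
    if ($window.TotalDays -gt $MaxAgeDays) {
        $report += "FAIL: rotation window is $([math]::Round($window.TotalDays, 1)) days, expected at most $MaxAgeDays"
    }

    # Never echo the secret; its length is enough to tell a passphrase from a legacy 14-character password
    $report += "INFO: $($Credential.DeviceName) account $($Credential.Account), password length $($Credential.Password.Length), expires $($Credential.PasswordExpirationTime)"
    return $report
}

# -DeviceIds accepts a device name or Entra device ID; 'PC-24H2-01' is a placeholder
$cred = Get-LapsAADPassword -DeviceIds 'PC-24H2-01' -IncludePasswords -AsPlainText
Test-LapsCredential -Credential $cred -Prefix 'LAPS-'
```

If the account name check fails on a device that reports build 26100 or later, the usual cause is an assignment problem: the device is still caught by the old policy (filter not applied) or has not yet synced after the upgrade.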

The 24H2 Local Administrators Group Membership Policy

I will continue using a local user group membership policy to manage the local Administrators group on our devices. Previously, I manually created a local administrator account with a fixed name and listed it in this policy. With the new LAPS policy, the local administrator account is created automatically with a randomized name, so it can no longer be listed by name. As a result, a new policy is required to manage the local Administrators group membership on Windows 11 24H2 devices.

The only members I want in this group are the LAPS account and the Entra ID Device Administrator role. Following a tiered-administration approach, I don’t want my Global Admins to sign in to the devices with local admin privileges.

The LAPS account is handled automatically by Windows 11 24H2, leaving me to gather the ID of the Entra ID role. I will use Graph Explorer to find the ID for this role.

I navigate to aka.ms/ge and sign in before running the query “https://graph.microsoft.com/beta/directoryRoles“. Within the response preview, I search for “device local admin” and copy the ID. Note that this endpoint only lists roles that have been activated in the tenant, so the role must have been activated at least once to show up.

Erik Engberg has a well-known Azure AD Object ID to SID Converter, which I use to get the object SID needed for the Intune policy. Paste the ID from Graph Explorer to convert it to an Entra ID SID.

This object SID can now be added as the only member of the Administrators group. Use the “Add (Replace)” action so that the policy replaces the existing membership and nothing else is allowed in the local Administrators group on your endpoints.

Windows 11 24H2 will ensure the new LAPS account with the randomized account name is added to the local Administrators group.
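The same lookup and conversion can be done in PowerShell, which also lets you verify the SID before it goes into the policy. This is an added example, not the post’s own code and not the converter’s; it assumes the Microsoft.Graph module and a sign-in allowed to read directory roles, and it uses the same beta directoryRoles query as above.

```powershell
# Added example, not from the original post. Finds the Entra "Device Local Administrator" role
# and converts its object ID to the S-1-12-1 SID the local user group membership policy expects.

function ConvertTo-EntraSid {
    param([Parameter(Mandatory)][guid]$ObjectId)
    # An Entra ID SID is S-1-12-1 followed by the GUID's 16 bytes, in Guid.ToByteArray() order,
    # read as four little-endian UInt32 sub-authorities (BitConverter is little-endian on Windows).
    $bytes = $ObjectId.ToByteArray()
    $subAuthorities = foreach ($i in 0..3) { [BitConverter]::ToUInt32($bytes, $i * 4) }
    return 'S-1-12-1-' + ($subAuthorities -join '-')
}

function ConvertFrom-EntraSid {
    param([Parameter(Mandatory)][string]$Sid)
    # Reverse mapping, used below to prove the SID round-trips before it goes into a policy.
    if (-not ($Sid -match '^S-1-12-1-(\d+)-(\d+)-(\d+)-(\d+)$')) { throw "Not an Entra ID SID: $Sid" }
    $bytes = foreach ($i in 1..4) { [BitConverter]::GetBytes([uint32]$Matches[$i]) }
    return [guid]::new([byte[]]$bytes)
}

Connect-MgGraph -Scopes 'RoleManagement.Read.Directory'
$roles = (Invoke-MgGraphRequest -Method GET -Uri 'https://graph.microsoft.com/beta/directoryRoles').value
$role  = $roles | Where-Object { $_.displayName -like '*Device Local Administrator*' }
if (-not $role) {
    # /directoryRoles lists only activated roles; activate it once with
    # New-MgDirectoryRole -RoleTemplateId 9f06204d-73c1-4d4c-880a-6edb90606fd8 and rerun.
    throw 'The Device Local Administrator role is not activated in this tenant yet'
}

$sid = ConvertTo-EntraSid -ObjectId $role.id
if ((ConvertFrom-EntraSid -Sid $sid) -ne [guid]$role.id) { throw 'SID round-trip failed' }
"$($role.displayName) ($($role.id)) -> $sid"
```

Note that the SID is derived from the tenant-specific directoryRole object ID shown in the response, not from the role template ID, so it differs per tenant.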

The New 24H2 LAPS Settings Results

The new policies have been created at this stage, and the old policies have been renamed. This gives the following overview.

One remediation script and two policies handle the devices before Windows 11 24H2, while the two new policies manage the Windows 11 24H2 devices.

As described above, the device filter in include or exclude mode decides which policy a device receives. As for assignments, pay attention to the Microsoft documentation stating that LAPS policies should be assigned to device groups to help reduce potential conflicts.

Devices upgraded to Windows 11 24H2 will thus automatically get the new LAPS policy set to handle the LAPS account accordingly. In these instances, the old LAPS account will still exist on the device, but it will no longer be a member of the local Administrators group. Using a remediation script, these old LAPS accounts can be cleaned from the 24H2 devices. I have routines for this in my previous blog post on Windows LAPS.
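That cleanup can be done with a detection and remediation pair like the one below. It is an added example, not the routine from the earlier post and not the page’s own code; the old fixed account name “LocalAdmin” and the new prefix “LAPS-” are placeholders, and it is written for the SYSTEM context that Intune remediations run in. Upload it once as the detection script and once, with $Mode set to 'Remediate', as the remediation script.

```powershell
# Added example, not from the original post. Removes the pre-24H2 LAPS account only once the
# device runs 24H2+ and the "Add (Replace)" policy has already dropped it from Administrators.
$OldAccountName   = 'LocalAdmin'   # placeholder: fixed name created by the old remediation script
$NewAccountPrefix = 'LAPS-'        # placeholder: prefix configured in the new LAPS policy
$Mode             = 'Detect'       # upload a second copy with 'Remediate' as the remediation script

function Get-LocalAdministratorSids {
    # Get-LocalGroupMember in Windows PowerShell 5.1 can fail on members it cannot resolve
    # (Entra user and role SIDs), so read the group through ADSI and return raw SID strings.
    $group = [ADSI]'WinNT://./Administrators,group'
    foreach ($member in @($group.psbase.Invoke('Members'))) {
        $raw = $member.GetType().InvokeMember('objectSid', 'GetProperty', $null, $member, $null)
        (New-Object System.Security.Principal.SecurityIdentifier($raw, 0)).Value
    }
}

function Get-StaleLapsAccount {
    param([string]$Name, [string]$Prefix)
    # Only Windows 11 24H2 and later (build 26100+) receive the policy that creates its own account.
    if ([Environment]::OSVersion.Version.Build -lt 26100) { return $null }
    $old = Get-LocalUser -Name $Name -ErrorAction SilentlyContinue
    if (-not $old) { return $null }
    # Never touch the account the new policy manages, even if the old name happens to match the prefix.
    if ($old.Name -match ('^' + [regex]::Escape($Prefix) + '\d+$')) { return $null }
    # Leave it alone while it still holds admin rights: the Replace policy has not applied yet.
    if ((Get-LocalAdministratorSids) -contains $old.SID.Value) { return $null }
    return $old
}

$stale = Get-StaleLapsAccount -Name $OldAccountName -Prefix $NewAccountPrefix
if (-not $stale) { Write-Output 'No stale pre-24H2 LAPS account'; exit 0 }
if ($Mode -eq 'Detect') { Write-Output "Stale LAPS account '$($stale.Name)' found"; exit 1 }

# Remediate: delete the profile folder first, then the account itself.
Get-CimInstance Win32_UserProfile | Where-Object { $_.SID -eq $stale.SID.Value } | Remove-CimInstance
Remove-LocalUser -SID $stale.SID
Write-Output "Removed stale LAPS account '$($stale.Name)'"
exit 0
```

The detection exit code 1 marks the device as non-compliant so Intune runs the remediation; the two guards (still a member of Administrators, or name matching the new prefix) keep the script from deleting an account that is still in use.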

With the new 24H2 LAPS settings, your devices will display the randomized LAPS account name suffix and the easier-to-read and use LAPS password.

Happy days!

Published in Intune, Security, Windows
