Jay Simmons, a software engineer on Microsoft’s Active Directory team, walks through what’s new in Windows LAPS, focusing on the updates landing in Windows 11 24H2 and Windows Server 2025. He digs into automatic account management (create and manage a custom local admin account in-policy, keep it enabled or disabled by design, and even randomize the account name on each password rotation), expanded protections that prevent tampering with automatically managed accounts, and Sysprep cleanup so generalized images don’t carry leftover LAPS state. He also introduces passphrase support with new password complexity options and a configurable passphrase length, using curated word lists (including the EFF lists) to generate readable-but-strong secrets. Other improvements include a more readable monospace font for LAPS passwords in Active Directory Users and Computers, a new post-authentication action that terminates lingering processes that used LAPS credentials (including “runas” scenarios), and updated flexibility for DSRM authorized decryptors beyond Domain Admins. The session also covers two preview features: an on-premises disaster recovery feature that can decrypt LAPS-encrypted passwords directly from AD database backups using recovery mode, and a Windows Admin Center extension for viewing and rotating LAPS passwords from WAC.
We produced this as a pre-recorded streamed session with the pacing, polish, and clarity you’d expect from a live broadcast—without asking the subject matter expert to also be the audio engineer, graphics operator, and streaming magician. We built the show flow, created the graphics package, coached the speaker for crisp delivery, captured the footage, and shaped it in post so every demo beat lands cleanly. Then we streamed it reliably to multiple social channels using our remote studio and streaming platform—turning complex technical content into a smooth, confidently on-air experience (and a replay-ready asset that keeps working after the stream ends).



