From b240087b96977e62a3a9a753b7ce74ad642ad6b3 Mon Sep 17 00:00:00 2001 From: Vinay Pamnani <37223378+vinaypamnani-msft@users.noreply.github.com> Date: Fri, 17 Feb 2023 18:20:04 -0500 Subject: [PATCH] LAPS CSP --- windows/client-management/mdm/laps-csp.md | 1220 +++++++++++------ .../client-management/mdm/laps-ddf-file.md | 1124 ++++++++------- windows/client-management/mdm/toc.yml | 4 +- 3 files changed, 1337 insertions(+), 1011 deletions(-) diff --git a/windows/client-management/mdm/laps-csp.md b/windows/client-management/mdm/laps-csp.md index f5c69b2fcd..acc2c04bb2 100644 --- a/windows/client-management/mdm/laps-csp.md +++ b/windows/client-management/mdm/laps-csp.md 
@@ -1,512 +1,839 @@ --- -title: Local Administrator Password Solution CSP -description: Learn how the Local Administrator Password Solution configuration service provider (CSP) is used by the enterprise to manage backup of local administrator account passwords. -ms.author: jsimmons -author: jay98014 -ms.reviewer: vinpa +title: LAPS CSP +description: Learn more about the LAPS CSP. +author: vinaypamnani-msft manager: aaroncz -ms.topic: reference +ms.author: vinpa +ms.date: 02/17/2023 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -ms.localizationpriority: medium -ms.date: 09/20/2022 +ms.topic: reference --- -# Local Administrator Password Solution CSP + -The Local Administrator Password Solution (LAPS) configuration service provider (CSP) is used by the enterprise to manage back up of local administrator account passwords. This CSP was added in Windows 11 as of version 25145. + +# LAPS CSP > [!IMPORTANT] +> This CSP contains preview policies that are under development and only applicable for [Windows Insider Preview builds](/windows-insider/). These policies are subject to change and may have dependencies on other features or services in preview. + + + +The Local Administrator Password Solution (LAPS) configuration service provider (CSP) is used by the enterprise to manage back up of local administrator account passwords. Windows supports a LAPS Group Policy Object that is entirely separate from the LAPS CSP. Many of the various settings are common across both the LAPS GPO and CSP (GPO does not support any of the Action-related settings). As long as at least one LAPS setting is configured via CSP, any GPO-configured settings will be ignored. Also see [Configure policy settings for Windows LAPS](/windows-server/identity/laps/laps-management-policy-settings). 
+ +> [!NOTE] > Windows LAPS currently is available only in [Windows 11 Insider Preview Build 25145 and later](/windows-insider/flight-hub/#active-development-builds-of-windows-11). Support for the Windows LAPS Azure Active Directory scenario is currently in private preview, and limited to a small number of customers who have a direct engagement with engineering. Once public preview is declared in 2023, all customers will be able to evaluate this AAD scenario. > [!TIP] > This article covers the specific technical details of the LAPS CSP. For more information about the scenarios in which the LAPS CSP would be used, see [Windows Local Administrator Password Solution](/windows-server/identity/laps/laps). + -The following example shows the LAPS CSP in tree format. + +The following example shows the LAPS configuration service provider in tree format. -```xml -./Device/Vendor/MSFT -LAPS -----Policies ---------BackupDirectory ---------PasswordAgeDays ---------PasswordLength ---------PasswordComplexity ---------PasswordExpirationProtectionEnabled ---------AdministratorAccountName ---------ADPasswordEncryptionEnabled ---------ADPasswordEncryptionPrincipal ---------ADEncryptedPasswordHistorySize ---------PostAuthenticationResetDelay ---------PostAuthenticationActions -----Actions ---------ResetPassword ---------ResetPasswordStatus +```text +./Device/Vendor/MSFT/LAPS +--- Actions +------ ResetPassword +------ ResetPasswordStatus +--- Policies +------ ADEncryptedPasswordHistorySize +------ AdministratorAccountName +------ ADPasswordEncryptionEnabled +------ ADPasswordEncryptionPrincipal +------ BackupDirectory +------ PasswordAgeDays +------ PasswordComplexity +------ PasswordExpirationProtectionEnabled +------ PasswordLength +------ PostAuthenticationActions +------ PostAuthenticationResetDelay ``` - -The LAPS CSP can be used to manage devices that are either joined to Azure AD or joined to both Azure AD and Active Directory (hybrid-joined). 
The LAPS CSP manages a mix of AAD-only and AD-only settings. The AD-only settings are only applicable for hybrid-joined devices, and then only when BackupDirectory is set to 2. - -|Setting name|Azure-joined|Hybrid-joined| -|---|---|---| -|BackupDirectory|Yes|Yes -|PasswordAgeDays|Yes|Yes -|PasswordLength|Yes|Yes| -|PasswordComplexity|Yes|Yes| -|PasswordExpirationProtectionEnabled|No|Yes| -|AdministratorAccountName|Yes|Yes| -|ADPasswordEncryptionEnabled|No|Yes| -|ADPasswordEncryptionPrincipal|No|Yes| -|ADEncryptedPasswordHistorySize|No|Yes| -|PostAuthenticationResetDelay|Yes|Yes| -|PostAuthenticationActions|Yes|Yes| -|ResetPassword|Yes|Yes| -|ResetPasswordStatus|Yes|Yes| - -> [!IMPORTANT] -> Windows supports a LAPS Group Policy Object that is entirely separate from the LAPS CSP. Many of the various settings are common across both the LAPS GPO and CSP (GPO does not support any of the Action-related settings). As long as at least one LAPS setting is configured via CSP, any GPO-configured settings will be ignored. Also see [Configure policy settings for Windows LAPS](/windows-server/identity/laps/laps-management-policy-settings). - -## ./Device/Vendor/MSFT/LAPS - -Defines the root node for the LAPS CSP. - - -### Policies - -Defines the interior parent node for all configuration-related settings in the LAPS CSP. - - - -### BackupDirectory - -Allows the administrator to configure which directory the local administrator account password is backed up to. - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|Yes| -|Pro|No|Yes| -|Business|No|Yes| -|Enterprise|No|Yes| -|Education|No|Yes| - - -Data type is integer. Supported operations are Add, Get, Replace, and Delete. - - -The allowable settings are: - -|Value|Description of setting| -|--- |--- | -|0|Disabled (password won't be backed up)| -|1|Back up the password to Azure AD only| -|2|Back up the password to Active Directory only| - -If not specified, this setting will default to 0 (disabled). 
- - - - -### PasswordAgeDays - -Use this policy to configure the maximum password age of the managed local administrator account. - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|Yes| -|Pro|No|Yes| -|Business|No|Yes| -|Enterprise|No|Yes| -|Education|No|Yes| - - - -If not specified, this setting will default to 30 days - -This setting has a minimum allowed value of 1 day when backing the password to on-premises Active Directory, and 7 days when backing the password Azure AD. - -This setting has a maximum allowed value of 365 days. - - -Data type is integer. - -Supported operations are Add, Get, Replace, and Delete. - - - -### PasswordComplexity - -Use this setting to configure password complexity of the managed local administrator account. - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|Yes| -|Pro|No|Yes| -|Business|No|Yes| -|Enterprise|No|Yes| -|Education|No|Yes| - - - -The allowable settings are: - -|Value|Description of setting| -|--- |--- | -|1|Large letters| -|2|Large letters + small letters| -|3|Large letters + small letters + numbers| -|4|Large letters + small letters + numbers + special characters| - - -If not specified, this setting will default to 4. - -> [!IMPORTANT] -> Windows supports the lower password complexity settings (1, 2, and 3) only for backwards compatibility with older versions of LAPS. Microsoft recommends that this setting always be configured to 4. - - -Data type is integer. - -Supported operations are Add, Get, Replace, and Delete. - - - -### PasswordLength - -Use this setting to configure the length of the password of the managed local administrator account. - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|Yes| -|Pro|No|Yes| -|Business|No|Yes| -|Enterprise|No|Yes| -|Education|No|Yes| - - - -If not specified, this setting will default to 14 characters. - -This setting has a minimum allowed value of 8 characters. - -This setting has a maximum allowed value of 64 characters. 
- - -Data type is integer. - -Supported operations are Add, Get, Replace, and Delete. - - - -### AdministratorAccountName - -Use this setting to configure the name of the managed local administrator account. - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|Yes| -|Pro|No|Yes| -|Business|No|Yes| -|Enterprise|No|Yes| -|Education|No|Yes| - - - -If not specified, the default built-in local administrator account will be located by well-known SID (even if renamed). - -If specified, the specified account's password will be managed. - -> [!IMPORTANT] -> If a custom account name is specified in this setting, the specified account must be created via other means. Specifying a name in this setting will not cause the account to be created. - - -Data type is string. - -Supported operations are Add, Get, Replace, and Delete. - - - -### PasswordExpirationProtectionEnabled - -Use this setting to configure enforcement of maximum password age for the managed local administrator account. - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|Yes| -|Pro|No|Yes| -|Business|No|Yes| -|Enterprise|No|Yes| -|Education|No|Yes| - - - -When this setting is set to True, planned password expiration that would result in a password age greater than what is specified by the "PasswordAgeDays" policy is NOT allowed. When such expiration is detected, the password is changed immediately, and the new password expiration date is set according to policy. - -If not specified, this setting defaults to True. - -> [!IMPORTANT] -> This setting is ignored unless BackupDirectory is configured to back up the password to Active Directory. - - -Data type is boolean. - -Supported operations are Add, Get, Replace, and Delete. - - - -### ADPasswordEncryptionEnabled - -Use this setting to configure whether the password is encrypted before being stored in Active Directory. 
- - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|Yes| -|Pro|No|Yes| -|Business|No|Yes| -|Enterprise|No|Yes| -|Education|No|Yes| - - - -This setting is ignored if the password is currently being stored in Azure. - -If this setting is set to True, and the Active Directory domain meets the 2016 DFL prerequisite, the password is encrypted before being stored in Active Directory. - -If this setting is missing or set to False, or the Active Directory domain doesn't meet the DFL prerequisite, the password is stored as clear-text in Active Directory. - -If not specified, this setting defaults to False. -> [!IMPORTANT] -> This setting is ignored unless BackupDirectory is configured to back up the password to Active Directory, AND the the Active Directory domain is at Windows Server 2016 Domain Functional Level or higher. - - -Data type is boolean. - -Supported operations are Add, Get, Replace, and Delete. - - - -### ADPasswordEncryptionPrincipal - -Use this setting to configure the name or SID of a user or group that can decrypt the password stored in Active Directory. - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|Yes| -|Pro|No|Yes| -|Business|No|Yes| -|Enterprise|No|Yes| -|Education|No|Yes| - - - -This setting is ignored if the password is currently being stored in Azure. - -If not specified, the password can only be decrypted by the Domain Admins group in the device's domain. - -If specified, the specified user or group will be able to decrypt the password stored in Active Directory. - -If the specified user or group account is invalid the device will fall back to using the Domain Admins group in the device's domain. -> [!IMPORTANT] -> The string stored in this setting must be either a SID in string form or the fully qualified name of a user or group. 
Valid examples include: -> -> "S-1-5-21-2127521184-1604012920-1887927527-35197" -> -> "contoso\LAPSAdmins" -> -> "lapsadmins@contoso.com" -> -> The principal identified (either by SID or user\group name) must exist and be resolvable by the device. - -> [!IMPORTANT] -> This setting is ignored unless ADPasswordEncryptionEnabled is configured to True and all other prerequisites are met. - - -Data type is string. - -Supported operations are Add, Get, Replace, and Delete. - - - -### ADEncryptedPasswordHistorySize - + + + +## Actions + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview | + + + +```Device +./Device/Vendor/MSFT/LAPS/Actions +``` + + + + + + + + +Defines the parent interior node for all action-related settings in the LAPS CSP. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + + + + + + + + + +### Actions/ResetPassword + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview | + + + +```Device +./Device/Vendor/MSFT/LAPS/Actions/ResetPassword +``` + + + + +Use this setting to tell the CSP to immediately generate and store a new password for the managed local administrator account. + + + + +This action invokes an immediate reset of the local administrator account password, ignoring the normal constraints such as PasswordLengthDays, etc + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | null | +| Access Type | Exec | + + + + + + + + + +### Actions/ResetPasswordStatus + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview | + + + +```Device +./Device/Vendor/MSFT/LAPS/Actions/ResetPasswordStatus +``` + + + + +Use this setting to query the status of the last submitted ResetPassword execute action. + + + + +The value returned is an HRESULT code: + +- S_OK (0x0): The last submitted ResetPassword action succeeded. +- E_PENDING (0x8000000): The last submitted ResetPassword action is still executing. +- Other: The last submitted ResetPassword action encountered the returned error. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | +| Default Value | 0 | + + + + + + + + + +## Policies + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview | + + + +```Device +./Device/Vendor/MSFT/LAPS/Policies +``` + + + + +Root node for LAPS policies. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | +| Atomic Required | True | + + + + + + + + + +### Policies/ADEncryptedPasswordHistorySize + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview | + + + +```Device +./Device/Vendor/MSFT/LAPS/Policies/ADEncryptedPasswordHistorySize +``` + + + + Use this setting to configure how many previous encrypted passwords will be remembered in Active Directory. - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|Yes| -|Pro|No|Yes| -|Business|No|Yes| -|Enterprise|No|Yes| -|Education|No|Yes| - - - If not specified, this setting will default to 0 passwords (disabled). This setting has a minimum allowed value of 0 passwords. This setting has a maximum allowed value of 12 passwords. + + + > [!IMPORTANT] > This setting is ignored unless ADPasswordEncryptionEnabled is configured to True and all other prerequisites are met. - + -Data type is integer. + +**Description framework properties**: -Supported operations are Add, Get, Replace, and Delete. - +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[0-12]` | +| Default Value | 0 | +| Dependency [BackupDirectory] | Dependency Type: `DependsOn`
Dependency URI: `Vendor/MSFT/LAPS/Policies/BackupDirectory`
Dependency Allowed Value: ``
Dependency Allowed Value Type: `ENUM`
| + - -### PostAuthenticationResetDelay - -Use this setting to specify the amount of time (in hours) to wait after an authentication before executing the specified post-authentication actions (see the PostAuthenticationActions setting below). - + + + - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|Yes| -|Pro|No|Yes| -|Business|No|Yes| -|Enterprise|No|Yes| -|Education|No|Yes| - + - -If not specified, this setting will default to 24 hours. + +### Policies/AdministratorAccountName -This setting has a minimum allowed value of 0 hours (this disables all post-authentication actions). + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview | + -This setting has a maximum allowed value of 24 hours. - + +```Device +./Device/Vendor/MSFT/LAPS/Policies/AdministratorAccountName +``` + -Data type is integer. + + +Use this setting to configure the name of the managed local administrator account. -Supported operations are Add, Get, Replace, and Delete. - +If not specified, the default built-in local administrator account will be located by well-known SID (even if renamed). - -### PostAuthenticationActions - -Use this setting to specify the actions to take upon expiration of the configured grace period (see the PostAuthenticationResetDelay setting above). - +If specified, the specified account's password will be managed. - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|Yes| -|Pro|No|Yes| -|Business|No|Yes| -|Enterprise|No|Yes| -|Education|No|Yes| - +**Note** if a custom managed local administrator account name is specified in this setting, that account must be created via other means. Specifying a name in this setting will not cause the account to be created. + - -This setting can have ONE of the following values: + + + -|Value|Name|Action(s) taken upon expiry of the grace period| -|--- |--- |--- | -|1|Reset password|The managed account password will be reset| -|3|Reset password and log off|The managed account password will be reset and any interactive logon sessions using the managed account will be terminated| -|5|Reset password and reboot|The managed account password will be reset and the managed device will be immediately rebooted.| + +**Description framework properties**: -If not specified, this setting will default to 3. +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + +### Policies/ADPasswordEncryptionEnabled + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview | + + + +```Device +./Device/Vendor/MSFT/LAPS/Policies/ADPasswordEncryptionEnabled +``` + + + + +Use this setting to configure whether the password is encrypted before being stored in Active Directory. + +This setting is ignored if the password is currently being stored in Azure. + +This setting is only honored when the Active Directory domain is at Windows Server 2016 Domain Functional Level or higher. + +- If this setting is enabled, and the Active Directory domain meets the DFL prerequisite, the password will be encrypted before before being stored in Active Directory. + +- If this setting is disabled, or the Active Directory domain does not meet the DFL prerequisite, the password will be stored as clear-text in Active Directory. + +If not specified, this setting defaults to True. + + + + +> [!IMPORTANT] +> This setting is ignored unless BackupDirectory is configured to back up the password to Active Directory, AND the the Active Directory domain is at Windows Server 2016 Domain Functional Level or higher. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Add, Delete, Get, Replace | +| Default Value | True | +| Dependency [BackupDirectory] | Dependency Type: `DependsOn`
Dependency URI: `Vendor/MSFT/LAPS/Policies/BackupDirectory`
Dependency Allowed Value: ``
Dependency Allowed Value Type: `ENUM`
| + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| false | Store the password in clear-text form in Active Directory. | +| true (Default) | Store the password in encrypted form in Active Directory. | + + + + + + + + + +### Policies/ADPasswordEncryptionPrincipal + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview | + + + +```Device +./Device/Vendor/MSFT/LAPS/Policies/ADPasswordEncryptionPrincipal +``` + + + + +Use this setting to configure the name or SID of a user or group that can decrypt the password stored in Active Directory. + +This setting is ignored if the password is currently being stored in Azure. + +If not specified, the password will be decryptable by the Domain Admins group in the device's domain. + +If specified, the specified user or group will be able to decrypt the password stored in Active Directory. + +If the specified user or group account is invalid the device will fallback to using the Domain Admins group in the device's domain. + + + + +> [!IMPORTANT] +> This setting is ignored unless ADPasswordEncryptionEnabled is configured to True and all other prerequisites are met. The string stored in this setting must be either a SID in string form or the fully qualified name of a user or group. Valid examples include: +> +> - `S-1-5-21-2127521184-1604012920-1887927527-35197` +> - `contoso\LAPSAdmins` +> - `lapsadmins@contoso.com` +> +> The principal identified (either by SID or user\group name) must exist and be resolvable by the device. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Dependency [BackupDirectory] | Dependency Type: `DependsOn`
Dependency URI: `Vendor/MSFT/LAPS/Policies/BackupDirectory`
Dependency Allowed Value: ``
Dependency Allowed Value Type: `ENUM`
| + + + + + + + + + +### Policies/BackupDirectory + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview | + + + +```Device +./Device/Vendor/MSFT/LAPS/Policies/BackupDirectory +``` + + + + +Use this setting to configure which directory the local admin account password is backed up to. + +The allowable settings are: + +0=Disabled (password will not be backed up) +1=Backup the password to Azure AD only +2=Backup the password to Active Directory only + +If not specified, this setting will default to 0. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Disabled (password will not be backed up). | +| 1 | Backup the password to Azure AD only. | +| 2 | Backup the password to Active Directory only. | + + + + + + + + + +### Policies/PasswordAgeDays + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview | + + + +```Device +./Device/Vendor/MSFT/LAPS/Policies/PasswordAgeDays +``` + + + + +Use this policy to configure the maximum password age of the managed local administrator account. + +If not specified, this setting will default to 30 days + +This setting has a minimum allowed value of 1 day when backing the password to on-premises Active Directory, and 7 days when backing the password to Azure AD. + +This setting has a maximum allowed value of 365 days. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[1-365]` | +| Default Value | 30 | +| Dependency [BackupDirectoryAADMode BackupDirectoryADMode] | Dependency Type: `DependsOn DependsOn`
Dependency URI: `Vendor/MSFT/LAPS/Policies/BackupDirectory Vendor/MSFT/LAPS/Policies/BackupDirectory`
Dependency Allowed Value: ` `
Dependency Allowed Value Type: `ENUM ENUM`
| + + + + + + + + + +### Policies/PasswordComplexity + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview | + + + +```Device +./Device/Vendor/MSFT/LAPS/Policies/PasswordComplexity +``` + + + + +Use this setting to configure password complexity of the managed local administrator account. + +The allowable settings are: + +1=Large letters +2=Large letters + small letters +3=Large letters + small letters + numbers +4=Large letters + small letters + numbers + special characters + +If not specified, this setting will default to 4. + + + + +> [!IMPORTANT] +> Windows supports the lower password complexity settings (1, 2, and 3) only for backwards compatibility with older versions of LAPS. Microsoft recommends that this setting always be configured to 4. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 4 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 1 | Large letters. | +| 2 | Large letters + small letters. | +| 3 | Large letters + small letters + numbers. | +| 4 (Default) | Large letters + small letters + numbers + special characters. | + + + + + + + + + +### Policies/PasswordExpirationProtectionEnabled + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview | + + + +```Device +./Device/Vendor/MSFT/LAPS/Policies/PasswordExpirationProtectionEnabled +``` + + + + +Use this setting to configure additional enforcement of maximum password age for the managed local administrator account. + +When this setting is enabled, planned password expiration that would result in a password age greater than that dictated by "PasswordAgeDays" policy is NOT allowed. When such expiration is detected, the password is changed immediately and the new password expiration date is set according to policy. + +If not specified, this setting defaults to True. + + + + +> [!IMPORTANT] +> This setting is ignored unless BackupDirectory is configured to back up the password to Active Directory. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Add, Delete, Get, Replace | +| Default Value | True | +| Dependency [BackupDirectory] | Dependency Type: `DependsOn`
Dependency URI: `Vendor/MSFT/LAPS/Policies/BackupDirectory`
Dependency Allowed Value: ``
Dependency Allowed Value Type: `ENUM`
| + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| false | Allow configured password expiriration timestamp to exceed maximum password age. | +| true (Default) | Do not allow configured password expiriration timestamp to exceed maximum password age. | + + + + + + + + + +### Policies/PasswordLength + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview | + + + +```Device +./Device/Vendor/MSFT/LAPS/Policies/PasswordLength +``` + + + + +Use this setting to configure the length of the password of the managed local administrator account. + +If not specified, this setting will default to 14 characters. + +This setting has a minimum allowed value of 8 characters. + +This setting has a maximum allowed value of 64 characters. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[8-64]` | +| Default Value | 14 | + + + + + + + + + +### Policies/PostAuthenticationActions + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview | + + + +```Device +./Device/Vendor/MSFT/LAPS/Policies/PostAuthenticationActions +``` + + + + +Use this setting to specify the actions to take upon expiration of the configured grace period. + +If not specified, this setting will default to 3 (Reset the password and logoff the managed account). + + + + > [!IMPORTANT] > The allowed post-authentication actions are intended to help limit the amount of time that a LAPS password may be used before being reset. Logging off the managed account - or rebooting the device - are options to help ensure this. Abrupt termination of logon sessions, or rebooting the device, may result in data loss. > [!IMPORTANT] > From a security perspective, a malicious user who acquires administrative privileges on a device using a valid LAPS password does have the ultimate ability to prevent or circumvent these mechanisms. - + -Data type is integer. + +**Description framework properties**: -Supported operations are Add, Get, Replace, and Delete. - +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 3 | + - -## Actions + +**Allowed values**: -Defines the parent interior node for all action-related settings in the LAPS CSP. - +| Value | Description | +|:--|:--| +| 1 | Reset password: upon expiry of the grace period, the managed account password will be reset. | +| 3 (Default) | Reset the password and logoff the managed account: upon expiry of the grace period, the managed account password will be reset and any interactive logon sessions using the managed account will terminated. | +| 5 | Reset the password and reboot: upon expiry of the grace period, the managed account password will be reset and the managed device will be immediately rebooted. 
| + - -### ResetPassword - -Use this Execute action to request an immediate reset of the local administrator account password, ignoring the normal constraints such as PasswordLengthDays, etc. - + + + - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|Yes| -|Pro|No|Yes| -|Business|No|Yes| -|Enterprise|No|Yes| -|Education|No|Yes| - + - + +### Policies/PostAuthenticationResetDelay - + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview | + -Data type is integer. + +```Device +./Device/Vendor/MSFT/LAPS/Policies/PostAuthenticationResetDelay +``` + -Supported operations are Execute. - + + +Use this setting to specify the amount of time (in hours) to wait after an authentication before executing the specified post-authentication actions. - -### ResetPasswordStatus - -Use this setting to query the status of the last submitted ResetPassword action. - +If not specified, this setting will default to 24 hours. - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|Yes| -|Pro|No|Yes| -|Business|No|Yes| -|Enterprise|No|Yes| -|Education|No|Yes| - +This setting has a minimum allowed value of 0 hours (this disables all post-authentication actions). - -The value returned is an HRESULT code. +This setting has a maximum allowed value of 24 hours. + -S_OK (0x0) - the last submitted ResetPassword action succeeded. + + + -E_PENDING (0x8000000) - the last submitted ResetPassword action is still executing. + +**Description framework properties**: -other - the last submitted ResetPassword action encountered the returned error. - +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[0-24]` | +| Default Value | 24 | + -Data type is integer. + + + -Supported operations are Get. - + -### SyncML examples + + +# Settings Applicability -The following examples are provided to show proper format and shouldn't be taken as a recommendation. +The LAPS CSP can be used to manage devices that are either joined to Azure AD or joined to both Azure AD and Active Directory (hybrid-joined). The LAPS CSP manages a mix of AAD-only and AD-only settings. The AD-only settings are only applicable for hybrid-joined devices, and then only when BackupDirectory is set to 2. 
-#### Azure-joined device backing password up to Azure AD +| Setting name | Azure-joined | Hybrid-joined | +|-------------------------------------|--------------|---------------| +| BackupDirectory | Yes | Yes | +| PasswordAgeDays | Yes | Yes | +| PasswordLength | Yes | Yes | +| PasswordComplexity | Yes | Yes | +| PasswordExpirationProtectionEnabled | No | Yes | +| AdministratorAccountName | Yes | Yes | +| ADPasswordEncryptionEnabled | No | Yes | +| ADPasswordEncryptionPrincipal | No | Yes | +| ADEncryptedPasswordHistorySize | No | Yes | +| PostAuthenticationResetDelay | Yes | Yes | +| PostAuthenticationActions | Yes | Yes | +| ResetPassword | Yes | Yes | +| ResetPasswordStatus | Yes | Yes | -This example is configuring an Azure-joined device to back up its password to Azure Active Directory: +## SyncML examples + +The following examples are provided to show the correct format and shouldn't be considered as a recommendation. + +### Azure-joined device backing password up to Azure AD + +This example shows how to configure an Azure-joined device to back up its password to Azure Active Directory: ```xml @@ -605,9 +932,9 @@ This example is configuring an Azure-joined device to back up its password to Az ``` -#### Hybrid-joined device backing password up to Active Directory +### Hybrid-joined device backing password up to Active Directory -This example is configuring a hybrid device to back up its password to Active Directory with password encryption enabled: +This example shows how to configure a hybrid device to back up its password to Active Directory with password encryption enabled: ```xml @@ -757,9 +1084,10 @@ This example is configuring a hybrid device to back up its password to Active Di <Final/> ``` + + + ## Related articles -[Configuration service provider reference](index.yml) - -[Windows LAPS](/windows-server/identity/laps/laps) +[Configuration service provider reference](configuration-service-provider-reference.md) 
diff --git a/windows/client-management/mdm/laps-ddf-file.md b/windows/client-management/mdm/laps-ddf-file.md index b5ba239a7a..35784361d4 100644 --- a/windows/client-management/mdm/laps-ddf-file.md +++ b/windows/client-management/mdm/laps-ddf-file.md 
@@ -1,101 +1,88 @@ --- title: LAPS DDF file -description: Learn about the OMA DM device description framework (DDF) for the Local Administrator Password Solution configuration service provider. -ms.author: jsimmons -ms.topic: article +description: View the XML file containing the device description framework (DDF) for the LAPS configuration service provider. +author: vinaypamnani-msft +manager: aaroncz +ms.author: vinpa +ms.date: 02/17/2023 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: jsimmons -ms.localizationpriority: medium -ms.date: 07/04/2022 -ms.reviewer: jsimmons -manager: jsimmons +ms.topic: reference --- -# Local Administrator Password Solution DDF file + -This article shows the OMA DM device description framework (DDF) for the Local Administrator Password Solution (LAPS) configuration service provider. +# LAPS DDF file -Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-ddf.md). - -The XML below is the current version for this CSP. +The following XML file contains the device description framework (DDF) for the LAPS configuration service provider. ```xml - - - - - 1.2 - "%windir%\system32\LapsCSP.dll - - {298a6f17-03e7-4bd4-971c-544f359527b7} + +]> + + 1.2 + + + + LAPS + ./Device/Vendor/MSFT + + + + + The root node for the LAPS configuration service provider. + + + + + + + + + + + + + + 99.9.99999 + 1.0 + 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x77;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x87;0x88;0x88*;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xB4;0xBC;0xBF;0xCA;0xCB;0xCD; + + + + Policies + + + + + Root node for LAPS policies. + + + + + + + + + + Policies + + + + + - LAPS - ./Device/Vendor/MSFT + BackupDirectory + + + - The root node for the LAPS configuration service provider. - - - - - - - - - - - - - - 99.9.99999 - 1.0 - - - - - - - Policies - - - - - Root node for LAPS policies. 
- - - - - - - - - - Policies - - - - - - - BackupDirectory - - - - - - - - 0 - Use this setting to configure which directory the local admin account password is backed up to. + 0 + Use this setting to configure which directory the local admin account password is backed up to. The allowable settings are: 
@@ -104,95 +91,109 @@ The allowable settings are: 2=Backup the password to Active Directory only If not specified, this setting will default to 0. - - - - - - - - - - - text/plain - - - - 0 - Disabled (password will not be backed up) - - - 1 - Backup the password to Azure AD only - - - 2 - Backup the password to Active Directory only - - - - - - PasswordAgeDays - - - - - - - - 30 - Use this policy to configure the maximum password age of the managed local administrator account. + + + + + + + + + + + + + + + 0 + Disabled (password will not be backed up) + + + 1 + Backup the password to Azure AD only + + + 2 + Backup the password to Active Directory only + + + + + + PasswordAgeDays + + + + + + + + 30 + Use this policy to configure the maximum password age of the managed local administrator account. If not specified, this setting will default to 30 days This setting has a minimum allowed value of 1 day when backing the password to onpremises Active Directory, and 7 days when backing the password to Azure AD. This setting has a maximum allowed value of 365 days. - - - - - - - - - - - text/plain - - - [1-365] - - - - - [7-365] - - - Vendor/MSFT/LAPS/Policies/BackupDirectory - - - 1 - BackupDirectory configured to Azure AD - - - - - - - - - PasswordComplexity - - - - - - - - 4 - Use this setting to configure password complexity of the managed local administrator account. + + + + + + + + + + + + + + [1-365] + + + + + [7-365] + + + Vendor/MSFT/LAPS/Policies/BackupDirectory + + + 1 + BackupDirectory configured to Azure AD + + + + + + + [1-365] + + + Vendor/MSFT/LAPS/Policies/BackupDirectory + + + 2 + BackupDirectory configured to Active Directory + + + + + + + + + PasswordComplexity + + + + + + + + 4 + Use this setting to configure password complexity of the managed local administrator account. The allowable settings are: 
@@ -202,165 +203,165 @@ The allowable settings are: 4=Large letters + small letters + numbers + special characters If not specified, this setting will default to 4. - - - - - - - - - - - text/plain - - - - 1 - Large letters - - - 2 - Large letters + small letters - - - 3 - Large letters + small letters + numbers - - - 4 - Large letters + small letters + numbers + special characters - - - - - - PasswordLength - - - - - - - - 14 - Use this setting to configure the length of the password of the managed local administrator account. + + + + + + + + + + + + + + + 1 + Large letters + + + 2 + Large letters + small letters + + + 3 + Large letters + small letters + numbers + + + 4 + Large letters + small letters + numbers + special characters + + + + + + PasswordLength + + + + + + + + 14 + Use this setting to configure the length of the password of the managed local administrator account. If not specified, this setting will default to 14 characters. This setting has a minimum allowed value of 8 characters. This setting has a maximum allowed value of 64 characters. - - - - - - - - - - - text/plain - - - [8-64] - - - - - AdministratorAccountName - - - - - - - - Use this setting to configure the name of the managed local administrator account. + + + + + + + + + + + + + + [8-64] + + + + + AdministratorAccountName + + + + + + + + Use this setting to configure the name of the managed local administrator account. If not specified, the default built-in local administrator account will be located by well-known SID (even if renamed). If specified, the specified account's password will be managed. Note: if a custom managed local administrator account name is specified in this setting, that account must be created via other means. Specifying a name in this setting will not cause the account to be created. 
- - - - - - - - - - - text/plain - - - - - PasswordExpirationProtectionEnabled - - - - - - - - True - Use this setting to configure additional enforcement of maximum password age for the managed local administrator account. + + + + + + + + + + + + + + + + PasswordExpirationProtectionEnabled + + + + + + + + True + Use this setting to configure additional enforcement of maximum password age for the managed local administrator account. When this setting is enabled, planned password expiration that would result in a password age greater than that dictated by "PasswordAgeDays" policy is NOT allowed. When such expiration is detected, the password is changed immediately and the new password expiration date is set according to policy. If not specified, this setting defaults to True. - - - - - - - - - - - text/plain - - - - false - Allow configured password expiriration timestamp to exceed maximum password age - - - true - Do not allow configured password expiriration timestamp to exceed maximum password age - - - - - - Vendor/MSFT/LAPS/Policies/BackupDirectory - - - 2 - BackupDirectory configured to Active Directory - - - - - - - - - ADPasswordEncryptionEnabled - - - - - - - - False - Use this setting to configure whether the password is encrypted before being stored in Active Directory. + + + + + + + + + + + + + + + false + Allow configured password expiriration timestamp to exceed maximum password age + + + true + Do not allow configured password expiriration timestamp to exceed maximum password age + + + + + + Vendor/MSFT/LAPS/Policies/BackupDirectory + + + 2 + BackupDirectory configured to Active Directory + + + + + + + + + ADPasswordEncryptionEnabled + + + + + + + + True + Use this setting to configure whether the password is encrypted before being stored in Active Directory. This setting is ignored if the password is currently being stored in Azure. 
@@ -370,54 +371,54 @@ If this setting is enabled, and the Active Directory domain meets the DFL prereq If this setting is disabled, or the Active Directory domain does not meet the DFL prerequisite, the password will be stored as clear-text in Active Directory. -If not specified, this setting defaults to False. - - - - - - - - - - - text/plain - - - - false - Store the password in clear-text form in Active Directory - - - true - Store the password in encrypted form in Active Directory - - - - - - Vendor/MSFT/LAPS/Policies/BackupDirectory - - - 2 - BackupDirectory configured to Active Directory - - - - - - - - - ADPasswordEncryptionPrincipal - - - - - - - - Use this setting to configure the name or SID of a user or group that can decrypt the password stored in Active Directory. +If not specified, this setting defaults to True. + + + + + + + + + + + + + + + false + Store the password in clear-text form in Active Directory + + + true + Store the password in encrypted form in Active Directory + + + + + + Vendor/MSFT/LAPS/Policies/BackupDirectory + + + 2 + BackupDirectory configured to Active Directory + + + + + + + + + ADPasswordEncryptionPrincipal + + + + + + + + Use this setting to configure the name or SID of a user or group that can decrypt the password stored in Active Directory. This setting is ignored if the password is currently being stored in Azure. 
@@ -426,229 +427,226 @@ If not specified, the password will be decryptable by the Domain Admins group in If specified, the specified user or group will be able to decrypt the password stored in Active Directory. If the specified user or group account is invalid the device will fallback to using the Domain Admins group in the device's domain. - - - - - - - - - - - text/plain - - - - - Vendor/MSFT/LAPS/Policies/BackupDirectory - - - 2 - BackupDirectory configured to Active Directory - - - - - - - - - ADEncryptedPasswordHistorySize - - - - - - - - 0 - Use this setting to configure how many previous encrypted passwords will be remembered in Active Directory. + + + + + + + + + + + + + + + + Vendor/MSFT/LAPS/Policies/BackupDirectory + + + 2 + BackupDirectory configured to Active Directory + + + + + + + + + ADEncryptedPasswordHistorySize + + + + + + + + 0 + Use this setting to configure how many previous encrypted passwords will be remembered in Active Directory. If not specified, this setting will default to 0 passwords (disabled). This setting has a minimum allowed value of 0 passwords. This setting has a maximum allowed value of 12 passwords. - - - - - - - - - - - text/plain - - - [0-12] - - - - - Vendor/MSFT/LAPS/Policies/BackupDirectory - - - 2 - BackupDirectory configured to Active Directory - - - - - - - - - PostAuthenticationResetDelay - - - - - - - - 24 - Use this setting to specify the amount of time (in hours) to wait after an authentication before executing the specified post-authentication actions. + + + + + + + + + + + + + + [0-12] + + + + + Vendor/MSFT/LAPS/Policies/BackupDirectory + + + 2 + BackupDirectory configured to Active Directory + + + + + + + + + PostAuthenticationResetDelay + + + + + + + + 24 + Use this setting to specify the amount of time (in hours) to wait after an authentication before executing the specified post-authentication actions. If not specified, this setting will default to 24 hours. 
This setting has a minimum allowed value of 0 hours (this disables all post-authentication actions). This setting has a maximum allowed value of 24 hours. - - - - - - - - - - - text/plain - - - [0-24] - - - - - PostAuthenticationActions - - - - - - - - 3 - Use this setting to specify the actions to take upon expiration of the configured grace period. + + + + + + + + + + + + + + [0-24] + + + + + PostAuthenticationActions + + + + + + + + 3 + Use this setting to specify the actions to take upon expiration of the configured grace period. If not specified, this setting will default to 3 (Reset the password and logoff the managed account). - - - - - - - - - - - text/plain - - - - 1 - Reset password: upon expiry of the grace period, the managed account password will be reset. - - - 3 - Reset the password and logoff the managed account: upon expiry of the grace period, the managed account password will be reset and any interactive logon sessions using the managed account will terminated. - - - 5 - Reset the password and reboot: upon expiry of the grace period, the managed account password will be reset and the managed device will be immediately rebooted. - - - - - - - Actions - - - - - - - - - - - - - - Actions - - - - - - ResetPassword - - - - - Use this setting to tell the CSP to immediately generate and store a new password for the managed local administrator account. - - - - - - - - - - - text/plain - - - - - - ResetPasswordStatus - - - - - 0 - Use this setting to query the status of the last submitted ResetPassword execute action. - - - - - - - - - - ResetPasswordStatus - - text/plain - - - - + + + + + + + + + + + + + + + 1 + Reset password: upon expiry of the grace period, the managed account password will be reset. + + + 3 + Reset the password and logoff the managed account: upon expiry of the grace period, the managed account password will be reset and any interactive logon sessions using the managed account will terminated. 
+ + + 5 + Reset the password and reboot: upon expiry of the grace period, the managed account password will be reset and the managed device will be immediately rebooted. + + + - - - + + + Actions + + + + + + + + + + + + + + Actions + + + + + + ResetPassword + + + + + Use this setting to tell the CSP to immediately generate and store a new password for the managed local administrator account. + + + + + + + + + + + + + + + + ResetPasswordStatus + + + + + 0 + Use this setting to query the status of the last submitted ResetPassword execute action. + + + + + + + + + + ResetPasswordStatus + + + + + + + + ``` ## Related articles -[LAPS configuration service provider](laps-csp.md) +[LAPS configuration service provider reference](laps-csp.md) diff --git a/windows/client-management/mdm/toc.yml b/windows/client-management/mdm/toc.yml index 253e70a1bf..dafc80cf73 100644 --- a/windows/client-management/mdm/toc.yml +++ b/windows/client-management/mdm/toc.yml @@ -767,10 +767,10 @@ items: items: - name: LanguagePackManagement DDF file href: language-pack-management-ddf-file.md - - name: Local Administrator Password Solution + - name: LAPS href: laps-csp.md items: - - name: Local Administrator Password Solution DDF + - name: LAPS DDF file href: laps-ddf-file.md - name: MultiSIM href: multisim-csp.md
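Review bot: in the `@@ -1,512 +1,839 @@` hunk of laps-csp.md, the added `# Settings Applicability` heading is a second top-level heading on a page that already opens with `# LAPS CSP`; the sibling sections introduced in the same hunk (`## SyncML examples`, `## Related articles`) are H2, so it should be `## Settings Applicability` to keep one H1 and a consistent TOC. In the same hunk, the allowed-values row for value 3 of PostAuthenticationActions reads "any interactive logon sessions using the managed account will terminated"; change to "will be terminated".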
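Review bot: the `@@ -757,9 +1084,10 @@` hunk of laps-csp.md removes `[Windows LAPS](/windows-server/identity/laps/laps)` from Related articles and leaves only the CSP reference link; that was the page's only pointer from the footer to the feature documentation, so keep it as a second entry alongside `[Configuration service provider reference](configuration-service-provider-reference.md)`.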
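Review bot: the `@@ -1,101 +1,88 @@` hunk of laps-ddf-file.md drops the line "Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-ddf.md)." with no replacement; unless that download page is being retired, keep the pointer after the new intro sentence so readers can still find the downloadable DDF set.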
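Review bot: in the `@@ -202,165 +203,165 @@` hunk of laps-ddf-file.md, the `DefaultValue` of `ADPasswordEncryptionEnabled` changes from `False` to `True`, which is a behavior change to a security default rather than a formatting update, yet the commit message ("LAPS CSP") does not mention it; call it out in the commit message and make sure the laps-csp.md section for this setting states the same default. Also in this hunk, the re-added allowed-value descriptions for `PasswordExpirationProtectionEnabled` carry the typo "expiriration" in both the `false` and `true` entries; correct to "expiration" while the lines are being touched.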
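Review bot: in the `@@ -370,54 +371,54 @@` hunk of laps-ddf-file.md, the description text changes from "If not specified, this setting defaults to False." to "defaults to True."; the surrounding unchanged context still says that when the domain does not meet the DFL prerequisite the password is stored as clear-text in Active Directory, so with encryption now on by default the description should make explicit that the clear-text fallback still applies in that case, otherwise administrators may assume the new default guarantees encrypted storage.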
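Review bot: in the `@@ -426,229 +427,226 @@` hunk of laps-ddf-file.md, the re-added description for value 3 of `PostAuthenticationActions` ("... any interactive logon sessions using the managed account will terminated.") has the same missing "be" as the CSP page; fix it to "will be terminated" here too so the DDF and the reference page stay word-for-word aligned.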