
What issues did you run into when migrating from legacy LAPS to Windows LAPS?

Scott Truffle 20 Reputation points
2026-05-02T03:24:08.58+00:00

We recently started moving from legacy LAPS to the newer Windows LAPS, and it hasn’t been as smooth as expected. Some machines don’t rotate passwords properly, and it feels like old policies or configs are still lingering in the background causing conflicts. It’s one of those situations where everything should work, but doesn’t consistently. If you’ve gone through this migration, what cleanup steps or fixes actually made things stable?

Windows for business | Windows Client for IT Pros | User experience | Other

Answer accepted by question author

  1. Domic Vo 20,250 Reputation points Independent Advisor
    2026-05-02T04:24:18.96+00:00

    Hi Scott,

    The instability you’re seeing usually comes from remnants of legacy LAPS GPOs and schema objects conflicting with Windows LAPS policies. The first step is to confirm that the legacy LAPS client (AdmPwd.dll) is fully removed from affected machines, including any lingering scheduled tasks under Task Scheduler and registry entries under HKLM\Software\Policies\Microsoft Services\AdmPwd. On the AD side, check that only the Windows LAPS attributes (msLAPS-PasswordExpirationTime, msLAPS-EncryptedPassword) are in use and that legacy attributes like ms-Mcs-AdmPwd are no longer being referenced by any GPO. Also ensure you’ve updated the AD schema with the April 2023 update or later, since Windows LAPS depends on those extensions. In Group Policy, disable or delete old LAPS policies and replace them with the new Windows LAPS settings under Computer Configuration → Administrative Templates → System → LAPS. Once cleanup is complete, force a GPUpdate and verify password rotation events in the Event Viewer under Applications and Services Logs → Microsoft → Windows → LAPS. That combination usually stabilizes rotation and eliminates the inconsistent behavior.

    If the above response helps answer your question, please hit "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.

    Domic V.

    1 person found this answer helpful.

1 additional answer

Sort by: Most helpful
  1. Q&A Assist
    2026-05-02T03:24:22.3666667+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist.

    The most common stability issues during migration come from overlapping configurations between legacy Microsoft LAPS and Windows LAPS, and from not fully removing the legacy components once Windows LAPS is in place. The following cleanup and verification steps are what typically stabilize environments:

    1. Ensure side-by-side is configured correctly
    • When running both solutions during migration, both policies must target different local accounts. Having Windows LAPS and legacy LAPS manage the same local admin account isn’t supported and leads to inconsistent password rotation.
    • Long term, plan to move all devices to Windows LAPS and retire legacy LAPS.

    2. Verify Windows LAPS is actually taking over. Use one or more of these checks on problem machines:
    • Check the Windows LAPS event log channel for successful password update events. This confirms the background policy processing cycle is running and passwords are being rotated.
    • If storing passwords in Active Directory:
      • Confirm the msLAPS-PasswordExpirationTime attribute is present and updating on the computer object.
      • Use the Get-LapsADPassword PowerShell cmdlet to verify that a current password and expiration time are stored.
    • If storing passwords in Microsoft Entra ID:
      • Verify in the Microsoft Entra ID or Intune portals that the device password is updating.
      • Use Get-LapsAADPassword to confirm password and expiration data.

    If these checks fail or show stale data, Windows LAPS policy isn’t being applied correctly, or something is blocking password updates.

    3. Cleanly remove legacy LAPS components. Once Windows LAPS is confirmed working for the new target account, remove legacy LAPS from each device so it no longer interferes:
    • If legacy LAPS was installed via MSI:
      • Either uninstall it from Programs and Features, or run this silent uninstall command as administrator:
            msiexec.exe /q /uninstall {97E2CA7B-B657-4FF7-A6DB-30ECC73E1E28}

    • If legacy LAPS was deployed by copying and registering AdmPwd.dll:
      • Unregister and delete the DLL (adjust the path if needed; run from an elevated command prompt):
            regsvr32.exe /s /u AdmPwd.dll
            del C:\windows\system32\AdmPwd.dll

      • If the DLL location is unknown, read the DllName value under: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{D76B9641-3288-4f75-942D-087DE603E3EA} and use that path in the commands.

    Removing these components prevents legacy LAPS CSE behavior from conflicting with Windows LAPS processing.

    4. Disable legacy emulation when needed. Windows LAPS can run in “legacy Microsoft LAPS emulation mode” and honor legacy LAPS Group Policy settings. If that’s not desired and is causing confusion:
    • Create a REG_DWORD value named BackupDirectory under: HKLM\Software\Microsoft\Windows\CurrentVersion\LAPS\Config
    • Set it to 0.

    This prevents Windows LAPS from entering legacy emulation mode, even if the legacy CSE is still present, and avoids unintended enforcement of old policies.

    5. Force and observe policy processing. When testing fixes on a device:
    • Trigger Windows LAPS processing explicitly (for example, by forcing Group Policy refresh or using the Windows LAPS policy processing cmdlet if available in the environment).
    • Immediately recheck:
      • Windows LAPS event logs for successful password rotation.
      • msLAPS-PasswordExpirationTime (AD) or the Entra/Intune view for updated password metadata.

    6. Monitor for a stable transition at scale. After cleanup, use centralized monitoring to confirm stability:
    • Aggregate Windows LAPS event logs to verify regular successful password updates across devices.
    • Periodically sample devices with Get-LapsADPassword or Get-LapsAADPassword to ensure expiration times and password versions are advancing as expected.

    These steps address the usual “it should work but doesn’t consistently” symptoms by eliminating legacy CSE interference, disabling unwanted emulation, and confirming that Windows LAPS is the only active password management mechanism.

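    A per-device audit script, added here as an example and not part of either answer above, that checks in one pass for the leftovers both answers describe (the legacy CSE registration and AdmPwd.dll, the legacy AdmPwd policy key, the BackupDirectory emulation guard) and then confirms Windows LAPS activity from its event channel and the AD-side metadata. It assumes it runs elevated on the device being checked, that the Windows LAPS PowerShell module is present, and that passwords are backed up to AD; the function name and the $LookbackHours parameter are my own.

```powershell
# Added example: audit one device for legacy LAPS remnants and current Windows LAPS state.
# Run elevated on the device. Only password metadata is read; no password is displayed.
function Test-LapsMigrationState {
    param([int]$LookbackHours = 24)   # window for "recent" Windows LAPS activity (assumption)

    # Registry locations named in the thread above.
    $cseKey    = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{D76B9641-3288-4f75-942D-087DE603E3EA}'
    $legacyPol = 'HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd'
    $lapsCfg   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\LAPS\Config'

    $r = [ordered]@{ Computer = $env:COMPUTERNAME }

    # 1. Is the legacy CSE still registered, and is its DLL still on disk?
    $dll = (Get-ItemProperty -Path $cseKey -ErrorAction SilentlyContinue).DllName
    if ($dll) { $dll = [Environment]::ExpandEnvironmentVariables($dll) }
    $r.LegacyCseDll     = $dll
    $r.LegacyDllOnDisk  = if ($dll) { Test-Path -Path $dll } else { $false }

    # 2. Is a legacy LAPS policy still being delivered (key exists under Policies)?
    $r.LegacyPolicyPresent = Test-Path -Path $legacyPol

    # 3. Emulation guard: BackupDirectory = 0 under LAPS\Config disables legacy emulation.
    $bd = (Get-ItemProperty -Path $lapsCfg -ErrorAction SilentlyContinue).BackupDirectory
    $r.EmulationDisabled = ($bd -eq 0)

    # 4. Windows LAPS activity in the lookback window; Level 2 = Error.
    $since  = (Get-Date).AddHours(-$LookbackHours)
    $events = @(Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-LAPS/Operational'; StartTime = $since } -ErrorAction SilentlyContinue)
    $r.LapsEvents = $events.Count
    $r.LapsErrors = @($events | Where-Object Level -eq 2).Count

    # 5. What AD currently holds for this computer (update time and expiration only).
    $ad = Get-LapsADPassword -Identity $env:COMPUTERNAME -ErrorAction SilentlyContinue
    $r.AdPasswordUpdated = $ad.PasswordUpdateTime
    $r.AdExpiration      = $ad.ExpirationTimestamp

    # Verdict: no legacy CSE, no legacy policy, and recent error-free Windows LAPS activity.
    $r.Clean = (-not $dll) -and (-not $r.LegacyPolicyPresent) -and
               ($r.LapsEvents -gt 0) -and ($r.LapsErrors -eq 0)
    [pscustomobject]$r
}

Test-LapsMigrationState | Format-List
```

    A device reporting LegacyCseDll or LegacyPolicyPresent still needs the cleanup from step 3, while LapsErrors above zero with no AdPasswordUpdated movement points at the policy or permissions problems step 2 describes.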
