
How to deploy WebLAPS to secure Microsoft LAPS


Iams3le

WebLAPS is a web-based solution for managing the Microsoft Local Administrator Password Solution (LAPS). Below are some articles on Windows LAPS that have previously been shared with the community.

​@Michael Melter also discussed LAPS in the article below; I recommend reading it, as it covers material that this article does not.

WebLAPS can also be used to implement the just-in-time administration (JITA) approach that Microsoft recommends, in which system administrators' accounts are added to privileged groups for a defined period of time and removed automatically afterwards. Please refer to the official documentation for more information. A guide to configuring Windows LAPS with Microsoft Intune is linked here as well.

 

This article targets users who are still running the legacy Microsoft LAPS rather than Windows LAPS. Microsoft recommends that customers start planning the migration of their Windows LAPS-capable systems away from legacy Microsoft LAPS. The legacy Microsoft LAPS product is deprecated as of Windows 11 23H2 and later: installation of the legacy LAPS MSI package is blocked on newer OS versions, and Microsoft will no longer consider code changes for it. Microsoft will continue to support legacy Microsoft LAPS on the older Windows versions (prior to Windows 11 23H2) on which it was previously supported, and that support ends with the normal end of support for those operating systems.

If you are already using Windows LAPS, there is good news: you no longer need a third-party solution. Starting with Windows Admin Center v2401, you can manage Windows LAPS directly from Windows Admin Center.

 

Steps to Install WebLAPS on Windows

Navigate to the following URL to download the required Java version. I will be downloading the Windows version as shown below.

Kindly accept the license agreement. You will be prompted to sign-in. Enter your username and password when prompted and download.

WebLAPS Community Edition Download

Do not install WebLAPS on a domain controller. A web application on a DC adds attack surface to the most sensitive host in the domain, and a compromise of that application is a compromise of the domain. Install the WebLAPS Pro solution on a dedicated member server instead. Use the following URL to download the application.

Note: the WebLAPS agent manages the passwords of local users and the membership of local groups, and can be used on both domain-joined and non-domain-joined computers.


WebLAPS Pro runs as a Java-based Windows service and requires Java Runtime Environment (JRE) 1.8 to function, so we install the JRE first, as shown below.

Next, create a Local User for WebLAPS

Next, grant the "Log on as a service" right. This allows the "laps" user to run the WebLAPS service:

Please expand “Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment”. Select “Log on as a service”.

Add the laps user created and click on OK.

Create the directory C:\laps as shown below.

Extract the WebLAPS distribution (installation package) into C:\laps.

As you can see, the extraction was successful.

Modify the folder permissions: grant the "laps" user Read & Write access and remove access for everyone else except Administrators. The service account should not be able to change its own binaries, and ordinary users on the server should not be able to read the application's files at all.

 

Verify or create the environment variable. Launch System Properties and click "Environment Variables" under the Advanced tab. As you can see below, we have the Java JRE installation path.

Note: if the Java JRE's bin directory is not on the system PATH, invoking java from a Command Prompt or PowerShell window fails.

 

Verify the Java Path in Configuration

The official documentation marks this step as optional when the JRE installation path is already in the environment variables. That was not the case for me: the service did not start until I set it.

If Java is not on the system PATH, WebLAPS may not find it and will fail to start. To fix this, get the full path to java.exe and enter it in the configuration using / instead of \ as the path separator, as described in the official guide.
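The host-preparation steps above (local service account, "Log on as a service", the C:\laps folder and its ACL, and the Java path check) can be done from an elevated PowerShell session. The following is an added example, not code from the original post or from the WebLAPS vendor. It assumes the account name 'laps' and install root C:\laps used in this article, that JRE 1.8 is already installed, and it additionally grants SYSTEM full control on the folder (not mentioned in the steps above, but needed for Windows itself to service the directory). The Modify right given to the service account is Read & Write plus the ability to delete its own files.

```powershell
# Added example (not from the original post or the WebLAPS vendor): prepares a
# member server for the WebLAPS service following the steps in this article.
# Assumptions: local account 'laps', install root C:\laps, JRE 1.8 installed.
# Run from an elevated PowerShell session.

$ErrorActionPreference = 'Stop'
$ServiceUser = 'laps'
$InstallRoot = 'C:\laps'

# 1. Local service account: password never expires, account cannot change it.
if (-not (Get-LocalUser -Name $ServiceUser -ErrorAction SilentlyContinue)) {
    $pw = Read-Host -AsSecureString -Prompt "Password for local account '$ServiceUser'"
    New-LocalUser -Name $ServiceUser -Password $pw -PasswordNeverExpires `
        -UserMayNotChangePassword -Description 'WebLAPS service account' | Out-Null
}
$sid = (Get-LocalUser -Name $ServiceUser).SID.Value

# 2. "Log on as a service" (SeServiceLogonRight). There is no cmdlet for user
#    rights, so export the local policy with secedit, add the SID, import it back.
$cfg = Join-Path $env:TEMP 'user-rights.inf'
$db  = Join-Path $env:TEMP 'user-rights.sdb'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$lines = Get-Content $cfg
if ($lines -match '^SeServiceLogonRight') {
    if (-not ($lines -match "^SeServiceLogonRight.*\*$sid")) {
        $lines = $lines -replace '^(SeServiceLogonRight\s*=\s*.*)$', "`$1,*$sid"
    }
} else {
    # Right not yet assigned to anyone: add it under the [Privilege Rights] section.
    $lines = $lines -replace '^\[Privilege Rights\]$', "[Privilege Rights]`r`nSeServiceLogonRight = *$sid"
}
Set-Content -Path $cfg -Value $lines -Encoding Unicode
secedit /configure /db $db /cfg $cfg /areas USER_RIGHTS | Out-Null
Remove-Item $cfg, $db -ErrorAction SilentlyContinue

# 3. Install directory with inheritance disabled: only Administrators, SYSTEM
#    and the service account get in; BUILTIN\Users and everyone else are cut off.
New-Item -ItemType Directory -Path $InstallRoot -Force | Out-Null
$acl = Get-Acl $InstallRoot
$acl.SetAccessRuleProtection($true, $false)      # block inheritance, drop inherited ACEs
$inherit = 'ContainerInherit,ObjectInherit'
foreach ($entry in @(
        @{ Id = 'BUILTIN\Administrators';          Rights = 'FullControl' },
        @{ Id = 'NT AUTHORITY\SYSTEM';             Rights = 'FullControl' },  # assumption: added for OS servicing
        @{ Id = "$env:COMPUTERNAME\$ServiceUser";  Rights = 'Modify'      }   # read/write plus delete of its own logs
    )) {
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
        $entry.Id, $entry.Rights, $inherit, 'None', 'Allow')))
}
Set-Acl -Path $InstallRoot -AclObject $acl

# 4. Java check: find java.exe via JAVA_HOME or PATH, confirm it is a 1.8 JRE, and
#    print the path in the forward-slash form the WebLAPS configuration expects.
$java = if ($env:JAVA_HOME) { Join-Path $env:JAVA_HOME 'bin\java.exe' }
        else { (Get-Command java.exe -ErrorAction SilentlyContinue).Source }
if (-not $java -or -not (Test-Path $java)) {
    throw 'java.exe not found via JAVA_HOME or PATH; install JRE 1.8 or fix the environment variables.'
}
# 'java -version' writes to stderr; relax ErrorActionPreference locally so the
# redirected stderr line is not turned into a terminating error in PowerShell 5.1.
$version = & { $ErrorActionPreference = 'Continue'; (& $java -version 2>&1 | Select-Object -First 1).ToString() }
if ($version -notmatch '"1\.8\.') { Write-Warning "Expected JRE 1.8, found: $version" }
"Java path for the WebLAPS configuration: $($java -replace '\\', '/')"

# Final check of the resulting ACL.
(Get-Acl $InstallRoot).Access | Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize
```

The ACL output at the end should list only Administrators, SYSTEM and the laps account; if BUILTIN\Users still appears, inheritance was not removed and the folder is readable by every local user.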

 

WebLAPS Service

You must run this command with administrative rights; otherwise it fails with "Error in OpenSCManager: 5 (Access Denied)", because registering a service requires write access to the Service Control Manager. Open Command Prompt (Admin), navigate to the WebLAPS folder and run the installation script.

If you run into issues, uninstall with the uninstallation script and restart your PC. Then, run the installation script. This should succeed

As you can see below, the script succeeded and the service is running.

 

We need a dedicated service account (LAPSAdmin) that WebLAPS uses to authenticate to Active Directory and read LAPS passwords. Next, we grant it the LAPS read permission. This account should be a plain domain user with only the extended right to read ms-Mcs-AdmPwd on the relevant OUs; it does not need membership in any privileged group.
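The account creation and the permission grant above can be scripted with the RSAT ActiveDirectory module and the legacy LAPS AdmPwd.PS module (installed with the LAPS management tools). This is an added example, not code from the original post; the domain name and OU are placeholders for your own values, and the final read test assumes at least one computer in that OU has already had a LAPS password set.

```powershell
# Added example (not from the original post): creates the LAPSAdmin service
# account, grants it read access to legacy LAPS passwords under one OU, and
# verifies the grant both by inspecting rights and by reading a password as it.
# Assumptions: ActiveDirectory and AdmPwd.PS modules present; placeholder names.

$ErrorActionPreference = 'Stop'
Import-Module ActiveDirectory
Import-Module AdmPwd.PS

$Domain      = 'corp.example'                        # assumption
$ComputersOU = 'OU=Workstations,DC=corp,DC=example'  # assumption: OU with LAPS-managed computers
$SvcSam      = 'LAPSAdmin'

# 1. Dedicated, non-privileged AD account. Not in Domain Admins: the only right
#    it needs is the extended right on ms-Mcs-AdmPwd under the target OU.
if (-not (Get-ADUser -Filter "SamAccountName -eq '$SvcSam'")) {
    New-ADUser -Name $SvcSam -SamAccountName $SvcSam `
        -UserPrincipalName "$SvcSam@$Domain" `
        -AccountPassword (Read-Host -AsSecureString -Prompt "Password for $SvcSam") `
        -Enabled $true -PasswordNeverExpires $true -CannotChangePassword $true `
        -Description 'WebLAPS: reads legacy LAPS passwords'
}

# 2. Grant the extended right to read ms-Mcs-AdmPwd on computers in the OU.
Set-AdmPwdReadPasswordPermission -OrgUnit $ComputersOU -AllowedPrincipals $SvcSam | Out-Null

# 3a. Verify: the OU's extended-rights holders should now include LAPSAdmin.
Find-AdmPwdExtendedRights -Identity $ComputersOU |
    Select-Object ObjectDN, ExtendedRightHolders | Format-List

# 3b. Verify end to end: read one computer's password *as* LAPSAdmin.
$cred  = Get-Credential -UserName "$SvcSam@$Domain" -Message 'LAPSAdmin credentials'
$probe = Get-ADComputer -SearchBase $ComputersOU -Filter * -ResultSetSize 1 |
    Get-ADComputer -Properties ms-Mcs-AdmPwd, ms-Mcs-AdmPwdExpirationTime -Credential $cred
if ([string]::IsNullOrEmpty($probe.'ms-Mcs-AdmPwd')) {
    Write-Warning "$SvcSam could not read ms-Mcs-AdmPwd on $($probe.Name): check the OU, and that the host has set a LAPS password yet."
} else {
    "Read OK for $($probe.Name); password expires $([datetime]::FromFileTime($probe.'ms-Mcs-AdmPwdExpirationTime'))"
}
```

Scope the grant to the OUs WebLAPS actually needs to serve. Whoever compromises the WebLAPS host, or its stored LAPSAdmin credential, can read every password that account can read, so the OU in Set-AdmPwdReadPasswordPermission is the blast radius you are choosing.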

 

Launch WebLAPS in Browser

Open the browser and navigate to the URL shown in the image below. It may differ in your environment.

Note: you will see a certificate warning, because WebLAPS uses a self-signed certificate by default. Accept it for the initial setup only, and then replace the certificate with one issued by your internal CA. A site that hands out local administrator passwords is the last place you want administrators trained to click through certificate warnings.

 

To allow WebLAPS to manage LAPS passwords stored in Active Directory, we integrate WebLAPS with Active Directory (AD).

To do this, click Administration, then Communications and LDAP, as shown below. Enter the AD server details accordingly and save the settings. Use the LAPSAdmin account created earlier as the bind account, and prefer LDAPS (TCP 636) over plain LDAP so that the bind password and the retrieved LAPS passwords are not sent in clear text between the WebLAPS server and the domain controller.

WebLAPS should now be fully functional. Try retrieving a LAPS password as shown below.

 

For other recommended WebLAPS settings and more detailed steps, please take a look at this blog post.


Retrieve Windows LAPS via WACmg


In the next guide, I will show the steps to securely manage Windows LAPS via Windows Admin Center Modern Gateway 2401.

You can use the Windows LAPS tool in Windows Admin Center to manage the passwords of LAPS-enabled machines in the domain. With it, you can reveal and copy the password of a given machine and view the corresponding password expiration time and last-update timestamp.

You can also set the expiration time and reset passwords for multiple machines at once, which makes password management simpler and more efficient without sacrificing security.
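The same operations the Windows Admin Center tool offers (reveal a password, view its update and expiration times, force a rotation across several machines) are also available from the built-in Windows LAPS PowerShell module, which is useful for scripted or bulk work. This is an added example, not code from the original post or from Microsoft. It assumes Windows LAPS policy is applied to the targets, that the caller holds the Windows LAPS read and reset rights on their OU, and the computer names are placeholders.

```powershell
# Added example (not from the original post): bulk reveal and forced rotation of
# Windows LAPS passwords with the LAPS module that ships with Windows.
# Assumptions: Windows LAPS in use; caller has read/reset rights; placeholder hosts.

Import-Module LAPS
$Targets = @('WS-001', 'WS-002', 'WS-003')   # assumption: Windows LAPS-managed hosts

# 1. Reveal password, account, update time and expiry for each machine.
#    -AsPlainText is required to get the password as text; without it the
#    Password property is a SecureString. Plain-text reveals end up in
#    transcripts and history, so only use it when the password is needed.
$report = foreach ($name in $Targets) {
    try {
        $p = Get-LapsADPassword -Identity $name -AsPlainText
        [pscustomobject]@{
            Computer = $name
            Account  = $p.Account
            Password = $p.Password
            Updated  = $p.PasswordUpdateTime
            Expires  = $p.ExpirationTimestamp
            Source   = $p.Source
        }
    } catch {
        # Typical causes: no LAPS password stored yet, no read right, or wrong name.
        [pscustomobject]@{
            Computer = $name; Account = $null; Password = $null
            Updated  = $null; Expires = $null; Source = "ERROR: $($_.Exception.Message)"
        }
    }
}
# Show status without echoing the passwords themselves.
$report | Format-Table Computer, Account, Updated, Expires, Source -AutoSize

# 2. Force rotation on every machine that could be read. Without -WhenEffective
#    the expiration is set to now; each client rotates at its next policy cycle,
#    so nothing has to be run on the clients.
foreach ($row in $report | Where-Object { $_.Source -notlike 'ERROR:*' }) {
    Set-LapsADPasswordExpirationTime -Identity $row.Computer
}
```

Use the expiration-time reset rather than a manual Reset-LapsPassword on each client when you want a whole OU rotated after a shared-password incident: the clients pick up the new expiry on their own, and the AD audit trail records who set it.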

 

IMG SRC: Microsoft

 

3 comments

Chris.Childerhose
  • Veeam Legend, Veeam Vanguard
  • February 24, 2025

That seems like a lot of work but worth it in the end.  Thanks for sharing this interesting one.


Link State
  • Veeam Legend
  • February 25, 2025

Nice guide, ​Iams3le, thanks for sharing.

 


Iams3le
  • Author
  • Veeam Legend
  • February 25, 2025

Thank you ​@Chris.Childerhose and ​@Link State! With Windows Admin Center 2401, you should be able to manage Windows LAPS without needing a third-party solution.
- According to Microsoft, you can install a modernized gateway build of Windows Admin Center side by side with a legacy gateway build, as long as you don't choose the same ports for both installations, as shown below.

This has actually saved me the time of searching for a solution that would work with Windows LAPS. Therefore, I will update the article with an image of how LAPS can be retrieved via WACmg.

