Feature Request - New Windows LAPS Detection

[jamesaepp]

Thanks for the great software!

I recently installed a new forest and setup the new Windows LAPS introduced below.

https://techcommunity.microsoft.com/t5/windows-it-pro-blog/by-popular-demand-windows-laps-available-now/ba-p/3788747

When running pingcastle 3.0.0.3, the LAPS check under anomalies is matched. I'm guessing Pingcastle is relying on the legacy LAPS implementation. It would be great to have a hybrid approach here to detect the new Windows LAPS systems (and its features). Other things that would be really cool to detect:

• Is the DFL high enough (2016) to support the LAPS password encryption features?
• Informational - Is password history configured with LAPS?
• Resolution of which users have effective rights to passwords (clear text or encrypted)
• Are DSRM passwords being rotated with Windows LAPS?
• Are post authentication actions enforced/configured?

etc.

[vletoux]

The latest beta version of PingCastle (available in the download portal if you are a registered user) includes this new feature. It will be also included in the next official version of PingCastle

[1mm0rt41PC]

Hello !

I have tested the version of PingCastle 3.2.0.1 with the new LAPS but it doesn't work properly. From the code https://github.com/vletoux/pingcastle/blob/933316dab78685caaf4e2cee3dd541511035e73a/Healthcheck/LAPSAnalyzer.cs#L34 PingCastle only check ms-LAPS-Password but my client use msLAPS-EncryptedPassword.

To avoid this LAPS conflict, is it possible to use msLAPS-PasswordExpirationTime instead ?