Microsoft enhanced Windows LAPS in the Insider Program to retrieve encrypted passwords from AD when there are no operational domain controllers

The enhancements will be released to Windows 11, as part of the 24H2 update.


Windows Insiders were in for a treat last week: alongside a new build to the Beta Channel, Microsoft has released a new build, Windows 11 Insider Preview Build 27695, to the Canary Channel. This update, the first since August 15, brings many improvements, including enhancements to the Windows Local Administrator Password Solution (LAPS), among other additions and bug fixes. Particularly noteworthy is the change in the expiration date for Canary Channel builds, now set for September 15, 2025, starting with build 27691.

One of the standout features of this update is the new position for the Widgets entry-point on left-aligned taskbars. This change aims to provide users with richer content visibility from their widgets directly on the toolbar, enhancing the overall user experience.

Microsoft has also significantly improved Windows LAPS. This enhancement allows for recovering encrypted passwords from Active Directory backup media even when no AD domain controllers are operational. It’s a game-changer for security, offering much better protection than the traditional method of storing clear-text passwords in Active Directory.

For those interested in the technical side, the Windows LAPS password encryption leverages the Cryptography API: Next Generation Data Protection API (CNG DPAPI). This means that encrypted passwords can still be recovered in the unfortunate event of a disaster where no AD domain controllers are running. This is possible through the Get-LapsADPassword PowerShell cmdlet, which can now perform a purely local operation to decrypt passwords using keys found in the snapshot browser. It’s a critical advancement for maintaining security and access in dire situations.

The update also includes a variety of changes and improvements across the board. For instance, some Insiders in the Canary Channel will now see an estimated time for how long their PC will be offline during the installation of Build 27695. This estimate aims to improve the update experience by providing users with more information upfront. There’s now an option to turn off suggestions to disable notifications from certain apps, giving users more control over their notification preferences.

This update also makes sharing content to an Android device from Windows easier. Users must pair their Android device to their Windows PC using the Link to Windows app on Android and Phone Link on their PC. Moreover, the Widgets Board has received an update to improve security and the APIs for creating widgets and feeds for users in EEA regions. This update lays the groundwork for new widgets and features to roll out soon.

As for fixes, Microsoft has addressed several issues in File Explorer, Task Manager, and Windows Sandbox, among others, to enhance the stability and usability of Windows 11. However, there are still known issues, such as the potential loss of Windows Hello PIN and biometrics for signing in on new Copilot+ PCs joining the Canary Channel from other channels.

The Windows 11 Insider Preview Build 27695’s full changelog is here.
