Shared local admin passwords are a gift to attackers. For small contractors working toward CMMC Level 2, they also create a clear gap in least privilege and audit trails.
In this Windows LAPS setup guide, I’ll show the approach I use for lean IT teams. My goal is simple: unique local admin passwords, protected retrieval, fast rotation, and evidence I can hand to an assessor without guessing later.
In my Small Business IT work, I see this same gap across Cloud Infrastructure, Office 365 Migration, Data Center Technology, Restaurant POS Support, and Kitchen Technology Solutions. Windows LAPS fits broader Cybersecurity Services, Endpoint Security, and Device Hardening, and it supports the kind of Innovative IT Solutions, Tailored Technology Services, Cloud Management, Technology Consulting, Infrastructure Optimization, Digital Transformation, IT Strategy for SMBs, Secure Cloud Architecture, Managed IT for Small Business, and Business Continuity & Security that a real Business Technology Partner should deliver.
Start with the right LAPS version
As of March 2026, I default to built-in Windows LAPS on supported Windows 10, Windows 11, and Windows Server systems. The old product, usually called legacy Microsoft LAPS, needed a separate client-side extension and used older AD attributes. Built-in Windows LAPS is native, supports Active Directory and Entra ID, and gives me better auditing and more flexible policy options.
| Option | Best fit | Main note |
|---|---|---|
| Legacy Microsoft LAPS | Short-term transition | Uses old AdmPwd attributes and older tooling |
| Built-in Windows LAPS | New deployments | Native Windows feature with AD or Entra backup |
| Mixed environment | Phased migration | Don’t target the same device with both policy models unless planned |
If I inherit legacy LAPS, I isolate it, then migrate in waves. I don’t leave both models fighting over the same endpoint. Microsoft’s Windows LAPS overview is the best baseline if you need feature detail before rollout.
Windows LAPS setup in on-prem Active Directory
For small contractors with classic domain-joined workstations, this is still the cleanest starting point. I keep the scope tight, usually one workstation OU first, then expand after I validate retrieval and rotation.

I follow these steps:

1. Update the AD schema. Run `Update-LapsADSchema` from a management host with the LAPS PowerShell module.
2. Grant computers permission to write their password data. Use `Set-LapsADComputerSelfPermission -Identity "OU=Workstations,DC=contoso,DC=com"`.
3. Delegate retrieval and reset rights separately. Use `Set-LapsADReadPasswordPermission` for a small reader group, and `Set-LapsADResetPasswordPermission` for a separate reset group. I never hand broad read access to general admins if I can avoid it.
4. Create and link a GPO. Go to `Computer Configuration > Policies > Administrative Templates > System > LAPS`. At minimum, I set:
   - Configure password backup directory = Active Directory
   - Name of administrator account to manage
   - Password age (days) = usually 7 to 14
   - Password length = at least 15
   - Password complexity
   - Post-authentication actions
   - Post-authentication reset delay

   If the domain supports it, I also turn on AD password encryption and restrict decryptors to a dedicated group.
5. Force policy and test. Run `gpupdate /force`, then `Invoke-LapsPolicyProcessing`. To verify, I use `Get-LapsADPassword -Identity "PC-001"` and `Find-LapsADExtendedRights -Identity "OU=Workstations,DC=contoso,DC=com"`.
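The five steps above as one PowerShell rollout script for a single pilot OU. This is an added example, not code from the original post or from Microsoft; it uses the cmdlets from the built-in LAPS module, and the OU, the three group names, and the `PC-001` host name are placeholders you would replace with your own.

```powershell
# Added example (not from the original post): Windows LAPS on-prem AD rollout for one pilot OU.
# Assumptions: the OU, group names and host name below are placeholders for this example.
#Requires -Modules LAPS, ActiveDirectory
$WorkstationOU  = 'OU=Workstations,DC=contoso,DC=com'   # pilot scope, placeholder
$ReaderGroup    = 'CONTOSO\LAPS-Readers'                # may read passwords, placeholder
$ResetGroup     = 'CONTOSO\LAPS-Resetters'              # may force a reset, placeholder
$PilotComputer  = 'PC-001'                              # placeholder pilot host

# 1. Schema update: one-time, needs Schema Admins. Skip it if the Windows LAPS attributes already exist.
$schemaNC   = (Get-ADRootDSE).schemaNamingContext
$schemaDone = Get-ADObject -SearchBase $schemaNC -LDAPFilter '(lDAPDisplayName=msLAPS-PasswordExpirationTime)'
if (-not $schemaDone) {
    Update-LapsADSchema -Verbose
}

# 2. Let each computer in the OU write its own password attributes (SELF permission).
Set-LapsADComputerSelfPermission -Identity $WorkstationOU

# 3. Delegate read and reset separately so a reader cannot also force rotation, and vice versa.
Set-LapsADReadPasswordPermission  -Identity $WorkstationOU -AllowedPrincipals $ReaderGroup
Set-LapsADResetPasswordPermission -Identity $WorkstationOU -AllowedPrincipals $ResetGroup

# 3b. Audit successful password reads so retrieval leaves a Directory Service Access trail on the DCs
#     (the DCs must have Directory Service Access auditing enabled for this to produce events).
Set-LapsADAuditing -Identity $WorkstationOU -AuditedPrincipals 'Everyone' -AuditType Success

# 4. is the GPO, created and linked in the console. Step 5 follows once it is linked:
#    refresh policy on the pilot host and trigger LAPS processing there.
Invoke-Command -ComputerName $PilotComputer -ScriptBlock {
    gpupdate /force | Out-Null
    Invoke-LapsPolicyProcessing -Verbose
}

# Confirm a password was backed up and check its expiry without displaying the secret.
$pw = Get-LapsADPassword -Identity $PilotComputer
'{0}: account={1} updated={2} expires={3}' -f $pw.ComputerName, $pw.Account, $pw.PasswordUpdateTime, $pw.ExpirationTimestamp

# Show exactly who holds LAPS extended rights on the OU; anyone outside the two groups is a finding.
Find-LapsADExtendedRights -Identity $WorkstationOU | Format-Table ObjectDN, ExtendedRightHolders -AutoSize
```

Run it from a management host as an account that holds Schema Admins for the first run only; later runs skip the schema step. The final two commands are the ones worth keeping in the change record, because they show backup succeeded and who can read it.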
For exact policy references, I keep Microsoft’s policy settings for Windows LAPS and Active Directory deployment guide in the change record.
Entra ID and hybrid Windows LAPS setup
For Entra-joined or hybrid devices, I usually deploy Windows LAPS through Intune. In the Settings Catalog, or under account protection, I set the backup target to Microsoft Entra ID and keep the assignment limited to a tested device group first.
Hybrid needs a clear decision. I pick one backup location per device, not both. If a workstation still backs up to on-prem AD, I leave it there until that wave is complete. Split-brain admin password storage wastes time and creates bad evidence.
Retrieval also needs tighter control in Entra. I assign only the permissions needed to read or rotate local admin passwords, and if the tenant has Privileged Identity Management, I make those roles eligible instead of permanent. After a break-fix session, I rotate the password right away, either by policy processing or by using Reset-LapsPassword on the endpoint.
Microsoft’s Windows LAPS in Microsoft Entra ID explains the cloud workflow. For the broader compliance side, I also keep Microsoft’s CMMC Level 2 identification and authentication guidance in scope, because LAPS supports least privilege and access control, but it does not prove compliance by itself.
Validate rotation, keep evidence, and harden access
Once policy is live, I run three tests: initial backup, password retrieval by the approved group, and forced rotation after use. On the client, I check `Applications and Services Logs\Microsoft\Windows\LAPS\Operational`. In AD, I confirm only the right groups have extended rights. In Entra, I review audit records for password read and rotate actions.
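A check script that turns those three tests into exportable evidence, as an added example rather than anything from the original post. It reads the effective policy on the endpoint, flags delegation outside an approved list, confirms the stored password has not expired, and exports the client LAPS log redacted to id, time and message. The OU, group names, host name and evidence folder are placeholders; the registry path and value names read in step 1 are the Windows LAPS policy values as I know them, so confirm them against Microsoft's policy reference before relying on the thresholds.

```powershell
# Added example (not from the original post): post-deployment LAPS checks that produce assessor
# evidence without ever writing the password. Placeholders: OU, approved groups, host, evidence path.
#Requires -Modules LAPS
$WorkstationOU = 'OU=Workstations,DC=contoso,DC=com'
$Approved      = @('CONTOSO\LAPS-Readers', 'CONTOSO\LAPS-Resetters')   # the only delegated groups
$Computer      = 'PC-001'
$Evidence      = "C:\Evidence\laps-$(Get-Date -Format yyyyMMdd)"
New-Item -ItemType Directory -Path $Evidence -Force | Out-Null
$findings = @()

# 1. Effective policy on the endpoint, compared with the minimums this guide sets.
#    Assumed policy key/values: HKLM\SOFTWARE\Microsoft\Policies\LAPS, BackupDirectory 2 = Active Directory.
$pol = Invoke-Command -ComputerName $Computer -ScriptBlock {
    Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Policies\LAPS' -ErrorAction Stop
}
if ($pol.BackupDirectory -ne 2)          { $findings += "BackupDirectory is $($pol.BackupDirectory), expected 2 (Active Directory)" }
if ($pol.PasswordLength -lt 15)          { $findings += "PasswordLength $($pol.PasswordLength) is below 15" }
if ($pol.PasswordAgeDays -gt 14)         { $findings += "PasswordAgeDays $($pol.PasswordAgeDays) exceeds 14" }
if (-not $pol.PostAuthenticationActions) { $findings += 'PostAuthenticationActions not set; a borrowed password will not auto-reset' }

# 2. Delegation drift: any right holder outside the approved list is a least-privilege finding.
$rights = Find-LapsADExtendedRights -Identity $WorkstationOU
foreach ($r in $rights) {
    foreach ($holder in $r.ExtendedRightHolders) {
        if ($holder -notin $Approved) { $findings += "Unexpected LAPS right holder '$holder' on $($r.ObjectDN)" }
    }
}
$rights | Export-Csv -Path "$Evidence\extended-rights.csv" -NoTypeInformation

# 3. Rotation proof: expiry must be in the future. Only metadata is exported, never the secret.
$pw = Get-LapsADPassword -Identity $Computer
if ($pw.ExpirationTimestamp -lt (Get-Date)) { $findings += "$Computer password expired $($pw.ExpirationTimestamp) and was not rotated" }
[pscustomobject]@{
    Computer = $pw.ComputerName; Account = $pw.Account; Source = $pw.Source
    Updated  = $pw.PasswordUpdateTime; Expires = $pw.ExpirationTimestamp
} | Export-Csv -Path "$Evidence\rotation-$Computer.csv" -NoTypeInformation

# 4. Client-side log: last 24 hours of the LAPS Operational channel, reduced to non-sensitive fields.
Get-WinEvent -ComputerName $Computer -FilterHashtable @{
    LogName = 'Microsoft-Windows-LAPS/Operational'; StartTime = (Get-Date).AddDays(-1)
} | Select-Object TimeCreated, Id, LevelDisplayName, Message |
    Export-Csv -Path "$Evidence\laps-operational-$Computer.csv" -NoTypeInformation

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } } else { "All LAPS checks passed for $Computer" }
```

Run it after a break-fix session that used the password: step 3 should show a fresh `Updated` timestamp, and the CSV files are what goes into the evidence pack. The password object is read but only its metadata leaves the script.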
I never store a live LAPS password in a ticket, chat, or email. I record who retrieved it, why, and when it was rotated.
If something breaks, the usual causes are simple. Most often, the schema update never happened, OU self-permissions are missing, legacy LAPS settings still apply, or the device is pointed at the wrong backup directory for its join state.
For CMMC discussions, I keep a small evidence pack: GPO backup or Intune policy export, delegated group membership, redacted event logs, change tickets, and a signed test record showing rotation worked. That gives me something concrete for least privilege, protected credential handling, and auditability.
A final hardening checklist keeps the deployment honest:
- Use built-in Windows LAPS for new work, not shared local admin passwords.
- Separate readers from resetters, and review membership every quarter.
- Turn on AD password encryption where supported.
- Set short password age for admin-accessed endpoints, usually 7 to 14 days.
- Use post-auth reset actions so borrowed credentials expire fast.
- Retain redacted evidence, never the password itself.
Shared admin passwords are still one of the easiest footholds to remove. When I finish a solid Windows LAPS setup, I get tighter access control, better audit evidence, and less lateral movement risk. If your team is small, start with one OU or one Intune group this week, then build from there.