Enable password encryption

Policy overview

Key metadata and intent for this policy.

Scope: Computer
Category: System > LAPS
Supported on: At least Microsoft Windows 10 or later
Supported OS tags: Windows10

When you enable this setting, the managed password is encrypted before being sent to Active Directory.

Enabling this setting has no effect unless 1) the password has been configured to be backed up to Active Directory and 2) the Active Directory domain functional level is at Windows Server 2016 or above.

If this setting is enabled, and the domain functional level is at or above Windows Server 2016, the managed account password is encrypted.

If this setting is enabled, and the domain functional level is less than Windows Server 2016, the managed account password is not backed up to the directory.

If this setting is disabled, the managed account password is not encrypted.

This setting will default to enabled if not configured.

See https://go.microsoft.com/fwlink/?linkid=2188435 for more information.

Internal name: LAPS_ADPasswordEncryptionEnabled
Policy ID: 7cfebad92a7b
Elements: 0

Registry values

How enabled and disabled states update the registry.

Scope: Computer
Hive: HKLM
Path: SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\LAPS
Value name: ADPasswordEncryptionEnabled
Type: REG_DWORD
Enabled value: 1
Disabled value: 0
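
The following audit check is an added example, not part of the original policy reference or Microsoft's code. It maps the registry value above and the conditions in the policy description to the resulting outcome. It reads only the Group Policy key listed on this page. Assumptions: the Windows LAPS `BackupDirectory` value (2 = Active Directory) is delivered under the same key, and `Get-ADDomain` from the RSAT ActiveDirectory module is available for the live check. The function names are hypothetical.

```powershell
# Policy key and ADPasswordEncryptionEnabled are taken from this page.
# Assumption: BackupDirectory (2 = Active Directory) is read from the same key.
$LapsPolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\LAPS'

function Get-PolicyValue([string]$Name) {
    # Returns $null when the key or value is absent (policy not configured).
    $item = Get-ItemProperty -Path $LapsPolicyKey -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

function Get-LapsEncryptionOutcome {
    param(
        [Nullable[int]]$EncryptionEnabled,   # $null = not configured
        [Nullable[int]]$BackupDirectory,     # $null = not configured
        [bool]$DomainIs2016OrAbove
    )
    # Prerequisite 1: the password must be backed up to Active Directory.
    if ($BackupDirectory -ne 2) {
        return 'No effect: password backup to Active Directory is not configured'
    }
    if ($EncryptionEnabled -eq 0) {
        return 'Disabled: managed password is not encrypted'
    }
    # Not configured defaults to enabled.
    if (($null -eq $EncryptionEnabled) -or ($EncryptionEnabled -eq 1)) {
        # Prerequisite 2: domain functional level Windows Server 2016 or above.
        if ($DomainIs2016OrAbove) {
            return 'Enabled: managed password is encrypted before being sent to AD'
        }
        return 'Enabled, but domain functional level is below 2016: password is NOT backed up'
    }
    return "Unexpected value $EncryptionEnabled: this page defines only 0 and 1"
}

# Constructed inputs covering the cases in the policy description.
Get-LapsEncryptionOutcome -EncryptionEnabled $null -BackupDirectory 2 -DomainIs2016OrAbove $true
Get-LapsEncryptionOutcome -EncryptionEnabled 1 -BackupDirectory 2 -DomainIs2016OrAbove $false
Get-LapsEncryptionOutcome -EncryptionEnabled 0 -BackupDirectory 2 -DomainIs2016OrAbove $true

# Live check on a domain-joined machine (requires the ActiveDirectory module).
if (Get-Command Get-ADDomain -ErrorAction SilentlyContinue) {
    $dfl = [int](Get-ADDomain).DomainMode    # 7 = Windows2016Domain
    Get-LapsEncryptionOutcome `
        -EncryptionEnabled (Get-PolicyValue 'ADPasswordEncryptionEnabled') `
        -BackupDirectory (Get-PolicyValue 'BackupDirectory') `
        -DomainIs2016OrAbove ($dfl -ge 7)
}
```

The case worth alerting on is encryption enabled (or left at its default) in a domain below the Windows Server 2016 functional level, because the password is then not backed up to the directory at all.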

Policy elements

Inputs and configuration options exposed by this policy.

This policy has no additional user input fields.