Lithnet Access Manager
What's new in Access Manager v3

Lithnet Access Manager v3 - the latest major release of Access Manager - is an exciting new release that's sure to revolutionize the way you use LAPS in your organization!

RapidLAPS passwordless login

We've made typing in long and complicated LAPS passwords a thing of the past!

Have you ever had to communicate a LAPS password over the phone? Are you tired of having to type in a complicated LAPS password over and over again, just to install some software?

With RapidLAPS, using just a QR code, or PIN, you can log into any LAPS-enabled computer, with the managed LAPS account, without ever having to type the LAPS password!

RapidLAPS integrates into the Windows lock screen and admin elevation prompts, allowing you to speed up the LAPS process wherever you use local admin accounts!

The great news is that this feature works, whether you are using Windows LAPS, legacy LAPS, or the Access Manager agent to manage your LAPS passwords.

Passphrases for LAPS

In scenarios where RapidLAPS isn't available or can't be used, we can still simplify the process for users by using passphrases instead of randomly generated complex passwords.

Passphrases are available on all operating systems that support the Access Manager agent, configurable by custom policy that even lets you have full control of the word lists used to generate them.

So even if you do have to type in LAPS passwords, they're going to be as easy as possible to use!

Unified policy management

AMS Agent settings are now unified across all supported client operating systems; you can target policies at AMS, Active Directory and Entra ID groups, organizational units and devices.

Active Directory-joined devices can now be managed by, and back up their local administrator passwords to, the AMS server directly.

Windows, macOS, and Linux devices can now use Windows authentication to register with the AMS server, removing the need to issue registration keys when devices are joined to an Active Directory domain.

This means that wherever your devices are, or the directory they're tied to - managing LAPS configuration is as seamless as possible!

What's new in the Lithnet Access Manager Service

New features

  • Active Directory-joined devices can now be managed by, and back up their local administrator passwords to, the AMS server directly.

  • AMS Agent policies can now be configured directly in the UI, unified across all supported client operating systems

    • Policies can be targeted at AMS, Active Directory and Entra ID groups, organizational units and devices.

  • Added autocompletion support to the computer search box in the Web UI

  • Added support for custom help messages presented to users in the event of an authorization error

  • Added support for delivering JSON-formatted auditing events to Splunk HEC

  • Added support for custom word lists that can be used to generate passphrases

  • Added support for 'automatic JIT access group creation' rules to assign a Unix-style 'gidNumber' attribute to created groups

Deprecated features

  • Retrieval of Lithnet encrypted LAPS passwords from Active Directory.

Removed features

  • Entra-registered clients running the Access Manager agent can no longer use Entra authentication. Devices must be Entra-joined in order to authenticate with the Access Manager server.

    • Note: Entra ID-registered devices can still register with AMS via registration tokens.

Changed features

  • The Lithnet Access Manager Service now requires Microsoft .NET 8.0

What's new in the Lithnet Access Manager Agent

The agent now supports passphrases, backing up BitLocker recovery keys for Windows devices, and enables our new RapidLAPS feature on Windows.

New features

  • RapidLAPS login and elevation

  • Password management updates

    • Ability to generate passphrases for local administrator accounts.

    • Ability to manage the password for an account other than the built-in administrator account.

    • Ability to create a new local managed account if it doesn't already exist.

      • Note: Windows and macOS only

    • Ability to back up BitLocker encryption keys to AMS.

      • Note: Windows only

  • Devices can now use Windows authentication to register with the AMS server, removing the need to issue registration keys when devices are joined to an Active Directory domain.

  • Windows devices will now attempt to create AMS authentication certificates protected by the computer's TPM, if available

Removed features

  • The Access Manager Agent no longer writes LAPS passwords to Active Directory. All LAPS passwords are saved to the Access Manager server itself.

  • The v3 Access Manager Agent can only communicate with a v3 server. Therefore, the Access Manager Server must be upgraded to v3 before upgrading the clients to v3. Note that v2 agents will continue to work with the v3 server.

  • The Access Manager Agent no longer supports using Entra-based authentication for Entra-registered devices. The device must be Entra-joined to be able to use Entra authentication.

  • Windows 8.1 and Windows Server 2012 are no longer supported.

  • Support for agents running on ARM32-based Linux operating systems is no longer available

Deprecated features

  • The Lithnet Access Manager custom Active Directory schema is no longer used by the agent

Changed features

  • The Lithnet Access Manager Agent for macOS and Linux now requires Microsoft .NET 8.0

  • The Lithnet Access Manager Agent for ARM64 versions of Windows requires .NET Framework 4.8.1

  • The Lithnet Access Manager Agent for x86 and x64 versions of Windows requires .NET Framework 4.7.2 or higher

  • Group Policy is no longer used to manage the Access Manager Agent for Windows. All policy settings are configured via agent policies on the Access Manager Server

Customization of the web app, including adding a custom logo, is now an enterprise edition feature.