Can Vault be used for Windows PAM?

I am a software developer, so I believe I have a decent understanding of Vault as it relates to secrets management for data sources. What I am struggling with, however, is how/if Vault can be used for Windows OS secret management.

Does Vault have support for rotating local Administrator passwords on Windows servers? And if not at the moment, is that a roadmap feature?

I am asking because when looking at things like IBM Security Privilege Vault and BeyondTrust Password Safe, I see secrets management for Windows Operating Systems and data sources. Those platforms also come with APIs for retrieving those secrets for use within things like bespoke apps.

I am looking to start a discussion for someone (like me) trying to quickly evaluate whether we can use Vault for PAM both on-premise and in the cloud for endpoints like Windows servers.

No responses? Is there anyone with some thoughts?

Vault does not support this.

So after a bit of research on this, it appears as though Microsoft Local Administrator Password Solution (LAPS) would be a good solution if your goals are to just rotate the local Administrator password on a Windows Machine.

LAPS does not cover PAM (e.g. limited duration accounts/privileges), but I will be doing some testing with Vault over OpenSSH to see what’s possible. If anyone has already attempted this, I’m sure sharing your feedback here would be helpful to people looking at this post in the future. So, any good samaritans reading this post that have tried integrating Vault with Windows via OpenSSH, you’re welcome to reply to this post.

As far as privileged account discovery and other PAM features, I suppose there is an argument that you could discover (or control) that utilising Ansible. So, create a list of “Allowed local administrators” and have Ansible open tickets in your ITSM if resources are found on your network with local administrators outside of your list of known users (or even automatically remove those accounts if you’re brave enough).


Why not use PowerShell to update your password in Windows and use the Vault API to update the static secret in Vault?
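
The approach suggested in the last reply, sketched as an added example that is not part of the original thread or any Vault tooling. It assumes a KV v2 secrets engine mounted at `secret`, a hypothetical path layout of `windows/<hostname>/<account>`, and `VAULT_ADDR` and `VAULT_TOKEN` set in the environment of the account running it.

```powershell
#Requires -RunAsAdministrator
# Added example: rotate a local account password and record it in Vault KV v2.
# Assumed (not from the thread): mount name, path layout, VAULT_ADDR / VAULT_TOKEN.
param(
    [string]$Account    = 'Administrator',
    [string]$Mount      = 'secret',                                  # assumed KV v2 mount
    [string]$SecretPath = "windows/$($env:COMPUTERNAME)/$Account",   # hypothetical layout
    [int]$Length        = 32
)
$ErrorActionPreference = 'Stop'

function New-RandomPassword([int]$Length) {
    # CSPRNG with rejection sampling, so every character is equally likely.
    $alphabet = 'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789!#%+-=?@_'
    $limit = 256 - (256 % $alphabet.Length)
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buf   = New-Object byte[] 1
    $sb    = New-Object System.Text.StringBuilder
    while ($sb.Length -lt $Length) {
        $rng.GetBytes($buf)
        if ($buf[0] -lt $limit) { [void]$sb.Append($alphabet[$buf[0] % $alphabet.Length]) }
    }
    $rng.Dispose()
    $sb.ToString()
}

$plain   = New-RandomPassword -Length $Length
$headers = @{ 'X-Vault-Token' = $env:VAULT_TOKEN }
$uri     = "$($env:VAULT_ADDR)/v1/$Mount/data/$SecretPath"
$body    = @{ data = @{
    username   = $Account
    password   = $plain
    rotated_at = (Get-Date).ToUniversalTime().ToString('o')
} } | ConvertTo-Json -Depth 3

try {
    # 1. Write to Vault first. If this fails, the old password is still live
    #    and still the newest KV version, so nobody is locked out.
    $resp = Invoke-RestMethod -Method Post -Uri $uri -Headers $headers `
                              -Body $body -ContentType 'application/json'
    $version = $resp.data.version
    # 2. Only then change the local account.
    try {
        Set-LocalUser -Name $Account -Password (ConvertTo-SecureString $plain -AsPlainText -Force)
    } catch {
        # KV v2 keeps history, so the still-valid password is the previous version.
        throw "Set-LocalUser failed; live password is KV version $($version - 1), not $version. $_"
    }
    "Rotated $Account on $env:COMPUTERNAME (KV version $version)"
} finally {
    Remove-Variable plain, body -ErrorAction SilentlyContinue
}
```

The token used here only needs `create` and `update` on this host's own path, so a compromised server cannot read other machines' passwords. Run it from a scheduled task; it does not give you the time-limited access that the thread notes LAPS also lacks.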