A few days back, Microsoft announced the availability of Windows LAPS (Local Administrator Password Solution) via the month's Patch Tuesday. The feature is available on Windows 10, Windows 11 and also on servers.
Since its release though, Microsoft has confirmed interoperability issues with legacy LAPS. When legacy LAPS (the MSI package) is installed on machines that have the latest Patch Tuesday updates, both legacy LAPS and the new Windows LAPS break. Typically, event log ID 10031 or 10032 is produced with the message "LAPS blocked an external request that tried to modify the password of the current managed account."
Microsoft has also issued a workaround for the bug:
We have verified a reported legacy LAPS interop bug in the above April 11, 2023 update. If you install the legacy LAPS GPO CSE on a machine patched with the April 11, 2023 security update and an applied legacy LAPS policy, both Windows LAPS and legacy LAPS will break. Symptoms include Windows LAPS event log IDs 10031 and 10032, as well as legacy LAPS event ID 6. Microsoft is working on a fix for this issue. You can work around this issue by either: a) uninstalling legacy LAPS, or b) deleting all registry values under the HKLM\Software\Microsoft\Windows\CurrentVersion\LAPS\State registry key.
On its LAPS overview page, Microsoft has also provided a more detailed description of the two issues being documented:
Issue #1: If you install the legacy LAPS CSE on a device patched with the April 11, 2023 security update and an applied legacy LAPS policy, both Windows LAPS and legacy LAPS will enter a broken state where neither feature will update the password for the managed account. Symptoms include Windows LAPS event log IDs 10031 and 10033, as well as legacy LAPS event ID 6. Microsoft is working on a fix for this issue.
Two primary workarounds exist for the above issue:
a. Uninstall the legacy LAPS CSE (result: Windows LAPS will take over management of the managed account)
b. Disable legacy LAPS emulation mode (result: legacy LAPS will take over management of the managed account)
Issue #2: If you apply a legacy LAPS policy to a device patched with the April 11, 2023 update, Windows LAPS will immediately enforce\honor the legacy LAPS policy, which may be disruptive (for example if done during OS deployment workflow). Disabling legacy LAPS emulation mode may also be used to prevent those issues.
You can find more details on LAPS and the issues over on Microsoft's website.
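For administrators who want to check whether a host is in the broken state before applying workaround (b), the following PowerShell triage script is an added example, not Microsoft's or the article's code. It takes the event IDs and the State registry key from the text above; the Windows LAPS log channel name, the legacy CSE file name (AdmPwd.dll) and the legacy event source are assumptions and are marked as such in the comments.

```powershell
# Added triage script (not from Microsoft or the article). Labelled assumptions:
#  - Windows LAPS writes to the 'Microsoft-Windows-LAPS/Operational' channel (assumed log name)
#  - the legacy LAPS CSE ships as AdmPwd.dll and logs to the Application log under source 'AdmPwd' (assumed)
# Event IDs 10031/10032/10033, legacy event ID 6 and the State key path come from the article.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$ClearState   # apply Microsoft's workaround (b): delete all values under the LAPS\State key
)

$stateKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\LAPS\State'
$legacyDll = Join-Path $env:SystemRoot 'System32\AdmPwd.dll'   # assumed legacy CSE binary
$since     = (Get-Date).AddDays(-7)

# 1. Is the legacy LAPS CSE installed on this (patched) host?
$legacyPresent = Test-Path $legacyDll
Write-Host ("Legacy LAPS CSE present      : {0}" -f $legacyPresent)

# 2. Windows LAPS symptoms: IDs 10031/10032/10033 ("LAPS blocked an external request ...")
$lapsEvents = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-LAPS/Operational'; Id = 10031, 10032, 10033; StartTime = $since
} -ErrorAction SilentlyContinue
Write-Host ("Windows LAPS block events (7d): {0}" -f @($lapsEvents).Count)

# 3. Legacy LAPS symptom: event ID 6 (assumed Application log, provider 'AdmPwd')
$legacyEvents = Get-WinEvent -FilterHashtable @{
    LogName = 'Application'; ProviderName = 'AdmPwd'; Id = 6; StartTime = $since
} -ErrorAction SilentlyContinue
Write-Host ("Legacy LAPS ID 6 events (7d) : {0}" -f @($legacyEvents).Count)

# 4. Show the State key values that workaround (b) tells you to delete
$stateValues = @()
if (Test-Path $stateKey) {
    $stateValues = (Get-Item $stateKey).GetValueNames()
    Write-Host ("LAPS\State values            : {0}" -f ($stateValues -join ', '))
}

# Both conditions together match the documented interop bug: legacy CSE present AND block events logged
$broken = $legacyPresent -and ((@($lapsEvents).Count -gt 0) -or (@($legacyEvents).Count -gt 0))
if ($broken) {
    Write-Warning 'Legacy LAPS CSE plus LAPS block events: this host matches the documented interop bug.'
    if ($ClearState -and $stateValues.Count -gt 0 -and $PSCmdlet.ShouldProcess($stateKey, 'Remove all values')) {
        # Workaround (b) from Microsoft's guidance: remove every value under the State key
        foreach ($name in $stateValues) { Remove-ItemProperty -Path $stateKey -Name $name }
    }
}
```

Run it without switches from an elevated prompt to report only; add `-ClearState -WhatIf` to preview the registry deletion before applying it.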
Update: A senior Microsoft exec has announced that the issue will be corrected in the next release for each of the affected operating systems.
Fixes for the LAPS MSI issue will be available in the next releases for each affected OS. Thanks for your patience! https://t.co/UFYhccxpHi
— Clifford in the Snow (@brdpoker) April 14, 2023
Thanks for the tip, binaryzero!