Microsoft is investigating an interoperability bug between the Local Administrator Password Solution (LAPS) feature recently added to Windows and legacy LAPS policies.
Windows LAPS helps administrators manage local administrator account passwords on Azure Active Directory or Windows Server Active Directory joined devices by automatically rotating and backing them up on AD domain controllers.
However, a few days after the announcement, the company confirmed reports that applying the April 2023 Updates will break both legacy LAPS and newly released Windows LAPS.
“There is a legacy LAPS interoperability bug in the [..] Update April 11, 2023. If you install the old LAPS GPO CSE on a machine patched with the April 11, 2023 security update and a Legacy LAPS policy applied, Windows LAPS and Legacy LAPS will crash,” Microsoft explains.
“Symptoms include Windows LAPS event log IDs 10031 and 10032, as well as the old LAPS event ID 6. Microsoft is working on a fix for this issue.”
Until a patch is available to resolve this issue, Microsoft has shared a workaround to help administrators restore LAPS functionality in on-premises Active Directory scenarios.
This requires either uninstalling Legacy LAPS or deleting all registry values under the HKLM\Software\Microsoft\Windows\CurrentVersion\LAPS\State registry key.
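The following PowerShell script is an added example, not code from the article or from Microsoft. It triages one machine for the symptoms the article lists (legacy LAPS CSE present, Windows LAPS event IDs 10031/10032, legacy LAPS event ID 6) and, only when run with `-Apply`, performs the second workaround by deleting every value under the `HKLM\Software\Microsoft\Windows\CurrentVersion\LAPS\State` key. The event log name `Microsoft-Windows-LAPS/Operational`, the legacy provider name `AdmPwd` in the Application log, and the `Local Administrator Password Solution*` uninstall DisplayName pattern are assumptions not stated in the article.

```powershell
# Added example (not from the article or from Microsoft): check one host for the
# April 2023 Windows LAPS / legacy LAPS interoperability crash, then optionally
# apply the registry-value workaround described in the article.
# Assumptions (not in the article): Windows LAPS logs to
# 'Microsoft-Windows-LAPS/Operational'; legacy LAPS writes event ID 6 to the
# Application log under provider 'AdmPwd'; the legacy CSE appears under the
# Uninstall keys with a DisplayName starting 'Local Administrator Password Solution'.
#Requires -RunAsAdministrator
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$Apply   # without -Apply the script only reports and changes nothing
)

$stateKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\LAPS\State'
$uninstallRoots = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

# 1. Is the legacy LAPS CSE installed? (DisplayName pattern is an assumption.)
$legacy = Get-ItemProperty -Path $uninstallRoots -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like 'Local Administrator Password Solution*' }

# 2. Look for the symptoms Microsoft lists, over the last 7 days.
#    Get-WinEvent raises a non-terminating error when nothing matches, hence SilentlyContinue.
$since = (Get-Date).AddDays(-7)
$lapsEvents = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-LAPS/Operational'   # assumed log name
        Id        = 10031, 10032
        StartTime = $since
    } -ErrorAction SilentlyContinue
$legacyEvents = Get-WinEvent -FilterHashtable @{
        LogName      = 'Application'
        ProviderName = 'AdmPwd'                           # assumed provider name
        Id           = 6
        StartTime    = $since
    } -ErrorAction SilentlyContinue

# 3. Inspect the State key that the workaround targets.
$stateValues = @()
if (Test-Path $stateKey) {
    $stateValues = @((Get-Item $stateKey).GetValueNames())
}

[pscustomobject]@{
    LegacyLapsInstalled = [bool]$legacy
    LegacyLapsVersion   = $legacy.DisplayVersion
    WindowsLapsErrors   = @($lapsEvents).Count     # IDs 10031/10032
    LegacyLapsEvent6    = @($legacyEvents).Count
    StateValueCount     = $stateValues.Count
    StateValues         = ($stateValues -join ', ')
} | Format-List

$affected = [bool]$legacy -and (@($lapsEvents).Count -gt 0 -or @($legacyEvents).Count -gt 0)
if (-not $affected) {
    Write-Host 'No sign of the LAPS interoperability crash on this host.'
    return
}

# 4. Workaround: delete every value under the State key (the article's second
#    option; uninstalling legacy LAPS is the first). -WhatIf previews the removals.
if (-not $Apply) {
    Write-Warning "Host looks affected. Re-run with -Apply (or -Apply -WhatIf) to clear values under $stateKey, or uninstall legacy LAPS instead."
    return
}
foreach ($name in $stateValues) {
    # The registry default value has an empty name; PowerShell addresses it as '(default)'.
    $valueName = if ($name -eq '') { '(default)' } else { $name }
    if ($PSCmdlet.ShouldProcess("$stateKey\$valueName", 'Remove-ItemProperty')) {
        Remove-ItemProperty -Path $stateKey -Name $valueName
    }
}
```

Run it from an elevated PowerShell session: without `-Apply` it only prints a report, which is the mode to use across a fleet first. After clearing the values, run it again without `-Apply` to confirm the State key is empty and that no further 10031/10032 or event ID 6 entries appear.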
Why switch to Windows LAPS?
Microsoft says LAPS is now natively integrated into Windows as an inbox feature and will be serviced through standard Windows patching processes.
“Starting with the April 11, 2023 Security Update, LAPS is natively integrated into Windows with new features for on-premises AD scenarios and upcoming benefits of Azure Active Directory (currently in private preview),” Microsoft said.
“Some of the new features include rich policy management, automatic rotation, dedicated event log, new PowerShell module, hybrid support, and more.”
In addition to adding new functionality, using Windows LAPS to periodically rotate and back up local administrator account passwords also provides a security boost:
- Protection against pass-the-hash and lateral-traversal attacks
- Improved security for remote support scenarios
- Ability to connect and recover otherwise inaccessible devices
- A fine-grained security model (access control lists and optional password encryption) to secure passwords stored in Windows Server Active Directory
- Support for Azure role-based access control model to secure passwords stored in Azure Active Directory