Following the Patch Tuesday release of Windows LAPS, Microsoft warned of significant legacy LAPS issues.



A few days ago, Microsoft announced the availability of Windows LAPS (Local Administrator Password Solution) through Patch Tuesday. The feature is available on Windows 10, Windows 11 and Windows Server.

Since the release, however, Microsoft has confirmed interoperability issues with legacy LAPS. When legacy LAPS (the MSI package) is installed on machines with the latest Patch Tuesday updates, both legacy LAPS and the newer Windows LAPS break. Typically, event ID 10031 or 10032 is logged with the message “LAPS blocked an external request that attempted to modify the password of an existing managed account.”

Microsoft has issued a workaround for the bug:

We have confirmed a reported LAPS interop bug in the above-mentioned April 11, 2023 update. If you install the Legacy LAPS GPO CSE on a machine patched with the April 11, 2023 security update and with a Legacy LAPS policy applied, both Windows LAPS and Legacy LAPS will be broken. Symptoms include Windows LAPS event log IDs 10031 and 10032, as well as legacy LAPS event ID 6. Microsoft is working on a fix for this issue. You can resolve this issue by either: a) uninstalling legacy LAPS, or b) deleting all registry values under the HKLM\Software\Microsoft\Windows\CurrentVersion\LAPS\State registry key.

On its LAPS overview page, Microsoft also provides a more detailed description of the two documented issues:

Problem No. 1: If you install the legacy LAPS CSE on a device patched with the April 11, 2023 security update and with a legacy LAPS policy applied, both Windows LAPS and legacy LAPS will enter a broken state in which neither feature will update the password of the managed account. Symptoms include Windows LAPS event log IDs 10031 and 10033, as well as legacy LAPS event ID 6. Microsoft is working on a fix for this issue.

There are two basic solutions to the above problem:

a) Uninstall the legacy LAPS CSE (result: Windows will take over management of the LAPS managed account)

b) Disable legacy LAPS emulation mode (result: legacy LAPS will take over managed account management)

Problem No. 2: If you apply a legacy LAPS policy to a device patched with the April 11, 2023 update, Windows LAPS will immediately enforce the legacy LAPS policy, which can be disruptive (e.g. if it happens during an OS deployment workflow). Disabling legacy LAPS emulation mode can also be used to prevent this issue.
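A triage script for the symptoms and the registry workaround quoted above, added here as an example and not taken from Microsoft or the original article. The `Microsoft-Windows-LAPS/Operational` log name, the `AdmPwd` provider in the Application log, and the parameter names are assumptions that do not appear on the page.

```powershell
#Requires -RunAsAdministrator
# Added example (not Microsoft's code): look for the interop symptoms, then optionally clear State.
[CmdletBinding(SupportsShouldProcess)]
param(
    [int]$Days = 14,       # how far back to search the event logs (assumed default)
    [switch]$ClearState    # apply workaround (b) from Microsoft's statement
)

$since    = (Get-Date).AddDays(-$Days)
# Registry key named in Microsoft's workaround.
$stateKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\LAPS\State'

function Get-Symptom {
    param([hashtable]$Filter)
    # Get-WinEvent raises an error when nothing matches; treat that as "no events".
    try   { Get-WinEvent -FilterHashtable $Filter -ErrorAction Stop }
    catch { Write-Verbose "No events for $($Filter.LogName): $_" }
}

# Windows LAPS symptoms: the page cites event IDs 10031, 10032 and 10033.
# The log name is an assumption (not stated on the page).
$newLaps = @(Get-Symptom @{ LogName = 'Microsoft-Windows-LAPS/Operational'
                            Id = 10031, 10032, 10033; StartTime = $since })

# Legacy LAPS symptom: event ID 6. Log and provider name are assumptions.
$oldLaps = @(Get-Symptom @{ LogName = 'Application'; ProviderName = 'AdmPwd'
                            Id = 6; StartTime = $since })

# Names of the values currently stored under the State key (empty if the key is absent).
$stateValues = @(if (Test-Path $stateKey) { (Get-Item $stateKey).Property })

[pscustomobject]@{
    Computer          = $env:COMPUTERNAME
    WindowsLapsEvents = $newLaps.Count
    LegacyLapsEvents  = $oldLaps.Count
    StateValues       = $stateValues -join ', '
    LikelyAffected    = ($newLaps.Count -gt 0) -or ($oldLaps.Count -gt 0)
}

if ($ClearState) {
    foreach ($name in $stateValues) {
        # -WhatIf / -Confirm are honoured here, so the removal can be previewed.
        if ($PSCmdlet.ShouldProcess("$stateKey\$name", 'Remove registry value')) {
            Remove-ItemProperty -Path $stateKey -Name $name
        }
    }
}
```

Running it with `-ClearState -WhatIf` first lists the values that would be removed without changing the registry.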

You can find more details about LAPS and these issues on Microsoft's website.

Update: A senior Microsoft executive has announced that the issue will be fixed in the next release for each affected operating system.

Thanks for the tip binaryzero!


