This month's Patch Tuesday focused on more than just the usual collection of security patches and fixes. Microsoft also brought new features to Windows 11, including the new Windows LAPS inbox feature (Windows 11, 10, and Server 2019). However, the company now says this new Local Administrator Password Solution (LAPS) experience is causing issues for Legacy LAPS.
You may already be familiar with LAPS, which has been a part of the Microsoft Download Center for years. That legacy version is “used to manage the password of a specified local administrator account by regularly rotating the password and backing it up to Active Directory (AD). LAPS has proven itself to be an essential and robust building block for AD enterprise security on premises.”
Windows LAPS overhauls the service, offering the same features but also additional benefits. It is worth noting that Microsoft says the original LAPS will remain in the Download Center and will be known as Legacy LAPS.
Microsoft has confirmed that there are some interoperability issues with Legacy LAPS that can break both the new and the old features.
Interoperability Flaw Causing LAPS Broken States
According to the company, if Legacy LAPS is installed on machines with the latest Patch Tuesday updates, both Windows LAPS and Legacy LAPS will enter a broken state where neither feature will update the password for the managed account.
The company says it is working on a fix and has provided the following workaround in the meantime:
“We have verified a reported legacy LAPS interop bug in the above April 11, 2023 update. If you install the legacy LAPS GPO CSE on a machine patched with the April 11, 2023 security update and an applied legacy LAPS policy, both Windows LAPS and legacy LAPS will break. Symptoms include Windows LAPS event log IDs 10031 and 10032, as well as legacy LAPS event ID 6. Microsoft is working on a fix for this issue. You can work around this issue by either: a) uninstalling legacy LAPS, or b) deleting all registry values under the HKLM\Software\Microsoft\Windows\CurrentVersion\LAPS\State registry key.”
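The symptom check and workaround (b) from the statement above can be scripted as follows. This is an added example, not Microsoft's code; the event channel `Microsoft-Windows-LAPS/Operational`, the legacy provider name `AdmPwd` in the Application log, and the `$LookbackDays` parameter are assumptions not stated on this page.

```powershell
#Requires -RunAsAdministrator
# Added example: look for the interop symptom events, then apply workaround (b)
# by deleting every value under the LAPS State key quoted in the statement.
[CmdletBinding(SupportsShouldProcess)]
param(
    [int]$LookbackDays = 7   # assumption: how far back to search the logs
)

$stateKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\LAPS\State'
$since    = (Get-Date).AddDays(-$LookbackDays)

# Event IDs come from the statement; log and provider names are assumptions.
$filters = @(
    @{ LogName = 'Microsoft-Windows-LAPS/Operational'; Id = 10031, 10032; StartTime = $since },
    @{ LogName = 'Application'; ProviderName = 'AdmPwd'; Id = 6; StartTime = $since }
)

# Get-WinEvent raises a non-terminating error when nothing matches; suppress it.
$hits = foreach ($f in $filters) {
    Get-WinEvent -FilterHashtable $f -ErrorAction SilentlyContinue
}

if (-not $hits) {
    Write-Output 'No LAPS interop symptom events found; State key left untouched.'
    return
}

$hits | Sort-Object TimeCreated |
    Select-Object TimeCreated, ProviderName, Id |
    Format-Table -AutoSize

if (-not (Test-Path -Path $stateKey)) {
    Write-Output "State key not present: $stateKey"
    return
}

# Remove the values only; the key itself stays in place.
foreach ($name in (Get-Item -Path $stateKey).Property) {
    if ($PSCmdlet.ShouldProcess("$stateKey\$name", 'Remove registry value')) {
        Remove-ItemProperty -Path $stateKey -Name $name
    }
}
```

Run it with `-WhatIf` first to list the values that would be removed without changing the registry.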