Microsoft: Windows LAPS is incompatible with legacy policies

Microsoft is investigating an interoperability bug between the recently added Windows Local Administrator Password Solution (LAPS) feature and legacy LAPS policies.

Windows LAPS helps admins manage passwords for local administrator accounts on Azure Active Directory-joined or Windows Server Active Directory-joined devices by automatically rotating and backing them up to AD domain controllers.

During this month's Patch Tuesday, Microsoft announced the integration of Windows LAPS on Windows 10, Windows 11, and Windows Server 2019 or newer releases. 

However, days after the announcement, the company confirmed reports that applying the April 2023 updates will break both legacy LAPS and the newly launched Windows LAPS.

"There is a legacy LAPS interop bug in the [..] April 11, 2023 update. If you install the legacy LAPS GPO CSE on a machine patched with the April 11, 2023 security update and an applied legacy LAPS policy, both Windows LAPS and legacy LAPS will break," Microsoft explains.

"Symptoms include Windows LAPS event log IDs 10031 and 10032, as well as legacy LAPS event ID 6. Microsoft is working on a fix for this issue."

Until a fix is available to address this issue, Microsoft has shared a workaround to help admins restore LAPS functionality in on-premises Active Directory scenarios.

This requires either uninstalling legacy LAPS or deleting all registry values under the HKLM\Software\Microsoft\Windows\CurrentVersion\LAPS\State registry key.

Why switch to Windows LAPS?

Microsoft says LAPS is now natively integrated into Windows as an inbox feature and will undergo maintenance through the standard Windows patching processes.

"Starting with the April 11, 2023 security update, LAPS is natively integrated into Windows with new capabilities for on-premises AD scenarios and forthcoming Azure Active Directory benefits (currently in private preview)," Microsoft says.

"Some of the new features include rich policy management, automatic rotation, dedicated event log, new PowerShell module, hybrid-joined support, and more." 

Besides the addition of new capabilities, using Windows LAPS to regularly rotate and backup local administrator account passwords also provides a security boost:

• Protection against pass-the-hash and lateral-traversal attacks
• Improved security for remote help desk scenarios
• Ability to sign in to and recover devices that are otherwise inaccessible
• A fine-grained security model (access control lists and optional password encryption) for securing passwords that are stored in Windows Server Active Directory
• Support for the Azure role-based access control model for securing passwords that are stored in Azure Active Directory