If you’ve installed April’s Patch Tuesday update, there’s a likelihood that you’ve encountered an interoperability issue between the new Windows Local Administrator Password Solution (LAPS) and legacy LAPS policies. The update featured a new integration between Windows LAPS on Windows 10, Windows 11, and Windows Server 2019 or newer releases.
For those not familiar, Windows LAPS is a tool designed to help IT admins manage and back up passwords for local administrator accounts on Azure Active Directory-joined or Windows Server Active Directory-joined devices. It can also be used to manage and back up the Directory Services Restore Mode (DSRM) account password on the Windows Server Active Directory domain controllers.
According to Microsoft:
There is a legacy LAPS interop bug in the above April 11, 2023 update. If you install the legacy LAPS GPO CSE on a machine patched with the April 11, 2023 security update and an applied legacy LAPS policy, both Windows LAPS and legacy LAPS will break.
Microsoft has indicated that some of the main tale-tell signs include Windows LAPS event log IDs 10031 and 10032, and legacy LAPS event ID 6. The company has indicated that it’s currently working on a fix to patch this issue.
However, till the fix is available, Microsoft has provided a workaround for the issue. If you’ve encountered this issue and would like to get rid of it, you’ll need to uninstall legacy LAPS under the HKLM\Software\Microsoft\Windows\CurrentVersion\LAPS\State registry key. Alternatively, you can delete all registry values.
Have you encountered this issue? Let us know in the comments.