Windows LAPS integration via April 2023 update causes trouble for administrators

Windows[German]Microsoft has integrated its Local Administrator Password Solution (LAPS) directly into the Windows operating system with the April 2023 patchday (April 11, 2023). This was done due to "popular demand" from enterprise customers, as Microsoft wrote. However, this move caused serious issues for administrators who installed the old LAPS client on non English Windows. In


Advertising

LAPS now shipped with Windows

Windows Local Administrator Password Solution (Windows LAPS) is a Windows feature that can automatically manage and secure the password of a local administrator account on devices mounted in Azure Active Directory or Windows Server Active Directory. This Microsoft Local Administrator Password Solution (LAPS) provides local administrator account password management for computers joined into a domain.

Windows LAPS can also be used to automatically manage and secure the Directory Services Repair Mode (DSRM) account password on Windows Server Active Directory domain controllers. An authorized administrator can retrieve and use the DSRM password. Passwords are randomly ordered and stored in Active Directory (AD) and protected by ACLs.

Until now, however, an administrator had to install a corresponding client under Windows to do this. Only in Windows 11 Insider Previews did Microsoft experiment with integrating the LAPS client into the operating system. On April 11, 2023, the LAPS client was then automatically rolled out with the cumulative security updates to all supported Windows systems (see the articles linked at the end of the article on the security updates for Windows 10 and Windows 11/Sever 2022). Microsoft had provided the following notice in the support posts:

New! This update implements the new Windows Local Administrator Password Solution (LAPS) as a Windows inbox feature.

Microsoft had published the Techcommunity post By popular demand: Windows LAPS available now! on this topic. Based on customer requests, they had made LAPS available for both cloud and on-premises environments starting April 11, 2023, in the following operating systems.

  • Windows 11 Pro, EDU and Enterprise
  • Windows 10 Pro, EDU and Enterprise
  • Windows Server 2022 and Windows Server Core 2022
  • Windows Server 2019

In doing so, Microsoft intended to support administrators, who don't having to manually install the client in question. Details about the new features and benefits can be read in the Techcommunity post. Microsoft plans to provide future fixes or feature updates via the normal Windows Updates. This is actually a good idea, but the comments on Jay Simmons' blog post in the Techcommunity show that there is a need for discussion.


Advertising

Trouble with build in LAPS

Unfortunately, this move seems to have gone pretty wrong for Microsoft once again. Within my German blog, reader 1St1 had already hinted at problems on April 12, 2023 in this comment (thanks for that, had seen that but didn't have time to pick it up right away), and summarized the following details on April 13, 2023 in this comment:

The new LAPS works not only with an on-premises AD, but now also with an Azure AD (or Intune). It now also changes the DSRM password on domain controllers. Interestingly, LAPS now changes the local admin password every time you used it, I don't know if that's a bit too much of a good thing. It also supports new interesting GPO settings, you can now enable password history for example, which is interesting if you need to restore a system back to a time before the last LAPS password change.

But if you already use LAPS, you have already established one or the other automatic deployment in AD for the LAPS agent, which installs the previous agent on a system, which you have newly installed and added to AD. Now there is a problem, if you install the previous LAPS agent on a system with the April updates, LAPS does not work, it is broken.

But the solution is quite simple, you check in the deployment script for the existence of c:\windows\system32\laps.dll and if present you abort the script. LAPS will still work with the LAPS agent now hardcoded in Windows if you have already enabled it in the domain (appropriate GPO settings, schema extension).

What is not clear to me yet is whether the new GPO settings, especially the LAPS password history need another schema extension. I haven't read all the links for that yet though, I first had to make sure that the old LAPS agent is no longer autodeployed if the April 2023 update is already on the machine. These advanced settings can be seen in the screenshot at the following link, I haven't discovered them in our group policies yet, maybe you have to import a new ADMX there first.

As of April 14, 2023, blog reader Jonas then pointed out the problem again in this comment:

Important note for those who have the legacy LAPS in use.

You will break both (!) LAPS variants if you install the legacy version of LAPS after installing the April updates (which is the case in our environment, since in our automated OS installation the latest MS updates are applied first – we haven't tested it yet).

I picked this up in the recent Reddit patchday thread (see also).

Jonas points out that Microsoft already lists the ison in an info box at the support article  Legacy LAPS Interop issues with the April 11 2023 Update:

The April 11, 2023 update has two potential regressions related to interoperability with legacy LAPS scenarios. Please read the following to understand the scenario parameters plus possible workarounds.

Issue #1: If you install the legacy LAPS CSE on a device patched with the April 11, 2023 security update and an applied legacy LAPS policy, both Windows LAPS and legacy LAPS will enter a broken state where neither feature will update the password for the managed account. Symptoms include Windows LAPS event log IDs 10031 and 10033, as well as legacy LAPS event ID 6. Microsoft is working on a fix for this issue.

Two primary workarounds exist for the above issue:

a. Uninstall the legacy LAPS CSE (result: Windows LAPS will take over management of the managed account)

b. Disable legacy LAPS emulation mode (result: legacy LAPS will take over management of the managed account)

Issue #2: If you apply a legacy LAPS policy to a device patched with the April 11, 2023 update, Windows LAPS will immediately enforce\honor the legacy LAPS policy, which may be disruptive (for example if done during OS deployment workflow). Disable legacy LAPS emulation mode may also be used to prevent those issues.

So the move went pretty wrong. At this point my thanks to all readers who contacted me about the topic here on the blog or by mail.

Procedure for German systems

Mark Heitbrink had already pointed out the issue in internal Facebook groups (I had seen) and wrote me another mail with hints yesterday (thanks for that). He said that there was trouble from the LAPS corner, and the mess was once again due to lack of care. It looks like the English language Windows implementations are being tested, while the administrators of other languages are left in the cold with Windows.

Mark Heitbrink has posted an article Migration LAPS Legacy zu LAPS native for German-speaking admins, describing what integrating the LAPS client into Windows with the April 2023 updates will means, if LAPS is already deployed in the enterprise environment. Might want to review for any administrator using LAPS in the enterprise (use deepl.com to translate).

Similar articles:
Microsoft Security Update Summary (April 11, 2023)
Patchday: Windows 10 Updates (April 11, 2023)
Patchday: Windows 11/Server 2022 Updates (April 11, 2023)
Windows 7/Server 2008 R2; Server 2012 R2: Updates (April 11, 2023)
Patchday: Microsoft Office Updates (April 11, 2023)
Microsoft April 2023 Patchday-Nachlese


Advertising

This entry was posted in Allgemein. Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *

Note: Please note the rules for commenting on the blog (first comments and linked posts end up in moderation, I release them every few hours, I rigorously delete SEO posts/SPAM).