Compatibility mess breaks not one but two Windows password tools

Windows LAPS and legacy LAPS don't play nicely under certain conditions, Microsoft says


The integration of the Local Administrator Password Solution (LAPS) into Windows and Windows Server, delivered in updates earlier this week, is causing interoperability problems with what's called legacy LAPS, Microsoft says.

Redmond touted the LAPS integration in the April 11 KB5025224 and KB5025239 cumulative updates, writing that "Windows LAPS is a huge improvement in virtually every area beyond Legacy LAPS."

However, users found that installing the new Windows LAPS could break both it and legacy LAPS.

"If you install the legacy LAPS GPO CSE on a machine patched with the April 11, 2023 security update and an applied legacy LAPS policy, both Windows LAPS and legacy LAPS will break," Microsoft writes. "Symptoms include Windows LAPS event log IDs 10031 and 10032, as well as legacy LAPS event ID 6."

The vendor is working on a fix, but in the meantime as a workaround, users can either uninstall Legacy LAPS or delete all registry values under the HKLM\Software\Windows\CurrentVersion\LAPS\State registry key.
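To check a patched machine for the coexistence problem described above, here is an added PowerShell script that is not from the article or from Microsoft. It looks for the legacy LAPS CSE and policy alongside the Windows LAPS state key, counts the event IDs Microsoft lists over the last few days, and only clears the State key values when run with -Remediate (and it honours -WhatIf). The State key path with the Microsoft subkey, the legacy policy key, the AdmPwd.dll location and the event log names are assumptions drawn from how the two products install, not from the article; verify them against your environment before relying on the output.

```powershell
# Added example: read-only check for legacy LAPS / Windows LAPS coexistence,
# with an opt-in remediation matching Microsoft's "delete State values" workaround.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Assumed full key path; the article quotes it without the Microsoft subkey.
    [string]$StateKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\LAPS\State',
    [int]$Days = 7,        # how far back to look for the symptom events
    [switch]$Remediate     # without this switch the script only reports
)

# Assumed indicators of legacy LAPS: its GPO CSE DLL and its policy key.
$legacyCse    = Test-Path "$env:windir\System32\AdmPwd.dll"
$legacyPolicy = Test-Path 'HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd'
$stateExists  = Test-Path $StateKey
$since        = (Get-Date).AddDays(-$Days)

# Symptom events from the article: Windows LAPS 10031/10032, legacy LAPS 6.
# Log names and the 'AdmPwd' provider are assumptions about where each logs.
$winLapsEvents = Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
    LogName = 'Microsoft-Windows-LAPS/Operational'; Id = 10031, 10032; StartTime = $since }
$legacyEvents  = Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
    LogName = 'Application'; ProviderName = 'AdmPwd'; Id = 6; StartTime = $since }

[pscustomobject]@{
    LegacyCseInstalled  = $legacyCse
    LegacyPolicyApplied = $legacyPolicy
    WindowsLapsStateKey = $stateExists
    WindowsLapsErrors   = @($winLapsEvents).Count
    LegacyLapsErrors    = @($legacyEvents).Count
} | Format-List

$conflict = $legacyCse -and $legacyPolicy -and (@($winLapsEvents).Count + @($legacyEvents).Count -gt 0)
if (-not $conflict) { Write-Host 'No LAPS coexistence conflict detected.'; return }

Write-Warning 'Legacy LAPS CSE and policy coexist with Windows LAPS, and symptom events are present.'
if ($Remediate -and $stateExists) {
    # Microsoft's second workaround: remove every value under the State key.
    if ($PSCmdlet.ShouldProcess($StateKey, 'Remove all registry values')) {
        (Get-Item $StateKey).Property |
            ForEach-Object { Remove-ItemProperty -Path $StateKey -Name $_ }
        Write-Host 'State values removed; re-run this script after the next policy refresh to confirm.'
    }
} else {
    Write-Host 'Re-run elevated with -Remediate (add -WhatIf to preview), or uninstall legacy LAPS.'
}
```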

LAPS isn't a new product to Microsoft. Admins use the tool to manage passwords on local administrator accounts by regularly rotating them and backing them up to on-premises Active Directory.

"LAPS has proven itself to be an essential and robust building block for AD enterprise security on premises," wrote Jay Simmons, a software engineer with Microsoft. "We'll affectionately refer to this older LAPS product as 'Legacy LAPS.'"

With the April 11 security update, Microsoft announced LAPS integration with Windows 10 and 11 Pro, EDU, and Enterprise editions, Windows Server 2019 and 2022, and Windows Server Core 2022.

Redmond said the tool in Windows is natively integrated as an inbox feature and "is ready to go out-of-the-box," so users no longer have to install an external MSI package. Future fixes and updates will be provided through the regular patching process.

The integration comes with new capabilities for both on-premises AD environments and upcoming Azure AD for cloud scenarios, which is in private preview now but will transition to public preview later this quarter. Among the new features are enhanced policy management, automatic password rotation, a dedicated event log, and a new PowerShell module.

According to Microsoft, the benefits of Windows LAPS go beyond regularly rotating and managing local admin account passwords. The tool will also help protect organizations against pass-the-hash and lateral-traversal attacks, improve security for remote help desks, and enable admins to sign into and recover devices that would otherwise be inaccessible.

It also delivers access control lists and optional encryption for passwords stored in Windows Server AD, and support for the Azure role-based access control model for securing passwords stored in Azure AD. ®
