After the Patch Tuesday release of Windows LAPS, Microsoft warns about legacy LAPS issues



A few days ago, Microsoft announced the availability of Windows LAPS (Local Administrator Password Solution) as part of this month's Patch Tuesday update. The feature is available on Windows 10, Windows 11 and also on Windows Server.

However, since its release, Microsoft has confirmed interoperability issues with legacy LAPS. When legacy LAPS (the MSI package) is installed on a computer that also has the latest Patch Tuesday update, both legacy LAPS and the new Windows LAPS stop working. Typically, Event ID 10031 or 10032 is logged with the message "LAPS blocked an external request that attempted to change the password of the current managed account."

Microsoft has also published a workaround for the bug:

We have verified a legacy LAPS interop bug in the above 11 April 2023 update. If you install the legacy LAPS GPO CSE on a computer with the 11 April 2023 security update and a legacy LAPS policy applied, both Windows LAPS and legacy LAPS. Symptoms include Windows LAPS Event Log IDs 10031 and 10032, as well as Legacy LAPS Event ID 6. Microsoft is working on a fix for this problem. You can work around this problem by: a) uninstalling Legacy LAPS, or b) deleting all registry entries under the HKLM\Software\Microsoft\Windows\CurrentVersion\LAPS\State registry key.

On its LAPS overview page, Microsoft also provided a more detailed description of the two documented issues:

Issue No. 1: If you install Legacy LAPS CSE on a device with the April 11, 2023 Security Update and the Legacy LAPS policy, both Windows LAPS and Legacy LAPS will enter a broken state where neither feature will update the password for the managed account. Symptoms include Windows LAPS event log IDs 10031 and 10033, as well as legacy LAPS event ID 6. Microsoft is working on a fix for this problem.

There are two main ways to circumvent the above problem:

A. Uninstall legacy LAPS CSE (result: Windows LAPS will take over managed account management)

B. Disable legacy LAPS emulation mode (result: legacy LAPS will take over the management of the managed account)

Issue No. 2: If you apply a legacy LAPS policy to a device patched with the April 11, 2023 update, Windows LAPS will immediately enforce/respect the legacy LAPS policy, which can be disruptive (e.g. if done during the OS deployment workflow). Disabling legacy LAPS emulation mode may also be used to prevent these issues.
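The following PowerShell triage script is an added example (not from the article, and not Microsoft's own tooling) that checks a patched machine for the symptoms described in Microsoft's workaround note and issue descriptions above, and optionally applies workaround (b), clearing the State key. It assumes that Windows LAPS logs to the Microsoft-Windows-LAPS/Operational channel, that legacy LAPS logs to the Application log under the provider name AdmPwd, and that the legacy CSE is installed as %ProgramFiles%\LAPS\CSE\AdmPwd.dll; run it elevated.

```powershell
# Added triage script for the legacy LAPS / Windows LAPS interop issue.
# Assumptions (not stated in the article): Windows LAPS channel name,
# legacy LAPS provider name 'AdmPwd', and the legacy CSE DLL path below.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$ClearState   # apply workaround (b): delete all values under the State key
)

$stateKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\LAPS\State'
$legacyCse = Join-Path $env:ProgramFiles 'LAPS\CSE\AdmPwd.dll'
$since     = (Get-Date).AddDays(-7)

# 1. Windows LAPS symptoms: IDs 10031/10032/10033 ("LAPS blocked an external request ...")
$newLaps = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-LAPS/Operational'; Id = 10031, 10032, 10033; StartTime = $since
} -ErrorAction SilentlyContinue

# 2. Legacy LAPS symptom: event ID 6 from the AdmPwd provider in the Application log
$oldLaps = Get-WinEvent -FilterHashtable @{
    LogName = 'Application'; ProviderName = 'AdmPwd'; Id = 6; StartTime = $since
} -ErrorAction SilentlyContinue

# 3. Is the legacy CSE still installed alongside the April 2023 update?
$cseInstalled = Test-Path $legacyCse

[pscustomobject]@{
    LegacyCseInstalled  = $cseInstalled
    WindowsLapsBlocks   = @($newLaps).Count
    LegacyLapsEventId6  = @($oldLaps).Count
    StateKeyPresent     = Test-Path $stateKey
    LikelyInteropBug    = $cseInstalled -and (@($newLaps).Count -gt 0 -or @($oldLaps).Count -gt 0)
} | Format-List

if ($ClearState -and (Test-Path $stateKey)) {
    # Workaround (b) from Microsoft's note: remove every value under the State key.
    # Supports -WhatIf / -Confirm so the change can be previewed before it is made.
    foreach ($name in (Get-Item $stateKey).Property) {
        if ($PSCmdlet.ShouldProcess("$stateKey\$name", 'Remove-ItemProperty')) {
            Remove-ItemProperty -Path $stateKey -Name $name
        }
    }
}
```

Run it without switches to get a report only; add `-ClearState -WhatIf` to preview which registry values workaround (b) would remove before applying it.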

You can find more details about Windows LAPS and these issues on Microsoft's website.

