Microsoft is working on a fix for a bug it introduced with the latest Patch Tuesday cumulative updates.
In a security advisory published earlier this week, the tech giant said that installing the April 11 cumulative updates, KB5025224 and KB5025239, breaks a feature known as Windows Local Administrator Password Solution (LAPS).
Although it’s not in the same league as the best password manager, this feature does help administrators manage passwords for local admin accounts on Azure Active Directory-joined or Windows Server Active Directory-joined devices by automatically rotating them and backing them up to AD domain controllers, BleepingComputer reports.
Workaround available
This month, the Patch Tuesday update includes the integration of Windows LAPS on Windows 10, Windows 11, and Windows Server 2019. But applying the patch breaks both legacy LAPS and new LAPS.
“There is a legacy LAPS interop bug in the [..] April 11, 2023 update. If you install the legacy LAPS GPO CSE on a machine patched with the April 11, 2023 security update and an applied legacy LAPS policy, both Windows LAPS and legacy LAPS will break,” Microsoft said. “Symptoms include Windows LAPS event log IDs 10031 and 10032, as well as legacy LAPS event ID 6. Microsoft is working on a fix for this issue.”
A patch is still in the works, so the only way to address the issue is via a workaround. According to Microsoft, admins can either uninstall legacy LAPS or delete all registry values under the HKLM\Software\Microsoft\Windows\CurrentVersion\LAPS\State registry key.
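The check and the registry workaround described above can be scripted as follows. This is an added example, not code from Microsoft's advisory. It assumes the Windows LAPS log is named Microsoft-Windows-LAPS/Operational and that legacy LAPS writes to the Application log as provider AdmPwd; the $apply switch and the backup file name are hypothetical.

```powershell
# Added example, not Microsoft's code. Run from an elevated PowerShell session.
$apply    = $false   # hypothetical switch: $false = dry run, $true = actually delete
$sub      = 'Software\Microsoft\Windows\CurrentVersion\LAPS\State'  # key named in the advisory
$stateKey = "HKLM:\$sub"
$since    = [datetime]'2023-04-11'   # release date of the affected update

# Symptom 1: Windows LAPS event IDs 10031 and 10032.
# Assumption: the dedicated Windows LAPS log is 'Microsoft-Windows-LAPS/Operational'.
$newLaps = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-LAPS/Operational'; Id = 10031, 10032; StartTime = $since
} -ErrorAction SilentlyContinue

# Symptom 2: legacy LAPS event ID 6.
# Assumption: the legacy CSE logs to the Application log under provider 'AdmPwd'.
$legacyLaps = Get-WinEvent -FilterHashtable @{
    LogName = 'Application'; ProviderName = 'AdmPwd'; Id = 6; StartTime = $since
} -ErrorAction SilentlyContinue

"Windows LAPS 10031/10032 events: $(@($newLaps).Count)"
"Legacy LAPS ID 6 events:         $(@($legacyLaps).Count)"

if (-not ($newLaps -or $legacyLaps)) {
    'No symptoms found; leaving the registry untouched.'
}
elseif (-not (Test-Path -Path $stateKey)) {
    "Symptoms present, but $stateKey does not exist; nothing to delete."
}
else {
    # Keep a copy of the current state so the change can be reviewed or reverted.
    $backup = Join-Path $env:TEMP 'laps-state-backup.reg'   # constructed file name
    reg.exe export "HKLM\$sub" $backup /y | Out-Null
    "Backed up State key to $backup"

    # Delete every value under the key; the key itself stays in place.
    foreach ($name in (Get-Item -Path $stateKey).Property) {
        Remove-ItemProperty -Path $stateKey -Name $name -WhatIf:(-not $apply)
    }
}
```

With $apply left at $false the script only reports which values it would remove.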
LAPS will now become native to Windows and will be updated through the standard Windows update process, Microsoft confirmed.
“Starting with the April 11, 2023 security update, LAPS is natively integrated into Windows with new capabilities for on-premises AD scenarios and forthcoming Azure Active Directory benefits (currently in private preview),” the advisory reads.
“Some of the new features include rich policy management, automatic rotation, dedicated event log, new PowerShell module, hybrid-joined support, and more.”
Via: BleepingComputer