Guest /u/royalviewmtb
Posted

After electing to go all in for Windows LAPS and replace Microsoft LAPS aka legacy LAPS, I'm having problems getting moved over. Currently I'm performing tests and once it works I'll implement domain wide.

 

When Windows LAPS is switched over, it supposedly initiates a password rotation and the date/time would reflect that (and it is not today); also the Source would not say "LegacyLaps~".

 

test of using Legacy or Windows LAPS

 

From what I've read and researched, when the Windows feature recognizes that legacy LAPS is working, this is called Legacy Mode (and it effectively doesn't implement itself). Today I read that adding a registry value named BackupDirectory with a DWORD value of 0 would be all that was now needed to tell Windows to move along and use the new LAPS features.

 

https://preview.redd.it/8w6pd78q9etd1.png?width=1148&format=png&auto=webp&s=661a941d261d8f8518869555c6fe59ad84aa2f27

 

Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\LAPS\Config

 

...Still, after doing this, the above is the apparent failed result. The Microsoft LAPS Operational event log (under Applications and Services Logs) has event 10024 saying LAPS is disabled, and there is no 10023 event to state that its source is now Windows LAPS.

 

My test device is in a 'blocked inheritance' OU with only the GPO configured for Windows LAPS. The GPO has nearly everything enabled, and I set the group using the SID wrapped in quotes. The AD schema is updated. Additionally, these PS commands were all done per instructions:

Set-LapsADComputerSelfPermission and Set-LapsADReadPasswordPermission at the root (should cover it all)

The allowed principal is the same security group set in the GPO.

Find-LapsADExtendedRights - output is consistent with what is expected

 

***Beyond my limit, and seeking therapeutic, and possibly shared experience or knowledge, help here.

 

We run a Windows 2016 schema, Windows Server 2022 and 2019, and a mix of Win 10 and 11 desktops, all of which have Microsoft LAPS installed. Also, all desktops are patched to include LAPS as a feature.

 

Recently we had a mobile device that was off the network long enough to have lost its domain trust / secure channel AND to have LAPS rotate the password (which happens on the device), so effectively domain creds were prevented and the LAPS account was now useless. While researching LAPS behavior to avoid this scenario in the future, I learned about Windows LAPS, its password history capability, and how it is the future for new desktops. So I need to figure this out and appreciate any insights you might provide.

 

submitted by /u/royalviewmtb
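The post is trying to work out which policy source Windows LAPS is actually honouring on the test device. The script below is an added example, not the poster's code or anything shipped by Microsoft: it reads the three registry locations Windows LAPS evaluates on a domain-joined client (the Group Policy location, the local-configuration location the post shows, and the legacy Microsoft LAPS AdmPwd policy), decodes the BackupDirectory value using its documented meanings (0 = Disabled, 1 = Microsoft Entra ID, 2 = Windows Server Active Directory), summarises recent entries from the Microsoft-Windows-LAPS/Operational log (the log that carries the 10023/10024 events mentioned above), and fetches the password metadata stored in AD without revealing the secret. The lookback window and the use of the local computer name are assumptions; the Get-LapsADPassword call needs the LAPS PowerShell module (part of the feature) and read rights on the computer object.

```powershell
# Added example, not code from the original post or from Microsoft.
# Inventory the Windows LAPS policy sources on a client, decode BackupDirectory,
# and summarise recent LAPS operational-log entries. Run elevated on the test device.
# Assumptions: $LookbackDays is arbitrary; the inspected computer is the local machine.

$LookbackDays = 7

# Registry policy locations Windows LAPS reads, highest precedence first
# (the Intune CSP location is omitted because this is a domain-joined scenario).
$PolicySources = [ordered]@{
    'GPO'         = 'HKLM:\Software\Microsoft\Policies\LAPS'
    'LocalConfig' = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\LAPS\Config'
    'LegacyLaps'  = 'HKLM:\Software\Policies\Microsoft Services\AdmPwd'
}

# Documented meaning of the Windows LAPS BackupDirectory policy value.
$BackupDirectoryNames = @{
    0 = 'Disabled'
    1 = 'Microsoft Entra ID'
    2 = 'Windows Server Active Directory'
}

function ConvertTo-BackupDirectoryName {
    param($Value)
    if ($null -eq $Value) { return 'BackupDirectory not set' }
    $key = [int]$Value
    if ($BackupDirectoryNames.ContainsKey($key)) { return $BackupDirectoryNames[$key] }
    return "unknown value $Value"
}

function Get-LapsPolicySummary {
    foreach ($entry in $PolicySources.GetEnumerator()) {
        $name = $entry.Key
        $path = $entry.Value
        $result = [ordered]@{
            Source = $name; Path = $path; Present = $false
            Setting = $null; Value = $null; Meaning = 'key not present'
        }
        if (Test-Path -Path $path) {
            $props = Get-ItemProperty -Path $path
            $result.Present = $true
            if ($name -eq 'LegacyLaps') {
                # Legacy Microsoft LAPS (AdmPwd) policy. While this is the only policy
                # Windows LAPS finds, it keeps running in legacy emulation mode.
                $result.Setting = 'AdmPwdEnabled'
                $result.Value   = $props.AdmPwdEnabled
                $result.Meaning = if ($props.AdmPwdEnabled -eq 1) { 'legacy LAPS enabled' } else { 'legacy LAPS not enabled' }
            } else {
                $result.Setting = 'BackupDirectory'
                $result.Value   = $props.BackupDirectory
                $result.Meaning = ConvertTo-BackupDirectoryName -Value $props.BackupDirectory
            }
        }
        [pscustomobject]$result
    }
}

function Get-LapsEventSummary {
    param([int]$Days = $LookbackDays)
    # One row per event ID: how often it fired and the first line of the latest message.
    $filter = @{ LogName = 'Microsoft-Windows-LAPS/Operational'; StartTime = (Get-Date).AddDays(-$Days) }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    if (-not $events) { return }
    $events | Group-Object -Property Id | Sort-Object -Property Name | ForEach-Object {
        $latest = $_.Group | Sort-Object -Property TimeCreated -Descending | Select-Object -First 1
        [pscustomobject]@{
            EventId  = [int]$_.Name
            Count    = $_.Count
            LastSeen = $latest.TimeCreated
            Message  = ($latest.Message -split "`r?`n")[0]
        }
    }
}

function Get-LapsADPasswordMetadata {
    param([string]$ComputerName = $env:COMPUTERNAME)
    try {
        # Without -AsPlainText the Password property stays a SecureString;
        # only the rotation timestamp and the Source attribute are of interest here.
        Get-LapsADPassword -Identity $ComputerName -ErrorAction Stop |
            Select-Object ComputerName, Account, PasswordUpdateTime, ExpirationTimestamp, Source
    } catch {
        Write-Warning "Get-LapsADPassword failed for ${ComputerName}: $($_.Exception.Message)"
    }
}

Write-Host '== Windows LAPS policy sources (highest precedence first) =='
Get-LapsPolicySummary | Format-Table Source, Present, Setting, Value, Meaning -AutoSize

Write-Host "== Microsoft-Windows-LAPS/Operational, last $LookbackDays days =="
Get-LapsEventSummary | Format-Table -AutoSize

Write-Host '== Password metadata stored in AD (secret not displayed) =='
Get-LapsADPasswordMetadata | Format-List
```

Read the first table top to bottom: the first source that is present with a BackupDirectory set is the one Windows LAPS applies, and a value that decodes to "Disabled" is consistent with a 10024 "LAPS is disabled" event rather than a policy failure. After changing policy, `Invoke-LapsPolicyProcessing` forces an immediate policy cycle so the event and AD tables can be re-checked without waiting for the next scheduled run; a Source column that no longer reads as a legacy value and a fresh PasswordUpdateTime together confirm the switch the post is looking for.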
