
LAPS Implementation - Warning (10108) showing on clients (msLAPSCurrentPasswordVersion attribute has not been added to the Active Directory Schema)



Guest /u/k1m404
Posted

Hi all,

We have recently implemented [Windows] LAPS and for the most part, this works. PCs update their local admin account passwords and these are successfully stored in AD. One thing bugging me is that all of the clients are showing a warning multiple times in the day - event ID 10108, with the description "The msLAPSCurrentPasswordVersion attribute has not been added to the Active Directory schema. This attribute is used to detect torn state conditions caused by OS image rollback scenarios. All primary scenarios will function without this attribute however it is recommended that administrator fix this by re-running the latest Update-LapsADSchema cmdlet."

I have run `Update-LapsADSchema` on the DC, however, this has not fixed the issue and all clients are still showing this warning. There is nothing returned from running `Update-LapsADSchema`. Has anyone experienced this previously and what was the solution?

For the most part, LAPS works for us. `Set-LapsADComputerSelfPermission` was run on the OU containing the OU that the clients are in, however, I don't think this is the issue as the client is able to write its local admin password to the directory.

We are running Windows Server 2019 (September 2024 Update (OS Build 17763.6293)).

Clients are running Windows 11 Enterprise (24H2, October 2024 Update (OS Build 26100.2300)).

Edit 1: I have run `Update-LapsADSchema -Verbose` and dumped the output into a text file. There is no mention of msLAPSCurrentPasswordVersion in the output from this cmdlet.

Edit 2: The Windows Insider Blog highlights this issue and says "To enable this feature, you must first run the latest version of the `Update-LapsADSchema` PowerShell cmdlet. Windows LAPS will note the presence of the new attribute and start using it." - how is `Update-LapsADSchema` updated? I tried `Update-Module -Name LAPS`, however, this, as expected, fails as it wasn't installed using `Install-Module`.

Edit 3: I attempted to run `Update-LapsADSchema` using PowerShell 7 on the suggestion of u/rosskoes05, however, this yielded the same results. From the `-Verbose` log:

`VERBOSE: The 'computer' classSchema already has a required mayContain: msLAPS-PasswordExpirationTime`
`VERBOSE: The 'computer' classSchema already has a required mayContain: msLAPS-Password`
`VERBOSE: The 'computer' classSchema already has a required mayContain: msLAPS-EncryptedPassword`
`VERBOSE: The 'computer' classSchema already has a required mayContain: msLAPS-EncryptedPasswordHistory`
`VERBOSE: The 'computer' classSchema already has a required mayContain: msLAPS-EncryptedDSRMPassword`
`VERBOSE: The 'computer' classSchema already has a required mayContain: msLAPS-EncryptedDSRMPasswordHistory`
`VERBOSE: The 'computer' classSchema already has all expected LAPS-related mayContains`

Edit 4: DCs updated with the October 2024 CU. No change when running `Update-LapsADSchema`. Verbose indicates this cmdlet doesn't even try to add the missing attribute `msLAPS-CurrentPasswordVersion`.

Answer: As found by u/dsekelj, this functionality is only available in Windows Server 2025+ (Source: Windows LAPS architecture).

Thanks!


submitted by /u/k1m404
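The post above shows the symptoms (event 10108 on every client) and the eventual answer (the `msLAPS-CurrentPasswordVersion` attribute is only added by the Server 2025 version of `Update-LapsADSchema`). The script below is an added example, not code from the poster or from Microsoft, for checking both sides of that diagnosis from an admin workstation: it queries the schema naming context for each LAPS attribute by `lDAPDisplayName`, lists the operating system of each DC so you can see whether a Server 2025 DC (and its cmdlet) is available, and pulls recent 10108 events from a client's LAPS operational log. It assumes the RSAT `ActiveDirectory` module, rights to read the schema and remote event logs, and that the LAPS event log is named `Microsoft-Windows-LAPS/Operational` (the log the warning is written to). The function and parameter names are the example's own.

```powershell
#Requires -Modules ActiveDirectory
# Added example (not the original poster's code). Assumes the RSAT ActiveDirectory
# module and an account allowed to read the schema and remote event logs.

function Test-LapsSchemaAttributes {
    # Report which Windows LAPS attributes exist in the forest schema.
    param(
        [string[]]$AttributeNames = @(
            'msLAPS-PasswordExpirationTime',
            'msLAPS-Password',
            'msLAPS-EncryptedPassword',
            'msLAPS-EncryptedPasswordHistory',
            'msLAPS-EncryptedDSRMPassword',
            'msLAPS-EncryptedDSRMPasswordHistory',
            'msLAPS-CurrentPasswordVersion'   # the attribute event 10108 says is missing
        )
    )
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    foreach ($name in $AttributeNames) {
        $attr = Get-ADObject -SearchBase $schemaNC `
            -LDAPFilter "(&(objectClass=attributeSchema)(lDAPDisplayName=$name))" `
            -Properties lDAPDisplayName -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Attribute = $name
            Present   = [bool]$attr
        }
    }
}

function Get-DomainControllerOsSummary {
    # The missing attribute is only added by the Server 2025 cmdlet, so show
    # which OS each DC runs to see whether such a host exists in the domain.
    Get-ADDomainController -Filter * |
        Select-Object HostName, OperatingSystem, OperatingSystemVersion
}

function Get-LapsTornStateWarnings {
    # Return recent event 10108 entries from a client's LAPS operational log.
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [int]$Hours = 24
    )
    $filter = @{
        LogName   = 'Microsoft-Windows-LAPS/Operational'
        Id        = 10108
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, MachineName, Id,
            @{ Name = 'Message'; Expression = { ($_.Message -split "`n")[0] } }
}

# Usage: schema check first, then DC OS versions, then one client's warnings.
Test-LapsSchemaAttributes | Format-Table -AutoSize
Get-DomainControllerOsSummary | Format-Table -AutoSize
Get-LapsTornStateWarnings -ComputerName 'CLIENT01' -Hours 24 | Format-Table -AutoSize
```

If `Test-LapsSchemaAttributes` shows every attribute present except `msLAPS-CurrentPasswordVersion` while the DC list contains no Server 2025 host, the output matches the situation in the post: the warning is expected and the schema extension cannot be completed from a Server 2019 cmdlet. Once the attribute is present, the 10108 count from `Get-LapsTornStateWarnings` should drop to zero after clients next process policy, which is a simple way to confirm the fix across the estate.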
