New LAPS Support
Now that Microsoft released the new LAPS with the recent 4/11/23 cumulative updates, does PDQ Inventory need updates to accommodate decrypting the LAPS credentials?
It seems like in its current state, I am getting "LAPS Username or Password is incorrect" when testing the LAPS functionality in PDQ. I also verified that the LAPS credentials have the permissions to decrypt.
Comments
Hey Jeremy DeRoy, I found this comment while looking for an announcement by PDQ about this issue.
They'll definitely need to release an update. The design of the (new) Windows LAPS product is intended to use a whole different set of AD Schema attributes (unless it's running in legacy mode).
Windows LAPS
Windows LAPS schema and rights extensions for Windows Server Active Directory | Microsoft Learn
Attribute: msLAPS-EncryptedPassword
Microsoft LAPS (the old 2016 MSI version)
How to Configure Microsoft Local Administrator Password Solution (LAPS)
Attribute: ms-Mcs-AdmPwd
Hopefully the PDQ team will have an update out to support the new schema soon!
I am a bit surprised that there is zero info from PDQ yet. As they do Patch Day articles and videos, they must be aware of the new LAPS integration. I got everything prepared to switch, just waiting for PDQ support.
We are looking into this. We haven't been able to fully test the compatibility just yet. Microsoft has acknowledged a bug that can cause LAPS to break in certain situations where the legacy LAPS was in use. There may be other problems that we're not aware of yet. I'll let you know when we have an update.
You can read more here: Windows LAPS overview | Microsoft Learn
Just curious if anyone from PDQ can give us an update on this as we are almost to the June 13th Patch Tuesday. I know Microsoft has stated they've fixed some of the initial issues with Windows LAPS from the April 2023 release of it.
UPDATE: the May 9th, 2023 update contains a fix for issue #1 on all supported Windows LAPS platforms. The fix prevents the issue from reoccurring in future, but does not immediately solve the problem of the local password not matching the AD-stored password. The passwords will be made consistent the next time the legacy LAPS CSE runs during a GPO refresh and sees an expired password expiry time in AD. You can accelerate that process by manually forcing a pwd expiry via Reset-AdmPwdPassword.
Issue #2: If you apply a legacy LAPS policy to a device patched with the April 11, 2023 update, Windows LAPS will immediately enforce\honor the legacy LAPS policy, which may be disruptive (for example if done during OS deployment workflow). Disable legacy LAPS emulation mode may also be used to prevent those issues.
Any information about this going forward would be greatly appreciated as I'm sure a lot of people are watching for a fix for PDQ Inventory/Deploy to be used with the newest version of LAPS
The code is currently being tested and vetted and will be available in a nightly before Patch Tuesday.
Andrew, just curious (or whoever wants to answer). I know you said it was being tested and vetted, but do you have any updated information, such as it's now all working as intended with the newest version of LAPS?
Nathan Glassburner There is a nightly that is out that enables support for the new Native Windows LAPS. This is alpha level software, so please don’t expect it to be perfect and bug free, but just wanted to get it in anyone’s hands who wants to try it and provide feedback in this thread. Thanks to anyone who tries and provides feedback! Hopefully if all goes well we will promote to beta and release, depending on outcomes of the nightly.
PDQ Deploy https://download.pdq.com/release/19/Deploy_19.3.427.0.exe
PDQ Inventory https://download.pdq.com/release/19/Inventory_19.3.427.0.exe
Feedback appreciated, either in a support ticket, or on discord.
https://help.pdq.com/hc/en-us/requests/new
https://discord.gg/pdq
So far it's working like a charm. Was able to set Windows LAPS on all our computer OUs and set up PDQ Deploy/Inventory to use the LAPS user with privileges to read passwords, and scanning and deployments are working as expected.
Thanks PDQ and Andrew!
Thanks for the feedback! Glad that you got it up and running.
Nathan Glassburner, did you follow certain documentation for migrating from legacy LAPS to the 'new' LAPS in the AD domain?
Vihren, I just came into this position about 3 months ago, and there wasn't a Legacy LAPS installation, so I was able to just transition straight into using the "New" LAPS. I was right on the cusp of installing Legacy when the announcement came out in April of its release.
Alright, thanks. I will go with what is available or wait for the stable PDQ deployment and short guide from their side.
Andrew Pla,
Does v. 19.3.427.0 support both legacy LAPS and Windows LAPS, or just the latter?
Vihren Todorov, it works with both.
Great, I installed it and it works with LAPS 2.0 policies.
Is there a general hint on how to revert to an older release if necessary?
Will the nightly release automatically get a notification for the beta/stable versions later on?
If you want to go back a version, just uninstall the current version and install the previous version. Your database and settings will not be affected.
Keep your eyes on our releases page: Releases | PDQ
Hi all.
I have a problem with new LAPS.
I installed PDQ beta, both Inventory and Deploy.
Then I configured new LAPS and migrated all computers to it.
Verified that the user is able to authenticate, and most clients in my Inventory work just fine.
But I have some cases that:
a) Scan fails and displays: Unable to determine LAPS password (it worked just fine before)
b) Scan fails and displays: The user name or password is incorrect (it worked just fine before)
In AD I can see both AD attributes populated:
msLAPS-Password HAS value (new laps)
ms-Mcs-AdmPwd HAS value (old laps)
Is PDQ maybe prioritizing the old AD attribute (which for sure has the wrong password)?
Thanks!
OK, it seems that I found the core issue for case a) above.
If the computer name has more than 15 characters (the AD limit), then it's like this:
computer name in AD: PC-computer-nam
CN attribute: PC-computer-nam
Computer name in PDQ: PC-computer-name
Computer name in DNS: PC-computer-name.domain.loc
Now the funny thing is that old LAPS is working just fine; as soon as I add new LAPS it says wrong password (it is still reading the ms-Mcs-AdmPwd value, I guess).
If I delete the ms-Mcs-AdmPwd value it says: Unable to determine LAPS password, and it WON'T read the msLAPS-Password attribute as it should.
So this happens only if the computer name is too long...
Please also disregard issue b) in the above post; that was my problem...
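An added diagnostic script (not PDQ's code and not posted by anyone in this thread) that checks the two things discussed above for every computer in an OU: whether the AD name is the 15-character truncation of the DNS host label, and which LAPS attributes (msLAPS-Password / msLAPS-EncryptedPassword vs. legacy ms-Mcs-AdmPwd) are populated, plus whether the account running it can actually read the Windows LAPS password. It assumes the RSAT ActiveDirectory module and the Windows LAPS PowerShell module are installed, that it runs as the account PDQ uses to read LAPS, and the OU distinguished name is a placeholder.

```powershell
# Added diagnostic; not PDQ code. Assumes RSAT ActiveDirectory + Windows LAPS module
# are installed and this runs as the account PDQ uses to read LAPS passwords.
Import-Module ActiveDirectory
Import-Module LAPS

# Placeholder OU, constructed for this example; replace with your own.
$SearchBase = 'OU=Workstations,DC=domain,DC=loc'

$props = 'dNSHostName', 'sAMAccountName', 'msLAPS-Password',
         'msLAPS-EncryptedPassword', 'ms-Mcs-AdmPwd'

Get-ADComputer -Filter * -SearchBase $SearchBase -Properties $props | ForEach-Object {
    $c = $_
    # DNS host label is what PDQ and DNS see; CN/sAMAccountName are cut at 15 chars.
    $dnsLabel  = if ($c.dNSHostName) { ($c.dNSHostName -split '\.')[0] } else { $c.Name }
    $truncated = ($dnsLabel.Length -gt 15) -and ($c.Name -ne $dnsLabel)

    # Test presence only; never echo the values (ms-Mcs-AdmPwd is cleartext).
    # Note: $null here means either "not set" OR "this account lacks read rights".
    $hasNewPlain = $null -ne $c.'msLAPS-Password'
    $hasNewEnc   = $null -ne $c.'msLAPS-EncryptedPassword'
    $hasLegacy   = $null -ne $c.'ms-Mcs-AdmPwd'

    # Confirm this account can read/decrypt the Windows LAPS password.
    # Without -AsPlainText the password is returned as a SecureString, so nothing is shown.
    # Assumption: -Identity accepts the computer's distinguished name.
    $decryptOk = $false
    if ($hasNewPlain -or $hasNewEnc) {
        try {
            $null = Get-LapsADPassword -Identity $c.DistinguishedName -ErrorAction Stop
            $decryptOk = $true
        } catch { $decryptOk = $false }
    }

    [pscustomobject]@{
        ADName         = $c.Name
        DnsLabel       = $dnsLabel
        NameTruncated  = $truncated
        WindowsLAPS    = $hasNewPlain -or $hasNewEnc
        LegacyLAPS     = $hasLegacy
        BothPopulated  = ($hasNewPlain -or $hasNewEnc) -and $hasLegacy
        CanReadNewLAPS = $decryptOk
    }
} | Sort-Object NameTruncated, BothPopulated -Descending | Format-Table -AutoSize
```

Rows with NameTruncated = True or BothPopulated = True are the ones most likely to show the "wrong password" / "Unable to determine LAPS password" behaviour described in the thread; a CanReadNewLAPS = False row points at missing read/decrypt rights rather than a PDQ problem.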
Hi!
We are using the new LAPS with PDQ Deploy/Inventory version 19.3.440.0
We get an error, "Unable to determine LAPS password"
Our local LAPS account is "Administratör" with an ö. Is this the problem, or is it that our LAPS passwords are encrypted?
The domain user that PDQ uses to read LAPS passwords is working; I've tried starting ADUC as that user, and I can successfully view the password in plaintext.
Best regards, Johan