New LAPS Support

Now that Microsoft released the new LAPS with the recent 4/11/23 cumulative updates, does PDQ Inventory need updates to accommodate decrypting the LAPS credentials?

It seems like in its current state, I am getting "LAPS Username or Password is incorrect" when testing the LAPS functionality in PDQ. I also verified that the LAPS credentials have the permissions to decrypt.

2

Comments

19 comments
  • The code is currently being tested and vetted and will be available in a nightly before Patch Tuesday.

    1
  • Andrew, just curious (or whoever wants to answer).  I know you said it was being tested and vetted, but do you have any updated information, such as it's now all working as intended with the newest version of LAPS?

    1
  • So far it's working like a charm.  Was able to set Windows LAPS to all our computer OUs and set up PDQ Deploy/Inventory to use the LAPS user with privileges to read passwords, and scanning and deployments are working as expected.

    Thanks PDQ and Andrew!

    1
  • Great, I installed it and it works with LAPS 2.0 policies.

    Is there a general hint on how to revert to an older release if necessary?

    Will the nightly release automatically get a notification for the beta/stable versions later on?

    1
  • OK, it seems that I found the core issue for case a) above.

    If the computer name has more than 15 characters (AD limit) then it's like this:

    computer name in AD:  PC-computer-nam
    CN attribute: PC-computer-nam
    Computer name in PDQ: PC-computer-name
    Computer name in DNS: PC-computer-name.domain.loc

    Now the funny thing is that old LAPS is working just fine; as soon as I add new LAPS it says wrong password (it is still reading the ms-Mcs-AdmPwd value, I guess).
    If I delete the ms-Mcs-AdmPwd value it says: Unable to determine LAPS password, and it WON'T read the msLAPS-Password attribute as it should.

    So this happens only if the computer name is too long...

    Please also disregard issue b) in the post above; that was my problem...

    1
  • Hey Jeremy Deroy, I found this comment while looking for an announcement by PDQ about this issue.

    They'll definitely need to release an update.  The design of the (new) Windows LAPS product is intended to use a whole different set of AD schema attributes (unless it's running in legacy mode).

    Windows LAPS

    Windows LAPS schema and rights extensions for Windows Server Active Directory | Microsoft Learn

    Attribute: msLAPS-EncryptedPassword


    Microsoft LAPS (the old 2016 MSI version)

    How to Configure Microsoft Local Administrator Password Solution (LAPS)

    Attribute: ms-Mcs-AdmPwd

    Hopefully the PDQ team will have an update out to support the new schema soon!

    0
  • I am a bit surprised that there is zero info from PDQ yet. As they do Patch Day articles and videos, they must be aware of the new LAPS integration. I got everything prepared to switch, just waiting for PDQ support.

    0
  • We are looking into this. We haven't been able to fully test the compatibility just yet. Microsoft has acknowledged a bug that can cause LAPS to break in certain situations where the legacy LAPS was in use. There may be other problems that we're not aware of yet. I'll let you know when we have an update.


    You can read more here: Windows LAPS overview | Microsoft Learn

    0
  • Just curious if anyone from PDQ can give us an update on this, as we are almost to the June 13th Patch Tuesday.  I know Microsoft has stated they've fixed some of the initial issues with Windows LAPS from the April 2023 release of it.

    UPDATE: the May 9th, 2023 update contains a fix for issue #1 on all supported Windows LAPS platforms. The fix prevents the issue from reoccurring in future, but does not immediately solve the problem of the local password not matching the AD-stored password. The passwords will be made consistent the next time the legacy LAPS CSE runs during a GPO refresh and sees an expired password expiry time in AD. You can accelerate that process by manually forcing a pwd expiry via Reset-AdmPwdPassword.

    Issue #2: If you apply a legacy LAPS policy to a device patched with the April 11, 2023 update, Windows LAPS will immediately enforce/honor the legacy LAPS policy, which may be disruptive (for example if done during an OS deployment workflow). Disabling legacy LAPS emulation mode may also be used to prevent those issues.

    Any information about this going forward would be greatly appreciated, as I'm sure a lot of people are watching for a fix for PDQ Inventory/Deploy to be used with the newest version of LAPS.

    0
  • Nathan Glassburner  There is a nightly that is out that enables support for the new Native Windows LAPS. This is alpha level software, so please don’t expect it to be perfect and bug free, but just wanted to get it in anyone’s hands who wants to try it and provide feedback in this thread. Thanks to anyone who tries and provides feedback! Hopefully if all goes well we will promote to beta and release, depending on outcomes of the nightly.

    PDQ Deploy https://download.pdq.com/release/19/Deploy_19.3.427.0.exe

    PDQ Inventory https://download.pdq.com/release/19/Inventory_19.3.427.0.exe

    Feedback appreciated, either in a support ticket, or on discord.
    https://help.pdq.com/hc/en-us/requests/new
    https://discord.gg/pdq

    0
  • Thanks for the feedback! Glad that you got it up and running.

    0
  • Nathan Glassburner, did you follow certain documentation for migrating from legacy LAPS to the 'new' LAPS in the AD domain?

    0
  • Vihren, I just came into this position about 3 months ago, and there wasn't a Legacy LAPS installation, so I was able to just transition straight into using the "New" LAPS.  I was right on the cusp of installing Legacy when the announcement came out in April of its release.

    0
  • Alright, thanks. I will go with what is available or wait for the stable PDQ deployment and short guide from their side.

    0
  • Andrew Pla,

    Does v. 19.3.427.0 support both legacy LAPS and Windows LAPS, or just the latter?

    0
  • Vihren Todorov It works with both.

    0
  • If you want to go back a version, just uninstall the current version and install the previous version. Your database and settings will not be affected.

    Keep your eyes on our releases page: Releases | PDQ

    0
  • Hi all.

    I have a problem with the new LAPS.

    I installed the PDQ beta, both Inventory and Deploy.
    Then I configured the new LAPS and migrated all computers to it.
    Verified that the user is able to authenticate, and most clients in my Inventory work just fine.

    But I have some cases that:
    a) Scan fails and displays: Unable to determine LAPS password (it worked just fine before)
    b) Scan fails and displays: The user name or password is incorrect (it worked just fine before)

    In AD I can see both AD attributes populated:

    msLAPS-Password HAS value (new laps)
    ms-Mcs-AdmPwd HAS value (old laps)

    Is PDQ maybe prioritizing old AD attribute (which has for sure wrong password)?

    Thanks!

    0
  • Hi!

    We are using the new LAPS with PDQ Deploy/Inventory version 19.3.440.0.
    We get an error, "Unable to determine LAPS password".

    Our local LAPS account is "Administratör" with an ö. Is this the problem, or is it that our LAPS passwords are encrypted?
    The domain user that PDQ uses to read LAPS passwords is working; I've tried starting ADUC as that user, and I can successfully view the password in plaintext.

    Best regards, Johan

    0
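Two of the failure modes discussed in this thread (the 15-character computer-name truncation a few posts up, and the "Unable to determine LAPS password" error with encrypted passwords above) can be triaged from an admin workstation before opening a ticket. The following PowerShell is an added example, not PDQ's code or anything from Microsoft's documentation. It assumes the RSAT ActiveDirectory module and the built-in Windows LAPS module (`Get-LapsADPassword`, shipped with the April 2023 updates) are installed, and that the domain has the Windows LAPS schema extension; the host name `PC-computer-name.domain.loc` is the constructed sample from the thread, not a real machine.

```powershell
#Requires -Modules ActiveDirectory, LAPS
# Added example (not PDQ's code): for one computer, report which LAPS attributes
# its AD object carries and whether the current account can read the Windows
# LAPS password. Run as the same domain account PDQ uses to read LAPS.
param(
    # DNS host name as the management tool sees it (sample value, constructed)
    [string]$HostName = 'PC-computer-name.domain.loc'
)

# Strip the DNS suffix. The AD computer object's name/sAMAccountName is
# limited to the 15-character NetBIOS name, so a longer DNS label will not
# match the AD object by exact name.
$shortName = ($HostName -split '\.')[0]
$netbiosName = $shortName
if ($shortName.Length -gt 15) {
    $netbiosName = $shortName.Substring(0, 15)
    Write-Warning "'$shortName' exceeds 15 characters; the AD object is probably named '$netbiosName'."
}

# Both the legacy (ms-Mcs-*) and Windows LAPS (msLAPS-*) attributes are requested
# so the two can be compared side by side.
$props = @(
    'msLAPS-Password', 'msLAPS-EncryptedPassword', 'msLAPS-PasswordExpirationTime',
    'ms-Mcs-AdmPwd', 'ms-Mcs-AdmPwdExpirationTime'
)
$sam = "$netbiosName`$"   # computer accounts end with a trailing '$'
$computer = Get-ADComputer -Filter "sAMAccountName -eq '$sam'" -Properties $props
if (-not $computer) {
    Write-Error "No computer object found for '$netbiosName'."
    return
}

# A populated ms-Mcs-AdmPwd alongside an msLAPS-* value means legacy and
# Windows LAPS state coexist on the object, which is the situation the
# "wrong password" reports in this thread describe.
[pscustomobject]@{
    ADName                  = $computer.Name
    HasLegacyPassword       = -not [string]::IsNullOrEmpty($computer.'ms-Mcs-AdmPwd')
    HasWindowsLapsPlaintext = -not [string]::IsNullOrEmpty($computer.'msLAPS-Password')
    HasWindowsLapsEncrypted = $null -ne $computer.'msLAPS-EncryptedPassword'
    WindowsLapsExpiration   = $(
        if ($computer.'msLAPS-PasswordExpirationTime') {
            [datetime]::FromFileTime([int64]$computer.'msLAPS-PasswordExpirationTime')
        }
    )
}

# Confirm the running account can actually read (and, for encrypted
# passwords, decrypt) the Windows LAPS value. The password itself is
# deliberately not written to the console; only metadata is shown.
try {
    $lapsInfo = Get-LapsADPassword -Identity $computer.Name -AsPlainText
    'Windows LAPS read OK: account "{0}", source {1}, expires {2}' -f `
        $lapsInfo.Account, $lapsInfo.Source, $lapsInfo.ExpirationTimestamp
} catch {
    # Typical causes: missing decryption rights, no msLAPS-* attributes,
    # or a schema that has not been extended for Windows LAPS.
    Write-Warning "Get-LapsADPassword failed: $($_.Exception.Message)"
}
```

If `HasLegacyPassword` is true while Windows LAPS is already in use, clearing the stale legacy attribute (or disabling legacy emulation, as the Microsoft text quoted above suggests) removes the ambiguity; if `Get-LapsADPassword` fails while ADUC shows the password, the reading account has the rights but the tool consuming the attribute may be looking at the wrong object name or attribute.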
