Server 2025 - GPUpdate triggers immediate LAPS reset
So we're currently testing out the Public preview of Windows 2025 and have noticed some new behaviour when testing out joining the OS to our domain. Initially all works well, the system joins the domain and our LAPS GPOs take over managing the local administrator password, allowing some of our automation to retrieve the password and start running tasks against the system.
However, one thing we've noticed is that as soon as a gpupdate is triggered on Server 2025, it causes LAPS to immediately reset the password again, something that doesn't occur on Server 2019 or 2022. This in turn causes our Ansible automation to immediately begin failing because the credentials are now incorrect.
Does anyone know if this is intended behaviour? Or just a quirk of the Preview version? If it is intended behaviour is this something we can change? Given that it only seems to be happening for Server 2025 I'm hoping there might be some OS config we can change to stop it happening, but I'm not sure if we might need to make changes to our GPO instead.
6 Replies
- JaySimmons
Microsoft
DavidPower1985 - just pinging again to make sure you saw my request on the diagnostics log?
- DavidPower1985
Copper Contributor
Hi JaySimmons
Apologies for the delayed response, I've been on holiday the last week or so and so was away from everything.
I hadn't seen your response before I found a workaround for this issue. I found that by temporarily adding a "PostAuthenticationResetDelay" registry key in HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\LAPS\Config with a value of 1 it prevented the LAPS reset being triggered immediately upon a GPUpdate being performed (essentially putting a 1 hour delay on the reset of the password). Once our deployment processes are complete our automation then deletes the key to restore the original configuration.
I did manually take a look at the LAPS event logs when I was initially troubleshooting and the only thing that stood out was a notification that policies had changed and so it was triggering a LAPS password reset. The issue is that this notification was happening with every single GPUpdate, even when there had not been any changes to policy. All I can think is that perhaps there's some incompatibility with our Group policies and Server 2025 that is causing the policies to fail being applied, meaning that the system is seeing changes every time.
- JaySimmons
Microsoft
Hi DavidPower1985 ,
Thanks for that information, and I'm glad you found a workaround.
That said, the behavior you describe is almost certainly a bug, but so far I cannot explain how. I have tried to repro this locally but no luck so far. Would you be able to send me a copy of the exact LAPS GPO config that is applied during your deployment procedures? This would help me to narrow this down.
Thx,
Jay
- JaySimmons
Microsoft
David,
Not a known issue. As a first step, please run the Get-LapsDiagnostics from an elevated PowerShell console and PM me with the resultant .zip file.
thx,
Jay
PS Thanks Karl for letting me know about this issue.
JaySimmons you're welcome. Good luck for the investigation. Haven't had time to try a repro on my own.
DavidPower1985 the command will also fetch the Windows-LAPS Eventlogs, which are one of the most readable and structured I have seen in a long time 🙂
Can you tell more about the Host / VM OS build of WS 2025 preview? And also export your GPO settings as zip and attach here?
Hello just in case you have time fyi JaySimmons
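
The temporary workaround DavidPower1985 describes in the thread above, as an added example (not code posted by anyone in the thread): it sets the value for the duration of a deployment task and restores the prior state in a `finally` block, so a failed deployment cannot leave the reset delay in place. The function name, the `DeploymentTask` parameter and the REG_DWORD value type are assumptions; the key path, value name and value of 1 are taken from the post.

```powershell
#Requires -RunAsAdministrator
# Added example; key path and value name are the ones quoted in the thread.
$LapsConfigKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\LAPS\Config'
$ValueName     = 'PostAuthenticationResetDelay'

# Hypothetical helper: runs a deployment scriptblock with the delay applied.
function Invoke-WithLapsResetDelay {
    param(
        [Parameter(Mandatory)] [scriptblock] $DeploymentTask,
        [int] $DelayHours = 1   # value used in the thread
    )

    # Record what was there before so the original configuration is
    # restored exactly, not blindly deleted.
    $keyExisted = Test-Path -Path $LapsConfigKey
    $previous   = $null
    if ($keyExisted) {
        $previous = (Get-ItemProperty -Path $LapsConfigKey -Name $ValueName `
                        -ErrorAction SilentlyContinue).$ValueName
    } else {
        New-Item -Path $LapsConfigKey -Force | Out-Null
    }

    try {
        # Assumption: the value is stored as a REG_DWORD.
        Set-ItemProperty -Path $LapsConfigKey -Name $ValueName `
            -Value $DelayHours -Type DWord
        & $DeploymentTask
    }
    finally {
        if ($null -ne $previous) {
            # A value was already configured: put it back.
            Set-ItemProperty -Path $LapsConfigKey -Name $ValueName `
                -Value $previous -Type DWord
        } else {
            # No value before: remove ours, as the poster's automation does.
            Remove-ItemProperty -Path $LapsConfigKey -Name $ValueName `
                -ErrorAction SilentlyContinue
        }
        # Remove the key only if this function created it and it is now empty.
        if (-not $keyExisted -and -not (Get-Item $LapsConfigKey).Property) {
            Remove-Item -Path $LapsConfigKey
        }
    }
}

# Constructed usage: the scriptblock stands in for the real deployment steps.
# Invoke-WithLapsResetDelay -DeploymentTask { gpupdate /force }
```

While the value is set, a retrieved local administrator password stays valid for longer than the policy would normally allow, so the task passed in should be kept as short as the deployment permits.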