PAA 'Reset the password and reboot' fails when device is manually rebooted before PAA is executed
JaySimmons, I've managed to get the preview build installed (19045.3271) and did some testing:
Process run as LAPS admin: PAA executes after an hour, as configured
Login as LAPS admin: PAA executes after an hour, as configured
Process run as LAPS admin and manual reboot: PAA executes 30 minutes after the device has booted up
Login as LAPS admin and manual reboot: PAA executes 30 minutes after the device has booted up
So the original problem was that if you logged in as the LAPS admin and manually rebooted, it would not execute the PAA and therefore would not reboot and change the LAPS password as configured in Intune.
Now it does seem to execute the PAA after a manual reboot, but only after 30 minutes. I can see the following in the LAPS event log when the device is manually rebooted:
#################################
Eventid: 10025
Azure discovery failed.
Error code: 0x800706BA
See https://go.microsoft.com/fwlink/?linkid=2220550 for more information.
Eventid: 10043
LAPS failed to reset the password for the currently managed account. The password is considered expired due to an authentication event. LAPS will continue retrying the password reset operation until it succeeds.
Account name: <Account Name>
Account RID: 0x3E9
Password reset retry count: 0
Error code: 0x800706BA
#################################
And after 30 minutes it will execute the PAA:
#################################
Eventid: 10042
The post-authentication grace period has expired per policy. The configured post-authentication actions will now be executed.
Account name: <Account Name>
Account RID: 0x3E9
#################################
I'm assuming this will cause confusion among our users who will be using the LAPS admin, as they don't know exactly when the device will restart again.
The best solution for this would be that when the LAPS admin is used and the device is manually rebooted, the PAA is executed immediately without a further reboot. As the user has already rebooted the device, which is part of the PAA, there is no point in waiting another 30 minutes for the device to restart itself again. This would mean that as soon as the device reboots, the LAPS password is updated and there is no scheduled reboot.
I hope I made sense. Is this something which can be implemented? Or will we be running into limitations of LAPS?
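The timeline described above (event 10043 shortly after the manual reboot, event 10042 roughly 30 minutes later) can be measured directly from the LAPS operational log rather than watched by hand. The following PowerShell script is an added example, not code from the original post or from Microsoft; it assumes the log name Microsoft-Windows-LAPS/Operational and an elevated session. For reference, error code 0x800706BA in the quoted events is the Win32 code RPC_S_SERVER_UNAVAILABLE ("The RPC server is unavailable"), which is consistent with the reset being attempted before network connectivity is up after boot.

```powershell
# Added example (not from the original post or from Microsoft): lists LAPS events
# 10025 / 10043 / 10042 since the last boot and reports how long the
# post-authentication grace period actually ran on this device.
# Assumptions: log name 'Microsoft-Windows-LAPS/Operational'; run elevated.
$LogName  = 'Microsoft-Windows-LAPS/Operational'
$lastBoot = (Get-CimInstance -ClassName Win32_OperatingSystem).LastBootUpTime

$events = Get-WinEvent -FilterHashtable @{
    LogName   = $LogName
    Id        = 10025, 10042, 10043
    StartTime = $lastBoot
} -ErrorAction SilentlyContinue | Sort-Object TimeCreated

if (-not $events) {
    Write-Host "No LAPS events 10025/10042/10043 logged since last boot ($lastBoot)."
    return
}

# One line per event, with minutes elapsed since boot so the 30-minute gap is visible.
$events | ForEach-Object {
    $kind = switch ($_.Id) {
        10025 { 'Azure discovery failed' }
        10043 { 'Password reset failed (password expired by auth event)' }
        10042 { 'Grace period expired, PAA executing' }
    }
    '{0:u}  +{1,6:N1} min  {2}  {3}' -f $_.TimeCreated,
        ($_.TimeCreated - $lastBoot).TotalMinutes, $_.Id, $kind
}

# Gap between the first failed reset after boot and the PAA actually running.
$firstFail = $events | Where-Object Id -eq 10043 | Select-Object -First 1
$paa       = $events | Where-Object Id -eq 10042 | Select-Object -First 1

if ($firstFail -and $paa) {
    $gap = ($paa.TimeCreated - $firstFail.TimeCreated).TotalMinutes
    'Gap between first failed reset and PAA execution: {0:N1} minutes' -f $gap
}
elseif ($firstFail) {
    'Reset failed at {0:u}; event 10042 not yet logged, grace period still pending.' -f $firstFail.TimeCreated
}
```

Running this on a test device right after the manual reboot and again later shows whether the 10042 event appears at the expected offset; if 10043 keeps recurring with 0x800706BA long after the network is up, the failure is not just boot timing and is worth investigating separately from the PAA delay.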