PAA 'Reset the password and reboot' fails when device is manually rebooted before PAA is executed
Awesome, thank you Atitej for confirming the fix is working as expected - much appreciated.
>>The best solution for this would be when the LAPS admin is used and the device
>>is manually rebooted, the PAA will be executed immediately without the reboot.
I assume what you meant was "the PAA will be executed immediately after the reboot"? If so I agree with you that that is one possible minor optimization, but I'm not making any further PAA changes in this regard.
Consider that there are numerous environmental reasons why PAA might not be able to complete the expected password rotation - untimely reboots are just one such issue, also consider network availability, network line-of-sight timing, etc. These issues are outside of the control of the PAA feature, which is why I explicitly kept the retry behavior as simple as possible, using a basic retry-every-30-minutes mechanism. I don't see the current behavior as confusing nor do I see it as a limitation. The goal of the PAA feature is to update the managed account password after the PAA expiry period, but we do not (and cannot) make any hard SLA guarantees as to when that will happen.
If you are still not satisfied with the current behavior, one option you can consider would be to manually force a pwd rotation after use, either via a remote PSH session calling the Reset-LapsPassword cmdlet, or (for Intune-managed devices) via the remote Intune pwd-reset feature.
Jay
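
The remote-session option mentioned in the reply above, sketched as an added example (not part of the original post and not Microsoft's code). It assumes AD-backed Windows LAPS, PowerShell remoting enabled on the target, and a caller who is a local administrator there and may read the LAPS attributes; the computer name and the polling interval are hypothetical.

```powershell
# Added example: force a Windows LAPS rotation on a remote device after the
# managed account has been used, then confirm that the directory copy changed.
# Assumptions: AD-backed Windows LAPS, PowerShell remoting enabled, caller is
# a local admin on the target and is allowed to read the LAPS attributes.
param(
    [Parameter(Mandatory)]
    [string]$ComputerName    # hypothetical target, e.g. 'PC-EXAMPLE-01'
)

$ErrorActionPreference = 'Stop'

# Record the last update time stored in AD before the rotation.
$before = (Get-LapsADPassword -Identity $ComputerName).PasswordUpdateTime

# Reset-LapsPassword acts on the local machine, so run it in a remote session.
Invoke-Command -ComputerName $ComputerName -ScriptBlock { Reset-LapsPassword }

# Re-read the AD record; replication can delay the change, so poll briefly.
$deadline = (Get-Date).AddMinutes(2)
do {
    Start-Sleep -Seconds 10
    $after = Get-LapsADPassword -Identity $ComputerName
} until ($after.PasswordUpdateTime -gt $before -or (Get-Date) -gt $deadline)

if ($after.PasswordUpdateTime -gt $before) {
    # Report timestamps only; the password itself is never printed.
    'Rotated: {0} updated {1}, expires {2}' -f $ComputerName,
        $after.PasswordUpdateTime, $after.ExpirationTimestamp
} else {
    Write-Warning "No new PasswordUpdateTime for $ComputerName within 2 minutes."
}
```

Comparing PasswordUpdateTime before and after gives a positive confirmation that the rotation reached the directory, instead of relying on the cmdlet returning without error.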