We are currently using the following PAA option within the LAPS policy:
"Reset the password and reboot: upon expiry of the grace period, the managed account password will be reset and the managed device will be immediately rebooted."
When you log in as the LAPS admin on the device, the following event is generated:
##############################
10042
The post-authentication grace period has expired per policy. The configured post-authentication actions will now be executed.
##############################
When you now reboot the device manually before the PAA executes, LAPS follows up with the following events:
##############################
10047
A pending post-authentication reset timer has been rescheduled after a reboot.
10051
LAPS is updating the managed account password in response to a post-authentication action.
10030
LAPS is sending a message to the following endpoint.
https://enterpriseregistration.windows.net/XXXXXXX
10025
Azure discovery failed.
10005
LAPS policy processing failed with the error code below.
Error code: 0x800706BA
##############################
This results in the LAPS password not being updated in Azure AD, which means the password can be used again and again until the 'next password rotation' kicks in, which makes this solution insecure.
The Microsoft docs tell us the following for event ID 10025:
1) Verify that you can connect successfully to the registration endpoint (https://enterpriseregistration.windows.net). If you open Microsoft Edge or Google Chrome and connect to the registration endpoint (https://enterpriseregistration.windows.net), you get a message "Endpoint not found". This message means you can connect to the Enterprise Registration Endpoint.
2) If you're using a proxy server, verify that your proxy is configured under the system context. You can open an elevated command prompt and run the netsh winhttp show proxy command to display the proxy.
We've tested this, and visiting https://enterpriseregistration.windows.net gives us the expected response ("Endpoint not found").
Also, 10 minutes after the 10025 event it starts processing the LAPS policy again, which it does successfully, but it does not update the password as part of the PAA:
##############################
10016
The managed account password does not need to be updated at this time.
10004
LAPS policy processing succeeded.
##############################
This also shows there is no problem reaching https://enterpriseregistration.windows.net. We've tested this on both Windows 10 and Windows 11 with the latest updates.
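The following PowerShell is an added example, not part of the original post or of Microsoft's LAPS tooling. It walks the Windows LAPS operational event log and correlates the event IDs quoted above, so that a device where the grace period expired (10042), a reset was attempted (10051) and policy processing then failed (10005) is reported instead of silently keeping its old password. Assumptions: the log channel name 'Microsoft-Windows-LAPS/Operational', the event IDs as shown in the post, and that a 10004 only counts as a successful reset when a 10051 preceded it (the 10016/10004 pair in the post does not).

```powershell
# Added example (not from the original post): correlate Windows LAPS
# post-authentication-action events and report resets that were triggered
# but never completed.
# Assumed: log channel name and the event IDs quoted in the post.

$LogName = 'Microsoft-Windows-LAPS/Operational'
$Since   = (Get-Date).AddDays(-7)

function Get-LapsPaaFailures {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [datetime]$StartTime  = $Since
    )

    $filter = @{
        LogName   = $LogName
        Id        = 10004, 10005, 10042, 10051
        StartTime = $StartTime
    }
    $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Sort-Object TimeCreated

    $pending  = $null
    $failures = @()

    foreach ($e in $events) {
        switch ($e.Id) {
            10042 {
                # Grace period expired: a password reset is now expected to follow.
                $pending = [pscustomobject]@{
                    ComputerName   = $ComputerName
                    GraceExpired   = $e.TimeCreated
                    ResetAttempted = $null
                    FailedAt       = $null
                    ErrorCode      = $null
                }
            }
            10051 {
                # LAPS is updating the managed account password for the PAA.
                if ($pending) { $pending.ResetAttempted = $e.TimeCreated }
            }
            10005 {
                # Policy processing failed after the reset attempt: record it.
                if ($pending -and $pending.ResetAttempted) {
                    $pending.FailedAt  = $e.TimeCreated
                    $pending.ErrorCode = if ($e.Message -match '0x[0-9A-Fa-f]{8}') { $Matches[0] } else { 'unknown' }
                    $failures += $pending
                    $pending = $null
                }
            }
            10004 {
                # Policy processing succeeded after a 10051: the reset went through.
                # A 10004 with no preceding 10051 (the 10016 path in the post)
                # does not resolve a pending reset and is ignored here.
                if ($pending -and $pending.ResetAttempted) { $pending = $null }
            }
        }
    }

    # A 10042 with no reset outcome at all in the window is also worth a look.
    if ($pending) { $failures += $pending }
    return $failures
}

Get-LapsPaaFailures | Format-Table -AutoSize
```

Run it on the device itself, or pass a list of names to the ComputerName parameter for a fleet check. For any device it reports, Reset-LapsPassword from the Windows LAPS module forces an immediate rotation, which closes the window in which the already-used password stays valid until the next scheduled rotation.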