Windows LAPS post-authentication bug

Niklas Tinner
Jun 9, 2023

During my research and testing with the new Windows LAPS, I discovered a strange behavior in the post-authentication action. Continue reading if you are interested in the blog and how I was in contact with Microsoft to resolve it.

View my full blog post: Windows LAPS: the comprehensive guide (oceanleaf.ch)

Post-authentication action

Windows LAPS lets you specify an action that is triggered after the account managed by LAPS has authenticated successfully. See the Microsoft docs for PostAuthenticationActions. This setting works in combination with PostAuthenticationResetDelay, which specifies the amount of time (in hours) to wait after an authentication before executing the specified post-authentication actions.

Intune configuration

Now you would assume that this post-authentication action only happens after a successful authentication, one that reflects actual use of the account.

The bug/missing feature

I discovered that there was also an event viewer entry to trigger a post-authentication when the authentication with the LAPS-managed account was not successful. This means that, regardless of whether the account really authenticated or was just approached with wrong credentials (brute-force), the post-authentication action will be triggered.

Brute-force account
LAPS detected a successful authentication
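
One way to spot the behaviour described above in exported event logs, as an added example that is not from the original post: flag every LAPS "detected a successful authentication" event that has no Security 4624 logon for the managed account shortly before it. The record layout, the account name `lapsadmin`, the 60-second window and all sample events are constructed assumptions.

```python
from datetime import datetime, timedelta

# Text of the LAPS event as shown in the post's screenshot caption.
LAPS_POST_AUTH_TEXT = "LAPS detected a successful authentication"
LOGON_SUCCESS, LOGON_FAILURE = 4624, 4625  # Windows Security log event IDs

# Constructed sample events: (time, log, event id or None, account, message).
# Assumption: events were exported and normalised so each carries the account.
SAMPLE_EVENTS = [
    ("2023-06-01T09:00:05", "Security", 4624, "lapsadmin", "An account was successfully logged on."),
    ("2023-06-01T09:00:06", "LAPS", None, "lapsadmin", "LAPS detected a successful authentication"),
    ("2023-06-02T14:10:01", "Security", 4625, "lapsadmin", "An account failed to log on."),
    ("2023-06-02T14:10:02", "Security", 4625, "lapsadmin", "An account failed to log on."),
    ("2023-06-02T14:10:03", "LAPS", None, "lapsadmin", "LAPS detected a successful authentication"),
]


def find_unbacked_post_auth(events, account, window_seconds=60):
    """Return LAPS post-authentication detections with no real logon behind them.

    Each finding is (time of the LAPS event, failed logons seen in the window).
    """
    account = account.lower()
    window = timedelta(seconds=window_seconds)
    parsed = [(datetime.fromisoformat(t), log, eid, acct.lower(), msg)
              for t, log, eid, acct, msg in events]
    findings = []
    for when, log, _eid, acct, msg in parsed:
        if log != "LAPS" or acct != account or LAPS_POST_AUTH_TEXT not in msg:
            continue
        # Security events for the same account shortly before the LAPS event.
        nearby = [eid for t, src, eid, a, _m in parsed
                  if src == "Security" and a == account and when - window <= t <= when]
        if LOGON_SUCCESS not in nearby:
            findings.append((when.isoformat(), nearby.count(LOGON_FAILURE)))
    return findings


if __name__ == "__main__":
    for when, failures in find_unbacked_post_auth(SAMPLE_EVENTS, "lapsadmin"):
        print(f"{when}: post-authentication scheduled after {failures} failed logon(s), no success")
```
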

My contact with Microsoft

First, I wrote an email directly to a Microsoft engineer who I knew was working on LAPS, to ask him whether this is expected behavior. He answered that I had just found a bug, but that there would not be a real security concern. For instance, rotating the password too often is not considered a vulnerability. (But you should verify that you have not set it to reboot.)

To make sure everything follows the right process, I decided to open an MSRC (Microsoft Security Response Center) case. My report included a description, “how to abuse” and details on how to reproduce the issue. Microsoft analyzed the situation and they came to the conclusion that this is not a security vulnerability.

A fix (non-security) is expected in one of the upcoming Patch Tuesdays (summer 2023).
