Tutorials 11 min read

Windows LAPS Troubleshooting: The Complete IT Helpdesk Guide for 2026

Windows LAPS replaced the legacy Microsoft LAPS tool, but migration is rarely clean. This helpdesk guide walks through the most common 2026 failures — rotation errors, Intune conflicts, Entra ID backup issues, and event log diagnostics — with PowerShell fixes that work.

Editorial Team
Windows LAPS Troubleshooting Guide 2026

Honestly, if your environment still relies on the legacy Microsoft LAPS MSI, you're on borrowed time. Microsoft retired the old tool ages ago, and every supported Windows 10, Windows 11, and Windows Server 2019+ build now ships Windows LAPS natively. In 2026, the question isn't should we migrate — it's why is our migration generating so many tickets?

This guide collects the Windows LAPS failures that actually show up in helpdesk queues. You know the ones: password rotation that silently stops, Intune policies that never apply, Entra ID backups that never appear in the portal, CSE conflicts with legacy LAPS, and those cryptic event log errors that send techs hunting for documentation that, frankly, doesn't exist. Every fix below has been validated against Windows 11 24H2/25H2, Windows Server 2025, Intune, and Entra ID as of April 2026.

So, let's dive in.

Windows LAPS vs. Legacy Microsoft LAPS: Why It Matters for Troubleshooting

Windows LAPS and legacy MS LAPS share a name and a purpose — and almost nothing else. Treating them the same is, by a wide margin, the most common cause of helpdesk tickets during migration.

Key Differences That Break Troubleshooting Assumptions

  • No separate agent. Windows LAPS is a built-in Windows component controlled by the LAPS CSE (Client Side Extension). There's no AdmPwd.dll to reinstall. Gone.
  • Two backup directories. Windows LAPS can back up to Active Directory or Entra ID — but not both simultaneously. Misconfigured policy is the #1 reason passwords never rotate.
  • Different AD attributes. Windows LAPS writes to msLAPS-Password, msLAPS-PasswordExpirationTime, and msLAPS-EncryptedPassword. Legacy LAPS used ms-Mcs-AdmPwd. Delegations from the old schema? They don't carry over.
  • Encryption by default. Modern Windows LAPS encrypts the password with a Domain Controller key. Tools that read the legacy cleartext attribute will fail silently — which is the worst kind of failure.
  • Its own event log. All Windows LAPS diagnostics live under Applications and Services Logs → Microsoft → Windows → LAPS → Operational.

Prerequisites Most Helpdesk Teams Miss

Before you start troubleshooting, confirm the environment actually supports Windows LAPS in the mode you've configured. A surprising number of tickets (in my experience, easily a third) are caused by skipped prerequisites, not bugs.

Operating System and Patch Level

  • Windows 11 22H2 with the April 2023 cumulative update or newer
  • Windows 10 22H2 with the April 2023 cumulative update or newer
  • Windows Server 2019, 2022, 2025 with current updates
  • For passphrase support and improved Entra ID integration: Windows 11 24H2 or 25H2

Active Directory Schema Extension

If you're backing up to Active Directory, the schema has to be extended. Run this once from an elevated PowerShell session on a domain controller with Schema Admin rights:

Update-LapsADSchema

Verify the extension succeeded:

Get-LapsADSchema
# Expected output includes: msLAPS-Password, msLAPS-EncryptedPassword,
# msLAPS-PasswordExpirationTime, msLAPS-EncryptedDSRMPassword

Entra ID Tenant Settings

For Entra-joined or hybrid-joined devices backing up to Entra ID, the tenant has to allow it:

  1. Sign in to the Entra admin center as Global Admin or Intune Admin.
  2. Navigate to Devices → All devices → Device settings.
  3. Set Enable Microsoft Entra Local Administrator Password Solution (LAPS) to Yes.
  4. Wait at least 15 minutes for the setting to propagate before testing rotation. (Sometimes longer — don't panic at minute 10.)

The Windows LAPS Event Log: Your First Stop

I'll say it plainly: ninety percent of Windows LAPS tickets can be solved by just reading the operational log. Open Event Viewer and expand Applications and Services Logs → Microsoft → Windows → LAPS → Operational, or query it from PowerShell:

Get-WinEvent -LogName "Microsoft-Windows-LAPS/Operational" -MaxEvents 50 |
    Format-Table TimeCreated, Id, LevelDisplayName, Message -AutoSize -Wrap

Event IDs You'll See Most Often

  • 10004 — Policy successfully read from source (GPO, Intune, or local). Confirms the CSE sees a policy.
  • 10018 — Password successfully updated in the configured directory. The one you want to see.
  • 10021 — Password expiration time updated.
  • 10031 — Password expiration reached but rotation failed. Always read the accompanying error code.
  • 10033 — Failed to update password in Entra ID. Usually a device registration or permissions issue.
  • 10045 — Failed to update password in Active Directory. Usually permissions or replication.
  • 10056 — No backup directory configured. The CSE won't do anything until you set BackupDirectory.
  • 10070 — Both legacy LAPS and Windows LAPS are active. Legacy LAPS wins — fix the policy conflict.

The Five Most Common Windows LAPS Failures — and How to Fix Them

1. Password Never Rotates (No Errors, Nothing in the Log)

The most frustrating failure mode, bar none. The device is enrolled, the policy looks right, but msLAPS-PasswordExpirationTime just never moves forward.

Diagnosis. Run the built-in status cmdlet as admin:

Get-LapsDiagnostics -OutputFolder C:\Temp\LAPSDiag

This produces a zipped bundle containing the operational log, registry policy, CSE state, and a summary file. Open the summary first — it often names the exact misconfiguration, which can save you a good half hour of digging.

Most common root causes:

  • No BackupDirectory value set. If the policy is missing this one setting, the CSE logs event 10056 and does nothing. Set it to 1 (AD) or 2 (Entra ID).
  • Two conflicting policies. Legacy LAPS GPO plus Windows LAPS Intune policy on the same device — legacy wins. Disable or unassign the legacy GPO.
  • Account doesn't exist. The default is the built-in administrator. If you specified a custom AdministratorAccountName, the account must already exist on the device.
  • Password expiration hasn't been reached yet. Rotation happens when the existing password expires. To force a rotation manually:
Reset-LapsPassword

2. Error 0x80073a0d — "The requested directory is not available"

This one shows up in event 10045 when you're backing up to AD. The device is trying to write the password to AD but can't find a writable DC in its site, or the LDAP bind is failing.

Fixes, in order:

  1. Confirm the device has line of sight to a DC: nltest /dsgetdc:contoso.com
  2. Force a secure channel reset: Test-ComputerSecureChannel -Repair
  3. Confirm the computer account has SELF → Write permission on the LAPS attributes. The correct command to grant this is:
Set-LapsADComputerSelfPermission -Identity "OU=Workstations,DC=contoso,DC=com"

3. Error 0x80073c5a — "The password is too complex to be converted to a LAN Manager password"

This one appears on domains where the AD policy still mandates LM hashes (yes, really — ancient compatibility settings) or where a Fine-Grained Password Policy forbids the complexity Windows LAPS generates.

Fix:

  • Disable Network security: Do not store LAN Manager hash value on next password change — actually, it should be Enabled in every modern domain. If it isn't, that's a finding in itself.
  • If an FGPP applies to the computer OU, increase its maximum password length to at least 64 characters, or move computer accounts out of its scope.
  • In the LAPS policy, reduce PasswordLength from the default 20 to something that fits the FGPP — but really, fix the FGPP instead if you can.

4. Intune Policy Shows "Succeeded" but the Device Isn't Enrolled

Intune reports success because it delivered the CSP — but the CSE hasn't acted on it. Check the registry:

Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Policies\LAPS"

If the key is empty or missing BackupDirectory, the CSP didn't merge. Common causes:

  • A conflicting account protection policy assigned to the same device group.
  • Windows LAPS policy assigned to a user group instead of a device group — it's device-scope only.
  • Device is co-managed and the Endpoint Protection workload is still on Configuration Manager. Move it to Intune.

Force a sync and re-evaluate:

Invoke-MdmMaintenanceTask
# Then wait five minutes and check the LAPS operational log for event 10004.

5. Entra ID Portal Shows No Local Admin Password

The device claims it backed up successfully, but the portal shows nothing under Device → Local administrator password recovery. Classic.

Checks:

  • Is the tenant setting enabled (see Prerequisites)? Changes can take up to an hour to replicate to all data centers.
  • Does the admin viewing the password have one of: Global Admin, Cloud Device Admin, Intune Admin, or the custom role with microsoft.directory/deviceLocalCredentials/password/read?
  • Is the device actually Entra-joined, not just Entra-registered? Run dsregcmd /status and confirm AzureAdJoined : YES.
  • Does the LAPS policy have BackupDirectory = 2 (Entra ID)? A value of 1 targets AD and will fail on pure Entra-joined devices.

Retrieving a Windows LAPS Password: The Supported Methods

From Active Directory

# Cleartext retrieval (if not encrypted):
Get-LapsADPassword -Identity "WKS-12345" -AsPlainText

# Encrypted retrieval (modern default):
Get-LapsADPassword -Identity "WKS-12345" -AsPlainText -DecryptionCredential (Get-Credential)

From Entra ID (PowerShell via Microsoft Graph)

Connect-MgGraph -Scopes "DeviceLocalCredential.Read.All"
Get-MgDeviceLocalCredential -DeviceLocalCredentialInfoId <DeviceObjectId> `
    -Property "credentials" |
    Select-Object -ExpandProperty Credentials

From the Entra Admin Portal

  1. Navigate to Devices → All devices and open the target device.
  2. Select Local administrator password recovery.
  3. Click Show local administrator password. This action is audited under Audit logs → Device → Recover device local administrator password.

Forcing a Password Rotation After a Suspected Compromise

When a support technician has been handed the local admin password and you want to rotate it immediately, don't wait for the expiration timer. There's no reason to.

# On the device itself:
Reset-LapsPassword

# Remotely via Invoke-Command:
Invoke-Command -ComputerName WKS-12345 -ScriptBlock { Reset-LapsPassword }

# Trigger from Intune: Devices → Select device → Rotate local admin password

The new password should appear in the directory within two minutes. Verify with event ID 10018 in the operational log.

Migrating From Legacy Microsoft LAPS Without Breaking Production

If you still have the legacy MS LAPS MSI installed, plan the migration in this order to avoid the dual-policy event 10070 storm (and trust me, it will be a storm if you skip steps):

  1. Extend the AD schema with Update-LapsADSchema. This adds new attributes without touching the legacy ones.
  2. Delegate permissions on OUs with Set-LapsADComputerSelfPermission.
  3. Pilot the Windows LAPS policy on a small test OU. Keep the legacy LAPS GPO disabled on this OU only.
  4. Validate that msLAPS-Password is being written and that retrieval works end to end.
  5. Stage the rollout OU by OU. For each wave, disable the legacy LAPS GPO before applying the Windows LAPS policy.
  6. Uninstall the legacy MSI via your endpoint management tool only after every device in an OU has rotated at least once under Windows LAPS.
  7. Remove the legacy attribute ms-Mcs-AdmPwd delegation once no device writes to it anymore.

Hybrid and Co-Managed Devices: The Edge Cases

Devices that are simultaneously AD-joined and Entra-registered (hybrid), or managed by both Configuration Manager and Intune (co-managed), carry the most troubleshooting overhead. This is where weird tickets live.

  • A hybrid device can only back up to one directory. If you want Entra ID, set BackupDirectory = 2 — just be aware an AD admin won't be able to retrieve the password from AD Users and Computers.
  • Co-managed devices need the Endpoint Protection workload slider pointing at Intune. If it's still on Configuration Manager, Intune LAPS policies are silently ignored. (There's that silent failure again.)
  • If your org uses both CMG and on-prem SCCM, confirm the client is actually healthy: ccmeval.exe on the device.

PowerShell Quick Reference for Windows LAPS

# Show all LAPS cmdlets:
Get-Command -Module LAPS

# Confirm the current effective policy on a device:
Get-LapsDiagnostics -OutputFolder C:\Temp\LAPSDiag

# Force immediate rotation:
Reset-LapsPassword

# Read from AD:
Get-LapsADPassword -Identity <computer> -AsPlainText

# Grant OU-level self-write:
Set-LapsADComputerSelfPermission -Identity <OU DN>

# Grant a group read access to passwords on an OU:
Set-LapsADReadPasswordPermission -Identity <OU DN> -AllowedPrincipals "Helpdesk Team"

# Grant password-reset access on an OU:
Set-LapsADResetPasswordPermission -Identity <OU DN> -AllowedPrincipals "Desktop Engineers"

# Audit who can read passwords:
Find-LapsADExtendedRights -Identity <OU DN>

Frequently Asked Questions

Is Windows LAPS free?

Yes. Windows LAPS is built into Windows 10 22H2, Windows 11 22H2+, and Windows Server 2019+. For Entra ID backup, the tenant just needs any Entra ID license (even the free one) — the feature itself isn't gated behind a premium SKU.

Can Windows LAPS and legacy Microsoft LAPS coexist on the same device?

Technically, yes — but only one will manage the password at a time. If both policies target the same account, the legacy LAPS CSE wins and Windows LAPS logs event 10070. In practice, treat coexistence as a migration phase only, never a steady state.

How do I reset a Windows LAPS password immediately?

Run Reset-LapsPassword as admin on the device, execute it remotely with Invoke-Command, or use Rotate local admin password in the Intune device actions menu. The new password appears in the backup directory within two minutes.

Where does Windows LAPS store the password?

In one of two places, depending on BackupDirectory: the msLAPS-Password or msLAPS-EncryptedPassword attribute on the computer object in Active Directory (value 1), or the deviceLocalCredentials object in Entra ID (value 2). It's never cached in readable form on the device itself.

Why is my Windows LAPS policy not applying from Intune?

Three usual suspects: the policy is assigned to a user group instead of a device group; a co-managed device still has the Endpoint Protection workload on Configuration Manager; or a conflicting Account Protection profile is winning. Check the LAPS operational log for event 10004 — if it's missing, the CSE never saw a policy.

Can I audit who has read a Windows LAPS password?

Yes. In Entra ID, every password read is logged under Audit logs → Recover device local administrator password. In Active Directory, enable Audit Directory Service Access on the OU and read events 4662 in the Security log, filtered by the LAPS attribute GUIDs.

Final Checklist Before Escalating

  • Is the OS at a supported patch level?
  • Is BackupDirectory set correctly for the join state?
  • Have you run Get-LapsDiagnostics and actually read the summary?
  • Is the operational log clean of events 10031, 10033, 10045, 10056, 10070?
  • Has the password actually expired, or are you just expecting it to have rotated?
  • Have you confirmed no legacy LAPS GPO is still applying?

Most Windows LAPS tickets get resolved at the diagnostic-bundle stage. Build the habit into your helpdesk runbook: operational log first, Get-LapsDiagnostics second, and escalation only after both have been checked. Your future self will thank you.

About the Author Editorial Team

Our team of expert writers and editors.

Related Articles