Windows LAPS EventIDs and XPath Queries

The Local Administrator Password Solution (LAPS) is a vital tool for managing and securing local administrator accounts in Windows environments. Microsoft recently released an updated version of Windows LAPS, introducing new Event IDs to help administrators monitor and manage their environment effectively. In this blog post, we'll explore these Event IDs and discuss how you can use them to enhance your security and monitoring strategies.

Policy Processing Cycle Start and End Event IDs

These Event IDs allow administrators to monitor the start and end of LAPS policy processing:

  • 10003: LAPS policy processing is now starting.
  • 10004: LAPS policy processing succeeded.
  • 10005: LAPS policy processing failed with an error code.

Policy Configuration Details Event IDs

Keep track of how your LAPS policy is configured with these Event IDs:

  • 10021: Policy is configured to back up the password to Windows Server Active Directory.
  • 10022: Policy is configured to back up the password to Azure Active Directory.
  • 10023: Windows LAPS is configured to use a legacy Microsoft LAPS policy.

Password Update Confirmation Event IDs

Monitor successful password updates with these Event IDs:

  • 10018: LAPS successfully updated Active Directory with the new password.
  • 10029: LAPS successfully updated Azure Active Directory with the new password.
  • 10020: LAPS successfully updated the local admin account with the new password.

Blocked External Password Modification Event ID

Detect and monitor attempts to modify passwords externally:

  • 10031: LAPS blocked an external request that tried to modify the password of the current managed account.

Post-Authentication Action Event IDs

Monitor post-authentication actions and status with these Event IDs:

  • 10041: LAPS detected a successful authentication for the currently managed account, and a background task has been scheduled for post-authentication actions.
  • 10042: The post-authentication grace period expired per policy; configured post-authentication actions will now be executed.
  • 10043: LAPS failed to reset the password for the currently managed account; the system will continue retrying the password reset operation.
  • 10044: LAPS successfully reset the password for the currently managed account and completed all configured post-authentication actions.

Uncategorized Event IDs

These Event IDs cover legacy-policy conflicts, directory update failures, domain controller selection, and other operational messages:

  • 10033: The machine is configured with legacy LAPS policy settings, but a legacy LAPS product is installed. The password will not be managed by Windows LAPS until the legacy product is uninstalled or newer LAPS policy settings are configured.
  • 10066: LAPS received an LDAP_INSUFFICIENT_RIGHTS error trying to update the password using the LAPS password attribute. You should update the permissions on this computer's container using the Set-LapsADComputerSelfPermission cmdlet.
  • 10017: LAPS failed to update Active Directory with the new password. The current password has not been modified. Error code: 0x80070032
  • 10015: The managed account password needs to be updated due to one or more reasons (0x1A06):
      - Account does not have a password expiration attribute
      - The policy authority has changed
      - The policy is configured for password encryption but the encrypted password attribute was not found
      - The policy was changed to specify a different password encryption target
      - Local state is missing and/or inconsistent with directory state
  • 10009: LAPS is configured to back up passwords to Active Directory.
  • 10055: LAPS is using the following domain controller: DCName: DC01.XXXX.XXXX
  • 10052: LAPS is processing the current policy per normal background scheduling.
  • 10011: LAPS failed when querying Active Directory for the current computer state. Error code: 0x80070031
  • 10054: LAPS is processing the current policy in response to a Group Policy change notification.
  • 10057: LAPS was unable to bind over LDAP to the domain controller: DCName: XXX.XXX.COM, Error code: 0x31

Get-WinEvent PowerShell Example

In addition to understanding the new Windows LAPS Event IDs, you can also use PowerShell to monitor your environment effectively. Here's a simple example of how to use PowerShell to query the Microsoft-Windows-LAPS/Operational log for events with the Event ID 10033:

# The filter is a complete QueryList document, so it is passed to -FilterXml.
# -FilterXPath accepts only the bare expression (here *[System[(EventID=10033)]])
# and cannot be combined with a QueryList; -LogName is likewise not needed,
# because the log path is already given in the query.
$Filter = @'
<QueryList>
    <Query Id="5" Path="Microsoft-Windows-LAPS/Operational">
        <Select Path="Microsoft-Windows-LAPS/Operational">*[System[(EventID=10033)]]</Select>
    </Query>
</QueryList>
'@
Get-WinEvent -FilterXml ([xml]$Filter)
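The same technique extended to the failure and tamper-related Event IDs listed earlier in this post, as an added example that is not code from the original post. It assumes a 24-hour look-back window and the category labels used in the hashtable; the Event IDs themselves are the ones documented above.

```powershell
# Added example, not code from the original post: one FilterXml query that pulls
# the failure and tamper-related Windows LAPS events from the last 24 hours and
# summarises them. The Event IDs are the ones listed in the post; the 24-hour
# window and the category labels are assumptions made for this example.
$EventIds = @{
    10005 = 'Policy processing failed'
    10017 = 'AD password update failed'
    10031 = 'External password modification blocked'
    10043 = 'Post-authentication password reset failed'
    10057 = 'LDAP bind to domain controller failed'
    10066 = 'LDAP_INSUFFICIENT_RIGHTS on password attribute'
}

# Build the XPath clause "EventID=10005 or EventID=10017 or ..."
$IdClause = ($EventIds.Keys | Sort-Object | ForEach-Object { "EventID=$_" }) -join ' or '

# timediff() is in milliseconds; 86400000 ms = 24 hours. Inside the XML the
# comparison operator must be written as &lt;=.
$Filter = @"
<QueryList>
  <Query Id="0" Path="Microsoft-Windows-LAPS/Operational">
    <Select Path="Microsoft-Windows-LAPS/Operational">
      *[System[($IdClause) and TimeCreated[timediff(@SystemTime) &lt;= 86400000]]]
    </Select>
  </Query>
</QueryList>
"@

# A full QueryList document goes to -FilterXml; -FilterXPath takes only the bare expression.
$Events = Get-WinEvent -FilterXml ([xml]$Filter) -ErrorAction SilentlyContinue

if (-not $Events) {
    Write-Host 'No matching LAPS events in the last 24 hours.'
    return
}

# Per-event view: time, ID, category label, and the first line of the message
$Events |
    Select-Object TimeCreated, Id,
        @{ n = 'Category'; e = { $EventIds[$_.Id] } },
        @{ n = 'Summary';  e = { ($_.Message -split "`r?`n")[0] } } |
    Sort-Object TimeCreated -Descending |
    Format-Table -AutoSize

# Counts per Event ID; repeated 10031 on one host deserves a closer look
$Events | Group-Object Id | Sort-Object Count -Descending |
    Select-Object @{ n = 'EventId'; e = { [int]$_.Name } },
                  @{ n = 'Category'; e = { $EventIds[[int]$_.Name] } }, Count
```

Run it on the managed machine itself or add -ComputerName to Get-WinEvent to query a remote host; the hashtable is the single place to adjust which Event IDs count as worth alerting on.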

XPath Queries and Excel Spreadsheet

Additionally, all the XPath queries are available on my GitHub repository, and you can download the Excel spreadsheet containing the Event IDs. These resources will help you easily integrate the Event IDs into your monitoring strategy.

GitHub: Kaidja/Microsoft-Sentinel, file Microsoft-Sentinel/LAPS-All-EventIDs.xml (main branch)

Conclusion

Understanding and monitoring the new Windows LAPS Event IDs is essential for keeping your environment secure and well-managed. By keeping track of these Event IDs, you can identify potential security risks, track policy configurations, and ensure smooth password management. Make sure to integrate these Event IDs into your monitoring strategy to maintain a secure and efficient Windows environment.