Event ID 10025: Azure discovery failed
Quick note: If you are just setting up the policy and seeing this error, you might just need a reboot.
Problem: I was testing the new Intune Windows LAPS saving local admin password to Azure AD (now named Entra ID) to manage an already created Windows local administrator account, but I was doing a bunch of changes within a small time frame to test different settings. This seems to have caused an issue with one laptop continually stating it needed to change the password but another event ID showed the password policy was not triggered and no change was needed. Almost like two policy settings existed and were competing to apply. I assume this happened when I was doing the changes and since it was unable to find the policy setting for the change it would fail to discover the policy to confirm the changes within Intune. I originally tried setting all settings to Not Configured/Disabled, confirmed Event Viewer Event ID 10024 showed LAPS was disabled, removed the device group, set new settings, added the device group, and checked Event Viewer. I had the same results even after a reboot, one machine worked the other had the same issues.
Solution: A new policy. After many searches online, most said it was due to the device enrollment state. My solution was to disable the policy be removing the device group from the scope and confirming within Event Viewer Event ID 10024 stating LAPS is disabled. Then I created a new policy with all the same settings. Event viewer showed Error Event ID 10025 on both machines, but after a reboot they worked as intended. The password showed up in Azure AD and Intune properly.
A new Event ID 10015 appeared stating:
“The managed account password needs to be updated due to one or more reasons (0X13):
The current password has expired
The policy authority has changed
Local state is missing and/or inconsistent with directory state”
I assume the new policy is the policy authority. This is probably why reusing the old policy and disabling/changing settings didn’t work since there was already something having an issue with that policy within the machine.