LAPS has always been a good solution for local admin password management requirements.
But it is only working with on-prem active directory where we have feasibility to store the passwords in any of the available attributes.
When it comes to finding something same for Azure AD devices, Microsoft has not given anything yet for this.
I tried many blogs and websites as well as tried script something to tackle this situation where I can use this while implementing Autopilot with Intune.
And thanks to Alex Link who created a wonderful script and I found it very helpful in my case.
Requirements:
- Targeted devices must be running on latest Windows 10, in my case I have only tested it on 1809 build so far.
- For MDM I have used Intune, during implementing Autopilot.
- It also requires Azure subscription with storage account Link for BLOB and Azure tables (to store the password in place of AD attributes).
Now let me tell you the process….
Need to understand that how it works actually?
First, it requires LAPS application should be installed on the device, it can be achieved through script which I will be mentioning below or with the existing process, but the problem is with existing process, you can not control what should go first? Because when reset script run LAPS must be available on the device on first hand.
So, lets do everything with the help of scripts. It will go in few simple steps:
Step 1:
First, LAPS application Link upload to BLOB storage Link and get the SAS signature Link , that will be used in script to download it from BLOB.
Link to download first script.
Step 2:
First script will run on the device under system context and will request the executable file on the device and install it.
Step 3:
Once installed, second script (which will run immediately after completing the installation in first script, which is already getting triggered in the end of first script) will reset the targeted local admin passwords and it will be saved into Azure tables safely, need not to worry about the password travel, will be secured with HTTPS.
Script will also install a schedule task that will change the password every 3 months. But only if the device has the internet access.
Link to download second script.
Step 4:
Now it comes to retrieving the passwords, whenever it’s the requirement. Here is the last script comes in picture, you can convert this script into application to provide to your helpdesk so script would not be exposed. Retrieval of the password is also secured, even if somebody gets the access of storage tables, password will not be visible in clear text.
Link to download Getpassword script.
And this is how you will get the result once the get password application runs:
Please feel free to reach out to us if you have any queries and need any help with above solution or any other help related to Microsoft technologies.
Hi Dinesh,
really useful post, please have a look at https://www.srdn.io/2018/09/serverless-laps-powered-by-microsoft-intune-azure-functions-and-azure-key-vault/ im currently using that one because it utilizes the key vault instead of blobs.
Cheers
LikeLike
Hi Jose, first of all thanks for reading my blog and sharing another way to acomplish this. Does your way schedule the task as well to reset the password for targeted frequencies?
LikeLike
Can we do it with Multiple local admin accounts
LikeLike
I can check and let you know.
LikeLike
Yes, you can do it with Multiple local admin accounts as well, I have tested and it is working, try and let me know.
LikeLike