LAPS has always been a good solution for local admin password management requirements.
But it is only working with on-prem active directory where we have feasibility to store the passwords in any of the available attributes.
When it comes to finding something same for Azure AD devices, Microsoft has not given anything yet for this.
I tried many blogs and websites as well as tried script something to tackle this situation where I can use this while implementing Autopilot with Intune.
And thanks to Alex Link who created a wonderful script and I found it very helpful in my case.
Requirements:
- Targeted devices must be running on latest Windows 10, in my case I have only tested it on 1809 build so far.
- For MDM I have used Intune, during implementing Autopilot.
- It also requires Azure subscription with storage account Link for BLOB and Azure tables (to store the password in place of AD attributes).
Now let me tell you the process….
Need to understand that how it works actually?
First, it requires LAPS application should be installed on the device, it can be achieved through script which I will be mentioning below or with the existing process, but the problem is with existing process, you can not control what should go first? Because when reset script run LAPS must be available on the device on first hand.
So, lets do everything with the help of scripts. It will go in few simple steps:
Step 1:
First, LAPS application Link upload to BLOB storage Link and get the SAS signature Link , that will be used in script to download it from BLOB.
Link to download first script.
Step 2:
First script will run on the device under system context and will request the executable file on the device and install it.
Step 3:
Once installed, second script (which will run immediately after completing the installation in first script, which is already getting triggered in the end of first script) will reset the targeted local admin passwords and it will be saved into Azure tables safely, need not to worry about the password travel, will be secured with HTTPS.
Script will also install a schedule task that will change the password every 3 months. But only if the device has the internet access.
Link to download second script.
Step 4:
Now it comes to retrieving the passwords, whenever it’s the requirement. Here is the last script comes in picture, you can convert this script into application to provide to your helpdesk so script would not be exposed. Retrieval of the password is also secured, even if somebody gets the access of storage tables, password will not be visible in clear text.
Link to download Getpassword script.
And this is how you will get the result once the get password application runs:
Please feel free to reach out to us if you have any queries and need any help with above solution or any other help related to Microsoft technologies.
Hi Dinesh,
really useful post, please have a look at https://www.srdn.io/2018/09/serverless-laps-powered-by-microsoft-intune-azure-functions-and-azure-key-vault/ im currently using that one because it utilizes the key vault instead of blobs.
Cheers
LikeLike
Hi Jose, first of all thanks for reading my blog and sharing another way to acomplish this. Does your way schedule the task as well to reset the password for targeted frequencies?
LikeLike
Can we do it with Multiple local admin accounts
LikeLike
I can check and let you know.
LikeLike
Yes, you can do it with Multiple local admin accounts as well, I have tested and it is working, try and let me know.
LikeLike
Hi Dinesh,
Why do you actually install LAPS on the computers? As I can understand, it just gets installed but doesn’t really do anything after it is installed. Script number two generates the password, sets it on the administrator account(s) and uploads the password to Azure Tables. Is there something that I am missing?
Looking forward to your reply
LikeLike
First of all apologies for delay in response.
This is meant only for managing local admin passwords, it resets the local admin password and also schedules a task which will be resetting the password after every 60 days (you can set it whatever you want). IT help desk people who sometimes needs local admin password to troubleshoot on local computer also that password should not be the same forever, the way you have to reset the domain password after each cycle.
For more information: What does Microsoft LAPS do and not do?
LAPS provides the ability – via Group Policy – to randomize the password for a local admin account on a remote system joined to the domain. Policies control who can access the password. These passwords are then stored against the machine object in Active Directory and can be retrieved when access is needed to the account.
LAPS requires the system be on the domain, have a client-side extension loaded, and can ONLY manage the local admin account (even if it is renamed). LAPS does have the benefit of not requiring a functional account, and it is integrated into Active Directory. It does require a Client-Side Extension (CSE) on the client in order to function. In a nutshell, MS LAPS:
Does not support any other account/password changes besides the local admin
Does not support UNIX, Linux or OS X Mac accounts – only Windows
Does not offer any features for workflow, reporting, session monitoring, etc.
LikeLike
Here’s a “Password Rotation As a Service “solution that supports Azure AD joined computers, On Premises AD joined computers and soon to support Workgroup computers, MAC, UNIX systems too.
Secrets Vault by Synergix with special pricing for Edu and for Not-for-Profit organizations
https://www.synergix.com/products/secrets-vault/features/laps-for-azure-ad/
1. Password Rotation As a Service ( 3 local accounts )
a. Built-In Administrator Account
b. Alternate Administrator Account ( non S-500 account )
c. Restricted User Account
2. Inventory Information, used for correlation and data analytics
3. Auditing / Security Event Logs Forwarding
Know Who, What, When, Where, Why retrieve administrator password and actually used it for interactive logon or network logon purposes.
LikeLike
Thanks for sharing such a good alternate of password rotation solution, but it is paid.
I tried something which can be achieved with existing resources. But glad to see such researches on this solution.
LikeLike
Hi Dinesh,
You did not answer why LAPS is required in this case.
I checked Alex blog, everything is done with 3 scripts he has created.
The only one issue I see with these 3 scripts is that SAS Key in the script in plain text.
The rest is straight forward.
kind regards,
Ozzy
LikeLike
Thank you for sharing, I’m new to Intune implementation. Is their another article that explains how to use MDM Intune, during implementing Autopilot with storage account to run LASP.exe and Powershell.
LikeLike
Hi Ozzy,
I have followed the same scripts, he is also installing LAPS client, can you help me to understand what I am missing here?
Thanks,
Dinesh
LikeLike
Free Community Edition
https://azuremarketplace.microsoft.com/en-us/marketplace/apps/synergixinc1585256339250.laps-for-intune?tab=Overview
LikeLike
i’m running into a issue with running the GetPassword.ps1, when i run it i get this result:
Invoke-WebRequest : The remote server returned an error: (400) Bad Request.
At C:\GetLAPS\GetPassword.ps1:71 char:17
+ … $Response = Invoke-WebRequest -Method Get -Uri $URI -Headers $Headers …
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (System.Net.HttpWebRequest:HttpWebRequest) [Invoke-WebRequest], WebExc
eption
+ FullyQualifiedErrorId : WebCmdletWebResponseException,Microsoft.PowerShell.Commands.InvokeWebRequestCommand
ConvertFrom-Json : Cannot bind argument to parameter ‘InputObject’ because it is null.
At C:\GetLAPS\GetPassword.ps1:74 char:34
+ Return ,($Response.Content | ConvertFrom-Json).Value;
+ ~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidData: (:) [ConvertFrom-Json], ParameterBindingValidationException
+ FullyQualifiedErrorId : ParameterArgumentValidationErrorNullNotAllowed,Microsoft.PowerShell.Commands.ConvertFrom
JsonCommand
LikeLike
I ran into same issue, for me it was expired SAS signature from Azure table, from where it is pulling up the data. Try that and let me know.
LikeLike
Dinesh,
thank you for that and it did help, but i ended up with a new one any thoughts?
Invoke-WebRequest : AuthenticationFailedServer failed to authenticate the request. Make sure the value of Authorization header is formed correctly including the signature.
RequestId:8220b091-c01e-0018-25c4-3d12cd000000
Time:2021-04-30T13:28:06.5030911Zsr is mandatory. Cannot be empty
LikeLike
Dinesh,
here is a little more detail on the error:
Invoke-WebRequest : AuthenticationFailedServer failed to authenticate the request. Make sure the value of Authorization header is formed correctly including the signature.
RequestId:0603cb4a-901e-0088-55cd-3d8781000000
Time:2021-04-30T14:30:50.1141977ZSignature did not match. String to sign used was r
2021-04-30T14:03:50Z
2022-04-30T22:03:50Z
clearly i’m doing something wrong with the SAS signature.
LikeLike
Hi Steven, yes you are right, make sure while using the SAS signature you need to include complete URL starting from https://, else you may need to send the screenshot where you defining it, then only I can help you out.
Let me know if it works or not. Best of luck.
LikeLike
I realized i needed to use the SAS at the storage level so I’m getting this now:
Invoke-WebRequest : AuthorizationServiceMismatchThis request is not authorized to perform this operation using this service.
RequestId:172b1fbb-501e-003f-5819-408884000000
Time:2021-05-03T12:42:11.5016374Z
I took a look at the Access Control section and assigned me the Reader, Storage Blob Data Reader and Storage Blob Data Contributor. based this error. What do you think? None of these role assignments made a difference.
LikeLike