In this blog we will discuss Windows Local Administrator Password Solution (LAPS) and the steps to implement it.
LAPS is a Windows feature that automatically manages and backs up the password of a local administrator account on Azure Active Directory-joined or Windows Server Active Directory-joined devices. It gives administrators an easy way to manage privileged account passwords: every device gets its own randomly generated password that is rotated on a schedule, so a local administrator password recovered from one device cannot be reused to log on to the others.
We can enable LAPS and manage the administrator password through the Intune portal. Let’s find out how to enable and use it.
Enable Windows LAPS
To enable Windows LAPS we have to head to Azure AD, open the Devices blade and toggle on the relevant setting.
Go to Azure AD -> Devices -> Device settings and enable “Enable Azure AD Local Administrator Password Solution (LAPS) (Preview)”.
Now that LAPS is enabled let’s create a policy to deploy and manage it.
Intune Policy Creation
Before creating the LAPS policy we first have to create the local admin account (for this example we will name it WindowsLocalAdmin) on the endpoints, and then create a policy that applies the password rotation and the other LAPS-related settings to that account.
The local administrator account can be created following various approaches:
- by using a Remediation script that checks if the account exists and creates it if not (preferred way)
- by packaging a PowerShell script in a Win32 application and deploying it to the endpoints (same as the above, but we package the PowerShell script into a Win32 app. Check here for packaging details.)
- by creating an Account protection profile that manages local user group membership
Let’s explore all the above options.
Local Administrator through a remediation script
In this approach we will create a new Remediation script that will be deployed to the endpoints and check if our local admin exists, and if not it will create it.
Personally, I believe that this approach is the most suitable for what we are trying to achieve since we can get immediate feedback from the detection-remediation output.
Let’s check the 2 scripts initially, one for detection and one for remediation.
## Detection Script ##
$adminName = "WindowsLocalAdmin"
try {
    # Get-LocalGroupMember returns names as COMPUTER\user, so compare on the part after the backslash
    $members = Get-LocalGroupMember -Group "Administrators" -ErrorAction Stop |
               ForEach-Object { $_.Name.Split('\')[-1] }
}
catch {
    # Get-LocalGroupMember fails ("Failed to compare two elements in the array") when the group
    # contains orphaned SIDs; fall back to ADSI, which tolerates them
    $group = [ADSI]"WinNT://./Administrators,group"
    $members = @($group.psbase.Invoke("Members")) | ForEach-Object {
        $_.GetType().InvokeMember("Name", "GetProperty", $null, $_, $null)
    }
}
if ($adminName -in $members) {
    Write-Output "Local admin exists. Remediation not needed."
    # exit 0 to not remediate
    exit 0
}
else {
    Write-Output "Local admin doesn't exist. Must create. Going to remediation."
    # exit 1 to remediate
    exit 1
}
## Remediation Script ##
$username = "WindowsLocalAdmin"
# Generate a random initial password instead of hardcoding one that would be identical on every
# endpoint (and readable in the script logs); LAPS rotates it as soon as the policy applies
Add-Type -AssemblyName System.Web
$password = ConvertTo-SecureString ([System.Web.Security.Membership]::GeneratePassword(24, 4)) -AsPlainText -Force
# Creating the user and adding it to the Administrators group, which is what the detection script checks
New-LocalUser -Name $username -Password $password -FullName $username -Description "LAPS Admin" -PasswordNeverExpires
Add-LocalGroupMember -Group "Administrators" -Member $username
Let’s create the remediation script and check its behavior.
At this step we have to select the frequency that our script is going to run. Daily is a good option but we could also choose weekly.
Now let’s wait for the script to be deployed and check the results. Ok, the script is deployed.
If we check the Remediation results we will see that the administrator was created successfully.
One thing to mention here: Get-LocalGroupMember may fail with the error “Failed to compare two elements in the array”. This is a common error caused by orphaned (empty) SIDs in the Administrators group, i.e. members whose account no longer resolves to a name. For more information check the links below:
- Get-LocalGroupMember generates error for Administrators group
- Fix Powershell error Get-LocalGroupMember Failed to compare two elements in the array.
- How to Find a User’s Security Identifier (SID) in Windows
Let’s have a look at the endpoint’s side now. We can see that our local admin is present.
Local Administrator through an Account protection profile
Another way to create an administrator account is through an Account protection profile. Just to mention here that this does not seem to work properly in conjunction with the LAPS policy, so I do not recommend it for our scenario (I am presenting it for general information only).
Head to “Endpoint security” and select “Account protection”. Click “Create Policy” and select “Local user group membership”.
Give a name and a description to your policy.
Select “Add” and choose the Administrators group and “Manual” selection type. Type your admin name, assign the policy to a group and create it.
Create LAPS Policy
Now that we have enabled LAPS in Azure AD and created the local admin on our endpoints, let’s create and roll out the LAPS policy itself.
Head to “Account protection” and create a New “Local admin password solution (Windows LAPS)” profile.
Give a name and a description.
Now select the desired settings. Let’s set the Backup Directory to Azure AD (that is where we enabled LAPS and where Intune will read the password from), set the Administrator Account Name to the account we created (WindowsLocalAdmin) and pick a password complexity. We can define many other settings such as the password rotation period, password length, etc. More details can be found here.
Assign the policy to the desired group and create it.
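Waiting for the policy to land and then checking the portal is fine, but on a test device it is faster to verify the policy from the endpoint itself. The following script is an added example (not part of the original post or of the Windows LAPS product): it assumes the Intune LAPS settings are written to HKLM:\SOFTWARE\Microsoft\Policies\LAPS, uses the example values from this post (WindowsLocalAdmin, Azure AD backup) plus assumed length and age values, and must be run in an elevated PowerShell on a device that has the built-in Windows LAPS module.

```powershell
# Added example, not from the original post: check that the Intune LAPS policy has
# applied on this endpoint, force a processing cycle and read the LAPS event log.
# Assumptions: policy key path below, expected values chosen for this example, elevated shell.

$expected = @{
    AdministratorAccountName = 'WindowsLocalAdmin'
    BackupDirectory          = 1    # 0 = disabled, 1 = Azure AD, 2 = Windows Server AD
    PasswordComplexity       = 4    # 4 = large + small letters, numbers and special characters
    PasswordLength           = 14   # assumed value for this example
    PasswordAgeDays          = 30   # assumed value for this example
}

$policyKey = 'HKLM:\SOFTWARE\Microsoft\Policies\LAPS'
if (-not (Test-Path $policyKey)) {
    Write-Warning "No LAPS policy found under $policyKey; the Intune profile has not applied yet."
    return
}
$policy = Get-ItemProperty -Path $policyKey

# Compare every expected setting with what the policy key actually contains
$mismatches = foreach ($name in $expected.Keys) {
    $actual = $policy.$name
    if ($actual -ne $expected[$name]) {
        [pscustomobject]@{ Setting = $name; Expected = $expected[$name]; Actual = $actual }
    }
}
if ($mismatches) {
    Write-Warning 'The applied policy differs from the expected values:'
    $mismatches | Format-Table -AutoSize
}

# The managed account has to exist and be an administrator, otherwise LAPS has nothing
# to manage and the "Local admin password" blade in Intune stays empty
$member = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue |
          Where-Object { $_.Name -like "*\$($expected.AdministratorAccountName)" }
if (-not $member) {
    Write-Warning "$($expected.AdministratorAccountName) is not a member of Administrators."
}

# Trigger a policy processing cycle now instead of waiting for the next scheduled one.
# Reset-LapsPassword would additionally force an immediate rotation (the local
# equivalent of the "Rotate local admin password" button in Intune).
Invoke-LapsPolicyProcessing

# The operational log shows whether the password was rotated and backed up to Azure AD
Get-WinEvent -LogName 'Microsoft-Windows-LAPS/Operational' -MaxEvents 10 |
    Select-Object TimeCreated, Id, LevelDisplayName, Message |
    Format-Table -AutoSize -Wrap
```

If the policy key is missing, sync the device from the Intune portal (or from Settings > Accounts > Access work or school) and run the script again; if the key is there but the account is not an administrator, the remediation script above has not run yet on this device.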
Results
After waiting for a while the LAPS policy will take effect and we will be able to check the results on the devices. If we open a device in Intune we can see that a new record is shown under the “Local admin password” option.
If we click the “Show local administrator password” option we can see the password of our local admin for this endpoint.
As we can see here the password of the admin, the last password rotation date and the next password rotation date are shown. If we want to change the password sooner than the next rotation date we can select the “Rotate local admin password” option.
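The portal is not the only way to read the password. The following script is an added example (not part of the original post): it uses the Windows LAPS PowerShell module against Azure AD as the scripted equivalent of the “Show local administrator password” button. It assumes the Microsoft.Graph.Authentication module is installed, that the signed-in user is allowed to read device local credentials, and that the device name passed in is an Intune-enrolled device that received the LAPS policy.

```powershell
# Added example, not from the original post: retrieve the LAPS-managed password of a
# device from Azure AD and wrap it in a credential object instead of printing it.
# Assumptions: Microsoft.Graph.Authentication installed, caller allowed to read device
# local credentials, $DeviceName enrolled with the LAPS policy from this post.

param([Parameter(Mandatory)] [string] $DeviceName)

Import-Module LAPS   # Windows LAPS module, built into supported Windows versions

# Reading the password itself needs DeviceLocalCredential.Read.All;
# DeviceLocalCredential.ReadBasic.All only returns the metadata
Connect-MgGraph -Scopes 'DeviceLocalCredential.Read.All' -NoWelcome

# Metadata first: account name and rotation dates, no secret on screen
$meta = Get-LapsAADPassword -DeviceIds $DeviceName   # an Azure AD device ID works here too
if (-not $meta) { throw "No LAPS password stored in Azure AD for '$DeviceName'." }

$meta | Select-Object DeviceName, Account, PasswordUpdateTime, PasswordExpirationTime | Format-List

# Same information as the "next password rotation date" in the portal: if it is in the
# past, the device has not checked in and rotated, which is worth investigating
if ($meta.PasswordExpirationTime -lt (Get-Date)) {
    Write-Warning 'The stored password is past its expiration time; the device may be offline or the policy may not be applying.'
}

# Only now fetch the secret. Without -AsPlainText the Password property is a SecureString,
# so it does not end up in the console history or a transcript
$secret = Get-LapsAADPassword -DeviceIds $DeviceName -IncludePasswords
$cred = New-Object System.Management.Automation.PSCredential(
    "$($meta.DeviceName)\$($meta.Account)", $secret.Password)

# Use the credential directly, e.g. to open a remote session, instead of copying the password
# around; every retrieval is logged in Azure AD, so read it only when it is actually needed:
# Enter-PSSession -ComputerName $meta.DeviceName -Credential $cred
$cred
```

Note that the password shown in Intune and the one returned here are the same secret, and both are audited; once it has been used interactively, rotate it from the portal (or with Reset-LapsPassword on the device) so that it does not outlive the task it was retrieved for.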
References and documentation: