Introduction
If you haven’t seen it yet, CloudLAPS is a community-developed solution maintained by Nickolaj Andersen from MSEndpointMgr, together with community members Thomas Kurth (@ThomasKurth_ch), Maurice Daly (@modaly_it) and Simon Wåhlin (@SimonWahlin).
Proactive Remediations
CloudLAPS is suitable for organisations of all sizes, but when we speak to smaller companies, Microsoft licensing sometimes becomes a roadblock to using the solution. The daily rotation of the local admin password is managed by a Proactive Remediation. As well as an Intune licence, the Proactive Remediations feature in Endpoint Analytics requires one of the following licence SKUs:-
- Windows 10/11 Enterprise E3 or E5 (included in Microsoft 365 F3, E3, or E5)
- Windows 10/11 Education A3 or A5 (included in Microsoft 365 A3 or A5)
- Windows 10/11 Virtual Desktop Access (VDA) per user
This is often a non-starter for companies using Business Premium licensing. They simply won’t upgrade to a higher SKU just to take advantage of Proactive Remediations. The community has been vocal about the licence requirements, and many of us believe it should also be included in the Business Premium SKU – but that’s a battle for another day.
Rotating Passwords a Different Way
Creativity spills over in buckets in the MSEndpointMgr team and Maurice Daly had a great idea. Could we take the Proactive Remediation scripts and rotate the passwords another way – perhaps as a scheduled task? Could we deliver the solution without increasing licence costs for smaller companies? Challenge accepted!
I decided to try and deliver the Proactive Remediation script block using the PowerShell Scripts feature in Intune. The idea was to save the script locally and use a Scheduled Task to call the script to rotate the passwords.
Read more on PowerShell Scripts in Intune here:-
https://docs.microsoft.com/en-us/mem/intune/apps/intune-management-extension
Solution Overview
At a high level, here is what the solution will do:-
- Push a PowerShell Script from Intune using the PowerShell Scripts feature
- Use Nickolaj’s Detection and Remediation Scripts and put them into a Script Block
- A folder is created on the Client Device and a script is created from the Script Block
- The ACL of the script is modified so BUILTIN\USERS does not have access
- A Scheduled Task is created to run the script, daily, in the SYSTEM context
You can find the Script for this solution below:-
https://github.com/MSEndpointMgr/Intune/blob/master/Windows%2010/Install-CloudLAPS_SchTask.ps1
The function Install-CloudLAPSClient can be found at the bottom of the script. You can change the destination location and script name using the variables $CloudLAPSClientPath and $CloudLAPSClientScript in the function.
You can also modify the Scheduled Task to run at a different interval; the default interval is daily.
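The following is an added example of the deployment mechanics the overview describes (folder, script written from a script block, ACL tightened so BUILTIN\Users has no access, daily Scheduled Task running as SYSTEM). It is not the project’s Install-CloudLAPS_SchTask.ps1 and does not contain the CloudLAPS remediation script; the function name Install-RotationTask, the folder C:\ProgramData\CloudLAPS, the script name Invoke-Rotation.ps1, the task name and the 03:00 run time are assumptions for the example. The script body is a placeholder you would replace with the detection/remediation script block from the project. As a defensive choice beyond the list above, the example also removes inherited access from the folder, not only the script file, so that standard users cannot read either.

```powershell
# Added example, not the project's own code. Run as SYSTEM/administrator (for instance via the Intune PowerShell Scripts feature).
$ClientPath   = Join-Path $env:ProgramData 'CloudLAPS'          # assumed folder
$ClientScript = 'Invoke-Rotation.ps1'                           # assumed script name
$TaskName     = 'CloudLAPS Password Rotation'                   # assumed task name
$ScriptPath   = Join-Path $ClientPath $ClientScript

# Placeholder body: replace with the CloudLAPS detection/remediation script block.
$ScriptBlock = @'
# PLACEHOLDER: CloudLAPS remediation script block goes here.
Write-Output "CloudLAPS rotation script placeholder ran at $(Get-Date -Format o)"
'@

function Set-RestrictedAcl {
    # Disable inheritance, drop inherited ACEs, and grant only SYSTEM and local
    # Administrators full control. BUILTIN\Users therefore has no entry at all.
    param([Parameter(Mandatory)][string]$Path)
    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($true, $false)   # protect, do not copy inherited rules
    foreach ($rule in @($acl.Access)) { [void]$acl.RemoveAccessRule($rule) }
    $inherit = if (Test-Path -Path $Path -PathType Container) {
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    } else { [System.Security.AccessControl.InheritanceFlags]::None }
    foreach ($identity in 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators') {
        $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
            $identity, 'FullControl', $inherit, 'None', 'Allow')))
    }
    Set-Acl -Path $Path -AclObject $acl
}

function Test-NoUsersAccess {
    # Returns $true when no ACE on the path references BUILTIN\Users (a post-install check).
    param([Parameter(Mandatory)][string]$Path)
    $users = (Get-Acl -Path $Path).Access | Where-Object { $_.IdentityReference -eq 'BUILTIN\Users' }
    return ($null -eq $users -or @($users).Count -eq 0)
}

function Install-RotationTask {
    # 1. Create the folder and write the script from the script block.
    New-Item -Path $ClientPath -ItemType Directory -Force | Out-Null
    Set-Content -Path $ScriptPath -Value $ScriptBlock -Encoding UTF8 -Force

    # 2. Tighten the ACL on the folder and the script.
    Set-RestrictedAcl -Path $ClientPath
    Set-RestrictedAcl -Path $ScriptPath
    if (-not (Test-NoUsersAccess -Path $ScriptPath)) { throw "ACL hardening failed for $ScriptPath" }

    # 3. Register a daily task that runs the script as SYSTEM, then start it once.
    $action = New-ScheduledTaskAction -Execute "$env:SystemRoot\System32\WindowsPowerShell\v1.0\powershell.exe" `
        -Argument "-NoProfile -NonInteractive -ExecutionPolicy Bypass -WindowStyle Hidden -File `"$ScriptPath`""
    $trigger   = New-ScheduledTaskTrigger -Daily -At '03:00'      # assumed run time; change the interval here
    $principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest
    $settings  = New-ScheduledTaskSettingsSet -StartWhenAvailable -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries
    Register-ScheduledTask -TaskName $TaskName -Action $action -Trigger $trigger `
        -Principal $principal -Settings $settings -Force | Out-Null
    Start-ScheduledTask -TaskName $TaskName

    # Return the task state so the caller (or an Intune script log) can confirm the result.
    return (Get-ScheduledTaskInfo -TaskName $TaskName)
}

Install-RotationTask
```

The `-File` argument is quoted so a folder with spaces still works, and `Test-NoUsersAccess` fails the install loudly rather than leaving a world-readable script behind; because the script carries the Function App URI and is executed as SYSTEM, a standard user being able to read or replace it would be the thing to avoid.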
Once the script is delivered, you will see the following folder structure created.
The following Scheduled Task will be created.
The Scheduled Task will run immediately; you can view the status of the rotation attempt in the Event Viewer.
Log Analytics / Dashboard Confirmation
Looking into the CloudLAPSClient log in Log Analytics we can also see the events coming through from the client:-
The rotations can also be verified by monitoring the SetSecret function in the Azure Function App,
and the SendClientEvent function will show the client event logs being uploaded (if upload of client logs is enabled).
For simplicity we can also see this level of detail in the CloudLAPS dashboard:-
Function App URI
Don’t forget to modify the Function App URIs in the script to match the URIs in your Azure Function App – as documented (very clearly) below:-
https://msendpointmgr.com/cloudlaps/#8-configure-proactive-remediation-script
Summary
CloudLAPS is an awesome community solution. Delivering the password rotation part of the solution using the PowerShell Scripts feature in Intune now makes it really accessible to companies on the Business Premium SKU.
Thanks to Maurice for the initial idea, team work made this one happen! 💪