MSEndpointMgr

Use a Scheduled Task to Rotate Passwords for CloudLAPS

Introduction

If you haven’t seen it yet, CloudLAPS is a community-developed solution, maintained by Nickolaj Andersen from MSEndpointMgr together with community members Thomas Kurth (@ThomasKurth_ch), Maurice Daly (@modaly_it) and Simon Wåhlin (@SimonWahlin).

It is, quite simply, an awesome Local Administrator Password Solution (LAPS) for Azure AD-joined devices.

Proactive Remediations

CloudLAPS is suitable for organisations of all sizes, but when we speak to smaller companies, Microsoft licensing sometimes becomes a roadblock to using the solution. The daily rotation of the Local Admin password is managed by a Proactive Remediation. As well as an Intune licence, the Proactive Remediations feature in Endpoint Analytics requires one of the following licence SKUs:-

  • Windows 10/11 Enterprise E3 or E5 (included in Microsoft 365 F3, E3, or E5)
  • Windows 10/11 Education A3 or A5 (included in Microsoft 365 A3 or A5)
  • Windows 10/11 Virtual Desktop Access (VDA) per user

This is often a non-starter for companies using Business Premium licensing. They simply won’t upgrade to a higher SKU just to take advantage of Proactive Remediations. The community has been vocal about the licence requirements; many of us believe it should also be included in the Business Premium SKU – but that’s a battle for another day.

Rotating Passwords a Different Way

Creativity spills over in buckets in the MSEndpointMgr team and Maurice Daly had a great idea. Could we take the Proactive Remediation scripts and rotate the passwords another way – perhaps as a scheduled task? Could we deliver the solution without increasing licence costs for smaller companies? Challenge accepted!

I decided to try and deliver the Proactive Remediation script block using the PowerShell Scripts feature in Intune. The idea was to save the script locally and use a Scheduled Task to call the script to rotate the passwords.

Read more on PowerShell Scripts in Intune here:-

https://docs.microsoft.com/en-us/mem/intune/apps/intune-management-extension

Solution Overview

At a high level, here is what the solution will do:-

  1. Push a PowerShell Script from Intune using the PowerShell Scripts feature
  2. Use Nickolaj’s Detection and Remediation Scripts and put them into a Script Block
  3. A folder is created on the Client Device and a script is created from the Script Block
  4. The ACL of the script is modified so BUILTIN\USERS does not have access
  5. A Scheduled Task is created to run the script, daily, in the SYSTEM context

You can find the Script for this solution below:-

https://github.com/MSEndpointMgr/Intune/blob/master/Windows%2010/Install-CloudLAPS_SchTask.ps1

The function Install-CloudLAPSClient can be found at the bottom of the script. You can change the destination location and script name using the variables $CloudLAPSClientPath and $CloudLAPSClientScript in the function.

[Screenshot: Script Destination]

You can also modify the Scheduled Task to run at a different interval; the default interval is Daily.
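The following is an added PowerShell illustration of the five overview steps (it is not the MSEndpointMgr Install-CloudLAPSClient function itself). It reuses the post's $CloudLAPSClientPath and $CloudLAPSClientScript variable names, but the folder location, script file name, task name and trigger time are assumed values, and the script body is a placeholder for the CloudLAPS remediation script block.

```powershell
# Added example, not the project's own script. Runs as SYSTEM (Intune's default for PowerShell scripts).
$CloudLAPSClientPath   = "$env:ProgramData\CloudLAPS"       # destination folder (assumed value)
$CloudLAPSClientScript = "Invoke-CloudLAPSRotation.ps1"     # script file name (assumed value)
$TaskName              = "CloudLAPS Password Rotation"      # assumed task name
$ScriptPath            = Join-Path $CloudLAPSClientPath $CloudLAPSClientScript

# Placeholder: in the real solution this is the Detection/Remediation script block from CloudLAPS.
$ScriptBlock = @'
# <CloudLAPS detection/remediation script block goes here>
'@

# Step 3: create the folder on the client and write the script from the script block.
New-Item -Path $CloudLAPSClientPath -ItemType Directory -Force | Out-Null
Set-Content -Path $ScriptPath -Value $ScriptBlock -Encoding UTF8 -Force

# Step 4: harden the ACL. Break inheritance without copying inherited ACEs, then grant
# only SYSTEM and BUILTIN\Administrators, so BUILTIN\Users can neither read nor modify it.
$Acl = Get-Acl -Path $ScriptPath
$Acl.SetAccessRuleProtection($true, $false)
foreach ($Identity in @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')) {
    $Rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Identity, 'FullControl', 'Allow')
    $Acl.AddAccessRule($Rule)
}
Set-Acl -Path $ScriptPath -AclObject $Acl

# Step 5: register a daily task that runs the script in the SYSTEM context.
$Action    = New-ScheduledTaskAction -Execute 'powershell.exe' `
    -Argument "-NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File `"$ScriptPath`""
$Trigger   = New-ScheduledTaskTrigger -Daily -At '03:00'   # adjust -Daily/-At for another interval
$Principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest
$Settings  = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -StartWhenAvailable
Register-ScheduledTask -TaskName $TaskName -Action $Action -Trigger $Trigger `
    -Principal $Principal -Settings $Settings -Force | Out-Null

# Run the first rotation immediately, as the post describes.
Start-ScheduledTask -TaskName $TaskName

# Verification: this should return nothing if BUILTIN\Users was successfully excluded.
(Get-Acl -Path $ScriptPath).Access | Where-Object { $_.IdentityReference -like 'BUILTIN\Users' }
```

Run the verification line after deployment (or check the Security tab of the script file) to confirm that no Users ACE survived inheritance.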

[Screenshot: Scheduled Task]

Once the script is delivered, you will see the following folder structure created.

[Screenshot: Installed Solution]

The following Scheduled Task will be created.

[Screenshot: Scheduled Task]

The Scheduled Task will run immediately; you can view the status of the rotation attempt in the Event Viewer.

[Screenshot: CloudLAPS-Client evtx]

Log Analytics / Dashboard Confirmation

Looking into the CloudLAPSClient log in Log Analytics we can also see the events coming through from the client:-

[Screenshot: Log Analytics]

The rotations can also be verified by monitoring the Azure Function App function SetSecret:-

[Screenshot: SetSecret]

The function SendClientEvent will show the client event logs being uploaded (if upload of client logs is enabled):-

[Screenshot: SendClientEvent]

For simplicity we can also see this level of detail in the CloudLAPS dashboard:-

[Screenshot: Dashboard]

Function App URI

Don’t forget to modify the Function App URIs in the script to match the URIs in your Azure Function App – as documented (very clearly) below:-

https://msendpointmgr.com/cloudlaps/#8-configure-proactive-remediation-script

[Screenshot: Function App URIs]

Summary

CloudLAPS is an awesome community solution. Delivering the password rotation part of the solution using the PowerShell Scripts feature in Intune now makes it really accessible to companies on the Business Premium SKU.

Thanks to Maurice for the initial idea, team work made this one happen! 💪

Ben Whitmore

Microsoft MVP - Enterprise Mobility, Microsoft Certified Trainer and Microsoft 365 Certified: Enterprise Administrator Expert. Community driven and passionate Customer Engineer Lead at Patch My PC with over 2 decades of experience in driving adoption and technology change within the Enterprise.

Maurice Daly

Maurice has been working in the IT industry for the past 20 years and currently working in the role of Senior Cloud Architect with CloudWay. With a focus on OS deployment through SCCM/MDT, group policies, active directory, virtualisation and office 365, Maurice has been a Windows Server MCSE since 2008 and was awarded Enterprise Mobility MVP in March 2017. Most recently his focus has been on automation of deployment tasks, creating and sharing PowerShell scripts and other content to help others streamline their deployment processes.
