PowerShell – Intune Local Administrator Password Solution (iLAPS)

If you have devices joined to an on-premises Active Directory domain, you would certainly configure the Local Administrator Password Solution (LAPS), which gives each local administrator account across the enterprise network its own unique password.

Unfortunately this method only works for on-premises domain-joined devices. What about Azure AD joined machines? The short answer is “no”.

LAPS relies on two attributes in the on-premises Active Directory schema, and these attributes are not available in Azure AD.

Therefore I have created a small application that mimics the same behavior for Azure AD devices, which I call “iLAPS” for Intune Local Administrator Password Solution.

There are some requirements before you can use this solution in your environment.

  • You need an Azure subscription with a storage account for Blob storage and Azure Tables.
  • In this example we are using Intune, but you could also use another mobile device management (MDM) product.
  • Your devices must run Windows 10 (I haven’t tested previous Windows versions).

 

So how does it work?

If you take a look at the diagram in the post header, there are two flows.

The client part is installed on the device, and is responsible for changing the local account password and storing it.

  1. Intune pushes a script to the managed Azure AD device.
  2. The device executes the script as “SYSTEM”.
  3. The script requests the executable from Azure Blob storage.
  4. When the executable has been downloaded, the script proceeds by executing the program.
  5. The program performs various checks, gathers information and resets the wanted local passwords.
  6. The gathered information, together with the newly created passwords, is transmitted over HTTPS to an Azure Storage Table.

The administration part is just a tool to view the usernames and passwords:

  1. The help desk user runs the executable.
  2. The executable requests data from Azure Storage Tables.
  3. Azure Storage Tables returns the usernames and passwords to the executable over HTTPS, so the communication is secure.
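The two flows above, as an added example written for this post rather than the original iLAPS scripts: the client side generates a random password, encrypts it with a symmetric AES key, upserts the record into an Azure Storage Table through the REST API with a SAS token, and only then changes the local account; the help desk side queries the table and decrypts locally. The storage account name, table name, SAS token and AES key are constructed placeholders, and the property names (EncryptedPassword, LastChangedUtc) are assumptions of this example. Note that the AES key and the SAS token have to live inside the client script or executable, so protecting the record in the table is only as strong as protecting that binary.

```powershell
# Added example, not the original iLAPS scripts: one way to implement the client
# flow (steps 2 to 6) and the help-desk lookup on a Windows 10 device.
$Config = @{
    StorageAccount = 'EXAMPLE_STORAGE_ACCOUNT'                       # placeholder
    TableName      = 'iLAPS'                                         # placeholder
    SasToken       = '?sv=2019-12-12&ss=t&sig=PLACEHOLDER'           # placeholder table SAS: Add+Update for the client, Read for the viewer
    AesKeyBase64   = 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA='  # placeholder 256-bit key; generate your own
}
$Headers = @{
    'Accept'       = 'application/json;odata=nometadata'
    'x-ms-version' = '2019-12-12'
}

function New-RandomPassword {
    param([int]$Length = 24)
    # CSPRNG with rejection sampling, so every character is equally likely (no modulo bias).
    $chars = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789!#%&*+-=?@'
    $limit = 256 - (256 % $chars.Length)
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buf   = [byte[]]::new(1)
    $sb    = [System.Text.StringBuilder]::new()
    while ($sb.Length -lt $Length) {
        $rng.GetBytes($buf)
        if ($buf[0] -lt $limit) { [void]$sb.Append($chars[$buf[0] % $chars.Length]) }
    }
    $sb.ToString()
}

function Protect-Secret {
    param([string]$PlainText, [string]$KeyBase64)
    # AES-CBC with a fresh random IV per record; the IV is prepended to the ciphertext.
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Key = [Convert]::FromBase64String($KeyBase64)
    $aes.GenerateIV()
    $data   = [System.Text.Encoding]::UTF8.GetBytes($PlainText)
    $cipher = $aes.CreateEncryptor().TransformFinalBlock($data, 0, $data.Length)
    [Convert]::ToBase64String([byte[]]($aes.IV + $cipher))
}

function Unprotect-Secret {
    param([string]$CipherBase64, [string]$KeyBase64)
    $blob = [Convert]::FromBase64String($CipherBase64)
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Key = [Convert]::FromBase64String($KeyBase64)
    $aes.IV  = [byte[]]($blob[0..15])
    $data = $aes.CreateDecryptor().TransformFinalBlock($blob, 16, $blob.Length - 16)
    [System.Text.Encoding]::UTF8.GetString($data)
}

function Send-iLAPSEntry {
    param([string]$ComputerName, [string]$UserName, [string]$Password)
    # Insert Or Replace Entity (PUT), so repeated rotations overwrite the same row.
    $uri = "https://{0}.table.core.windows.net/{1}(PartitionKey='{2}',RowKey='{3}'){4}" -f `
        $Config.StorageAccount, $Config.TableName, $ComputerName, $UserName, $Config.SasToken
    $body = @{
        PartitionKey      = $ComputerName
        RowKey            = $UserName
        EncryptedPassword = Protect-Secret -PlainText $Password -KeyBase64 $Config.AesKeyBase64
        LastChangedUtc    = (Get-Date).ToUniversalTime().ToString('o')
    } | ConvertTo-Json
    Invoke-RestMethod -Method Put -Uri $uri -Headers $Headers -ContentType 'application/json' -Body $body | Out-Null
}

function Reset-iLAPSPassword {
    param([string]$UserName = 'Administrator')
    $password = New-RandomPassword
    # Store first, then change: a failed upload aborts before the account is touched,
    # so there is never a live password that nobody can look up.
    Send-iLAPSEntry -ComputerName $env:COMPUTERNAME -UserName $UserName -Password $password
    Set-LocalUser -Name $UserName -Password (ConvertTo-SecureString $password -AsPlainText -Force)
}

function Get-iLAPSEntry {
    param([string]$ComputerName)
    # Query Entities (GET) with an OData filter on the partition key; decryption happens on the help-desk machine.
    $filter = [uri]::EscapeDataString("PartitionKey eq '$ComputerName'")
    $uri = 'https://{0}.table.core.windows.net/{1}(){2}&$filter={3}' -f `
        $Config.StorageAccount, $Config.TableName, $Config.SasToken, $filter
    foreach ($e in (Invoke-RestMethod -Method Get -Uri $uri -Headers $Headers).value) {
        [pscustomobject]@{
            Computer = $e.PartitionKey
            User     = $e.RowKey
            Password = Unprotect-Secret -CipherBase64 $e.EncryptedPassword -KeyBase64 $Config.AesKeyBase64
            Changed  = $e.LastChangedUtc
        }
    }
}

# Client (run as SYSTEM):  Reset-iLAPSPassword -UserName 'Administrator'
# Help desk:               Get-iLAPSEntry -ComputerName 'PC-0001'
```

The client should be given a SAS token limited to Add and Update on the table, and the help-desk tool a separate Read-only token, so a leaked client binary cannot be used to read every stored password from the table (it can still decrypt anything it does obtain, since it carries the AES key).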

 

What about the code?

There are three scripts/executables in the solution; I will go through them at a high level. You can always study the code yourself. I have tried to make the code easy to read and understand.

  • Install-iLAPS.ps1
    • This script is responsible for downloading and running the executable; it does nothing else.
  • Reset-LocalAdministratorPassword.ps1
    • This is where the “magic” happens. The program is responsible for resetting the passwords and transporting the usernames/passwords safely.
  • Get-LocalAdministratorPassword.ps1
    • Tool for viewing the usernames/passwords.

 

This is plain PowerShell that could easily be converted to an .exe (see PS2EXE-GUI). That way users cannot easily see the vital logic and endpoints (yes, you can still use Wireshark to sniff the traffic or a hex editor to inspect the binary). The program also uses symmetric encryption to protect the passwords, so even if someone gains unwanted access to the Azure Storage Table, they cannot see the passwords in clear text.

The program also installs a scheduled task that changes the password every 3 months, but only if it detects that the device has access to the internet.
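The scheduled task and the connectivity check described above, as an added example written for this post (not the project's own installer): the check targets the Azure Table endpoint the client actually needs rather than generic internet access, and the task runs as SYSTEM every 90 days. The task name, script path and storage account name are constructed placeholders. Because the task executes a script as SYSTEM, the example also restricts write access on the script folder to SYSTEM and Administrators; without that, any local user who can edit the script gets code execution as SYSTEM at the next run.

```powershell
# Added example, not the original iLAPS code: register the 90-day rotation task and
# gate it on reachability of the Azure Table endpoint. Names and paths are placeholders.
function Test-iLAPSConnectivity {
    param([string]$StorageAccount = 'EXAMPLE_STORAGE_ACCOUNT')   # placeholder
    # Probe TCP 443 on the table endpoint the client talks to; returns $true or $false.
    $endpoint = '{0}.table.core.windows.net' -f $StorageAccount
    Test-NetConnection -ComputerName $endpoint -Port 443 -InformationLevel Quiet -WarningAction SilentlyContinue
}

function Register-iLAPSTask {
    param(
        [string]$ScriptPath   = 'C:\ProgramData\iLAPS\Reset-LocalAdministratorPassword.ps1',  # placeholder
        [int]   $IntervalDays = 90,
        [string]$TaskName     = 'iLAPS Password Rotation'                                     # placeholder
    )
    # The task runs as SYSTEM, so only SYSTEM (S-1-5-18) and Administrators (S-1-5-32-544)
    # may write to the script folder; Users (S-1-5-32-545) get read/execute only.
    $dir = Split-Path -Parent $ScriptPath
    New-Item -ItemType Directory -Path $dir -Force | Out-Null
    icacls $dir /inheritance:r /grant:r '*S-1-5-18:(OI)(CI)F' '*S-1-5-32-544:(OI)(CI)F' '*S-1-5-32-545:(OI)(CI)RX' | Out-Null

    $action    = New-ScheduledTaskAction -Execute 'powershell.exe' `
        -Argument ('-NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File "{0}"' -f $ScriptPath)
    $trigger   = New-ScheduledTaskTrigger -Daily -DaysInterval $IntervalDays -At '03:00'
    $principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest
    # StartWhenAvailable catches up on a run missed because the device was off;
    # RunOnlyIfNetworkAvailable is the Task Scheduler side of the connectivity requirement.
    $settings  = New-ScheduledTaskSettingsSet -StartWhenAvailable -RunOnlyIfNetworkAvailable `
        -ExecutionTimeLimit (New-TimeSpan -Hours 1)
    Register-ScheduledTask -TaskName $TaskName -Action $action -Trigger $trigger `
        -Principal $principal -Settings $settings -Force | Out-Null
}

# Inside the rotation script itself, run the same check before touching any account, so a
# device with no path to Azure keeps its current password instead of resetting it unrecorded:
#   if (-not (Test-iLAPSConnectivity)) { Write-Warning 'Azure Table endpoint unreachable; skipping rotation.'; exit 0 }
Register-iLAPSTask
```

Running the block registers the task on the local machine, so execute it in an elevated session (Intune runs pushed scripts as SYSTEM, which satisfies this). The Task Scheduler network condition only knows whether some network is connected; the explicit Test-iLAPSConnectivity call in the rotation script is what guarantees the Azure endpoint is reachable before a password is changed.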

Enough talking, more code. The code for each component is shown below:

Install-iLAPS.ps1

Reset-LocalAdministratorPassword.ps1

Get-LocalAdministratorPassword.ps1

 

If you don’t know about Azure Storage Tables, Azure BLOB Storage and so on, here are some resources that might be helpful.

That’s all from now, if you need any further explanation please comment below!

Alex is an infrastructure consultant at Mansoft A/S. I have a Data Technician degree from Denmark, Copenhagen, where I also live and work. My goal is to be an MVP in the digital technology industry. While I'm still in my younger years, I already have over 10 years of experience in the field. I focus on Microsoft technologies but I'm not limited to only that. I also do a lot of work in the Unix and Linux world.

4 Comments

  1. Ronny

    Good morning Alex,
    I’m starting to live the experience in Intune and would like to deploy iLAPS. Would it be possible to send a detailed tutorial on how to carry out the implementation?

    Thank you

    1. Alex Ø. T. Hansen

      Hi Ronny,

      Do you have access to Intune, Azure Storage Tables and a Windows 10 device?

      Here is a short summary, what you need to do:
      1. Create a table on Azure Storage, and generate a SAS key.
      More info: https://www.michaelcrump.net/azure-tips-and-tricks82/

      2. Edit “Reset-LocalAdministratorPassword.ps1” with the newly created Azure Table information (table name, URI and SAS). Upload it to Azure Blob storage.

      3. Edit “Install-iLAPS.ps1” with blob storage and SAS key, then upload it to Intune to push to devices.

      4. To view the passwords, either view the raw data in the Azure table, or edit “Get-LocalAdministratorPassword.ps1” with the information created above.

      Let me know if you need more detailed information.

  2. Jeremy Moskowitz

    So, when does the script actually apply / how does it re-trigger? I don’t see that you’re making a scheduled task, so... how does it fire off when the number of days expires?

    Also, what if the server is not available at that time? How does it re-try and how often?

    1. Alex Ø. T. Hansen

      Hi Jeremy,

      The password(s) are changed as soon as the script is pushed to the device from Intune. The script ‘Reset-LocalAdministratorPassword.ps1’ creates a scheduled task that runs every 90 days.

      If the machine doesn’t have access to the internet and the Azure Storage Table, it will not proceed with changing passwords.

      You can edit the task schedule that gets installed to suit your needs.

      Let me know if you have any further questions, or want me to demonstrate it.
