PowerShell – Intune Local Administrator Password Solution (iLAPS)

If you have devices that is connected to an on-premise, you would certainly configure the Local Administrator Password Solution (LAPS), which allows unique password for each local administrator across the enterprise network.

Unfortunately this method only works when you have on-premise devices, but what about Azure AD Joined machines? – A short answer is “no”.

LAPS takes advantage of 2 attributes in the local Active Directory, these attributes are not available in Azure AD.

Therefor I have created a small application that mimic the same behavior for Azure AD devices, which I call “iLAPS” for Intune Local Administrator Password Solution.

There are some requirements before you can use this solution in your environment.

  • You need a Azure subscription with an storage account for BLOB and Azure Tables.
  • In this example we are using Intune, but you could also use some other mobile device management (MDM).
  • Your devices must run Windows 10 (haven’t tested previous Windows versions).

 

So how does it work?

If you take a look at the picture where the post title is, there is two flows.

The client part is installed on the device, and is responsible for changing the user password and storing it.

  1. Intune pushes a script to the managed Azure AD device.
  2. The device executes the script under “SYSTEM”.
  3. The script request the executable from the Azure BLOB storage.
  4. When the executable is downloaded the script proceeds by executing the program.
  5. The program does various checks, gather information and reset wanted local passwords.
  6. The gathered information with the newly created passwords will be transmitted securely with HTTPS to Azure Storage Table.

The administration part is just a tool to view the usernames and passwords:

  1. The help desk user runs the executable.
  2. The executable request data from Azure Storage Tables.
  3. Azure Storage Tables transmits usernames and passwords to the executable across with HTTPS for secure communications.

 

What about the code?

There are 3 pieces of scripts/executable in the solution, I will go through them on a high level. You can always study the code your self. I have tried to make the code easy to read and understand.

  • Install-iLAPS.ps1
    • This script is responsible for downloading and running the executable, it does nothing else.
  • Reset-LocalAdministratorPassword.ps1
    • This is where the “magic” happens. The program is reponsible for resetting the passwords and transporting the username/passwords safely.
  • Get-LocalAdministratorPassword.ps1
    • Tool for viewing the username/passwords.

 

This is just PowerShell that could easily be converted to an .exe (see PS2EXE-GUI). This way users are not able to see the vital logic and endpoints easily (Yes, you can use WireShark to sniff the traffic or a hex editor to see the content). Also the program uses symmetric encryption to hash the passwords, so even if you get unwanted access to Azure storage tables, you can’t see passwords in clear text.

The program will also install a schedule task that will change the password every 3 months. But only if it detects there is access to the internet.

Enough speaking, more code. See the components code below:

Install-iLAPS.ps1

Reset-LocalAdministratorPassword.ps1

Get-LocalAdministratorPassword.ps1

 

If you don’t know about Azure Storage Tables, Azure BLOB Storage and so on, here are some resources that might be helpful.

That’s all from now, if you need any further explanation please comment below!

Experienced advanced operations engineer with a demonstrated history of working in the information technology and services industry. Skilled in Windows Server, Azure, Ethical Hacking, Office 365, Exchange, Jenkins, SCCM, Octopus Deploy and PowerShell to name a few. Strong engineering professional with a big passion for knowledge.

24 Comments

  1. Ronny

    Good morning Alex,
    I’m starting to live the experience in Intune and would like to deploy Ilaps, would it be possible to send a detailed Tutorial on how to carry out the implementation?

    Thank you

    1. Alex Ø. T. Hansen

      Hi Ronny,

      Do you have access to Intune, Azure Storage Tables and a Windows 10 device?

      Here is a short summary, what you need to do:
      1. Create a table on Azure Storage, and generate a SAS key.
      More info: https://www.michaelcrump.net/azure-tips-and-tricks82/

      2. Edit the “Reset-LocalAdministratorPassword.ps1” with the newly create Azure Table information (table name, URI and SAS). Upload it to Azure blob storage.

      3. Edit “Install-iLAPS.ps1” with blob storage and SAS key, then upload it to Intune to push to devices.

      4. To view the passwords either view the raw data on the azure table, or edit “Get-LocalAdministratorPassword.ps1” with the information created above.

      Let me know if you need more detailed information.

  2. Jeremy Moskowitz

    So, when does the script actually apply / how does it re-trigger? I dont see that you’re making a scheduled task, so.. how does it fire off when the number of days expires?

    Also, what if the server is not available at that time? How does it re-try and how often?

    1. Alex Ø. T. Hansen

      Hi Jeremy,

      The password(s) is changed as soon as the script is pushed to the device from Intune. The script ‘Reset-LocalAdministratorPassword.ps1’ creates a schedule task that runs every 90 days.

      If the machine doesn’t have access to the internet and Azure Storage Table, it will not proceed changing passwords.

      You can edit the task schedule that is getting installed to suit your demands.

      Let me know if you have any further questions, or want me to demonstrate it.

  3. Tausif

    This is excellent work, well done. We use LAPS and are now moving to modern management and i thought i’d have to do something like this when i stumbled upon this. You saved me a lot of time.

  4. JDavis

    First of all this is great. Thank you for letting others use it. Since it was published about a year ago I thought I would ask if there are any tweaks or changes you would suggest since it was originally published?

  5. AP

    Alex,
    I really appreciate this post. This tool will definitely help me out as we’re looking to move off of on-prem laps to azad bound devices with intune. I have some question on implementing this myself.

    * Install–iLAPS.ps1\$AzureFileShare param: is this the container for the blob storage account where Reset-LocalAdministratorPassword.ps1 is stored?

    * are we to change the $secretKey param in Get-LocalAdministratorPassword.ps1/Reset-LocalAdministratorPassword.ps1?

    * What are the recommended settings you’re using for both the table storage and blob storage account?

    Thank you for all of this!

  6. sabari

    as check the password is added to the table can we able to update it in the storage table??

  7. EvM

    Nice solution, I have the same comment as “sabari”, is it possible to update the storage table? Now every time the password is changed, a new entry is created in the Azure storage table.

  8. Pingback: Challenges while managing administrative privileges on your Azure AD joined Windows 10 devices | Modern Workplace Blog

  9. EvM

    Hi Alex,

    I just read the ResetLaps script and was looking for the code to modify an existing entry instead of inserting one. I think I had to modify the Add-AzureTableData function in this case?
    I am not a Powershell expert, maybe you can give me tip for the right direction.

    1. Peter Hussle

      Does anyone has done the updating insted of creating an new entry yet? I would like to know how you did that.

      1. Alex Ø. T. Hansen

        Hi Peter,
        Instead of pushing the data to Azure Tables I would suggest push it to a blob storage. Then make a function that picks up this blob file (Azure Function) and insert it in a database or keyvault.

  10. Ross

    This solution looks really useful. Two questions:

    1. Does the password have to be written to an Azure Table, or could we use an API to write it to somewhere like LastPass?
    2. Does the managed computer have to be Azure AD Joined or would it work for it to be Hybrid Joined?

  11. Frank

    I am running into an issue where the scripts work fine when I run them manually, but when I deploy through Intune, the script doesn’t actually change the password, it only writes the intended password to BLOB storage, but the passwords remain unchanged on the PC. Any ideas?

  12. Jack

    Great guide and method Alex.

    Any thoughts to using Azure Key Vault for storing the passwords more securely than Azure Tables? Interested for your take on this.

    Thanks,

  13. lilly

    Hi Alex,
    i got below error for ilpas.ps1 , please suggest what must be modified in the script.
    Invoke-WebRequest :

    ResourceNotFound

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.