The Local Administrator Password Solution (LAPS) is a Microsoft tool for managing local account passwords on Windows servers and clients. For more information please read our LAPS series.
When working with LAPS, it is important to know whether it is actually working and really applies the password changes. Note that the LAPS client-side extension (CSE) by default writes only errors to the local Application event log (the ExtensionDebugLevel registry value raises the verbosity), so a deployment that silently never rotates a password leaves no trace unless you actively check for it. That is what the compliance baseline below does.
Things we need to monitor:
- Installation of the LAPS client-side extension .MSI
- Applying the Group Policy settings
- Changing the local account's password within the timeframe configured
Creating a configuration item to check LAPS health
We start with creating a new configuration item in the Configuration Manager console and call it "LAPS Health." You also have to select the options highlighted below.
In the next dialog, we choose how to detect whether LAPS is in fact installed. Browse to the .MSI file and import the product code. (I only have x64 OSes in my environment. If your network also has 32-bit Windows systems, you need one of the other two detection options, file or registry based, because the Windows Installer product code differs between the x86 and x64 MSIs, and a product-code detection would wrongly report LAPS as absent on the other architecture.)
Now that we know the application is installed, we can add settings we want to evaluate. We will work with a registry check and a PowerShell script. First, we will evaluate existence of the registry keys that the Group Policy Object (GPO) wrote. In the dialog window, click New.
Give the setting a name, and then select Browse. You don't need to fill in any more information, as the tool will add it when you browse to a computer with the Group Policy applied.
Then you have to locate a machine where the registry setting is present and select the options as the screenshot below shows.
Now click OK. You will see this fills the previous dialog with the information needed.
This also creates the settings and the compliance rule for us. Click OK again, which brings you back to the dialog where you can create an additional rule.
To add the PowerShell script that evaluates the password age of the LAPS-managed account, we select New.
To check the state of the local administrator account, we use a PowerShell script that locates the built-in administrator by its well-known SID (the relative identifier ends in -500, so a renamed account is still found). In the script, we configure how old the password may be in days before the system flags the machine as non-compliant. This threshold must be at least as large as the password age set in the LAPS GPO (PasswordAgeDays, 30 by default); if the script allows fewer days than the GPO rotates, a perfectly healthy client will be reported non-compliant for part of every rotation interval. A day or two of slack on top of the GPO value is reasonable for clients that were offline when the rotation was due.
```powershell
$Passwordage = 15

function Get-SWLocalPasswordLastSet {
    # Find the built-in administrator by its well-known RID (SID ending in -500),
    # so the check still works if the account has been renamed
    $acc = Get-WmiObject -Class Win32_UserAccount -Filter "LocalAccount='True' And Sid like '%-500'"
    # The WinNT provider exposes PasswordAge as seconds since the last change
    $user  = [adsi]"WinNT://./$($acc.Name),user"
    $pwAge = $user.PasswordAge.Value
    return (Get-Date).AddSeconds(-$pwAge)
}

$strDate = Get-SWLocalPasswordLastSet
$StrDays = (New-TimeSpan $strDate $(Get-Date)).Days
# Output True (compliant) only if the password was set within the allowed window
return ($StrDays -le $Passwordage)
```
If you target a different account, you can use the sample script below and replace "UberAdmin" with your managed account.
```powershell
$Passwordage = 15
$accName = "UberAdmin"

# Bind to the managed account; PasswordAge.Value is $null if the account does not exist.
# Test for $null explicitly: a password changed moments ago has an age of 0, which
# would otherwise be treated as "false" and report the machine as non-compliant.
$pwAge = ([adsi]"WinNT://./$accName,user").PasswordAge.Value
if ($null -ne $pwAge) {
    $strDate = (Get-Date).AddSeconds(-$pwAge)
    $StrDays = (New-TimeSpan $strDate $(Get-Date)).Days
    return ($StrDays -le $Passwordage)
}
return $false
```
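The two scripts above each test only the password age. As an added example (not code from the original post), the following single discovery script covers all three items from the monitoring list at the top: CSE installed, GPO applied, password rotated on time. It takes the allowed age from the GPO's own PasswordAgeDays value instead of a hard-coded 15, so the baseline can never be stricter than the rotation interval the CSE enforces. Everything not on the page is an assumption: the MSI display name in $CseDisplayName, the policy registry path in $PolicyKey and its value names (AdmPwdEnabled, PasswordAgeDays, AdminAccountName), and the $GraceDays slack.

```powershell
# Added example, not from the original post. Returns True only when every check passes.
# Assumptions (not stated on the page):
#  - the MSI registers under the Uninstall keys with DisplayName $CseDisplayName; both the
#    native and the WOW6432Node key are searched, so an x86 MSI on x64 is found as well;
#  - the GPO writes AdmPwdEnabled, PasswordAgeDays and AdminAccountName under $PolicyKey;
#  - the allowed age is PasswordAgeDays (default $DefaultAgeDays) plus $GraceDays.

$CseDisplayName = 'Local Administrator Password Solution'   # assumption: MSI DisplayName
$PolicyKey      = 'HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd'
$DefaultAgeDays = 30   # LAPS default when PasswordAgeDays is not configured
$GraceDays      = 2    # slack for clients that were offline when rotation was due

function Test-LapsCseInstalled {
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    $found = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
             Where-Object { $_.DisplayName -eq $CseDisplayName }
    return [bool]$found
}

function Get-LapsPolicy {
    # $null means the GPO has not been applied to this machine at all
    if (-not (Test-Path -Path $PolicyKey)) { return $null }
    $p = Get-ItemProperty -Path $PolicyKey
    $ageDays = $DefaultAgeDays
    if ($null -ne $p.PasswordAgeDays) { $ageDays = [int]$p.PasswordAgeDays }
    return [pscustomobject]@{
        Enabled         = ($p.AdmPwdEnabled -eq 1)
        PasswordAgeDays = $ageDays
        AccountName     = $p.AdminAccountName   # empty = built-in administrator (RID 500)
    }
}

function Get-ManagedAccountPasswordAgeDays {
    param([string]$AccountName)
    if ([string]::IsNullOrEmpty($AccountName)) {
        # same lookup as the first script above: the built-in administrator's SID ends in -500
        $acc = Get-CimInstance -ClassName Win32_UserAccount -Filter "LocalAccount='True' AND SID LIKE '%-500'"
        $AccountName = $acc.Name
    }
    try {
        # the WinNT provider reports PasswordAge in seconds since the last change
        $seconds = ([adsi]"WinNT://./$AccountName,user").PasswordAge.Value
    } catch { return $null }
    if ($null -eq $seconds) { return $null }        # account does not exist
    return [int][math]::Floor($seconds / 86400)
}

function Test-LapsHealth {
    if (-not (Test-LapsCseInstalled)) { return $false }                  # item 1: MSI installed
    $policy = Get-LapsPolicy
    if ($null -eq $policy -or -not $policy.Enabled) { return $false }   # item 2: GPO applied
    $age = Get-ManagedAccountPasswordAgeDays -AccountName $policy.AccountName
    if ($null -eq $age) { return $false }                               # managed account missing
    return ($age -le ($policy.PasswordAgeDays + $GraceDays))            # item 3: rotated on time
}

# ConfigMgr compares the script's single output value with the expected value (True)
Test-LapsHealth
```

Use it as the discovery script of a Boolean script setting with a compliance rule of "equals True", exactly as the page does with the shorter scripts. Because it derives the threshold from the GPO, changing PasswordAgeDays in the policy does not require touching the configuration item, and a machine where the GPO never arrived is flagged for that reason rather than quietly passing a stale password-age check.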
We then need to add a compliance rule to our configuration item. Select the Compliance Rules tab and click New.
Change the settings as displayed below so that the rule is "the script's value equals True" and the noncompliance severity is Critical. Any other output, including a script error, then makes the machine non-compliant.
Then you can click OK.
Now click Next twice, as we already have created our compliance rules. We then select the platforms on which this configuration item should run. Since the detection method uses the x64 product code imported at the beginning, I restrict the platforms to 64-bit Windows in my example; if you chose a file or registry detection to cover 32-bit clients too, select both.
We now have to verify whether the client settings in Configuration Manager are configured correctly so we can execute the PowerShell script.
Configuring the PowerShell execution policy
To do this, we have to verify that the PowerShell execution policy in the Configuration Manager client settings (Computer Agent section) is set to Bypass. The default value, All Signed, rejects an unsigned discovery script, so the setting would report a script error instead of a result. If you prefer to keep All Signed, sign the discovery script with a certificate the clients trust instead of lowering the policy.
Creating and deploying the LAPS Health baseline
If you already have a baseline that you deploy to measure other things on your clients, you could just add the configuration item we created above to that baseline or create and deploy a new one.
Select Create Configuration Baseline in the Configuration Manager console, give it a name, and select Add > Configuration Items.
Then we add the configuration item we created earlier.
Then click OK twice, and you have created your baseline.
Now we need to deploy our configuration baseline to a collection. Here we configure the alert percentage threshold and the frequency for evaluating the baseline. The 90% compliance threshold I used in my example may well be too low for a security setting like this: every non-compliant machine is a host whose local administrator password is not being rotated. Mark the newly created configuration baseline in the admin console and select Deploy. Next you have to choose the collection to which you want to deploy the configuration baseline.
Now we can sit back and wait for the clients to start evaluating our configuration baseline and report back.
Thanks man! Good job. I am looking at this... it's interesting.
Glad to hear that! Making sure that the clients actually are configured as we want is, and will be, more and more important!
Regards,
Jörgen
Another alternative is to use the discovery to pick up the last time the password was changed and create a report for anything that doesn’t adhere to the password change window.
Hi John,
That will work too. I wanted it in my "Workstation Baseline" together with all the other checks I do, like AppLocker configured and running, Credential Guard running, BitLocker running. Then I can get alerts on any machine slipping from the security baseline settings...
Regards,
Jörgen
We are using LAPS. Great tool. Are there any issues with having the local admin password never expires box unchecked?
Hello Jörgen,
Did everything according to your blog, but I keep being non-compliant :(.
Password age:
GPO: 30 days (all default)
Script: 15 days (as per your script)
Any idea ?
Thank you,
Michael
Hi Jörgen,
Now all good, nice and easy: warm thank you for this great tip.
Was checking the wrong version of the MSI... Noooooooooooooo !!!
Sorry, sorry, sorry,
Best regards,
Michael
Hi,
Great article... I was trying to do the LAPS expiry date, and without the PWD PS module it was hard. Your script helped.
Hello
How to deal with x32 and x64 package ?
Regards
Will this return a "non-compliant" result if the application isn't installed at all? If I wanted to make a compliance item to do that, would I just do the application detection and not make any rules?