LAPS is a solution that makes sure you have unique administrator passwords on each device which will be changed automatically after a certain time period has passed. It makes sure that when a device is compromised, the attacker has no access to all devices in the company domain. So, life is simple. You make choices and you’ll implement LAPS.

LAPS is very easy to deploy within an existing active directory. When going full Microsoft 365, you still need LAPS. There are many Azure AD LAPS tools out there and some of them are pretty good. But if you’ve read any my blogs, you’ll know I want a fast and simple solution…

For this solution you’ll need 3 things.

  1. Windows app (win32)
  2. Baseline AppLocker deployed to block registry tools
  3. A remote management tool for your device

1. Win32 app: Instead of creating a function app and key vault etc. I needed to create an Intunewinapp. (which can be automatically deployed to new tenants). Convert the PowerShell script to an intunewinapp to deploy it to Intune. You can change the $registrypath variable to your liking.

$content = @'
function Get-RandomCharacters($length, $characters) {
    $random = 1..$length | ForEach-Object { Get-Random -Maximum $characters.length }
    $private:ofs=""
    return [String]$characters[$random]
}
 
function Scramble-String([string]$inputString){     
    $characterArray = $inputString.ToCharArray()   
    $scrambledStringArray = $characterArray | Get-Random -Count $characterArray.Length     
    $outputString = -join $scrambledStringArray
    return $outputString 
}
 
$password = Get-RandomCharacters -length 8 -characters  'abcdefghiklmnoprstuvwxyz'
$password += Get-RandomCharacters -length 2 -characters  'ABCDEFGHKLMNOPRSTUVWXYZ'
$password += Get-RandomCharacters -length 3 -characters '1234567890'
$password += Get-RandomCharacters -length 1 -characters '!$%&/()=?@#*+'

net user admin $password

$registryPath = "HKLM:\SOFTWARE\Microsoft\LAPS"
New-Item -Path $registryPath
$name = "lapsww"
$value = $password
New-ItemProperty -Path $registryPath -Name $name -Value $value -Force | Out-Null

#Change Register permissions
$path = 'HKLM:\software\microsoft\dclaps'
#breaks inheritens.
$acl = (Get-Item $path).GetAccessControl('Access')
$acl.SetAccessRuleProtection($true,$true)
set-acl $path -AclObject $acl
#removes all access rules based on 'BUILTIN\Users'
$acl = (Get-Item $path).GetAccessControl('Access')
$acl.Access |where {$_.IdentityReference -eq 'BUILTIN\Users'} |%{$acl.RemoveAccessRule($_)}
set-acl $path -AclObject $acl

'@


# create custom folder and write PS script
$path = $(Join-Path $env:ProgramData CustomScripts)
if (!(Test-Path $path))
{
New-Item -Path $path -ItemType Directory -Force -Confirm:$false
}
Out-File -FilePath $(Join-Path $env:ProgramData CustomScripts\rotate.ps1) -Encoding unicode -Force -InputObject $content -Confirm:$false
 
# register script as scheduled task
$Time = New-ScheduledTaskTrigger -At 11:00AM -Weekly -WeeksInterval 4 -DaysOfWeek Monday
$User = "SYSTEM"
$Action = New-ScheduledTaskAction -Execute "powershell.exe" -Argument "-ex bypass -file `"C:\ProgramData\CustomScripts\rotate.ps1`""
Register-ScheduledTask -TaskName "Rotate" -Trigger $Time -User $User -Action $Action -Force 
Set-ScheduledTask -taskname "Rotate" -Settings $(New-ScheduledTaskSettingsSet -StartWhenAvailable -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries)
Start-ScheduledTask -TaskName "Rotate"
2. You’ll need a baseline AppLocker policy to prevent registry tools. When deploying this solution, the password will be put in a registry key on the local device. You don’t want the user to be able to search for the password, do you?

3. RMM tool: In the first step, we made sure the admin password is changed and noted in a registry key on the local device. Now, we want to able to read this key with an RMM tool. For example, here is a PowerShell (check) script you can push to your devices when using Solarwinds/NABLE RMM. With Solarwinds you can automatically apply a template with this check in it when a new device is enrolled!

$regPath = "HKLM:\SOFTWARE\Microsoft\DCLAPS"
$regVal = "lapsww"
try{
$regData = Get-ItemProperty $regPath -Name $regVal -ErrorAction Stop
if(($regData.$regVal) -ne 0)
{
Write-Output $regdata.lapsww
#Exit 1001
}
else
{
Write-Output $regdata
#Exit 0
}
}
catch
{
Write-Warning "Value Missing"
#Exit 1001
}

Conclusion

There should be no question why you need to implement LAPS and there are multiple ways to implement it. Of course, my solution may be not the best or fanciest. But hey? it could be the easiest and fastest one out there! You can enrol it within a few seconds (when you automated the whole Intune app deployment).

Also beware, this solution is version 1.0. There may improvements down the line.

UPDATE 15-07-2020: I changed the powershell script to make sure BUILTIN\Users is removed from the registry key ACL. So Only admin’s/system can read the key