Last Updated on June 19, 2023 by Michael Morten Sonne
Introduction
This post follows on from my last post, Windows LAPS and management through Microsoft Intune – Blog – Sonne´s Cloud (sonnes.cloud), but here we take a look at the PowerShell side of Windows LAPS!
First we need two values to call the Microsoft Graph API from PowerShell: the Client ID (Application ID) of our app registration and your Tenant ID.
ClientID: Go to the Azure Portal > Azure Active Directory > App registrations and copy the Application (client) ID of the application you created.
TenantID: You can either use this website (btw a nice tool), or go to the Azure Portal > Azure Active Directory and read it from the Overview page.
Get passwords in PowerShell
Next, use PowerShell and the information gathered above to sign in to the Microsoft Graph API:
Connect-MgGraph -Environment Global -TenantId 00caaaec-b1d5-4094-829a-a0e2dec71003 -ClientId a33bbf12-2aec-44aa-6a8a-bb35ff5dffb4 -Scopes "Device.Read.All","DeviceLocalCredential.Read.All"
Note: If you granted the permission ‘DeviceLocalCredential.ReadBasic.All’ rather than ‘DeviceLocalCredential.Read.All’, replace the scope with ‘DeviceLocalCredential.ReadBasic.All’. ReadBasic only returns metadata (account name, update and expiry time), never the password itself.
When signing in for the first time you may need to accept the permission prompt and consent on behalf of your organization (this requires a role in your tenant that is allowed to grant admin consent).
Once it has authenticated you will be presented with a welcome message from Microsoft Graph!
To get the LAPS password information of a device you will need its Device ID (shown on the device's page in the Azure AD portal). Once you have the device ID, run the following command:
Get-LapsAADPassword -DeviceIds 5cebb25e-a20b-46d6-82fb-1ab0c74c9b1b
Notice that the information returned does not include the password itself. If you granted the permission ‘DeviceLocalCredential.Read.All’ you can run the following command to include the LAPS password for the device. Without -AsPlainText the password comes back as a SecureString, which is the safer default when you only need to hand it on to another cmdlet:
Get-LapsAADPassword -DeviceIds 8155b933-9cfa-4d86-ba50-dd72ca6579db -IncludePasswords -AsPlainText
You can also get the password history for the device this way:
Get-LapsAADPassword -DeviceIds 5cebb25e-a20b-46d6-82fb-1ab0c74c9b1b -IncludePasswords -AsPlainText -IncludeHistory
You can see the full documentation here: https://learn.microsoft.com/en-us/powershell/module/laps/
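To put the pieces above together, here is an added example (my own script for this post, not part of the LAPS module or Microsoft's documentation) that signs in with the least scope needed, queries several devices, flags passwords that are already past their expiry time, and only pulls plaintext when explicitly asked for. The tenant, client and device IDs are placeholders; the output property names (DeviceName, Account, Password, PasswordUpdateTime, PasswordExpirationTime) are the ones the LAPS module documents for Get-LapsAADPassword.

```powershell
# Added example (not from the original post). Requires the Microsoft.Graph
# (Connect-MgGraph) and LAPS (Get-LapsAADPassword) modules.
# All GUIDs below are placeholders; replace them with your own values.
param(
    [string]   $TenantId  = '00000000-0000-0000-0000-000000000000',
    [string]   $ClientId  = '00000000-0000-0000-0000-000000000000',
    [string[]] $DeviceIds = @('00000000-0000-0000-0000-000000000000'),
    [switch]   $ShowPasswords   # only request plaintext when really needed
)

Import-Module LAPS -ErrorAction Stop

# Least privilege: ReadBasic.All is enough to check rotation/expiry state.
$credScope = if ($ShowPasswords) { 'DeviceLocalCredential.Read.All' }
             else                { 'DeviceLocalCredential.ReadBasic.All' }

Connect-MgGraph -Environment Global -TenantId $TenantId -ClientId $ClientId `
                -Scopes 'Device.Read.All', $credScope

$now = Get-Date
$results = foreach ($id in $DeviceIds) {
    try {
        if ($ShowPasswords) {
            $cred = Get-LapsAADPassword -DeviceIds $id -IncludePasswords -AsPlainText
        } else {
            $cred = Get-LapsAADPassword -DeviceIds $id
        }

        [pscustomobject]@{
            DeviceName = $cred.DeviceName
            Account    = $cred.Account
            Updated    = $cred.PasswordUpdateTime
            Expires    = $cred.PasswordExpirationTime
            # An expired password means the client has not rotated it as scheduled;
            # worth checking the device with Get-LapsDiagnostics.
            Expired    = ($cred.PasswordExpirationTime -lt $now)
            Password   = if ($ShowPasswords) { $cred.Password } else { '<not requested>' }
        }
    }
    catch {
        # Typical causes: wrong device ID, device not LAPS-managed yet, missing scope
        Write-Warning "Device $id : $($_.Exception.Message)"
    }
}

$results | Sort-Object Expires | Format-Table -AutoSize

# Do not leave plaintext passwords lying around in the session
Remove-Variable results, cred -ErrorAction SilentlyContinue
Disconnect-MgGraph | Out-Null
```

Run it as `.\Get-LapsState.ps1 -DeviceIds $ids` to audit expiry without ever fetching passwords, and add `-ShowPasswords` only when you actually need to log on to a device. Note that every Get-LapsAADPassword call that includes passwords is recorded in the Azure AD audit log, so a reviewer can see who retrieved what.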
Rotate passwords
Intune portal
In the Intune Portal, open the device, click the ellipsis in the device overview and then click Rotate local admin password.
The device rotates the password the next time it checks in with Intune; a reboot is not required.
PowerShell
The Reset-LapsPassword cmdlet is run locally on a machine that is managed by Windows LAPS. It rotates the managed local account's password immediately and stores the new password in the configured directory (Azure AD or Active Directory).
This command must be run with administrator privileges to work.
Force manual policy processing
Windows LAPS processes the currently active policy periodically (every hour). To avoid waiting after you apply a new policy, run the Invoke-LapsPolicyProcessing PowerShell cmdlet (this also requires administrator rights).
Troubleshooting
The Get-LapsDiagnostics PowerShell cmdlet collects Windows Local Administrator Password Solution (LAPS) logs and tracing from the local machine into a zip file. Included in this zip are the current device configuration and the LAPS Windows event logs.
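The local-side cmdlets from the two sections above (Invoke-LapsPolicyProcessing and Reset-LapsPassword) and the diagnostics cmdlet fit naturally into one elevated script: apply the policy now, rotate, and then read what LAPS logged to decide whether a diagnostics bundle is needed. This is an added example written for this post, not code from the LAPS module; it assumes the device is already LAPS-managed, that the Microsoft-Windows-LAPS/Operational event log exists (it does on Windows LAPS clients), and that Get-LapsDiagnostics accepts the -OutputFolder parameter as documented.

```powershell
# Added example (not from the original post): run elevated on a LAPS-managed device.
#Requires -RunAsAdministrator
#Requires -Modules LAPS

$started = Get-Date

# 1. Apply the currently assigned LAPS policy now rather than waiting for the hourly cycle
Invoke-LapsPolicyProcessing

# 2. Rotate the managed local administrator password immediately.
#    The new password is written to Azure AD / AD before the local account is updated.
Reset-LapsPassword

# 3. Look at everything LAPS logged since this script started
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-LAPS/Operational'
    StartTime = $started
} -ErrorAction SilentlyContinue

$events | Select-Object TimeCreated, Id, LevelDisplayName, Message |
    Format-Table -Wrap -AutoSize

# 4. Only collect the diagnostics zip when something actually went wrong
#    (typical causes: no policy in effect, directory not reachable, account not found)
$errors = @($events | Where-Object { $_.LevelDisplayName -eq 'Error' })
if ($errors.Count -gt 0) {
    $outFolder = Join-Path $env:TEMP 'LAPSDiag'   # assumed location, change as needed
    New-Item -ItemType Directory -Path $outFolder -Force | Out-Null
    Get-LapsDiagnostics -OutputFolder $outFolder
    Write-Warning "LAPS logged $($errors.Count) error(s); diagnostics zip written to $outFolder"
}
else {
    Write-Host "LAPS policy processed and password rotated without errors."
}
```

After the rotation, confirm from the cloud side with `Get-LapsAADPassword -DeviceIds <id>` that PasswordUpdateTime has moved to the time of the rotation; if it has not, the device most likely could not write the new password to the directory, and the event log output above will say why.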
Thank you for taking the time to visit my blog. Kindly share it with others if you find it helpful for them! 😉🔐👍
Stay tuned for the new post about something cool! 🥳