How to use Windows LAPS – PowerShell

Last Updated on June 19, 2023 by Michael Morten Sonne

Intoduction

This is in relation to my last post Windows LAPS and management through Microsoft Intune – Blog – Sonne´s Cloud (sonnes.cloud) – but here we take a look into the PowerShell part of Windows LAPS!

First we need to get two items to use the MgGraph API to do some stuff, ant the is a ClientID of our application and your tenantID.

ClientID: Go the Azure Portal > Azure Active Directory > App Registrations and get the ID for your new created application

TenantID: You can either use this website (btw a nice tool), or go to the Azure Portal > Azure Active Directory and see it at the page there.

Get passwords in PowerShell

Next, using PowerShell and the information gathered above to sign into the Microsoft Graph API

Connect-MgGraph -Environment Global -TenantId 00caaaec-b1d5-4094-829a-a0e2dec71003 -ClientId  a33bbf12-2aec-44aa-6a8a-bb35ff5dffb4 -Scopes "Device.Read.All","DeviceLocalCredential.Read.All"

Note: If you granted the permission ‘DeviceLocalCredential.ReadBasic.All’ and not ‘DeviceLocalCredential.Read.All’ then replace the scope with ‘DeviceLocalCredential.ReadBasic.All’

When logging into the first time, you may need to accept the permission prompt – Concent on behaft of your organasation (and you need the right permissions to do that in your tenant).

Once it has authenticated you will be presented with a welcome message welcoming you to the Microsoft Graph API!

To get the LAPS password information of a device you will need the device ID (found in the Azure AD Portal). Once you have the device ID, run the following command

Get-LapsAADPassword -DeviceIds 5cebb25e-a20b-46d6-82fb-1ab0c74c9b1b

Notice how the information returned does not include the device password itself. If you granted the permission ‘DeviceLocalCredential.Read.All’ you can run the following command to include the LAPS password for the device to use.

Get-LapsAADPassword -DeviceIds 8155b933-9cfa-4d86-ba50-dd72ca6579db -IncludePasswords -AsPlainText

You can get a list of passwords for the devices history this way also.

Get-LapsAADPassword -DeviceIds 5cebb25e-a20b-46d6-82fb-1ab0c74c9b1b -IncludePasswords -AsPlainText -IncludeHistory

You can see the full documentation here: https://learn.microsoft.com/en-us/powershell/module/laps/

Rotate passwords

Intune portal

In the Intune Portal, click the device and then click the ellipses in the device overview. From there click Rotate local admin password.

Once the endpoint reboots, the password will be changed.

PowerShell

The cmdlet Reset-LapsPassword is ran locally against a machine that is using Windows LAPS.

This command need to be run with Administrator priviliges to work.

Force manual a policy proceessing

Windows LAPS processes the currently active policy on a periodic basis (every hour). To avoid waiting after you apply the policy, you can run the Invoke-LapsPolicyProcessing PowerShell cmdlet (does require Administrator rights).

Troubleshooting

The Get-LapsDiagnostics PowerShell cmdlet collects Windows Local Administrator Password Solution (LAPS) logs and tracing from the local machine. Included in this zip is the current device configuration and an overview of the LAPS Windows Event Logs.

Thank you for taking the time to visit my blog. Kindly share it with others if you find it helpful for them! 😉🔐👍

Stay tuned for the new post about something cool! 🥳

Total
0
Shares
Previous Article

Find Active Directory accounts configured to use DES and RC4 Kerberos encryption (is insecure!)

Next Article

Configure Exchange Online Certificate Based Authentication for unattended scripts

Related Posts

Discover more from Sonne´s Cloud

Subscribe now to keep reading and get access to the full archive 🤝🧑‍💻

Join 20 other subscribers