Local Administrator Password Solution with Proactive Remediations & using Power Virtual Agent for Secret Retrieval

A few months ago I was looking at Local Administrator Password Solution(LAPS) on-premises and looking at how to bring it to Intune and ran across this solution provided by Tim Hermie, Serverless LAPS with Intune, Function App and Key Vault (cloud-boy.be). This blog post is very thorough with this solution and it works flawlessly, if you are looking to utilize LAPS for Endpoint Manager take a look at this blog post.

One of the base features under LAPS is to rotate the password every x number of days. I don’t believe Proactive Remediations was created at the time of creating that post so one addition I made was implementing a Proactive Remediation. The Detection Script I created checks to see the last date the account was been changed, if the date is greater than 60 days it will then run the remediation script which is no different than the LAPS script pushed as the function App.

#Gets Current Date for later Date comparison and formats it to Month/Day/Year and saves it to a variable
$currentDateTime = Get-Date -Format "MM/dd/yyyy"

#Gets the "PasswordLastReset" Property Value for the user "Support" on the machine and saves it to a variable
$lastPasswordReset = Get-LocalUser Support | Select-Object -ExpandProperty PasswordLastSet | Out-String

#Formats the $PasswordLastReset to Month/Day/Year 
$lastPasswordReset = Get-Date $lastPasswordReset -Format "MM/dd/yyyy"

#The time span between the $PasswordLastReset and $CurrentDateTime are computed and saved to a variable called $timeSpan
$timeSpan = New-TimeSpan -Start $lastPasswordReset -End $currentDateTime

#Current Scneario: If $timeSpan is greater that 60 Days then Remediation is required, else then Remediation is not Required
if($timeSpan.Days -ge 60)
    Write-Host "Remediation Required"
    Exit 1
    Write-Host "Remediation Not Required"    
    Exit 0

Working for a Global company it was quite an annoyance trying to ensure that I am targeting all time zones. The best course of action was to simply deploy it every 6 hours, this way the device has four chances in a day to get it.

LAPS on-prem also comes with a .exe to retrieve the key, unfortunately, since all of this is built out of the box for Intune this also has to be made out of the box. The Key Vault in Azure doesn’t have a search function so it makes retrieving the key a little difficult, additionally, if you have your Support/ServiceDesk team retrieving these keys you may want an easier and safer way to access only what they need. For this, you can always use a script or build a Form and share it with them to retrieve the secret from Azure’s Key Vault. The only downside to this is you have to check access, bug check, ensure they run the script properly, etc. Instead, you can utilize Power Virtual Agent/Teams Bot to retrieve the key, it’s easy to add, very fast, and best of all you can audit it.

Once the topic gets triggered the user is prompted for the computerName of the machine which is tied to how the secrets are stored in the Key Vault.

Power Virtual Agent’s are very lightweight, but get very powerful with the ability to call Flow Actions. This Flow is very simple because since they have an action out of the box for Get Secret, from there it is just inputting the variables.

When making this you will want to test your bot with yourself and several other people if you plan on modifying security permissions.

My current plan for this platform is to add more topics to the bit and make it an easy use tool for support. I’ve thought about adding:

  • Wipe Device
  • Bitlocker Key retrieval
  • Device Info

I plan on making an updated post to a more finished product, but this gives you a great preview if you are interested in adding something like this.


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s