MDM & GP Tips Blog

May 2023
01

What is Legacy Microsoft LAPS Emulation Mode?

In my two previous blogs I outlined the improved features and capabilities of the latest version of LAPS, which was made available with the Windows update released on April 11, 2023. The new version, called Windows LAPS (I refer to it as LAPS2), addresses some of the limitations of the original version, now called Legacy LAPS (or LAPS1). Those who have relied on LAPS1 will certainly want to upgrade, but what happens when you bring LAPS2 into a LAPS1 environment? The short answer is that the two versions do not run side by side on the same machine, and settings that exist in only one version are not honored by the other.

When you bring LAPS2 into an environment that has preexisting instances of LAPS1 you have two options. Either delete all instances of LAPS1 before implementing LAPS2 or use legacy Microsoft LAPS emulation mode to accommodate both to some degree.

Legacy Microsoft LAPS Emulation Mode Limitations

The original LAPS was implemented by installing the Microsoft LAPS Group Policy Client Side Extension (CSE). It is that extension that reads the password expiration time from the computer object in AD, generates and sets a new local administrator password when it has expired, and writes the new password and expiration back to AD. You can detect whether a computer has the extension installed by looking for the following registry key:

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{D76B9641-3288-4f75-942D-087DE603E3EA}

When LAPS2 reaches a machine that has the legacy CSE installed and a legacy LAPS policy configured (and no Windows LAPS policy), Windows LAPS runs in legacy Microsoft LAPS emulation mode. It takes over the legacy CSE's job rather than running alongside it, because two agents rotating the same account and writing to AD would conflict. In this mode the computer has LAPS2 but is still bound by the limitations of LAPS1. This means that:

  1. You can only store passwords in Windows Server Active Directory; only LAPS2 policy supports Azure AD as a backup directory.
  2. Passwords are stored in clear text. LAPS1 does not support password encryption, so while the newest version of LAPS does, you cannot take advantage of it.
  3. The LAPS tab in the Active Directory Users and Computers console does not read or write the legacy Microsoft LAPS schema attributes (ms-Mcs-AdmPwd and ms-Mcs-AdmPwdExpirationTime).
  4. You cannot use some of the newer LAPS2 cmdlets against legacy data. For instance, you cannot use the Set-LapsADPasswordExpirationTime cmdlet to modify the existing legacy LAPS password expiration attribute.
  5. All Windows LAPS policy settings that have no legacy Microsoft LAPS equivalent fall back to their disabled or default values.

 

Note that the Windows LAPS policy always wins. If a Windows LAPS policy applies to a machine, a legacy LAPS CSE installed on it is ignored and Windows LAPS does not enter emulation mode. Emulation mode only occurs when the legacy CSE and a legacy policy are present and no Windows LAPS policy is.

You can tell whether a computer is in emulation mode by opening Event Viewer, navigating to Applications and Services Logs > Microsoft > Windows > LAPS > Operational and looking for event 10023, which shows Legacy LAPS as the policy source.

Switching from Emulation Mode

Once you have implemented LAPS2, you will eventually want to move on from emulation mode. You can disable legacy Microsoft LAPS emulation mode on a device by creating a REG_DWORD registry value named BackupDirectory under the device-local configuration key (this is not the Group Policy key):

HKLM\Software\Microsoft\Windows\CurrentVersion\LAPS\Config

and setting it to zero. This prevents Windows LAPS from entering legacy Microsoft LAPS emulation mode regardless of whether the legacy Microsoft LAPS CSE is installed. Applying a Windows LAPS policy with a backup directory configured has the same effect, because the Windows LAPS policy takes precedence; once no device depends on it any more, uninstall the legacy CSE.
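The detection steps above (legacy CSE key, Windows LAPS policy, event 10023) and the Config override can be scripted. The following is an added example and is not code from the original post: the registry paths and the event ID come from the text, the function names are my own, and Disable-LapsEmulationMode only writes the Config value when you drop -WhatIf.

```powershell
# Added example, not code from the original post: report whether a device is in legacy
# Microsoft LAPS emulation mode and, on request, switch emulation off with the Config value
# described above. Registry paths and event ID 10023 come from the text; function names are mine.

$LegacyCseKey         = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{D76B9641-3288-4f75-942D-087DE603E3EA}'
$WindowsLapsPolicyKey = 'HKLM:\SOFTWARE\Microsoft\Policies\LAPS'                      # written by Group Policy
$WindowsLapsConfigKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\LAPS\Config' # device-local configuration

function Get-LapsEmulationState {
    # Legacy LAPS is detectable by its CSE registration under Winlogon\GPExtensions.
    $legacyCse = Test-Path -Path $LegacyCseKey

    # A Windows LAPS policy is in effect when BackupDirectory is 1 (Azure AD) or 2 (AD) here.
    $policyBackup = (Get-ItemProperty -Path $WindowsLapsPolicyKey -Name BackupDirectory -ErrorAction SilentlyContinue).BackupDirectory

    # Local override: BackupDirectory = 0 under the Config key blocks emulation mode.
    $configBackup = (Get-ItemProperty -Path $WindowsLapsConfigKey -Name BackupDirectory -ErrorAction SilentlyContinue).BackupDirectory

    # Event 10023 in the Windows LAPS Operational log names Legacy LAPS as the policy source.
    $emulationEvents = @(Get-WinEvent -FilterHashtable @{
            LogName = 'Microsoft-Windows-LAPS/Operational'
            Id      = 10023
        } -MaxEvents 5 -ErrorAction SilentlyContinue)
    $lastSeen = if ($emulationEvents.Count -gt 0) { $emulationEvents[0].TimeCreated } else { $null }

    # Emulation requires: legacy CSE present, no Windows LAPS policy, and no Config override of 0.
    $inEmulation = $legacyCse -and ($null -eq $policyBackup -or $policyBackup -eq 0) -and ($configBackup -ne 0)

    [pscustomobject]@{
        ComputerName               = $env:COMPUTERNAME
        LegacyCseInstalled         = $legacyCse
        PolicyBackupDirectory      = $policyBackup
        LocalConfigBackupDirectory = $configBackup
        EmulationEventsSeen        = $emulationEvents.Count
        LastEmulationEvent         = $lastSeen
        LikelyInEmulationMode      = [bool]$inEmulation
    }
}

function Disable-LapsEmulationMode {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    if (-not (Test-Path -Path $WindowsLapsConfigKey)) {
        New-Item -Path $WindowsLapsConfigKey -Force | Out-Null
    }
    if ($PSCmdlet.ShouldProcess($WindowsLapsConfigKey, 'Set BackupDirectory (REG_DWORD) = 0')) {
        Set-ItemProperty -Path $WindowsLapsConfigKey -Name BackupDirectory -Value 0 -Type DWord
    }
}

Get-LapsEmulationState | Format-List
# Disable-LapsEmulationMode -WhatIf   # drop -WhatIf to apply
```

Run it from an elevated PowerShell session on the managed device (reading the policy key and the Operational log does not need elevation, but writing the Config value does). LikelyInEmulationMode is an inference from the registry state; the 10023 event is the authoritative signal.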

Remember that the new Windows LAPS does not require you to install any CSE. Once a computer has the April 2023 update and is joined to Windows Server Active Directory or Azure AD (or is hybrid joined), it is LAPS2 capable. After that it just needs a LAPS policy to deliver the configured settings.

Apr 2023
17

A Further Deep Dive into Windows LAPS (LAPS2)

I am extending my focus on the new Windows LAPS or, as I call it, LAPS2. LAPS2 is Microsoft's newest release of its Local Administrator Password Solution, which fixes some of the shortcomings of the initial release from years ago, now referred to as Legacy LAPS or LAPS1. In Part 1 of this series, we looked at how to implement LAPS2 and configure the new Group Policy settings for it. Today I am going to finish our discussion on implementing LAPS2 in a traditional AD environment.

The New PowerShell Scripts

The new LAPS ships with an in-box PowerShell module named LAPS, so there is nothing to download or install. You can list its cmdlets with Get-Command -Module LAPS, as shown in the screenshot below.

Here are the cmdlets that you will find the most relevant:

Get-LapsADPassword

Use it to query Windows Server Active Directory for Windows LAPS passwords.

Get-LapsAADPassword

Use it to query Azure Active Directory for Windows LAPS passwords.

Reset-LapsPassword

Use it on the managed device to initiate an immediate password rotation.

Set-LapsADPasswordExpirationTime

Use it to update a computer's Windows LAPS password expiration time in Windows Server Active Directory, for example to force a rotation on the device's next policy cycle.

 

Now let's put two of these cmdlets into action. LAPS2 introduces new AD attributes (the msLAPS-* attributes), but first you need to update the schema using the Update-LapsADSchema command in PowerShell as shown here.

Note that the cmdlet must be run by a member of Schema Admins from a device that has the April 2023 update installed (KB5025229 on Windows Server 2019); it extends the schema on the schema master. If you intend to use password encryption, the domain functional level must be 2016 or higher. If the command fails to complete, run Update-LapsADSchema -Verbose and read the output to either confirm the schema update completed or find out where the process is erroring out. The screenshot shows a portion of the output, which in this case completed in its entirety.

Next you need to grant permissions to the machines that will be updating their passwords. This is done by setting inheritable permission to the Organizational Unit(s) where the target machines reside using the Set-LapsADComputerSelfPermission command. In the example below I assigned the permission to the Servers OU.

If you don’t see the Distinguished Name in the output, then the command did not complete.

Once the PowerShell commands have been run, deploy your LAPS GPO and you should be good to go. You can confirm that the policy reached a device by checking the Windows LAPS Operational log in Event Viewer. You can navigate there by going to:

 Application and Service Logs > Microsoft > Windows LAPS > Operational.

The screenshot below shows that the LAPS policy has been successfully configured.

Now that the LAPS policy is in effect, it's time to retrieve the passwords to log in to the machines. There are two ways to do this. You can use the following command in PowerShell:

Get-LapsADPassword -Identity Server2022 -AsPlainText as shown below.
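The AD-side procedure above (schema update, self-permission on the OU, password retrieval and expiry) as one script. This is an added example, not code from the original post: the OU distinguished name and the computer name Server2022 are placeholders, and it deliberately keeps the password as a SecureString (the -AsPlainText form in the text is convenient for a demo but leaves the password in console history and transcripts).

```powershell
# Added example, not code from the original post: the AD-side steps above in one script.
# 'OU=Servers,DC=corp,DC=example,DC=com' and 'Server2022' are placeholders; run the schema
# step as a member of Schema Admins and the permission step as someone who can edit the OU ACL.
#Requires -Modules LAPS

$ServersOu = 'OU=Servers,DC=corp,DC=example,DC=com'   # assumed OU
$Target    = 'Server2022'                               # assumed computer name

# 1. Extend the schema with the msLAPS-* attributes. Safe to rerun; -Verbose shows each step.
Update-LapsADSchema -Verbose

# 2. Grant computers in the OU (inheritable) permission to write their own LAPS attributes.
Set-LapsADComputerSelfPermission -Identity $ServersOu

# 3. Check who holds the extended right to read the encrypted password on that OU.
#    Expect Domain Admins (or your chosen decryptor group), not broad groups.
Find-LapsADExtendedRights -Identity $ServersOu | Format-Table ObjectDN, ExtendedRightHolders -AutoSize

# 4. Retrieve the current password. Without -AsPlainText the Password property is a SecureString,
#    which can go straight into a PSCredential without ever hitting the console or a transcript.
$laps    = Get-LapsADPassword -Identity $Target -IncludeHistory
$current = $laps | Sort-Object PasswordUpdateTime -Descending | Select-Object -First 1
'{0}: account {1}, updated {2}, expires {3}, source {4}' -f $current.ComputerName, $current.Account,
    $current.PasswordUpdateTime, $current.ExpirationTimestamp, $current.Source

$cred = [pscredential]::new("$Target\$($current.Account)", $current.Password)
# Enter-PSSession -ComputerName $Target -Credential $cred

# 5. When you are done, expire the password so the device rotates it on its next policy cycle.
Set-LapsADPasswordExpirationTime -Identity $Target -WhenEffective (Get-Date)
```

Step 5 is the part people forget: a retrieved password stays valid until its natural expiration unless you expire it (or run Reset-LapsPassword on the device), which is exactly the window the post-authentication actions in Part 1 are meant to close.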

You can also use Active Directory. Remember we updated the schema which created new AD attributes. Find the designated computer in Active Directory Users & Computers and view its properties. Then click on the LAPS tab to view the LAPS settings as shown below.

Note that you can also modify the expiration date for the LAPS generated password using this tab as shown here.

If you are having trouble getting LAPS to work properly here are two possible gotchas:

  • The LAPS password settings must satisfy the password policy that applies to local accounts on the device (on a domain-joined computer that is the domain's default password policy). If the domain requires 10 characters, an 8-character LAPS password will be rejected, so the length and complexity in your LAPS policy must be equal to or stricter than the applicable policy.
  • Be sure to reboot the computers that you are assigning the LAPS policy to.

Emulation Mode

If a machine already runs the original LAPS (LAPS1) and its policy, Windows LAPS on that machine runs in legacy Microsoft LAPS emulation mode: it takes over the legacy behavior, but none of the LAPS2-only features are available to it. If a LAPS2 policy is present on the machine, it will always take precedence, regardless of how it was applied, and the legacy CSE is ignored. In other words, only one version's policy is in effect on a given machine at any time. In our next installment I will discuss how to uninstall LAPS1 from your environment and escape this complexity.

Apr 2023
03

Why You Need to Checkout LAPS2 to Shore Up Security (Part 1)

Local Administrator Password Solution (LAPS) has been around for a while now. LAPS was released by Microsoft as a way for companies to avoid the practice of using a common password for all local administrator accounts. If a local administrator credential is compromised, a threat actor can then move laterally across your enterprise accessing one system after another using that single account.

LAPS acts as a type of password manager that issues a different password for a local administrator account on each designated device. That means if bad guys get a local password for one machine, they can’t get into another, so the breach is contained. Like a password manager, you don’t have to know the unique password for every local admin account because LAPS gives you a way to securely retrieve the password.

It would be nice if we didn't need local administrator accounts at all, but unfortunately you can't do everything through Group Policy, SCCM or an MDM. There is always going to be a task that calls for a support admin to log on to the machine to manually tweak something as an Admin... and that is where LAPS comes in. The original LAPS was a bolt-on solution: you had to download the MSI from Microsoft and install it. The original release had a few shortcomings. The passwords could only be stored in Active Directory, so those with Azure AD were out of luck. It also stored the password in plain text in the ms-Mcs-AdmPwd attribute, so anyone with read access to that attribute could see it.

The New LAPS

Microsoft just released the new version of LAPS in April 2023. It is designed to replace the original version which means we need a way to distinguish them both. Some refer to the original LAPS as “Legacy LAPS” but I prefer LAPS1. I will refer to the newest release as LAPS2 although Microsoft had named it Windows LAPS. One big differentiator is the fact that it also supports Azure Active Directory although it is currently only available in private preview. Since it isn’t universally available yet, we will focus on the new capabilities it brings to Windows Server Active Directory.

How to Get LAPS2

One difference right out of the gate is the fact that LAPS2 is natively integrated into Windows with KB5025229, OS Build 17763.4252, released on April 11, 2023. There's nothing to manually download or install. Once the update is completed you need to retrieve the LAPS ADMX template file (LAPS.admx), which is located in %SystemRoot%\PolicyDefinitions as shown in the screenshot below. Then just copy the file into your central store. You will also need to copy the matching ADML file from your language folder, in my case en-US.

I want to take a second to comment on a common misconception out there that Microsoft has abandoned on-prem AD and is focusing solely on the cloud. The release of LAPS2 demonstrates their continued commitment to investing in AD technology. There are thousands of enterprises out there that continue to use AD and LAPS2 helps to fill a critical security gap.

Implementing LAPS2 with Group Policy

KB5025229 adds new Group Policy settings and AD schema attributes. If you are familiar with LAPS1 then you were accustomed to navigating to Computer Configuration > Administrative Templates > LAPS, where you had four settings to configure.

Well, forget that path because LAPS2 settings are accessed by going to Computer Configuration > Administrative Templates > System > LAPS, where we have more settings to choose from as shown below. To enable LAPS2 you must enable "Configure password backup directory".

It’s in this setting that you will choose your backup directory. In this case I chose Active Directory below.

The next step should be to specify the name of the local admin account that will be assigned the passwords as shown in the example below.

One new feature of LAPS2 is a configurable password history. This comes in handy if you need to restore a machine to a previous state in which the password was rotated. Group Policy lets you enable this feature and specify the size of your desired history (the maximum is 12) which I did below.

As mentioned, LAPS2 offers encryption to secure the passwords. This requires that you turn on the “Enable password encryption” setting. Another new feature is the ability to manage passwords for the Directory Service Restore Mode (DSRM) accounts. The “Enable password backup for DSRM accounts” setting has no effect unless the managed device is a domain controller and you have password encryption enabled. You can also configure “Post-authentication settings” to ensure that a password isn’t changed while a user is logged on by enforcing a delay or grace period after any successful login of a LAPS-managed account. When enabled, the policy allows you to state how long a grace period you want and select the designated action you want. In the example below I chose “Reset the password and logoff the managed account.”
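Group Policy delivers the settings described in this section to the device as values under HKLM\SOFTWARE\Microsoft\Policies\LAPS. The following script is an added example, not code from the original post: it reads those documented value names back and flags the combinations a reviewer would push back on (clear-text storage in AD, short or simple passwords, a post-authentication action that leaves the session logged on). The thresholds it uses are my own recommendations, not Microsoft defaults.

```powershell
# Added example, not code from the original post: audit the Windows LAPS policy a device has
# received and flag weak or incomplete settings. Value names are the documented LAPS policy
# names; the thresholds (14 chars, complexity 4, 30 days, 8 h delay) are my recommendations.

$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Policies\LAPS'

$BackupDirectoryNames = @{ 0 = 'Disabled'; 1 = 'Azure AD'; 2 = 'Active Directory' }
$PostAuthActionNames  = @{ 1 = 'Reset password'; 3 = 'Reset password and logoff'; 5 = 'Reset password and reboot' }

function Get-LapsPolicyAudit {
    if (-not (Test-Path -Path $PolicyKey)) {
        return [pscustomobject]@{ Configured = $false; Findings = @('No Windows LAPS policy present on this device') }
    }
    $p = Get-ItemProperty -Path $PolicyKey
    $findings = [System.Collections.Generic.List[string]]::new()

    # Effective values; when a value is absent the documented default applies.
    $backup   = if ($null -ne $p.BackupDirectory)              { [int]$p.BackupDirectory }              else { 0 }
    $length   = if ($null -ne $p.PasswordLength)               { [int]$p.PasswordLength }               else { 14 }
    $complex  = if ($null -ne $p.PasswordComplexity)           { [int]$p.PasswordComplexity }           else { 4 }
    $ageDays  = if ($null -ne $p.PasswordAgeDays)              { [int]$p.PasswordAgeDays }              else { 30 }
    $encrypt  = if ($null -ne $p.ADPasswordEncryptionEnabled)  { [int]$p.ADPasswordEncryptionEnabled }  else { 1 }
    $history  = if ($null -ne $p.PasswordHistorySize)          { [int]$p.PasswordHistorySize }          else { 0 }
    $postAuth = if ($null -ne $p.PostAuthenticationActions)    { [int]$p.PostAuthenticationActions }    else { 3 }
    $delayHrs = if ($null -ne $p.PostAuthenticationResetDelay) { [int]$p.PostAuthenticationResetDelay } else { 24 }
    $managed  = if ($p.AdministratorAccountName) { $p.AdministratorAccountName } else { '(built-in Administrator, RID 500)' }

    if ($backup -eq 0)   { $findings.Add('BackupDirectory is 0: LAPS is disabled and the password is not managed') }
    if ($length -lt 14)  { $findings.Add("PasswordLength $length is below 14") }
    if ($complex -lt 4)  { $findings.Add("PasswordComplexity $complex does not require all four character classes") }
    if ($ageDays -gt 30) { $findings.Add("PasswordAgeDays $ageDays exceeds 30") }
    if ($backup -eq 2 -and $encrypt -eq 0) { $findings.Add('Passwords are stored in AD in clear text (ADPasswordEncryptionEnabled = 0)') }
    if ($postAuth -eq 1) { $findings.Add('Post-authentication action only resets the password; the admin session stays logged on') }
    if ($delayHrs -gt 8) { $findings.Add("PostAuthenticationResetDelay of $delayHrs hours leaves a used password valid for a long time") }
    if (-not $p.AdministratorAccountName) { $findings.Add('AdministratorAccountName not set: the built-in Administrator account will be managed') }

    [pscustomobject]@{
        Configured         = $true
        BackupDirectory    = $BackupDirectoryNames[$backup]
        ManagedAccount     = $managed
        PasswordLength     = $length
        PasswordComplexity = $complex
        PasswordAgeDays    = $ageDays
        EncryptionEnabled  = [bool]$encrypt
        PasswordHistory    = $history
        PostAuthAction     = $PostAuthActionNames[$postAuth]
        PostAuthDelayHours = $delayHrs
        Findings           = $findings.ToArray()
    }
}

Get-LapsPolicyAudit | Format-List
```

An empty Findings array is what you want to see after the GPO has applied; a non-empty one tells you which of the settings above still needs attention before the policy is rolled out widely.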

In Part 2 of this discussion, we will look at the new PowerShell scripts that LAPS2 offers, the new LAPS property page in AD Users & Computers as well as how to operate LAPS and LAPS2 together.

 

Mar 2023
20

Intune Makes it Easier to Deploy Microsoft Store Apps

You can use Intune to manage and deploy apps from the Microsoft Store to your managed devices. These include default store apps as well as apps that you upload to your Microsoft Store for Business or Education. While it has always been relatively easy to deploy apps in this manner, Intune just made it even easier.

To deploy Microsoft Store apps in Intune you go to Apps > All apps > Add and select the desired App type. In this example, I will select “Microsoft Store app (legacy)” to demonstrate the former way of configuring app deployment. This gets you to the following screen:

Here you need some required app details such as Name, Description, Publisher and Appstore URL. So how do you find the publisher and Appstore URL?

Let’s say I want to deploy Python 3.11 to a team of developers or student group.  To find the Appstore URL I will go to the Microsoft Store and search for Python as shown below where I will choose Python 3.11.

As you can see below, the app category is listed in the top left-hand corner. In the bottom right I will click the link for “Endpoint Manager” to get the Appstore URL.

Then simply copy the link as shown in the screenshot below.

I then paste the URL into the App Information page. Then assign the app to the designated groups and complete the creation wizard.

Now let’s add it again but this time I will choose “Microsoft Store app (new)” as the App type. That will bring me to the wizard screen once again as is shown below. Now in App information you need only click the Search hyperlink. I did a search for “Python” and selected Python 3.11.

There is no need to surf the store itself or copy/paste links anymore. Again, finish out the creation wizard by assigning the app to your designated groups and you are done.

 

Feb 2023
21

Use Intune to Restrict Access to the Advanced Startup Menu

Some users will always try to get around the Windows setting restrictions you implement using Intune or Group Policy. A few will even attempt to reset their device. Denying standard users local admin rights is one way to prevent them from doing so through the Recovery settings. That doesn't prevent them from resetting their device using the Advanced Startup menu, however. There are several ways to reach the Advanced Startup menu, such as holding Shift while clicking Restart or interrupting the boot process. From there you navigate to Troubleshoot > Reset this PC and select the desired options such as "Keep my files" or choosing to remove everything. Besides the reset option, the Advanced Startup menu gives users access to System Restore, Startup Repair, Command Prompt, and a few other things.

Fortunately, Intune provides a way to keep standard users out of this area. In Intune go to Devices > Configuration profiles > Create profile and select Windows 10 and later as the platform and Settings catalog as the profile type. Name the profile and go to Configuration Settings. Using the Settings picker do a search for “recovery” and choose the Security category and select both available options as shown in the screenshot below.

  • Recovery Environment Authentication
  • Recovery Environment Authentication (User)

Then assign the profile to your desired group(s) and wait for the profile to be delivered. Now when a user accesses the Advanced Startup Menu to do something such as resetting their device, they will be prompted to select a local admin account as shown in the picture below. In this case I am choosing the Tech Admin account.

The user is then prompted for the credentials of that account as shown here.

Unless the correct credentials are typed in, further access to the advanced startup options is not available.

 

Feb 2023
13

How to Enable Alternative Authentication Methods using Group Policy and Intune

We know the vulnerabilities of passwords today. User accounts are constantly under siege by credential stuffing attacks and malicious code and tools like key loggers that aim to capture passwords as users type them in. That’s why it is essential to support password authentication with some type of multifactor authentication such as a text messaging, authenticator apps or FIDO keys.

For Windows 10 and Windows 11, there are alternative sign-in methods available. For instance, biometric logons might be a good choice for those users that have laptops with built-in fingerprint sensors. Picture passwords may appeal to some organizations as an alternative. The Windows picture password sign-in requires a user to repeat several gestures on a selected picture. Then again, organizations that want to enforce a standard desktop for all users may not want this option to be available. For users that always log onto the same computer, a PIN may be attractive, because a PIN is local to a specific device, so a compromised PIN is only good for its assigned device.

The point of this blog is just to show you how to enable/disable these alternatives using Group Policy or Intune. Let’s start with picture passwords. If you want to disable this option using Group Policy, create a GPO and go to Computer Configuration > Administrative Templates > System > Logon and enable “Turn off picture password sign-in” as shown below. The PIN setting is in the same location. In the screenshot below, I have disabled both options.

You use the same Administrative Template path in Intune as well. Create a configuration profile and select Windows 10 and later as the platform and Templates > Administrative templates as the profile. Then navigate to Computer Configuration > Administrative Templates > System > Logon and enable "Turn off picture password sign-in" as shown in the screenshot below. Once again, the PIN setting is there as well.

For fingerprint scanning or other biometric authentication options, create a GPO and go to Computer Configuration > Administrative Templates > Windows Components > Biometrics and enable "Allow the use of biometrics" and "Allow users to log on using biometrics." In the screenshot below I have enabled both of these.

To manage biometric settings using Intune, create a configuration profile and select Windows 10 and later as the platform and Templates > Identity protection as shown below.

After naming the profile, go and enable "Configure Windows Hello for Business." This will then provide access to all of its category settings. Then select "Allow biometric authentication" with the result looking like the screenshot below.

Feb 2023
06

How to Disable Nearby Sharing with Group Policy and Intune

Nearby Sharing is a feature in Windows 10 and Windows 11 that lets users transfer documents, pictures and links to nearby compatible devices over a combination of Bluetooth and Wi-Fi. It can be a useful collaboration feature, but there are situations in which you don't want it available, such as an educational environment where students are taking an online exam. We will look at a couple of ways to disable it.

Nearby Sharing is found under Shared experiences in your system settings as shown below.

To manage Nearby Sharing using Group Policy, create a GPO and go to Computer Configuration > Policies > Administrative Templates > System > Group Policy and disable "Continue experiences on this device" as shown in the screenshot below. When disabled, the Windows device will not be discoverable by other devices and cannot participate in cross-device experiences.

If you want to use Intune, create a configuration profile, and select Windows 10 and later as the platform and choose Templates > Administrative templates as the profile. Then follow the same template path - Computer Configuration > Policies > Administrative Templates > System\Group Policy > and disable “Continue experiences on this device” as shown below.

Users will no longer be able to transfer files amongst each other on their enterprise devices.

Feb 2023
02

Go and Get Rid of those Old Group Policies that are no Longer Used

Many people have a hard time parting with stuff. That's why the self-storage industry is so successful regardless of what the economy is doing. Just as a lot of the stuff contained in storage units will never be used again, there are probably some unused group policies still lingering on your domain controllers, taking up space and creating unnecessary clutter. A couple of good examples are GPOs that have all settings disabled or are no longer linked to anything.

You can disable/enable settings for any GPO in the Details tab in Group Policy Management Console. As shown below, you can disable computer configuration settings, user configuration settings, or all settings configured within the GPO.

Keep in mind that its best practice to only configure settings for one side or the other. A GPO that is configured on both sides should be split into two separate GPOs in the first place. Therefore, there’s no need to have one side disabled as shown below.

Disabling both sides of a GPO means that the GPO is essentially doing nothing. If these settings are no longer required, then they should be decommissioned entirely by deleting the GPO.

If you have a well-designed AD with a well-defined OU structure, you need only link your GPOs to an applicable OU and assign it to the Authenticated Users group. This makes security filtering easy and straight forward. Unlinking a GPO is the same as turning it off for a designated OU. A GPO that isn’t linked anywhere is probably one that is no longer needed such as the GPO shown in the screenshot below. In this case, this GPO could probably be decommissioned entirely.

There are some exceptions, however. For instance, you may use some GPOs for testing purposes that are only used for brief periods. You also may have some GPOs you only want turned on at various times of the year. An example might be a school system that enacts certain policies at the start or close of the school year only.

Remember that to delete a GPO you must do so from the Group Policy Objects node, where all your GPOs are listed in alphabetical order. Deleting a GPO link under an OU removes only the link, not the GPO. Before you delete any GPO, back it up, just in case you find out down the road that you really do need that policy for something.
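The two cleanup criteria above (not linked anywhere, all settings disabled) and the back-up-before-delete rule can be applied across the whole domain with the GroupPolicy module. This is an added example, not code from the original post: the function names and the backup path are mine, the unchanged-for-90-days guard is there to protect the test and seasonal GPOs the text mentions, and deletion only happens when you drop -WhatIf.

```powershell
# Added example, not code from the original post: list GPOs that are unlinked or have all
# settings disabled, back each one up, and only then delete (deletion is opt-in via -WhatIf).
# Requires the GroupPolicy RSAT module; 'C:\GPO-Backups' is a placeholder path.
#Requires -Modules GroupPolicy

function Get-StaleGpo {
    foreach ($gpo in Get-GPO -All) {
        # The XML report lists every site, domain and OU the GPO is linked to as a SOMPath element.
        [xml]$report = Get-GPOReport -Guid $gpo.Id -ReportType Xml
        $links  = @($report.GetElementsByTagName('SOMPath') | ForEach-Object { $_.InnerText })
        $reason = @()
        if ($links.Count -eq 0)                       { $reason += 'Not linked anywhere' }
        if ($gpo.GpoStatus -eq 'AllSettingsDisabled') { $reason += 'All settings disabled' }
        if ($reason.Count -gt 0) {
            [pscustomobject]@{
                DisplayName  = $gpo.DisplayName
                Id           = $gpo.Id
                GpoStatus    = $gpo.GpoStatus
                ModifiedTime = $gpo.ModificationTime
                LinkedTo     = $links -join '; '
                Reason       = $reason -join '; '
            }
        }
    }
}

function Remove-StaleGpo {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory)][string]$BackupPath,
        [int]$UnchangedForDays = 90   # skip anything edited recently: test or seasonal GPOs
    )
    if (-not (Test-Path -Path $BackupPath)) { New-Item -ItemType Directory -Path $BackupPath | Out-Null }
    $cutoff = (Get-Date).AddDays(-$UnchangedForDays)

    foreach ($stale in Get-StaleGpo | Where-Object ModifiedTime -lt $cutoff) {
        # Always take a backup first; Restore-GPO / Import-GPO can bring it back later.
        Backup-GPO -Guid $stale.Id -Path $BackupPath -Comment "Pre-decommission backup $(Get-Date -Format s)" | Out-Null
        if ($PSCmdlet.ShouldProcess($stale.DisplayName, "Remove GPO ($($stale.Reason))")) {
            Remove-GPO -Guid $stale.Id
        }
    }
}

Get-StaleGpo | Format-Table DisplayName, GpoStatus, ModifiedTime, Reason -AutoSize
# Remove-StaleGpo -BackupPath 'C:\GPO-Backups' -WhatIf   # drop -WhatIf to back up and delete
```

Review the Get-StaleGpo table before running the removal: a GPO that is unlinked on purpose (the school-year example above) will show up here, and the only thing protecting it is the modification-date guard.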

 

Jan 2023
24

How to Verify Your Current Intune Service Release Version

Anyone that works with Microsoft Intune has experienced this. You read about a newly released Intune preview feature that sounds enticing. You then logon to your Intune portal only to find its not there. What’s the deal?

Microsoft regularly releases new updates to the Intune platform, at least once a month. Each service release includes new features, capabilities and bug fixes. Like regular Windows updates, these service releases are deployed using a phased approach, so not all tenants receive them simultaneously. For instance, government tenants are updated last, and some geographical parts of the world receive them before others. This methodical approach is done to identify issues before a release reaches all Intune customers. If your Intune portal lacks a new feature you just read about, chances are it's because your tenant isn't on the latest Intune service release version yet.

The Tenant Status Page

There’s an easy way to find which service release version your Intune portal is currently running. Navigate to Tenant Administration and select Tenant Status. Here you will see the Service release version as shown in the screenshot below.

Here you will also find other information such as your Tenant name, Tenant Location, the number of licensed users present and the number of Intune enrolled devices. If you find that your Service release version doesn’t match up with the latest one you read about, just be patient and check back in a week.

Jan 2023
12

3 Ways to Enable/Disable LSA on Windows 10 and 11

The Local Security Authority (LSA) is the Windows subsystem, hosted by the LSASS process, that verifies logon attempts and password changes, creates access tokens, enforces local security policy, and holds cached credentials in memory. Because of those credentials LSASS is a prime target for credential-dumping tools, so starting with Windows 8.1 Microsoft added LSA protection: LSASS runs as a protected process light (PPL), and only Microsoft-signed code is allowed to load into it or open it. With the growing threat landscape out there, it's a good thing to enable for your Windows desktops and servers.

The good news is that LSA protection is enabled by default for devices running Windows 11, 22H2 that meet the following conditions:

  • Windows 11, 22H2 was newly installed on the device and not upgraded from a previous release
  • The device is enterprise joined be it AD domain joined, Azure AD domain joined or a hybrid configuration.

While Microsoft advocates enabling LSA across your enterprise, they recommend that you first identify all LSA plug-ins and drivers that are in use within your organization and ensure that they are digitally signed with a Microsoft certificate and perform as expected. You can refer to this document for more information.

At the time of writing there is no Intune setting for LSA protection. Your three available management options for now are Windows Security, the registry, and Group Policy.

Enabling LSA on a Local Device

If you just have a few computers to manage, you can enable LSA protection locally on the desktops themselves by going to Windows Security > Device security > Core isolation details and turning on the toggle under the Local Security Authority protection section. In the screenshot below, LSA protection is currently disabled.

Registry

You can manage LSA protection through the registry, either with the local registry editor or with a GPO using Group Policy Preferences. Two locations are involved.

For audit mode, the key is:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\LSASS.exe

Under that key create a REG_DWORD value named AuditLevel and set it to 8 (00000008). Audit mode does not block anything; it logs the LSA plug-ins and drivers that would fail to load under LSA protection (Microsoft-Windows-CodeIntegrity/Operational, events 3065 and 3066), which makes it the right first step for finding incompatible software before you enforce.

To fully enable LSA protection, the value lives under a different key:

HKLM\SYSTEM\CurrentControlSet\Control\Lsa

Create a REG_DWORD value named RunAsPPL and set it to 1 (00000001) as shown in the screenshot below. On Windows 11 22H2 and later, a value of 2 enables protection without the UEFI lock. The change takes effect at the next reboot; once LSASS starts as a protected process, Wininit logs event 12 in the System log.

You can create a GPO and use Group Policy Preferences to push out these registry values. Go to Computer Configuration > Preferences > Registry > right click and choose “New registry item” and input the required values as shown below.
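The registry procedure above, staged the way a rollout should be (audit first, enforce second, verify after reboot), as an added example that is not code from the original post. The registry locations and event IDs are the documented ones; the function names are mine.

```powershell
# Added example, not code from the original post: put LSA protection into audit mode or
# enforce it, then read back what Windows reports. Registry locations are the documented
# ones; function names are mine.

$IfeoLsass = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\LSASS.exe'
$LsaKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

function Set-LsaProtection {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][ValidateSet('Audit', 'Enforce')][string]$Mode)

    if ($Mode -eq 'Audit') {
        # Audit mode: log plug-ins and drivers that would be blocked, without blocking them.
        if (-not (Test-Path -Path $IfeoLsass)) { New-Item -Path $IfeoLsass -Force | Out-Null }
        if ($PSCmdlet.ShouldProcess($IfeoLsass, 'AuditLevel (REG_DWORD) = 8')) {
            Set-ItemProperty -Path $IfeoLsass -Name AuditLevel -Value 8 -Type DWord
        }
    }
    else {
        # Enforcement: RunAsPPL lives under Control\Lsa, not under IFEO. Applies at next boot.
        # 1 = enabled (UEFI lock where supported); 2 = enabled without UEFI lock (Windows 11 22H2+).
        if ($PSCmdlet.ShouldProcess($LsaKey, 'RunAsPPL (REG_DWORD) = 1')) {
            Set-ItemProperty -Path $LsaKey -Name RunAsPPL -Value 1 -Type DWord
        }
    }
}

function Get-LsaProtectionStatus {
    $runAsPpl = (Get-ItemProperty -Path $LsaKey -Name RunAsPPL -ErrorAction SilentlyContinue).RunAsPPL
    $auditLvl = (Get-ItemProperty -Path $IfeoLsass -Name AuditLevel -ErrorAction SilentlyContinue).AuditLevel

    # Wininit writes event 12 to the System log when LSASS starts as a protected process.
    $started = Get-WinEvent -FilterHashtable @{
        LogName = 'System'; ProviderName = 'Microsoft-Windows-Wininit'; Id = 12
    } -MaxEvents 1 -ErrorAction SilentlyContinue
    $lastStart = if ($started) { $started.TimeCreated } else { $null }

    # In audit mode, CodeIntegrity events 3065/3066 name each image that would fail under protection.
    $auditHits = @(Get-WinEvent -FilterHashtable @{
            LogName = 'Microsoft-Windows-CodeIntegrity/Operational'; Id = 3065, 3066
        } -ErrorAction SilentlyContinue)

    [pscustomobject]@{
        ComputerName        = $env:COMPUTERNAME
        RunAsPPL            = $runAsPpl
        AuditLevel          = $auditLvl
        ProtectedAtLastBoot = [bool]$started
        LastProtectedStart  = $lastStart
        AuditFindings       = $auditHits.Count
        AuditMessages       = @($auditHits | Select-Object -First 5 -ExpandProperty Message)
    }
}

Get-LsaProtectionStatus | Format-List
# Set-LsaProtection -Mode Audit -WhatIf     # stage 1: discover incompatible plug-ins, then review AuditMessages
# Set-LsaProtection -Mode Enforce -WhatIf   # stage 2: turn protection on, then reboot and re-run the status check
```

Run the status check again after the reboot that follows enforcement: RunAsPPL set to 1 in the registry only tells you what was requested, while event 12 tells you the protection actually took effect.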

Group Policy ADMX

You can enable/disable LSA using Group Policy as well. In Group Policy Management Editor go to Computer Configuration > Administrative Templates > System > Local Security Authority. The setting you want is “Configure LSASS to run as a protected process.” In the screenshot below you will notice a down arrow beside the setting title. The down arrow indicates that the setting is a preference setting and not stored in the typical group policy location in the registry.

Conclusion

Credential-theft tools work by reading from or injecting into the LSASS process, which is why you need to protect the Windows logon subsystem as much as possible. LSA protection is a great out-of-the-box control to help you achieve that.