With Jeremy Moskowitz
In my previous blog I showed how to set up LAPS for Azure AD. With everything configured correctly, it is now time to retrieve the password for the local administrator account that our policy manages. To retrieve the password, go to your Azure portal and navigate to Devices > All Devices > Local administrator password recovery (Preview) and find the device you want. Click Show local administrator password beside the listed device. Navigate to the right and either show the password or click the copy button, as shown in the screenshot below.
Armed with the retrieved password, you can now log into the device with the local administrator credentials and carry out tasks that require local admin privileges.
In an earlier blog I talked about Windows LAPS (LAPS2) that was released in April 2023. It was designed to replace the original version of LAPS, now known as Legacy LAPS. We explored its integration in an on-prem AD setting across multiple articles. Today, let's pivot to applying it within the Azure AD framework.
Windows LAPS is designed to help bolster security by minimizing the risk associated with compromised local administrator passwords that could grant unwarranted access to networked Windows devices. A prevalent scenario in many enterprises is the use of a uniform local admin account across all Windows endpoints, characterized by an identical username and password. This poses a significant security gap because if a single account is breached, a threat actor could potentially gain administrative access to every interconnected device. In the case of a school district, once one student gets a hold of the local admin credentials, it doesn’t take long until the entire student body has admin rights, wreaking havoc on the machines.
Windows LAPS ensures each local admin account is assigned a unique password. For instance, if you oversee multiple Windows devices all having a local admin account labeled 'Admin1', Windows LAPS allows you to set a unique password for each of these accounts. Additionally, these passwords come with a specified expiration period, after which a new randomized password is created. While my earlier blog series delved into setting up LAPS via Group Policy, in this piece, we'll explore its configuration using Intune.
Prerequisites for Windows LAPS in Azure AD
The prerequisites for Windows LAPS are few. There is nothing to install because Intune policies are used to configure the LAPS CSP already on the devices. Here is what you need:
- An Intune license
- All computers need to be on Windows 10 or Windows 11 with the April 2023 Cumulative Update installed
- One of the following Azure AD roles: Global Administrator, Cloud Device Administrator, or Intune Administrator.
Because Azure is cloud-based, you can access Windows LAPS from anywhere, and Intune’s scalability lets you manage a great many systems easily. Remember one downside, though: the dependency on the internet. If your internet service is down and you have no alternative means of reaching Azure, you have no way to retrieve the LAPS password. That said, let’s get to configuring Windows LAPS for Azure AD.
Configuring LAPS for Azure AD
Before you create an Intune policy you must first access your Azure portal (portal.azure.com) and enable LAPS. Navigate to Devices > Device Settings and scroll down. Then turn on the “Enable Azure AD Local Administrator Password Solution” as shown below.
Once that is completed, you can move on to Intune. Using the Microsoft Intune admin center, navigate to Endpoint Security > Account protection and click Create Policy. Choose “Windows 10 and later” as the Platform and “Local admin password solution (Windows LAPS)” as the Profile, as shown in the screenshot below.
After naming the policy it is time to configure settings as shown below. Of course, in this instance we will choose Azure AD only as the Backup Directory.
For the Administrator Account Name, I chose a custom account called fabadmin. If you are using Windows LAPS to manage any custom local administrator account, you must enter the name of that account here. You can leave this field blank if you are configuring LAPS for the built-in administrator, even if you have changed the name from its default name.
For Password Complexity there are four options:
- Large letters
- Large letters + small letters
- Large letters + small letters + numbers
- Large letters + small letters + numbers + special characters
Note that the fourth option (all four character types) is the default if you don’t make a selection.
Post Authentication Actions specifies the action to take when the configured grace period expires (12 days in this instance). There are three actions to choose from, plus Not configured.
- Reset password: upon expiry of the grace period, the managed account password will be reset.
- Reset the password and log off the managed account: upon expiry of the grace period, the managed account password will be reset and any interactive logon sessions using the managed account will be terminated. (Default behavior)
- Reset the password and reboot: upon expiry of the grace period, the managed account password will be reset, and the managed device will be immediately rebooted.
- Not configured.
If no selection is made, the setting will default to the logoff option.
Post Authentication Reset Delay sets the delay in hours before the action selected above is executed. The default is 24 hours, which is also the maximum.
With your settings configured, assign any scope tags and assign the policy to the Azure AD group you want to manage with it. In my next blog I will talk about how to retrieve the password from Azure and how to audit LAPS retrieval.
Group Policy and Intune both offer multiple ways to hide various components of the Windows operating system. One of these is the "Settings Page Visibility" setting that is specifically designed for managing the visibility of individual pages within the Windows Settings app introduced in Windows 10. This is distinct from the practice of hiding individual applets within the traditional Control Panel. By controlling visibility, you can streamline the user experience by ensuring they only see the settings they need, thus minimizing potential confusion or mistakes.
Note that the "Settings Page Visibility" policy only determines whether a page is visible or hidden to users. If you hide a settings page, users cannot see or access it, but this does not deactivate or override the actual functionalities or policies that might be set elsewhere.
I will show you how to configure the "Settings Page Visibility" policy in both Group Policy and Intune.
Create a GPO and go to Computer Configuration > Administrative Templates > Control Panel > Settings Page Visibility. You will then enable the policy and configure the settings as shown in the screenshot below.
You have two options for this setting.
- Use the hide: command to hide specific pages.
- Use the showonly: command to show only specific pages and hide all others.
You then follow either command with the Uniform Resource Identifier (URI) of the page you want the command to apply to. For instance, if you want to hide the Windows Game Bar page you would type the following:
If you want to hide additional pages, simply separate each URI with a semicolon. For instance, if you want to hide the Windows Game Bar as well as the advanced network and internet settings page, the command will look as follows:
Let’s use an example for the showonly: command.
You can add as many URIs as you need to the policy. Once completed, assign the GPO to your designated groups and you are ready to deploy. You can refer here for a list of URIs.
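As an added example (not part of the original post), a small Python evaluator for the value syntax described above: it parses a hide:/showonly: string, validates the page identifiers, and reports which pages a user would still see. The page names used in the checks come from Microsoft's ms-settings URI scheme; the lenient handling of letter case, surrounding whitespace and a full ms-settings: prefix is this example's own assumption, not documented policy behaviour.

```python
import re

# A page identifier is the part of the URI after "ms-settings:", e.g. gaming-gamebar.
PAGE_RE = re.compile(r"^[a-z0-9][a-z0-9-]*$")


def parse_policy(value: str) -> tuple:
    """Return (mode, set of page identifiers); raise ValueError for malformed input."""
    m = re.match(r"^(hide|showonly):(.*)$", value.strip(), re.IGNORECASE)
    if not m:
        raise ValueError("value must start with 'hide:' or 'showonly:'")
    mode, pages = m.group(1).lower(), set()
    for raw in m.group(2).split(";"):
        page = raw.strip().lower()                 # case-insensitive: this example's assumption
        if not page:
            continue                               # tolerate a trailing semicolon
        page = page.removeprefix("ms-settings:")   # also accept the full URI form
        if not PAGE_RE.match(page):
            raise ValueError(f"bad page identifier: {raw!r}")
        pages.add(page)
    if not pages:
        raise ValueError("no page identifiers given")
    return mode, pages


def is_visible(policy: str, page: str) -> bool:
    """Would the Settings app show `page` under this policy value?"""
    mode, pages = parse_policy(policy)
    page = page.lower().removeprefix("ms-settings:")
    return page not in pages if mode == "hide" else page in pages


def hidden_from(policy: str, needed: list) -> list:
    """Pages in `needed` that the policy hides: catches a showonly: value that locks out too much."""
    return [p for p in needed if not is_visible(policy, p)]
```

Running hidden_from against the pages your help desk relies on before deploying a showonly: value catches the common mistake of hiding everything except the few pages listed.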
To configure the "Settings Page Visibility" equivalent in Intune go to your Microsoft Intune admin center portal and navigate to Devices > Configuration profiles.
- Create a new profile and choose “Windows 10 and later” as the Platform and “Settings catalog” as the Profile type.
- Name the profile and click Add settings.
- In the settings picker, type “visibility”.
- Choose between the two Page Visibility List options.
In this example I will choose Page Visibility List because I want to apply the profile to users as shown below.
Use the same command structure as in Group Policy.
Then assign any scope tags, your designated groups and complete the creation process.
LAPS offers an effective method to limit local administrative privileges by generating a unique password for each Windows computer in your enterprise. However, for enhanced security and compliance, it's advisable to monitor who is accessing the passwords for specific machines. For Azure-joined devices go to your Azure portal and navigate to Devices > Audit Logs and then search for “Recover device local administrator password” as shown in the example below.
You can then click on the event to view more information as shown here.
This system effectively restricts access to clear-text passwords, ensuring only individuals with specific administrative roles, like Global Administrators, Cloud Device Administrators, and Intune Administrators, can access them.
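As an added example (not the post's or Microsoft's own code), a Python routine that reduces the same audit data, in the shape Microsoft Graph returns from GET /auditLogs/directoryAudits, to who retrieved which device's password and when, so the review the post recommends can run over an export instead of one portal entry at a time. The JSON sample, user names and device names are constructed for this example, and the working-hours window is an assumed review threshold.

```python
import json
from collections import Counter
from datetime import datetime

# Activity name shown in the Azure portal Audit Logs blade (from the article).
LAPS_ACTIVITY = "Recover device local administrator password"

# Constructed sample in the shape of GET /auditLogs/directoryAudits:
# two retrievals by one admin, one by another, plus an unrelated device event.
SAMPLE = json.dumps({"value": [
    {"activityDisplayName": LAPS_ACTIVITY, "activityDateTime": "2023-09-12T14:03:10Z",
     "initiatedBy": {"user": {"userPrincipalName": "helpdesk1@example.com"}},
     "targetResources": [{"displayName": "LAB-PC-01", "type": "Device"}]},
    {"activityDisplayName": LAPS_ACTIVITY, "activityDateTime": "2023-09-12T23:41:55Z",
     "initiatedBy": {"user": {"userPrincipalName": "helpdesk1@example.com"}},
     "targetResources": [{"displayName": "LAB-PC-07", "type": "Device"}]},
    {"activityDisplayName": LAPS_ACTIVITY, "activityDateTime": "2023-09-13T09:15:00Z",
     "initiatedBy": {"user": {"userPrincipalName": "admin2@example.com"}},
     "targetResources": [{"displayName": "LAB-PC-01", "type": "Device"}]},
    {"activityDisplayName": "Update device", "activityDateTime": "2023-09-13T10:00:00Z",
     "initiatedBy": {"user": {"userPrincipalName": "admin2@example.com"}},
     "targetResources": [{"displayName": "LAB-PC-02", "type": "Device"}]},
]})


def laps_retrievals(raw_json: str) -> list:
    """Return (when, actor_upn, device_name) for every LAPS password recovery event."""
    rows = []
    for event in json.loads(raw_json).get("value", []):
        if event.get("activityDisplayName") != LAPS_ACTIVITY:
            continue
        # initiatedBy.user is null when an app, not a person, performed the action.
        user = event.get("initiatedBy", {}).get("user") or {}
        actor = user.get("userPrincipalName", "<app or unknown>")
        devices = [t.get("displayName") for t in event.get("targetResources", [])
                   if t.get("type") == "Device"]
        when = datetime.fromisoformat(event["activityDateTime"].replace("Z", "+00:00"))
        rows.append((when, actor, devices[0] if devices else "<unknown device>"))
    return rows

def retrievals_per_actor(raw_json: str) -> dict:
    """Count how many passwords each account has read, the first thing to review."""
    return dict(Counter(actor for _, actor, _ in laps_retrievals(raw_json)))

def outside_hours(raw_json: str, start_utc: int = 8, end_utc: int = 18) -> list:
    """Retrievals outside an assumed UTC working-hours window, worth a second look."""
    return [(actor, device) for when, actor, device in laps_retrievals(raw_json)
            if not start_utc <= when.hour < end_utc]
```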