Manage Windows LAPS using PowerShell

Windows LAPS (Local Administrator Password Solution) is an easy-to-use solution from Microsoft for managing the local administrator account on Windows devices. If your organization's devices are enrolled in Microsoft Intune and Azure AD, you can use my step-by-step guide on How To Implement Windows LAPS Using Intune.

You can back up the managed local administrator account password to either Azure Active Directory or on-premises Active Directory. The password is stored with the device object.

In a troubleshooting scenario, you or a helpdesk member may need the password of the local administrator account. There are several ways to view it.

You can use the Microsoft Intune admin center or the Microsoft Entra portal to view the password, or you can use PowerShell cmdlets to view the local admin account password for any device.

In this blog post, I will only show how to retrieve the managed local admin account password using PowerShell. If you want to know about the GUI options for retrieving it, follow the steps at the following link: how to retrieve LAPS managed local admin password, and refer to the "How to retrieve LAPS managed Local admin Password" section.

Create Azure AD app registration

The first step is to create an application in Azure AD, which we will use to read the managed local admin account password stored in Azure AD. You will need to grant permissions to this Azure AD app so that it can read the device object details.

You will need to grant the following permissions to this app:

  • Device.Read.All
  • Either DeviceLocalCredential.Read.All or DeviceLocalCredential.ReadBasic.All

If you want to retrieve the password, you will need the DeviceLocalCredential.Read.All permission. Granting only DeviceLocalCredential.ReadBasic.All will not let you see the password.

With DeviceLocalCredential.ReadBasic.All, you can only see metadata such as when the password was backed up to Azure AD and when it expires.

  • Log in to the Microsoft Azure portal
  • Search for Azure Active Directory and open App registrations under Manage
  • Click + New registration
  • Provide the app Name as WindowsLAPS_app (any other name will do)
  • Click Register
[Screenshot: Create Azure AD app registration for LAPS]

Assign permissions to Azure AD App

Now that the app is registered, we need to grant it permissions to read device details along with password information. To grant the necessary permissions, follow these steps:

  • Open the Azure AD app WindowsLAPS_app.
  • Go to API Permissions under Manage.
  • Click + Add a permission.
[Screenshot: Assign permissions to Azure AD App]
  • Under Microsoft APIs, click Microsoft Graph.
[Screenshot: Select Microsoft Graph in Request API Permissions]
  • Under Application permissions, search for Device.Read.All and select it.
  • Then search for either DeviceLocalCredential.Read.All or DeviceLocalCredential.ReadBasic.All and select that one as well. I have selected DeviceLocalCredential.Read.All, as I am interested in viewing the password of the local admin account along with other basic device information.
[Screenshot: Go to Application Permissions and select Device.Read.All and DeviceLocalCredential.Read.All]
  • Make sure you Grant admin consent for the assigned API permissions. The status shows a green check mark once admin consent is granted.
[Screenshot: Grant admin consent for Device.Read.All and DeviceLocalCredential.Read.All]
  • Open the app WindowsLAPS_app and click Authentication under Manage.
  • Click + Add a platform and then add Mobile and desktop applications.
[Screenshot: Add redirect URI for the Windows LAPS Azure AD application]
  • Add http://localhost under Custom redirect URIs, select the check box for "https://login.microsoftonline.com/common/oauth2/nativeclient" and click Configure.
[Screenshot: Redirect URI for Windows LAPS]
  • Under Advanced settings, enable Allow public client flows and click Save.
[Screenshot: Allow public client flows]

Retrieve the local admin password of a device from Azure AD

We first need to connect to Microsoft Graph using the application registration created in the previous step. Let's walk through the steps.

Install Microsoft Graph module

The first step is to install the Microsoft Graph module; if it already exists on your device, skip this step:

[Screenshot: Install Microsoft Graph PowerShell module]

Install-Module Microsoft.Graph -Scope AllUsers

Connect to Microsoft Graph

We will use the Connect-MgGraph PowerShell cmdlet. Before running it, have your tenant ID and client ID ready, and substitute your organization's values into the Connect-MgGraph command shown in the following section.

  • To find the Client ID, open the app, go to the Overview tab and copy the Application (client) ID.
  • To find the Tenant ID, log in to the Azure portal and search for Azure Active Directory. The Tenant ID is on the Overview tab; copy it and paste it into Notepad.
[Screenshot: Find Client ID from Azure App registration]


Connect-MgGraph -Environment Global -TenantId 97659d97-8dab-4122-80bd-caadf41b64d7 -ClientId baa1ea7d-9388-43d5-b28f-024ca2bde5fc
  • You will get a pop-up asking for your sign-in information, and you may also see a screen asking you to accept the requested permissions. Select the "Consent on behalf of your organization" check box and click Accept to proceed.

Connected to Microsoft Graph successfully.


Use Get-LapsAADPassword to retrieve the local admin user password

You can use the Get-LapsAADPassword cmdlet to retrieve the local admin account password. Provide the device name in the DeviceIds parameter; you can find it in the Microsoft Intune admin center.


Get-LapsAADPassword -DeviceIds JatinM-WIn10-NW

Running Get-LapsAADPassword with no parameters other than DeviceIds returns only basic information about the device. To see the password of the managed local admin account, add two more parameters: -IncludePasswords and -AsPlainText.

Get-LapsAADPassword -DeviceIds JatinM-WIn10-NW -IncludePasswords -AsPlainText
[Screenshot: Get-LapsAADPassword output including the password]
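As an added example (not code from the original post), the script below wraps the same Get-LapsAADPassword call to check several devices in one run, warning when a backed-up password is close to expiry and returning the clear-text password only when -ShowPassword is explicitly set. The tenant ID, client ID and device names are placeholders, and the output property names are assumed from the LAPS module's output.

```powershell
# Added example, not from the original post. Checks LAPS password data for
# several devices and only pulls the clear-text password on explicit request.
# Assumed placeholders: tenant ID, client ID and the device names below.
#Requires -Modules Microsoft.Graph.Authentication, LAPS

param(
    [string]   $TenantId       = '<your-tenant-id>',
    [string]   $ClientId       = '<your-app-client-id>',
    [string[]] $DeviceNames    = @('DEVICE01', 'DEVICE02'),   # placeholders
    [switch]   $ShowPassword,
    [int]      $WarnWithinDays = 3
)

# Same public-client sign-in as the Connect-MgGraph command in the post.
Connect-MgGraph -Environment Global -TenantId $TenantId -ClientId $ClientId

$results = foreach ($name in $DeviceNames) {
    try {
        # Add -IncludePasswords/-AsPlainText only when requested, so a routine
        # expiry check never retrieves a secret it does not need.
        $params = @{ DeviceIds = $name; ErrorAction = 'Stop' }
        if ($ShowPassword) {
            $params['IncludePasswords'] = $true
            $params['AsPlainText']      = $true
        }
        $entry = Get-LapsAADPassword @params
    }
    catch {
        # Typical causes: unknown device, no password backed up yet, or an app
        # that only holds DeviceLocalCredential.ReadBasic.All.
        Write-Warning "$name : $($_.Exception.Message)"
        continue
    }

    # Property names assumed from the LAPS module output; adjust if your
    # module version names them differently.
    if ($entry.PasswordExpirationTime) {
        $daysLeft = ($entry.PasswordExpirationTime - (Get-Date)).TotalDays
        if ($daysLeft -lt $WarnWithinDays) {
            Write-Warning ("{0}: password expires in {1:N1} days" -f $name, $daysLeft)
        }
    }

    [pscustomobject]@{
        Device     = $entry.DeviceName
        Account    = $entry.Account
        LastBackup = $entry.PasswordUpdateTime
        Expires    = $entry.PasswordExpirationTime
        Password   = if ($ShowPassword) { $entry.Password } else { '(hidden; use -ShowPassword)' }
    }
}

$results | Format-Table -AutoSize
Disconnect-MgGraph
```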

How to reset LAPS managed local admin password

You can reset the LAPS-managed local admin password with PowerShell using the Reset-LapsPassword cmdlet. Log in to the device, connect to Microsoft Graph, and run this cmdlet to reset the managed local admin password.

Conclusion

In this blog post, we have seen how to manage the Windows LAPS local admin account using PowerShell. You can retrieve the managed local admin account password remotely by connecting to Microsoft Graph instead of logging on to the Microsoft Intune admin center or the Microsoft Entra portal.
