Last Updated on September 26, 2023 by rudyooms
This blog will be about an old scheduled task!!! I am going to dive into the PushLaunch scheduled task, the task that delivers push notifications from Intune (or MMP-C?) to our device. I am going to show you what you need to be aware of when you are working with Windows LAPS and manually rotating the password from Intune.
I will divide this blog into multiple parts.
1. The PushLaunch task and the dmwappushservice
The PushLaunch task and the corresponding dmwappushservice. You could start wondering where you have heard about that service before. Almost a year ago I wrote a blog about why the dmwappushservice is so important.
In that blog I mentioned that when you send a push command to the device, such as the "Rotate local admin password" action, the PushLaunch scheduled task is triggered. When PushLaunch fires, it instantly kicks off the schedule that runs omadmclient.exe, and the device starts syncing with Intune. During that sync the device also executes the command that was pushed to it (rotating the LAPS password).
But what if... what if PushLaunch ends with the error 0x82AC0204? When the PushLaunch task reports this error, the remote command to reset the LAPS password is no longer executed immediately! I am going to show you why, and what exactly changed.
2. Has the PushLaunch task changed?
When we take a closer look at what happens now compared to what happened in the past, we notice that the PushLaunch task is still executed, but from there on it kicks off a different schedule than I was expecting.
Instead of launching the Microsoft Phone Provider omadmclient immediately, it now creates an additional scheduled task. This task is created temporarily, and the nice new scheduled task is named: "Queued schedule created for queued alerts".
You would expect this task to appear in the main EnterpriseMgmt\<enrollmentGUID> folder, but instead a new folder named EnterpriseMgmtNonCritical is created (the same folder in which the Config Refresh scheduled task appears).
I guess it's all in the name: a schedule for queued alerts. This task is scheduled to run 5 minutes after the PushLaunch task completes (with a nice error. So don't mind the error, which is in fact not an error at all).
But what does this task do? Almost the same as the PushLaunch task, with one small difference.
Instead of executing deviceenroller with the regular /z parameter, it passes the /q parameter. When this queued task runs, it kicks off the schedule that runs omadmclient.
When that schedule exits, even with a bad exit code, OMADMPRC.exe removes the temporary queued task again.
So the bottom line? Be aware that a push notification is no longer executed on the fly but can take another 5 minutes. Patience we must have, and one thing is for sure: people working in IT don't have patience.
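If you want to watch this happen on your own device, here is an added PowerShell example (my own code, not from the original post) that lists the PushLaunch task(s), fires one by hand, checks whether it exited with 0x82AC0204, and then looks for the temporary queued-alert task in the NonCritical folder and computes the delay until it fires. Assumptions: the task folders are \Microsoft\Windows\EnterpriseMgmt\<GUID>\ and \Microsoft\Windows\EnterpriseMgmtNonCritical\<GUID>\, the queued task name starts with "Queued schedule created for queued alerts", and exit code 0x82AC0204 means "alert queued" rather than a real failure, exactly as described above. Run it elevated on an enrolled device.

```powershell
# Added example, not code from the original post. Inspects the Intune PushLaunch
# task, fires it, and watches for the temporary queued-alert task.
# Assumptions (labelled): folder names EnterpriseMgmt / EnterpriseMgmtNonCritical
# under \Microsoft\Windows, the task name "Queued schedule created for queued
# alerts", and exit code 0x82AC0204 meaning "alert queued", not failure.
# Run elevated on an MDM-enrolled device.

$QueuedAlertCode = 0x82AC0204   # PushLaunch exit code when the alert was queued

function Get-EnterpriseMgmtTask {
    param([Parameter(Mandatory)][string]$Folder)
    # The trailing wildcard walks every enrollment GUID subfolder.
    Get-ScheduledTask -TaskPath "\Microsoft\Windows\$Folder\*" -ErrorAction SilentlyContinue |
        ForEach-Object {
            $info = $_ | Get-ScheduledTaskInfo
            [pscustomobject]@{
                Folder     = $_.TaskPath
                Name       = $_.TaskName
                State      = $_.State
                # deviceenroller.exe /z versus /q shows up in this column
                Action     = ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
                LastRun    = $info.LastRunTime
                LastResult = '0x{0:X8}' -f $info.LastTaskResult
                NextRun    = $info.NextRunTime
            }
        }
}

# 1. Every PushLaunch task: one per enrollment (MDM, and MMP-C on Insider builds)
$pushTasks = Get-EnterpriseMgmtTask -Folder 'EnterpriseMgmt' | Where-Object Name -eq 'PushLaunch'
if (-not $pushTasks) { throw 'No PushLaunch task found; is the device MDM enrolled?' }
$pushTasks | Format-Table Folder, Action, LastRun, LastResult -AutoSize

# 2. Fire the first one by hand (the push notification does the same) and wait for it to exit
$push = $pushTasks | Select-Object -First 1
Start-ScheduledTask -TaskPath $push.Folder -TaskName $push.Name
$deadline = (Get-Date).AddSeconds(120)
do {
    Start-Sleep -Seconds 5
    $state = (Get-ScheduledTask -TaskPath $push.Folder -TaskName $push.Name).State
} while ($state -eq 'Running' -and (Get-Date) -lt $deadline)

$info = Get-ScheduledTaskInfo -TaskPath $push.Folder -TaskName $push.Name
if ($info.LastTaskResult -eq $QueuedAlertCode) {
    Write-Host ('PushLaunch exited 0x{0:X8}: the alert was queued, not failed.' -f $info.LastTaskResult)
} else {
    Write-Host ('PushLaunch exited 0x{0:X8}: no queued alert this time.' -f $info.LastTaskResult)
}

# 3. Look for the temporary task in the NonCritical folder and compute the delay
$queued = Get-EnterpriseMgmtTask -Folder 'EnterpriseMgmtNonCritical' |
    Where-Object Name -like 'Queued schedule created for queued alerts*' |
    Select-Object -First 1
if ($queued) {
    $queued | Format-Table Folder, Name, Action, NextRun -AutoSize
    if ($queued.NextRun -and $info.LastRunTime) {
        $delay = $queued.NextRun - $info.LastRunTime
        Write-Host ('Queued task fires {0:N1} minutes after PushLaunch ran.' -f $delay.TotalMinutes)
    }
} else {
    Write-Host 'No queued-alert task present (nothing was queued, or OMADMPRC.exe already removed it).'
}
```

Run it once right after you press "Rotate local admin password" in Intune and you should see the PushLaunch exit code, the /q action of the queued task, and a delay of roughly 5 minutes; run it again a few minutes later and the queued task should be gone because OMADMPRC.exe cleaned it up.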
3. Why I was looking
Okay… so I stumbled upon a 5-minute delay… no big deal, right? Let me show you why this behavior caught my attention.
A couple of my VMs are running the Windows Insider build. Almost every week, when a new version arrives, I copy the most important DLL and EXE files to my own device and do a wild text search on them.
Guess what it showed me? Besides the Windows MDM push notification, we suddenly have a new Windows MMPC push function.
When switching back to the Insider Preview build, I noticed that we now have a PushLaunch task inside the MMP-C enrollment.
Does that mean we are going to get a new button in Intune? As shown below, are we going to get a button to initiate a Microsoft Management Platform - Cloud sync? I guess so!
When I noticed this, I started playing around with it and comparing it to the "old" MDM stack one, and at that point I noticed the additional queued schedule.
4. The flow
When we take a look at the flow, we notice that a particular function inside omadmapi.dll (shouldmsgbequeued) is responsible for queueing those alerts, and from there on I created the flow.
Rotating the LAPS password from Intune relies on the PushLaunch task. We need to be aware that this task can now be queued for 5 minutes.
It also seems Microsoft is still very fond of this task, as the functionality around it is also going to be used to initiate a remote sync to make sure the device checks in to the MMP-C service.