Last Updated on February 21, 2024 by rudyooms
This blog is going to show you some of the magic that happens in the background once you have enabled and configured LAPS Automatic Account Management.
I am going to divide this blog into multiple parts.
Windows LAPS (Local Administrator Password Solution) keeps the password of the managed local Windows account secure by rotating it regularly and backing the new password up to Entra ID or Active Directory.
When LAPS was first released to the world, we had to create the managed account ourselves if we didn't want to use the built-in administrator account. That could be done in a lot of fancy ways, but at that time not by LAPS itself.
Luckily, with the latest Windows Canary build we now have some new policies to configure the Automatic Account Management mode. In my opinion, this is what we need! I have been waiting a long time for this! It's magic in a box!
Let's dive into the magic box a bit, because with Automatic Account Management we now have the option to let LAPS create the managed account itself. We can even randomize the account name!
By default, this AAM feature is not enabled. If you want to enable it, you need to configure a GPO or a CSP. Automatic Account Management isn't available yet in the Settings Catalog, but I am expecting that to change once this feature is GA.
When we take a closer look at the Automatic mode, even though it's off by default, it lets Windows LAPS handle all aspects of the managed account:
- It will automatically create the managed account
- It will set the required password
- It will randomize the account name if configured
- It will enable or disable the account
Of course, this new feature can still be combined with Post Authentication Actions! If you are not familiar with PAA, please read this blog.
2. Account Management First look
Let's start by taking a look at what the LAPS GPO looks like, as it shows a bit more about what we can configure until the Settings Catalog catches up.
As shown above, when we want to configure Automatic Account Management, we need to configure the same settings I was talking about in the introduction.
Instead of managing the built-in admin account, as shown below, we need to make sure we select the option to manage a custom admin account.
Once we select the option to manage a custom admin account, we can also define a prefix. Besides the prefix, we can choose to randomize the account name. To top it off, we can choose whether the managed account should be enabled or disabled.
This "EnableorDisableAccountIfNecessary" checkbox is more important than you might think. Why? Let me explain a bit. If your customer wants to keep the managed account in a disabled state, we can later enable it without making any other changes, just by toggling this checkbox... nothing more! Off by default, turned on when needed. That's cool, right?
It's obvious that when you are cloud-native, configuring a GPO isn't going to cut it. To configure Automatic Account Management on those devices, we need to configure the corresponding LAPS CSP nodes ourselves.
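To make the CSP route concrete, here is an added example (not code from the original post, and not a Microsoft tool) that builds the SyncML body for the LAPS policy nodes so you can push it with a SyncML tool or compare it against what Intune sends. The OMA-URI node names under `./Device/Vendor/MSFT/LAPS/Policies/` are the ones in the released LAPS CSP documentation; the canary build this post describes may have shipped with different ones, so check them against your build. The prefix `LAPSADM` and the file name are placeholders.

```powershell
# Added example (not from the original post): build the SyncML body that configures the LAPS CSP
# for automatic account management with a passphrase.
# Node names are taken from the released LAPS CSP documentation; verify them against your build.
function New-LapsAutomaticAccountSyncml {
    param(
        # Account name, or the prefix when -RandomizeName is set. SAM account names are limited
        # to 20 characters, so leave room for the random suffix when randomizing.
        [Parameter(Mandatory)] [ValidateLength(1, 20)] [string] $NamePrefix,
        [switch] $RandomizeName,
        [switch] $EnableAccount,          # off = the managed account stays disabled until you flip it
        [ValidateRange(3, 10)] [int] $PassphraseWords = 6
    )

    # Each node is written with a Replace so the same body works whether or not the node already
    # exists. The Format (int/chr) must match the node type or the CSP rejects the item.
    $nodes = [ordered]@{
        'AutomaticAccountManagementEnabled'       = @{ Type = 'int'; Value = 1 }
        'AutomaticAccountManagementTarget'        = @{ Type = 'int'; Value = 1 }   # 1 = custom managed account, 0 = built-in admin
        'AutomaticAccountManagementNameOrPrefix'  = @{ Type = 'chr'; Value = $NamePrefix }
        'AutomaticAccountManagementRandomizeName' = @{ Type = 'int'; Value = [int]$RandomizeName.IsPresent }
        'AutomaticAccountManagementEnableAccount' = @{ Type = 'int'; Value = [int]$EnableAccount.IsPresent }
        'PasswordComplexity'                      = @{ Type = 'int'; Value = 6 }   # 6 = passphrase (short words); 5-7 are the passphrase options in the docs
        'PassphraseLength'                        = @{ Type = 'int'; Value = $PassphraseWords }   # number of words, 3-10
        'BackupDirectory'                         = @{ Type = 'int'; Value = 1 }   # 1 = back the password up to Entra ID
    }

    $cmdId = 1
    $items = foreach ($name in $nodes.Keys) {
        $n = $nodes[$name]
        # XML-escape the data so a prefix like A&B cannot break the body
        $value = [System.Security.SecurityElement]::Escape([string]$n.Value)
@"
    <Replace>
      <CmdID>$cmdId</CmdID>
      <Item>
        <Target><LocURI>./Device/Vendor/MSFT/LAPS/Policies/$name</LocURI></Target>
        <Meta><Format xmlns="syncml:metinf">$($n.Type)</Format></Meta>
        <Data>$value</Data>
      </Item>
    </Replace>
"@
        $cmdId++
    }

    "<SyncML xmlns=`"SYNCML:SYNCML1.2`">`n  <SyncBody>`n$($items -join "`n")`n    <Final/>`n  </SyncBody>`n</SyncML>"
}

# Usage: write the body to a file for the SyncML tool (prefix and path are placeholders).
New-LapsAutomaticAccountSyncml -NamePrefix 'LAPSADM' -RandomizeName -EnableAccount |
    Set-Content -Path .\laps-aam.xml -Encoding UTF8

# Once the policy has landed, force LAPS to pick it up instead of waiting for the next cycle
# (Windows LAPS PowerShell module, run elevated):
# Invoke-LapsPolicyProcessing
```

A GPO writes the same setting names as registry values under HKLM\SOFTWARE\Microsoft\Policies\LAPS, so if you ever need to check what actually arrived on the device, that key (and `Get-LapsDiagnostics`) is where to look.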
As shown above, this LAPS canary build also gives us the possibility to choose the passphrase option (PasswordComplexity). A passphrase is a much better option in my opinion than the old-school random passwords: it's easier to read and type (as long as you don't configure a passphrase length of 20 words).
Once we have deployed these CSPs to a device running the canary build, we will notice that the new LAPS features show up in Intune. If we take a closer look at the local admin password of the device, we will spot the new randomized account with the prefix and with the passphrase as its password.
Cool, right? Job done, right? NOPE! I noticed something weird while looking at the security log... yep, the security log, NOT the LAPS event log!
Well, I am a cool guy, doing cool stuff, right? I could create a custom CSP policy in Intune to deploy these settings, or I could configure the GPO to configure this new LAPS feature, right?
Well... I decided to use the new and shiny SYNCML tool version 1.2.0 to configure the new corresponding LAPS CSP. Why? So I could get an exact time frame in which the LAPS policy was picked up by the LAPS background policy processing.
Yeah…. the SYNCML tool now has a SYNCML request in it!!!!!
At the same second I enabled the Automatic Account Management feature with the SYNCML tool, this message appeared in the security event log!
As shown above, somehow a WLapsPending121249 account was created? Huh?? I am pretty sure I didn't define "Pending" in any policy.
I guess if I hadn't spotted this weird message, I wouldn't have taken a deeper dive into the new Account Management feature. Luckily for everyone, I did notice it.
When opening LAPS.DLL and searching for the WlapsPending keyword, I noticed it was indeed mentioned in the DLL.
Okay... I am interested! I decided to take a closer look at how the LAPS Azure Core Processing function in the DLL gets to this point.
When we take a look at the video, it becomes obvious that the WlapsPending account name is the first name used when the managed account gets created.
4. The Story and the Flow
From there on, I reinstalled the VM and took a closer look, this time with Procmon running and by building a timeline of what is happening.
So far, I can tell there is more happening in the background than the LAPS event log tells us. By the looks of it, and going back and forth in the LAPS.dll code, this is what I believe is happening.
LAPS Automatic Account Management creates the new custom account with the configured settings in 3 steps:
- The first step in the automatic account creation process is to create a new local account. It creates the account with a randomized value AND with a "Pending" label in the account name (WLapsPending followed by the random digits). Once the local account is created, it is in the default disabled state. After the account is created, LAPS changes its userAccountControl value and adds the account to the local Administrators group.
- From there on it performs an Entra ID (Azure AD) password update and stores the password in Entra (depending on the BackupDirectory policy). If you want to find out more about that process itself, I have already written a blog about it.
- Once the account creation is marked as successful, it renames the account if necessary. So we would notice that it changes the old account name WlapsPending to the prefix we configured. Once the account is renamed, it resets the local password of the account (the Entra ID password update always comes first). After the local password has been updated, it enables the account if necessary, and with that the LAPS processing has succeeded.
The corresponding paint flow
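Because the LAPS event log only shows the end result, the security log is the place to verify this three-step flow on your own devices. The following is an added example (not code from the original post) that normalises the standard Windows account-management audit events and rebuilds the per-account timeline: 4720 (account created), 4738 (account changed, which is where the userAccountControl change shows up), 4732 (member added to a local group), 4781 (account renamed), 4724 (password reset) and 4722/4725 (account enabled/disabled). It assumes success auditing for "User Account Management" and "Security Group Management" is turned on, otherwise those events are never written. The Entra ID password update leaves no trace in this log, so it does not appear in the timeline. The prefix `LAPSADM`, the SID and the sample records are constructed for the demonstration and are not real log data; the exact form of the final randomized name is an assumption.

```powershell
# Added example (not from the original post): rebuild the LAPS automatic account management
# timeline from the Security event log.
# Event IDs are the standard Windows account-management audits; they require success auditing
# for "User Account Management" and "Security Group Management" to be enabled on the device.
$LapsEventIds = 4720, 4722, 4724, 4725, 4732, 4738, 4781

function ConvertFrom-LapsSecurityEvent {
    # Flatten one Security EventRecord into a simple object so the timeline logic does not need
    # to know each event's XML layout. 4781 carries Old/NewTargetUserName; 4732 names the group in
    # TargetUserName and the added member only by SID, so we keep the SID for correlation.
    param([Parameter(Mandatory, ValueFromPipeline)] $Event)
    process {
        $xml  = [xml]$Event.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time    = $Event.TimeCreated
            Id      = $Event.Id
            Account = if ($Event.Id -eq 4781) { $data['OldTargetUserName'] } elseif ($Event.Id -ne 4732) { $data['TargetUserName'] }
            Sid     = $data['TargetSid']            # 4720: SID of the account that was created
            NewName = $data['NewTargetUserName']    # 4781 only
            Member  = $data['MemberSid']            # 4732 only
            Group   = if ($Event.Id -eq 4732) { $data['TargetUserName'] }
        }
    }
}

function Get-LapsAccountTimeline {
    # Keep only events for the LAPS-created account: names starting with WLapsPending or with the
    # configured prefix, plus the 4732 group-add events that reference that account by SID.
    param(
        [Parameter(Mandatory)] [object[]] $Events,
        [Parameter(Mandatory)] [string] $Prefix     # the prefix configured in the policy
    )
    $names = '^(WLapsPending|' + [regex]::Escape($Prefix) + ')'
    $sids  = @($Events | Where-Object { $_.Id -eq 4720 -and $_.Account -match $names } | ForEach-Object Sid)

    $Events |
        Where-Object { $_.Account -match $names -or $_.NewName -match $names -or ($_.Id -eq 4732 -and $_.Member -in $sids) } |
        Sort-Object Time |
        ForEach-Object {
            $ev = $_    # switch rebinds $_ to the value being matched, so keep a reference to the event
            $action = switch ($ev.Id) {
                4720 { 'created (disabled by default)' }
                4738 { 'account changed (userAccountControl)' }
                4732 { "added to local group $($ev.Group)" }
                4781 { "renamed to $($ev.NewName)" }
                4724 { 'local password reset' }
                4722 { 'enabled' }
                4725 { 'disabled' }
            }
            [pscustomobject]@{ Time = $ev.Time; Id = $ev.Id; Account = $ev.Account; Action = $action }
        }
}

# Constructed sample records (not real log data) in the order the flow above predicts.
# The SID and the final name LAPSADM121249 are placeholders.
$t = Get-Date '2024-02-21T10:00:00'
$sid = 'S-1-5-21-1-2-3-1005'
$sample = @(
    [pscustomobject]@{ Time = $t;                   Id = 4720; Account = 'WLapsPending121249'; Sid = $sid; NewName = $null; Member = $null; Group = $null }
    [pscustomobject]@{ Time = $t.AddSeconds(1);     Id = 4738; Account = 'WLapsPending121249'; Sid = $sid; NewName = $null; Member = $null; Group = $null }
    [pscustomobject]@{ Time = $t.AddSeconds(1);     Id = 4732; Account = $null;                Sid = $null; NewName = $null; Member = $sid; Group = 'Administrators' }
    [pscustomobject]@{ Time = $t.AddSeconds(5);     Id = 4781; Account = 'WLapsPending121249'; Sid = $sid; NewName = 'LAPSADM121249'; Member = $null; Group = $null }
    [pscustomobject]@{ Time = $t.AddSeconds(6);     Id = 4724; Account = 'LAPSADM121249';      Sid = $sid; NewName = $null; Member = $null; Group = $null }
    [pscustomobject]@{ Time = $t.AddSeconds(6);     Id = 4722; Account = 'LAPSADM121249';      Sid = $sid; NewName = $null; Member = $null; Group = $null }
    [pscustomobject]@{ Time = $t.AddSeconds(7);     Id = 4720; Account = 'helpdesk';           Sid = 'S-1-5-21-1-2-3-1006'; NewName = $null; Member = $null; Group = $null }   # unrelated, must be filtered out
)
Get-LapsAccountTimeline -Events $sample -Prefix 'LAPSADM' | Format-Table -AutoSize

# Live use on a device (elevated prompt needed to read the Security log):
# Get-LapsAccountTimeline -Prefix 'LAPSADM' -Events (
#     Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = $LapsEventIds } | ConvertFrom-LapsSecurityEvent)
```

If the live timeline stops after the 4732 event, the Entra ID password backup most likely failed, since the rename, local password reset and enable only happen once that step is reported as successful; the LAPS operational log is then the place to look for the reason.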
5. A small Teaser
While looking at the Automatic Account Management feature, I noticed something called Defunct Account at the end of the code.
Take a wild guess about what my next LAPS blog will be about! Defunct!
LAPS got some big improvements with the latest Windows canary update. Hopefully, these new LAPS features will be backported as soon as possible! I want passphrase support! I want the managed account created by LAPS! I want to enable or disable the account on the fly!