Hello,
Would it be possible to integrate DVLS PAM with Intune LAPS, so that local Administrator credentials can be retrieved natively using either RDM or the DVLS web page? There are some forum posts about using a 'custom credential' type along with a PowerShell script in RDM to pull LAPS data from AD, however I couldn't find an example for the new Intune hosted LAPS (https://learn.microsoft.com/en-us/mem/intune/protect/windows-laps-overview).
Also, some form of native integration into DVLS would be better as it alleviates the need for maintaining custom scripts and could potentially also be used by the 'launcher' client. Ideally a user would access the DVLS PAM web page and search for the password of a built-in Administrator account, and DVLS would connect to Intune LAPS on behalf of (or as) the user.
Please let me know if further clarification is required.
Thanks
Hi
Our PAM architecture is to be the single source of truth for the secrets, meaning we manage them IN our system, and push a copy to the provider. We would therefore need to add a flow to change that philosophy. It makes sense to me and we would be a PAM facade for any storage system that has an acceptable API/REST interface.
It's in line with what I would have liked to go towards, but please understand that this is not a minor change. Also, we are in the middle of planning our 2023.3 release and it would most likely not fit in the plan.
I will dedicate some time to research this and see if we can have a plan for the short term.
A quick consultation of the documentation mentions that the secrets can be copied to AD/AAD, have you enabled this in your infrastructure?
Thanks
Maurice
Posting for visibility here for others with this question.
While this doesn't answer your concern of having to maintain/ update a script, you can at least not have to maintain/update them very often with good module management. If it helps you can use something like this.
# Load the Graph and LAPS modules; load errors are suppressed here and reported explicitly below
Import-Module Microsoft.Graph.Authentication -ErrorAction SilentlyContinue
Import-Module Microsoft.Graph.Identity.DirectoryManagement -ErrorAction SilentlyContinue
Import-Module LAPS -ErrorAction SilentlyContinue

$isImport = Get-Module -ListAvailable Microsoft.Graph.Authentication
if (-not $isImport) {
    $Result.Cancel = $true
    Write-Output "Microsoft Graph modules are not installed on this system!"
    return
}
$isLaps = Get-Module -ListAvailable LAPS
if (-not $isLaps) {
    $Result.Cancel = $true
    Write-Output "LAPS module is not installed on this system!"
    return
}

# Device.Read.All is needed to look the device up; DeviceLocalCredential.Read.All to read the LAPS password
Connect-MgGraph -Scopes 'Device.Read.All', 'DeviceLocalCredential.Read.All' -NoWelcome

# $NAME$ is the RDM variable holding the entry name (assumed to equal the device's display name)
$hostname = '$NAME$'
$computer = Get-MgDevice -Filter "displayName eq '$hostname'"
if ($computer) {
    $password = Get-LapsAADPassword -DeviceIds $computer.DeviceId -IncludePasswords
    if ($password.Password) {
        $Result.Username = $password.Account
        # The password comes back as a SecureString; RDM needs the plain-text value.
        # Free the unmanaged BSTR copy afterwards so the plain text does not linger in memory.
        $bstr = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($password.Password)
        try {
            $Result.Password = [System.Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
        }
        finally {
            [System.Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
        }
    }
    else {
        $Result.Cancel = $true
        Write-Output "LAPS did not return any password value for $hostname"
    }
}
else {
    $Result.Cancel = $true
    Write-Output "Device not found in Entra ID for hostname: $hostname"
}
This also assumes that your RDM entry name is the same as the name of the machine you need the LAPS password for.
If not, change it to whatever variable you are using.
Hope this helps.