Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Password will not Rotate and Name does not Update in CloudLaps after Re-image and Rename #32

Open
rodawing opened this issue May 3, 2022 · 11 comments
Open

Password will not Rotate and Name does not Update in CloudLaps after Re-image and Rename #32

rodawing opened this issue May 3, 2022 · 11 comments

Comments

@rodawing
Copy link

rodawing commented May 3, 2022

After re-imaging and renaming a computer the computer name will not update in Cloudlaps and password will not rotate. CloudLaps seems to hold on to the old computer name. The computer was removed from AAD and Intune before being re-imaged and renamed. Does anyone know where CloudLaps stores the computer names so I can remove the old one?
@dbarajas1
Copy link

Stores in the key vault. You'll have to give yourself permissions to be able to view those and then purge old ones.

@dwiller11
Copy link

I think I may be running into this too. I do a lot of re-imaging using the same device/serial as part of testing deployment scenarios. But I have seen it work sometimes so that makes me wonder if there's something else causing the issue. I saw another post about the rotation frequency set in the function app - could it be that if I'm re-imaging multiple times daily?

Event ID 14 - CloudLAPS: Forbidden, password was not allowed to be updated.

Otherwise, working great! what a cool tool.

@dwiller11
Copy link

OK, confirmed, in my case, it was not able to rotate the password for that re-imaged device because it had not been enough days since the last time it rotated for that same device. CloudLAPS uses the serial number to store the password in the keyvault so from CloudLAPS perspective, it was the same exact device even though it had been re-imaged. I set the "UpdateFrequencyDays" setting in the function app to "0" and it was able to rotate.
@rodawing

@PatsGithu8
Copy link

Hi
We also just discovered this and want to try and work out how to clear the timestamp or clear the serial number from the keyvault
What we had with the old LAPS is when imaging a device and the LAPS install script was executed. We added a powershell command to clear the Active Directory timestamp for that computer name
This allowed LAPS to update the password instantly
So a newly imaged device would have its LAPS account created and password updated

Does anyone know how to do similar with the keyvault in Azure AD ?

@dwiller11
Copy link

Did you try changing the function app UpdateFrequencyDays to 0? I haven't had any issues after changing it to 0. The password changes every time the baseline runs but that's OK, I'd be looking up the password and copying and pasting it anyway so it's no extra work. Even devices that I re-image over the top get a LAPS password assigned almost immediately since baselines run soon after workplace join/autopilot. Not sure what else you might be running into. If that doesn't work, can you describe the exact problem you're running into?

@PatsGithu8
Copy link

Did you try changing the function app Confirm-SecureBootUEFI to 0? I haven't had any issues after changing it to 0. The password changes every time the baseline runs but that's OK, I'd be looking up the password and copying and pasting it anyway so it's no extra work. Even devices that I re-image over the top get a LAPS password assigned almost immediately since baselines run soon after workplace join/autopilot. Not sure what else you might be running into. If that doesn't work, can you describe the exact problem you're running into?

Hi Thanks for the reply
No I havent yet
This might work ok with our on prem machines (domain joined) as we use a configuration baseline that is set to run once a day ( so the same frequency as I set in the function app )

But not sure how this will work with our Azure-Joined machines. Would it stop updating completely if its set to 0 on those azure-joined devices?

Worth a test though

Wanted a more permanent and automated solution to the imaging issue as we re-image many machines per day

@dwiller11
Copy link

It never even occurred to me that this would also work for on-prem, AD-joined devices. I think most people are using this with Intune, do you have Intune + AAD or just AAD? Or SCCM? Or anything that can run some kind of script regularly on an AAD-joined device?

If you set that setting to 0, it just updates the password in the KV every time the script runs. That solved my problem because I also re-image constantly throughout the day when I'm testing things and I was running into an error than prevented the password from being updated in the KV for a serial number that was updated less than X days ago.

@PatsGithu8
Copy link

It never even occurred to me that this would also work for on-prem, AD-joined devices. I think most people are using this with Intune, do you have Intune + AAD or just AAD? Or SCCM? Or anything that can run some kind of script regularly on an AAD-joined device?

If you set that setting to 0, it just updates the password in the KV every time the script runs. That solved my problem because I also re-image constantly throughout the day when I'm testing things and I was running into an error than prevented the password from being updated in the KV for a serial number that was updated less than X days ago.

CloudLAPS was that fantastic to us we wanted to make it work with our on prem environment and evetually let it replace old LAPS
We have so many users working at home now since COVID hit and hardly any of the old LAPS passwords are updating
so we combined both detection and remediation scripts and threw it in SCCM configuration item / baseline to run once a day
It works ok. But just a few of issues I would like to sort out. Like the newly imaged machine issue I am writing here about

We have two environments ( currently in testing and development is our AAD ) and we use SCCM for our older environment
We use the configuration basline via SCCM to execute the CloudLAPS scripts once a day to our old environment

Changing the update frequency to 0 will work ok with our old domain joined environment as we use SCCM to run the script on a daily basis

But unsure how it will trigger on our AAD environment

@dwiller11
Copy link

Are you moving to AAD and trying to leave AD/SCCM behind with no connectivity between the two? SCCM can work with AAD and for internet clients, could you use an SCCM cloud management gateway? (https://docs.microsoft.com/en-us/mem/configmgr/core/clients/manage/cmg/overview) Or better yet, could you just use Intune? I have a similar problem, I have Intune but Intune doesn't manage servers so I'm not sure how I could do LAPS (or any app deploy or running scripts/config) on straight AAD-joined server OS. :/

@RaghuKeenLearner
Copy link

We have two environments ( currently in testing and development is our AAD ) and we use SCCM for our older environment
We use the configuration basline via SCCM to execute the CloudLAPS scripts once a day to our old environment

so where does the password go? Does it go to same portal? TBH with you I never though about this from on-prem perspective before.

@PatsGithu8
Copy link

PatsGithu8 commented Jul 27, 2022
edited
Loading

We have two environments ( currently in testing and development is our AAD ) and we use SCCM for our older environment
We use the configuration basline via SCCM to execute the CloudLAPS scripts once a day to our old environment

so where does the password go? Does it go to same portal? TBH with you I never though about this from on-prem perspective before.

It goes to the same loction to the Azure Function app keyvault. It behaves the same way except we get SCCM to deploy execute the script

Are you moving to AAD and trying to leave AD/SCCM behind with no connectivity between the two? SCCM can work with AAD and for internet clients, could you use an SCCM cloud management gateway? (https://docs.microsoft.com/en-us/mem/configmgr/core/clients/manage/cmg/overview) Or better yet, could you just use Intune? I have a similar problem, I have Intune but Intune doesn't manage servers so I'm not sure how I could do LAPS (or any app deploy or running scripts/config) on straight AAD-joined server OS. :/

I just set the update frequency to 0. But I think this will cause the Azure AD devices to never rotate the password ever

On https://msendpointmgr.com/cloudlaps/#12-function-app-documentation
it states the following:

UpdateFrequencyDays
Password rotation (described more in detail in the solution overview documentation above) will only be allowed if the most recent password rotation occurred in the past, more than the specified amount of days configured in this application setting. The default value is 3, which for instance only allows the password rotation process from a device to happen every 3 days. Change this value to a desired amount of days that meets the organization requirements. A value of 0 is not supported.**_

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@dbarajas1 @dwiller11 @rodawing @RaghuKeenLearner @PatsGithu8