Microsoft LAPS Setup

You should have access to a domain joined admin workstation and a domain controller.

Download the LAPS files from Microsoft onto the admin workstation.  You can choose the architecture and documentation that you want to download.

Install all of the LAPS components onto the admin workstation.

NOTE: To see all of the module commandlets:

Get-Command -Module AdmPwd.ps

Extend the AD Schema. See the MS documentation if you have an RODC

On the admin workstation, open a PowerShell terminal as a user that has schema admin rights:

Import-Module AdmPwd.ps
Update-AdmPwdADSchema

To verify LAPS was added to the AD schema, in a domain controller PowerShell terminal:

Get-ADObject 'CN=ms-Mcs-AdmPwd,CN=schema,CN=Configuration,
DC=contoso,DC=com'

View Extended Right Holders in the target OU

Passwords are kept in plain text on the DC so permissions assigned to LAPS are critical. Only those who should have access to view and set the passwords should be allowed to view and change the passwords.

Get an early look at Extended Rights Holders on the OU’s where LAPS will be applied. On my clean lab machines, I only see “NT AUTHORITY\SYSTEM, CONTOSO\Domain Admins”. If any others show up, you should consider whether to remove them or leave them in place if they will be actually used in the LAPS configuration.  See the MS document for further:

Find-AdmPwdExtendedRights -Identity "<OU NAME>" | Format-Table
		-or-
Find-AdmPwdExtendedRights -Identity "<OU NAME>" | Format-List

Set the Extended Right Holders in the target OU

The following commands require the PowerShell module to be loaded:

Import-Module AdmPwd.ps

* Note also that the commands need to be run on each OU where LAPS is to be used.

Add SELF permissions to all computers in an OU to allow them to change their own local admin password:

Set-AdmPwdComputerSelfPermission -Identity "<OU NAME>"

For the next to commands, you will need to create the appropriate domain security groups as needed.

Add users/groups that will be allowed to read the LAPS passwords (this is a single command):

Set-AdmPwdReadPasswordPermission -Identity:"<OU NAME>" -AllowedPrincipals:"<domain\user or group>", 
"<domain\another user or group name>"

Add users/groups that will be allowed to reset the local admin passwords on the LAPS computers (also run the above command in addition to this one):

Set-AdmPwdResetPasswordPermission -Identity:"<OU NAME>" -AllowedPrincipals:"<domain\user or group>", "<domain\another user or group name>"

If you want to check that permissions were set, this command should show it:

Find-AdmPwdExtendedRights -Identity "<OU NAME>" | Format-List

Or check the object security permissions:

R-click the OU -> Properties -> Security tab -> Advanced -> Select the group name -> Edit

Under Properties (scroll down), these should be checked:

Read ms-Mcs-AdmPwdExpirationTime
Write ms-Mcs-AdmPwdExpirationTime
   *Note - write depends on which Set-AdmPwd command you ran above.

Setup GPO for LAPS

The LAPS GPO files are installed on the admin workstation and need to be copied to the Active Directory server.  They can be found under C:\Windows\PolicyDefinitions and C:\Windows\PolicyDefinitions\en-US (if using the US version of English).

Once the files have been copied to the AD server, create the following directories on the AD server if they do not already exist and copy the files.

The AdmPwd.admx file needs to be copied to:

C:\Windows\SYSVOL\contoso.com\Policies\PolicyDefinitions\

The AdmPwd.adml file needs to be copied to:

C:\Windows\SYSVOL\contoso.com\Policies\PolicyDefinitions\en-US\
en-US, (or what ever the appropriate language on the server is)

Open Group Policy Management and create a LAPS GPO object.

Edit the LAPS GPO for the appropriate settings for your domain:

Computer Configuration -> Administrative Templates -> LAPS

Link the GPO to the appropriate OU’s.

Install the client piece

The LAPS client can be installed using SCCM, Group Policy, scripting, or locally using a .msi or .dll file.

On my admin workstation, I can see that LAPS is already installed by viewing “Programs and Features”, or by looking for “C:\Program Files\LAPS\CSE\AdmPwd.dll”. This .dll file can be used to install the client on other computers if desired.

Adding additional OU’s after initial setup

If LAPS is already setup and you are adding new OU’s or computers:

-Set the permissions on the OU using PowerShell commands above.
-Set up the admin user locally on each managed computer.
-Set up a new GPO if needed.
-Install the client.

IIS SSL/TLS Certificate Setup – Internal MS CA

Simplistic, works for me when adding a certificate for WSUS.

Create Certificate Request:

From the IIS server needing the new certificate, open IIS Manager:

- In the left window pane, select the server.
- In the center window pane, select "Server Certificates".
- In the right window pane, select "Create Domain Certificate Request".
- Enter the information in the pop up window.
- Cryptographic Service Provider:
	"Microsoft RSA SChannel Cryptographic Provider"
- Bit Length:
	2048

This should submit a request to the domain CA and automatically return a certificate. This will of course depend on how your CA is setup for approving similar requests.

Bind to the new certificate to the web site:

- In the left window pane, select the web site 
	Possibly "Default Web Site", or maybe not.
- In the right window pane, select "Bindings…".
- In the "Site Bindings:" pop up, choose add or edit.  I'm doing edit here.
- Select "HTTPS" and click the "Edit" button.
- Select the new certificate.
- In the right window pane, restart the service.

The new certificate expiration date can be viewed in “Server Certificates” (see step one above) .

BitLocker – AD setup for BitLocker Recovery Key Management

Like most other posts in this blog, this is pieced together to make sense to me.

Especially in older domains, verify that the AD schema has the appropriate attributes using PowerShell window as administrator:

Get-ADObject -SearchBase ((GET-ADRootDSE).SchemaNamingContext) -Filter {name -like 'ms-FVE-*'}

On a domain controller, install the BitLocker Feature to display the BitLocker recovery information:

Install-WindowsFeature BitLocker -IncludeAllSubFeature -IncludeManagementTools -Restart

To see the BitLocker tab containing the BitLocker recovery key from an admin workstation, the RSAT “BitLocker Drive Encryption Administration Utilities” needs to be installed on the workstation.

GPO Settings

On a domain controller: Server Manger>Tools>Group Policy Management

Edit the following:

Computer Configuration>Policies>Administrative Templates>Windows Components>BitLocker Drive Encryption

"Store BitLocker recovery information in Active Directory":
Select "Enabled"
Check "Require BitLocker backup to AD DS"
Select "Recovery passwords and key packages"


NOTE – At the bottom of the GPO “Help” it states that the TPM information also needs to be backed up. This, however, no longer appears to be the case after Windows 10 version 1607.

"Choose how users can recover BitLocker-protected drives":
        Select "Enabled"

Select “Operating System Drives”

"Choose how BitLocker-protected operating system drives can be recovered":
	Select "Enabled"

        Check "Save BitLocker recovery information to AD DS for operating system drives"
        Select "Store Recovery passwords and key packages"

        Check "Do not enable BitLocker until recovery information is stored to AD DS for operating system drives"
			

Select “Fixed Data Drives”

"Choose how BitLocker-protected fixed data drives can be recovered":
        Select "Enabled"

        Check "Save BitLocker recovery information to AD DS for fixed data drives"
	Select "Backup recovery passwords and key packages"

        Check "Do not enable BitLocker until recovery information is stored to AD DS for fixed data drives"