
<#
.SYNOPSIS
Creates a new user on the device and assigns to administrators. Configures LAPS to use the new user account
.DESCRIPTION
Creates a new local user on every Intune-managed Windows device through a custom OMA-URI (Accounts CSP) policy, adds it to the local Administrators group, enables Windows LAPS in Azure AD and creates a LAPS configuration policy that manages that account.
The initial password is randomly generated once per script run: every targeted device receives the same value, and it is readable by anyone who can view the custom policy in Intune. It only stops being shared once LAPS performs its first rotation, so treat the run as bootstrap only.
.INPUTS
Account name $name
.OUTPUTS
None
.NOTES
  Version: 1.0.3
  Author: Andrew Taylor
  WWW: andrewstaylor.com
  Creation Date: 25/04/2023
  .EXAMPLE
  .\configure-laps-intune.ps1 -name "lapsadmin"
  Creates a local administrator called lapsadmin on all devices and a LAPS policy managing it. Omit -name to use the default "lapsadmin".
#>


<#PSScriptInfo
.VERSION 1.0.3
.GUID 22204255-7dfa-4393-aba7-5c9a1fc765d9
.AUTHOR AndrewTaylor
.COMPANYNAME
.COPYRIGHT GPL
.TAGS intune endpoint MEM environment
.LICENSEURI https://github.com/andrew-s-taylor/public/blob/main/LICENSE
.PROJECTURI https://github.com/andrew-s-taylor/public
.ICONURI
.EXTERNALMODULEDEPENDENCIES
.REQUIREDSCRIPTS
.EXTERNALSCRIPTDEPENDENCIES
.RELEASENOTES
#>


##################################################################################################################################
################# PARAMS #################
##################################################################################################################################

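[cmdletbinding()]
    
param
(
    # Name of the local administrator account to create (defaults to "lapsadmin" further down).
    # The value is spliced into an OMA-URI path and into JSON request bodies that are pushed to
    # every device, so it is restricted to a conservative character set (letters, digits, '_',
    # '.', '-') and the 20-character limit Windows applies to local account names. Rejecting a
    # bad value here is far cheaper than shipping a broken or malformed policy tenant-wide.
    [ValidatePattern('^[A-Za-z0-9_.-]{1,20}$')]
    [string]$name

    )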






##################################################################################################################################
################# INITIALIZATION #################
##################################################################################################################################
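# Errors do not stop the script; each later step therefore has to check its own result before
# building on it (policy IDs, tenant settings), because a failed call just prints and moves on.
$ErrorActionPreference = "Continue"
##Start Logging to %TEMP%\intune.log
# Everything written to the host from here on is captured in this transcript in cleartext,
# so never echo the generated password or tokens.
$date = get-date -format yyyyMMddTHHmmssffff
Start-Transcript -Path $env:TEMP\intune-$date.log

#Install MS Graph if not available
# The script relies on Select-MgProfile, which only exists in the 1.x Graph SDK, so the version is
# pinned and the presence check looks for that exact version rather than "any version installed".
$requiredGraphVersion = '1.19.0'

Write-Host "Installing Microsoft Graph modules if required (current user scope)"
$pinnedModule = Get-Module -ListAvailable -Name Microsoft.Graph.Authentication |
    Where-Object { $_.Version -eq [version]$requiredGraphVersion }
if ($pinnedModule) {
    Write-Host "Microsoft Graph Authentication Already Installed"
}
else {
    # Supply-chain note: this trusts PSGallery; the pinned -RequiredVersion at least keeps the
    # install reproducible and prevents an unexpected major-version upgrade.
    Install-Module -Name Microsoft.Graph.Authentication -Scope CurrentUser -Repository PSGallery -Force -RequiredVersion $requiredGraphVersion
    Write-Host "Microsoft Graph Authentication Installed"
}
# Load the pinned version explicitly; auto-loading could otherwise pick a newer side-by-side
# install that lacks Select-MgProfile.
Import-Module Microsoft.Graph.Authentication -RequiredVersion $requiredGraphVersion

write-host "Connecting to Graph"
Select-MgProfile -Name Beta
# Delegated scopes: Policy.ReadWrite.DeviceConfiguration is what the deviceRegistrationPolicy PUT
# needs; DeviceManagementConfiguration.ReadWrite.All covers the Intune policy creation/assignment.
Connect-MgGraph -Scopes Domain.Read.All, Directory.Read.All, DeviceManagementConfiguration.ReadWrite.All, openid, profile, email, offline_access, Policy.ReadWrite.DeviceConfiguration
write-host "Connected to Graph"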


##Resolve the local account name: an explicit -name parameter wins, otherwise "lapsadmin" is used
write-host "Checking for custom name"
if ($PSBoundParameters.ContainsKey('name')) {
    write-host "Custom name sent, setting account name"
    $accountname = $name
}
else {
    write-host "No custom name sent, using lapsadmin"
    $accountname = "lapsadmin"
}


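function Get-RandomPassword {
    <#
    .SYNOPSIS
    Generates a random password from a cryptographic RNG.
    .DESCRIPTION
    Replaces System.Web.Security.Membership::GeneratePassword, which only exists on .NET Framework
    (Windows PowerShell 5.1) and is unavailable in PowerShell 7+. Characters are drawn with
    System.Security.Cryptography.RandomNumberGenerator using rejection sampling, so every position
    is uniform. The symbol set deliberately excludes " \ ' ` and $ so the result can be embedded in
    JSON bodies and double-quoted PowerShell strings without escaping.
    .PARAMETER length
    Total password length; must be at least 1.
    .PARAMETER amountOfNonAlphanumeric
    Minimum number of symbol characters guaranteed to appear (default 1); must not exceed length.
    .OUTPUTS
    [string] the generated password.
    #>
    param (
        [Parameter(Mandatory)]
        [int] $length,
        [int] $amountOfNonAlphanumeric = 1
    )

    if ($length -lt 1) {
        throw "length must be at least 1"
    }
    if ($amountOfNonAlphanumeric -lt 0 -or $amountOfNonAlphanumeric -gt $length) {
        throw "amountOfNonAlphanumeric must be between 0 and length"
    }

    $alphanumeric = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789'
    # No quote, backslash, backtick or dollar: those need escaping in JSON / PowerShell strings.
    $symbols      = '!#%&()*+,-./:;=?@[]^_{}|~'
    $all          = $alphanumeric + $symbols

    $rng    = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buffer = New-Object byte[] 4
    try {
        # Uniform integer in [0, $max) from a 32-bit draw; a bare modulo would bias low indices.
        function Get-UniformIndex([int] $max) {
            $limit = [uint32]::MaxValue - ([uint32]::MaxValue % [uint32] $max)
            do {
                $rng.GetBytes($buffer)
                $draw = [System.BitConverter]::ToUInt32($buffer, 0)
            } while ($draw -ge $limit)
            return [int] ($draw % [uint32] $max)
        }

        $chars = New-Object System.Collections.Generic.List[char]
        # Guarantee the requested number of symbols first, then fill from the full alphabet.
        for ($i = 0; $i -lt $amountOfNonAlphanumeric; $i++) {
            $chars.Add($symbols[(Get-UniformIndex $symbols.Length)])
        }
        while ($chars.Count -lt $length) {
            $chars.Add($all[(Get-UniformIndex $all.Length)])
        }

        # Fisher-Yates shuffle so the guaranteed symbols are not clustered at the front.
        for ($i = $chars.Count - 1; $i -gt 0; $i--) {
            $j = Get-UniformIndex ($i + 1)
            $swap = $chars[$i]
            $chars[$i] = $chars[$j]
            $chars[$j] = $swap
        }
    }
    finally {
        $rng.Dispose()
    }

    return -join $chars
}


# One password per run: every device targeted by the custom policy below shares this initial value.
$password = Get-RandomPassword -Length 20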


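##Enable LAPS in AAD
# Windows LAPS has to be switched on tenant-wide (deviceRegistrationPolicy.localAdminPassword.isEnabled)
# before the per-device LAPS policy created later has any effect.
write-host "Checking Azure Active Directory Settings"
$checkuri = "https://graph.microsoft.com/beta/policies/deviceRegistrationPolicy"
$currentpolicy = Invoke-MgGraphRequest -Method GET -Uri $checkuri -OutputType PSObject -ContentType "application/json"

if ($null -eq $currentpolicy -or $null -eq $currentpolicy.localAdminPassword) {
    # With ErrorActionPreference=Continue a failed GET would otherwise fall through to the
    # "already enabled" branch and the problem would go unnoticed.
    Write-Warning "Could not read deviceRegistrationPolicy.localAdminPassword; LAPS may not be enabled in the tenant"
}
elseif ($currentpolicy.localAdminPassword.isEnabled -eq $false) {
    write-host "LAPS is not enabled, enabling"
    $currentpolicy.localAdminPassword.isEnabled = $true
    # The whole policy object is written back. ConvertTo-Json defaults to -Depth 2 and silently
    # flattens anything nested deeper into a string, which would corrupt other registration
    # settings on the PUT; a generous depth keeps the round-trip faithful.
    $policytojson = $currentpolicy | ConvertTo-Json -Depth 10
    Invoke-MgGraphRequest -Method PUT -Uri $checkuri -Body $policytojson -ContentType "application/json"
    write-host "LAPS enabled"
}
else {
    write-host "LAPS is already enabled"
}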



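# The password is deliberately NOT echoed: Start-Transcript is active, so anything written to
# the console would land in %TEMP%\intune-<date>.log in cleartext.
write-host "Creating new user $accountname"
##Create Custom Policy for lapsadmin user
# Caveat: every device that receives this policy gets the SAME initial password, and the value is
# visible to anyone who can read the policy in Intune. It only stops being shared once LAPS rotates it.
$customurl = "https://graph.microsoft.com/beta/deviceManagement/deviceConfigurations"

# Build the body as an object and let ConvertTo-Json do the escaping, rather than splicing
# $accountname and $password into a raw JSON here-string.
$custombody = [ordered]@{
    '@odata.type' = '#microsoft.graph.windows10CustomConfiguration'
    description   = 'Creates a new user to be used with LAPS'
    displayName   = 'Windows-LAPS-User'
    id            = '00000000-0000-0000-0000-000000000000'
    omaSettings   = @(
        [ordered]@{
            '@odata.type' = '#microsoft.graph.omaSettingString'
            description   = 'Create lapsadmin and set password'
            displayName   = 'Create-User'
            # Accounts CSP: creates the account and sets its initial password
            omaUri        = "./Device/Vendor/MSFT/Accounts/Users/$accountname/Password"
            value         = $password
        },
        [ordered]@{
            '@odata.type' = '#microsoft.graph.omaSettingInteger'
            description   = 'Add to admins'
            displayName   = 'Add-to-group'
            # LocalUserGroup = 2 adds the account to the local Administrators group
            omaUri        = "./Device/Vendor/MSFT/Accounts/Users/$accountname/LocalUserGroup"
            value         = 2
        }
    )
    roleScopeTagIds = @('0')
}
$customjson = $custombody | ConvertTo-Json -Depth 5

$policy = Invoke-MgGraphRequest -Method POST -Uri $customurl -Body $customjson -OutputType PSObject -ContentType "application/json"
$policyid = $policy.id

if ([string]::IsNullOrEmpty($policyid)) {
    # ErrorActionPreference is Continue: a failed POST would otherwise yield a ".../deviceConfigurations//assign" URL.
    Write-Warning "Custom policy was not created; skipping assignment"
}
else {
    write-host "Assigning policy to all devices"

    # Assigned to ALL devices: this creates a local administrator everywhere, so make sure that is intended.
    $assignurl = "https://graph.microsoft.com/beta/deviceManagement/deviceConfigurations/$policyid/assign"

    $assignjson = @"
{
    "assignments": [
        {
            "target": {
                "@odata.type": "#microsoft.graph.allDevicesAssignmentTarget"
            }
        }
    ]
}
"@

    Invoke-MgGraphRequest -Method POST -Uri $assignurl -Body $assignjson -ContentType "application/json" -OutputType PSObject

    write-host "Policy created and assigned to all devices"
}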


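##Create LAPS policy to use new user account
# Settings-catalog LAPS policy built from the Intune LAPS template (templateId below). The
# settingDefinitionId / template reference GUIDs are the template's own identifiers and the
# "_1" / "_4" suffixes pick the template's enum options (backup directory, post-authentication
# action, complexity) -- verify against the settings catalog before changing any of them.
# Values set: managed account name = $accountname, password length 20, password age 30 days.
# NOTE: $accountname is spliced into the JSON unescaped, so it must not contain quotes or backslashes.
write-host "Creating LAPS policy with new user account $accountname"
$lapsurl = "https://graph.microsoft.com/beta/deviceManagement/configurationPolicies"
$lapsjson = @"
{
    "description": "Uses lapsadmin created via custom OMA-URI policy",
    "name": "LAPS Config",
    "platforms": "windows10",
    "roleScopeTagIds": [
        "0"
    ],
    "settings": [
        {
            "@odata.type": "#microsoft.graph.deviceManagementConfigurationSetting",
            "settingInstance": {
                "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance",
                "choiceSettingValue": {
                    "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingValue",
                    "children": [
                        {
                            "@odata.type": "#microsoft.graph.deviceManagementConfigurationSimpleSettingInstance",
                            "settingDefinitionId": "device_vendor_msft_laps_policies_passwordagedays_aad",
                            "simpleSettingValue": {
                                "@odata.type": "#microsoft.graph.deviceManagementConfigurationIntegerSettingValue",
                                "value": 30
                            }
                        }
                    ],
                    "settingValueTemplateReference": {
                        "settingValueTemplateId": "4d90f03d-e14c-43c4-86da-681da96a2f92"
                    },
                    "value": "device_vendor_msft_laps_policies_backupdirectory_1"
                },
                "settingDefinitionId": "device_vendor_msft_laps_policies_backupdirectory",
                "settingInstanceTemplateReference": {
                    "settingInstanceTemplateId": "a3270f64-e493-499d-8900-90290f61ed8a"
                }
            }
        },
        {
            "@odata.type": "#microsoft.graph.deviceManagementConfigurationSetting",
            "settingInstance": {
                "@odata.type": "#microsoft.graph.deviceManagementConfigurationSimpleSettingInstance",
                "settingDefinitionId": "device_vendor_msft_laps_policies_administratoraccountname",
                "settingInstanceTemplateReference": {
                    "settingInstanceTemplateId": "d3d7d492-0019-4f56-96f8-1967f7deabeb"
                },
                "simpleSettingValue": {
                    "@odata.type": "#microsoft.graph.deviceManagementConfigurationStringSettingValue",
                    "settingValueTemplateReference": {
                        "settingValueTemplateId": "992c7fce-f9e4-46ab-ac11-e167398859ea"
                    },
                    "value": "$accountname"
                }
            }
        },
        {
            "@odata.type": "#microsoft.graph.deviceManagementConfigurationSetting",
            "settingInstance": {
                "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance",
                "choiceSettingValue": {
                    "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingValue",
                    "children": [],
                    "settingValueTemplateReference": {
                        "settingValueTemplateId": "aa883ab5-625e-4e3b-b830-a37a4bb8ce01"
                    },
                    "value": "device_vendor_msft_laps_policies_passwordcomplexity_4"
                },
                "settingDefinitionId": "device_vendor_msft_laps_policies_passwordcomplexity",
                "settingInstanceTemplateReference": {
                    "settingInstanceTemplateId": "8a7459e8-1d1c-458a-8906-7b27d216de52"
                }
            }
        },
        {
            "@odata.type": "#microsoft.graph.deviceManagementConfigurationSetting",
            "settingInstance": {
                "@odata.type": "#microsoft.graph.deviceManagementConfigurationSimpleSettingInstance",
                "settingDefinitionId": "device_vendor_msft_laps_policies_passwordlength",
                "settingInstanceTemplateReference": {
                    "settingInstanceTemplateId": "da7a1dbd-caf7-4341-ab63-ece6f994ff02"
                },
                "simpleSettingValue": {
                    "@odata.type": "#microsoft.graph.deviceManagementConfigurationIntegerSettingValue",
                    "settingValueTemplateReference": {
                        "settingValueTemplateId": "d08f1266-5345-4f53-8ae1-4c20e6cb5ec9"
                    },
                    "value": 20
                }
            }
        },
        {
            "@odata.type": "#microsoft.graph.deviceManagementConfigurationSetting",
            "settingInstance": {
                "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance",
                "choiceSettingValue": {
                    "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingValue",
                    "children": [],
                    "settingValueTemplateReference": {
                        "settingValueTemplateId": "68ff4f78-baa8-4b32-bf3d-5ad5566d8142"
                    },
                    "value": "device_vendor_msft_laps_policies_postauthenticationactions_1"
                },
                "settingDefinitionId": "device_vendor_msft_laps_policies_postauthenticationactions",
                "settingInstanceTemplateReference": {
                    "settingInstanceTemplateId": "d9282eb1-d187-42ae-b366-7081f32dcfff"
                }
            }
        }
    ],
    "technologies": "mdm",
    "templateReference": {
        "templateId": "adc46e5a-f4aa-4ff6-aeff-4f27bc525796_1"
    }
}
"@


$lapspolicy = Invoke-MgGraphRequest -Method POST -Uri $lapsurl -Body $lapsjson -ContentType "application/json" -OutputType PSObject
$lapspolicyid = $lapspolicy.id

if ([string]::IsNullOrEmpty($lapspolicyid)) {
    # ErrorActionPreference is Continue: a failed POST would otherwise yield a ".../configurationPolicies//assign" URL.
    Write-Warning "LAPS policy was not created; skipping assignment"
}
else {
    write-host "LAPS Policy created, assigning to all devices"

    $lapsassignurl = "https://graph.microsoft.com/beta/deviceManagement/configurationPolicies/$lapspolicyid/assign"

    $lapsassignjson = @"
{
    "assignments": [
        {
            "target": {
                "@odata.type": "#microsoft.graph.allDevicesAssignmentTarget"
            }
        }
    ]
}
"@

    Invoke-MgGraphRequest -Method POST -Uri $lapsassignurl -Body $lapsassignjson -ContentType "application/json"

    write-host "LAPS Policy assigned to all devices"
}

write-host "Completed, disconnecting from Graph"

# Drops the cached Graph token for this session.
Disconnect-MgGraph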