Important Feature Change: Password change with GPO’s no longer possible KB2962486/KB2928120/KB2961899 – Part 3

In part three of this post series, we will create the ConfigMgr Settings Item to generate new passwords on the devices on a regular schedule. It is also possible to run the PowerShell script with a scheduled task, but for now I will show the implementation with ConfigMgr.

Part 1 – Background Information

Part 2 – Solution Overview and installing netECM:MiniWebservice

Part 3 – Creating ConfigMgr Compliance Settings Item (This Post)

Part 4 – Retrieve the passwords with PowerShell

Prerequisites

First we need a new Private/Public key pair. You can generate them with the following script:

$KeyLength = 2048 # Valid Values are 1024, 2048, 4096
$RSAPROV = New-Object -TypeName 'System.Security.Cryptography.RSACryptoServiceProvider' -ArgumentList $KeyLength
Write-Host "Public Key:" -ForegroundColor Red
$RSAPROV.ToXmlString($false)
Write-Host "Public and Private Key:" -ForegroundColor Red
$RSAPROV.ToXmlString($true)

You can change the key length, but 2048 should be enough for the moment. We will need the generated strings later in our scripts so let this console open or save the keys to your local password safe.

Script Flow Chart

The following diagram will illustrate the actions of the PowerShell script which is implemented in the compliance settings item.

Password Management

Create ConfigMgr Configuration Item

image Start the ConfigMgr Console and create a configuration item under compliance settings.
image Define a name of the configuration item. I choose “Enable Random Admin Password” as name. Then click next.
image On this page you can restrict the item to specific operating systems. Disable Windows XP and Server 2003, because the script is not tested there.
image Create a new Setting.
image The name can be “SetAdminPassword” and the description is optional.
As setting type you have to choose Script and Date Type should be String.

Then click on Edit Script in the Discovery script section.

image As script language choose Windows PowerShell and paste this script to the editor window.

IMPORTANT:
Change the $publickey variable to your publickey (generated in the prerequisites step)
Modify the $pwlength to specify the length of the generated passwords. Default is 24 signs.
Then you have also to specify the FQDN of the server on which the netECM:MiniWebService is installed.

image Then jump to the Compliance Rules register and add a new rule.
image Define the compliance rule as specified in the screenshot.
image Next…
image Next…Next…OK

Create ConfigMgr Configuration Baseline

To deploy the configuration item, we have to create a baseline first.

image Start the Create Configuration Baseline wizard.
image Add your newly created configuration item and set a name for the configuration baseline.

Then close the wizard with a press on ok.

Deploy Baseline to Devices

The next step is to deploy the baseline to devices. You can right click on the baseline and click deploy.

image The baseline should already be added. So you only have to choose the correct collection and the interval of the password change. In my environment I change the password every 14 days.

Check the Complinace on a device

Now we would like to check the status on a device, which is in the collection we choosed in the last step.

image Start a machine policy download and evaluation cycle to get the configuration item.
image Then click refresh on the configurations tab.
image If the compliance state is unknown, then click on evaluate and wait until the setting is Compliant.

Check the result in MiniWebService

imageNow the encrypted password is saved in the netECM:MiniWebService property store. Navigate to the installation directory and open the propstore folder. There you will find a file for each device, which has reported a password back.

Part 4 will explain how you can get the passwords back from and use them.

Follow me

Thomas Kurth

Principal Workplace Consultant at baseVISION AG
I’m a consultant, trainer and architect for workplace management and enterprise mobility projects with Microsoft Technologies in the past eight years. I love to push and design the modern workplace based on Windows 10, EM&S and O365 for my customers which is the only answer for the current security threats, agile world and the fast-changing business requirements of my customers. Important for me is to simplify and automate the operational processes, because there are the highest costs.

MCSEMCTCMCE
Thomas Kurth
Follow me

Latest posts by Thomas Kurth (see all)