PreStage Managed Local Admin account, Secure Token, Bootstrap Token and LAPS
3 weeks ago
Despite documentation that seems to indicate that Bootstrap Tokens are automatically escrowed when using ADE, it still requires an admin to log in for the first time for this to happen. In order to force it, we are using scripts during Enrollment to create and activate a Secure Token for the Managed Local Admin account created during PreStage with a known password. Once it is created, the Bootstrap Token is escrowed by another script, also during Enrollment. For both scripts, we pass the known password for the admin account as a parameter.
So we've now achieved our requirement to have computer labs' Bootstrap Tokens escrowed during Enrollment without an admin having to physically go to each lab PC and log in.
However, we're concerned about the Managed Local Admin account having a fixed password. If we enable LAPS on the Managed Local Admin account, will there be any potential issues? The way we see it, the known password will just be used twice during Enrollment: when the Secure Token is generated and when the Bootstrap Token is escrowed. However, we're worried that we cannot make sure that LAPS will not change the password until after the 2 scripts have run.
Has anyone else done this or something similar?
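The enrollment sequence the post describes, written out as an added example (not the poster's own script): before granting the Secure Token or escrowing the Bootstrap Token it verifies that the PreStage password still authenticates, so a LAPS rotation that has already happened fails loudly instead of leaving the workflow half-done. The Jamf parameter positions `$4`/`$5`, the root/macOS gate and the managed admin name are assumptions.

```bash
#!/bin/bash
# Added example, not from the original post. Verifies the PreStage managed
# admin's known password is still valid (i.e. LAPS has not rotated it yet),
# grants that account a Secure Token, then escrows the Bootstrap Token.
# $4 / $5 are assumed Jamf script parameters; adjust to your own layout.
set -u

ADMIN_USER="${4:-}"   # assumed parameter: managed local admin short name
ADMIN_PASS="${5:-}"   # assumed parameter: known PreStage password

# Pure helpers that inspect command output, so the decisions are testable
# offline with captured text.
secure_token_enabled() {   # $1 = output of `sysadminctl -secureTokenStatus`
  case "$1" in *"Secure token is ENABLED"*) return 0 ;; *) return 1 ;; esac
}
bootstrap_escrowed() {     # $1 = output of `profiles status -type bootstraptoken`
  case "$1" in *"escrowed to server: YES"*) return 0 ;; *) return 1 ;; esac
}

escrow_bootstrap_token() {
  # Fail safe: if the password was already rotated, stop here rather than
  # hammering the managed admin account with failed authentications.
  if ! dscl /Local/Default -authonly "$ADMIN_USER" "$ADMIN_PASS" 2>/dev/null; then
    echo "Password for $ADMIN_USER no longer valid; rotated before this ran?" >&2
    return 1
  fi
  # sysadminctl reports token status on stderr, so capture both streams.
  if ! secure_token_enabled "$(sysadminctl -secureTokenStatus "$ADMIN_USER" 2>&1)"; then
    # With no existing token holders the account can authorize itself, which
    # is the behaviour the post's enrollment workflow relies on.
    sysadminctl -secureTokenOn "$ADMIN_USER" -password "$ADMIN_PASS" \
      -adminUser "$ADMIN_USER" -adminPassword "$ADMIN_PASS" 2>&1
  fi
  secure_token_enabled "$(sysadminctl -secureTokenStatus "$ADMIN_USER" 2>&1)" || return 2
  # Escrow the Bootstrap Token to the MDM using the token-holding admin.
  profiles install -type bootstraptoken -user "$ADMIN_USER" -password "$ADMIN_PASS" || return 3
  bootstrap_escrowed "$(profiles status -type bootstraptoken 2>&1)"
}

# Only act on a Mac running as root (Jamf runs policy scripts as root);
# elsewhere only the helpers above are defined.
if [ "$(uname -s)" = "Darwin" ] && [ "$(id -u)" = "0" ] && [ -n "$ADMIN_USER" ]; then
  escrow_bootstrap_token
  exit $?
fi
```

The exit codes (1: password no longer valid, 2: token not granted, 3: escrow failed) show up in the Jamf policy log, which is where a rotation racing ahead of the scripts would become visible.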
2 weeks ago
@Manon StuffYourKindledDay wrote:
Despite documentation that seems to indicate that Bootstrap Tokens are automatically escrowed when using ADE, it still requires an admin to log in for the first time for this to happen. In order to force it, we are using scripts during Enrollment to create and activate a Secure Token for the Managed Local Admin account created during PreStage with a known password. Once it is created, the Bootstrap Token is escrowed by another script, also during Enrollment. For both scripts, we pass the known password for the admin account as a parameter.
So we've now achieved our requirement to have computer labs' Bootstrap Tokens escrowed during Enrollment without an admin having to physically go to each lab PC and log in.
However, we're concerned about the Managed Local Admin account having a fixed password. If we enable LAPS on the Managed Local Admin account, will there be any potential issues? The way we see it, the known password will just be used twice during Enrollment: when the Secure Token is generated and when the Bootstrap Token is escrowed. However, we're worried that we cannot make sure that LAPS will not change the password until after the 2 scripts have run.
Has anyone else done this or something similar?
Your approach to automatically escrow Bootstrap Tokens during ADE enrollment using a temporary known admin password is a common workaround. The main concern with enabling LAPS on this admin account is ensuring that the scripts which generate the Secure Token and escrow the Bootstrap Token run *before* LAPS rotates the password. Prioritize robust and early-executing scripts during enrollment, thoroughly test the entire workflow with LAPS enabled in a controlled environment, and consider MDM settings that might influence the order of operations or delay policy application. While others have likely implemented similar solutions, careful timing and testing are crucial for success.
