We have all been there. Created a Machine Catalog, and a Delivery group from a the golden image. Wether we deploy a hundred VDI desktops, or a thousand Remote Desktop Session Hosts, the problem remains the same. They all have the same local administrator password. What does this mean? Well, if the bad guys manage to get a hold of that single password, then your entire Delivery Group has been compromised. The only way to “uncompromise” the fleet of workstations is to delete the entire Delivery Group and Machine Catalog, log into your golden image, and change the local admin password, and redeploy the Machine Catalog and the Delivery Groups. Not overly complicated, but it is a pain in the butt, and will impact your users.
Enter Microsoft Local Administrator Password Solution (LAPS).
A traditional LAPS deployment involves configuring a GPO, and deploying the LAPS client, however with non-persistent VDI, the approach needs to be a little different. Once LAPS has been installed on a VDI target, it will work similar to a physical desktop. Once. On reboot, the VDI is refreshed, and when it checks in with AD on boot it is not assigned a new random password for the local administrator account.
To resolve this issue, we need to run a little powershell script when the machine shuts down (script at the end of this post). This can be configured via GPO.
Write-Host “Retrieve current machine account”
$filter = “(&(objectCategory=computer)(objectClass=computer)(cn=$env:COMPUTERNAME))”
$Object = ([adsisearcher]$filter).FindOne().GetDirectoryEntry()
Write-Host “Reset the password expiration timer to 0”
Write-Host “Save changes to Active Directory object”