
Create a Scheduled Task to Automatically Update the Latest Version of BPP Express

***Please note that this only works in Password Policy 7.8 or higher***

One of the major benefits of implementing Specops Password Policy and Breached Password Protection is having a local database on your Domain Controllers (DCs) that can prevent your users from using a commonly used or recently leaked password.

This comes in the form of the Specops Breached Password Protection Express database, which is located on the SYSVOL share of each DC.

The database is updated approximately 6 times per year, based on telemetry from our Complete database and also when high-profile data breaches involving compromised passwords occur.

In the past, downloading the update was always a manual step for customers, but we have now implemented some PowerShell commands that help our customers automate this process using the Task Scheduler built into Windows operating systems.

First of all, there are some prerequisites for the machine the task will run on:

The PowerShell cmdlets are installed along with the Specops Password Policy 7.8 release as part of the admin tools. PowerShell 5.1 must be installed, and the Specops Admin tools must be installed on the server running the task.

The PowerShell script and commands themselves are very simple. I’ve added some logging and a line that forces TLS 1.2, so that the script below uses a secure TLS connection.

```powershell
# Set TLS to 1.2 for this session if it is not already the default
[System.Net.ServicePointManager]::SecurityProtocol = 'Tls12'

# Get the current version from SYSVOL and write it to a log file
Get-PasswordPolicyBppExpressList | Out-File c:\temp\log.txt -Append

# Download the latest version (if needed) locally, then upload it to the SYSVOL
# volume of the closest DC; results are logged to the same file as above
Update-SppBppExpressList | Out-File c:\temp\log.txt -Append
```

Save the script as a .ps1 file, e.g. C:\BPP\BPPUpdate.ps1.

Open Task Scheduler, go to the folder where you want to create your task, and click Create New Task. On the General tab, specify a user/service account that:

  • can write to the SYSVOL share
  • has been granted the “Log on as a batch job” right on the server running the task
  • has write permissions to the folder where you are writing the log file

On the Triggers tab, choose a Daily run at a time that is typically quiet on the network. Think about when your backups and other tasks might run, though, and maybe add a random variance of an hour if that makes sense.

Finally, on the Actions tab, choose “Start a program”. The program is powershell and the command-line argument is “-File <location and name of your ps1 script>”, e.g. C:\BPP\BPPUpdate.ps1.

Click OK to save your settings. You’ll be prompted to enter the password of the account you chose.

To test, right-click the task and choose Run. You can then check the contents of the log file. You can also use Task Manager to check the network activity; it will be busy while it downloads the 6+ GB of data.

Hopefully this article will prove helpful for some of you, but as a final word of caution, don’t forget to monitor the disk space of the SYSVOL volume on all your DCs, as you don’t want to run out of space due to an automated process.
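The Task Scheduler steps above can also be scripted with the built-in ScheduledTasks cmdlets, run from an elevated PowerShell 5.1 session. This is an added example, not part of the original Specops article; the task name, task folder, account name, start time and execution time limit are assumed values.

```powershell
# Added example: registers the task described in the article.
# Assumed values (not from the article): task name, task folder, account, start time, time limit.
$scriptPath = 'C:\BPP\BPPUpdate.ps1'      # script path used in the article
$taskName   = 'BPP Express Update'        # hypothetical task name
$taskPath   = '\Specops\'                 # hypothetical Task Scheduler folder
$account    = 'CONTOSO\svc-bppupdate'     # placeholder service account

# Fail early if the script has not been saved yet.
if (-not (Test-Path -LiteralPath $scriptPath -PathType Leaf)) {
    throw "Script not found: $scriptPath"
}

# Prompt for the account password instead of storing it in this file.
$cred = Get-Credential -UserName $account -Message 'Account that runs the BPP Express update task'

# Actions tab: start powershell with -File <script>.
# -NoProfile keeps user profile scripts out of the unattended run.
$action = New-ScheduledTaskAction -Execute 'powershell.exe' `
    -Argument "-NoProfile -File `"$scriptPath`""

# Triggers tab: daily at a quiet time, with up to one hour of random delay.
$trigger = New-ScheduledTaskTrigger -Daily -At '02:00' -RandomDelay (New-TimeSpan -Hours 1)

# Do not start a second copy while a download is still running;
# stop a hung run after 12 hours (assumed limit).
$settings = New-ScheduledTaskSettingsSet -MultipleInstances IgnoreNew `
    -ExecutionTimeLimit (New-TimeSpan -Hours 12)

Register-ScheduledTask -TaskName $taskName -TaskPath $taskPath `
    -Action $action -Trigger $trigger -Settings $settings `
    -User $cred.UserName -Password $cred.GetNetworkCredential().Password | Out-Null

# Test run, then read back the status.
# LastTaskResult 0 means the script exited cleanly; 267009 means it is still running.
Start-ScheduledTask -TaskName $taskName -TaskPath $taskPath
Start-Sleep -Seconds 5
Get-ScheduledTaskInfo -TaskName $taskName -TaskPath $taskPath |
    Select-Object LastRunTime, LastTaskResult, NextRunTime
```

The account still needs the SYSVOL, “Log on as a batch job” and log-folder permissions listed above; registering the task does not grant them.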

Publication date: February 17, 2023
Modification date: January 14, 2025
