
Create a Scheduled Task to Automatically Update the Latest Version of BPP Express

***Please note that this only works in Specops Password Policy 7.8 and later***

One of the major benefits of implementing Specops Password Policy with Breached Password Protection is having a local database on your Domain Controllers (DCs) that prevents your users from choosing a commonly used or recently leaked password.

This comes in the form of the Specops Breached Password Protection Express database, which is located on the SYSVOL share of each DC. The database contains just over 900 million passwords, drawn from the most commonly used passwords and the most recently published breach lists from around the globe.

The database is roughly 6 GB in size (the exact size fluctuates between releases) and is made up of 256 smaller files. We structure it this way to make it faster to search and simpler to replicate through the Distributed File System Replication that keeps the SYSVOL share on your DCs in sync.

The database is updated approximately 6 times per year, based on telemetry from our Complete database and on any high-profile data breaches that involved compromised passwords.

In the past, downloading the update was always a manual step for customers. We have now implemented PowerShell commands that let customers automate this process using the Task Scheduler built into Windows.

First of all, some prerequisites:

The PowerShell cmdlets are installed along with the Specops Password Policy 7.8 release as part of the admin tools. PowerShell 5.1 or above is required, so make sure the Specops Admin Tools are installed on the server that will run the task.

The PowerShell script and the commands themselves are very simple. In the script below, I have added some logging and a check to make sure the download uses a TLS 1.2 connection.

# Force TLS 1.2 for the download (the assignment applies whether or not it is already the default)
[System.Net.ServicePointManager]::SecurityProtocol = 'Tls12'

# Record the version currently in SYSVOL in the log file
Get-PasswordPolicyBppExpressList | Out-File C:\temp\log.txt -Append

# Download the latest version (if needed) locally, upload it to the SYSVOL volume of the closest DC, and append the result to the same log file
Update-SppBppExpressList | Out-File C:\temp\log.txt -Append

Save the script as a .ps1 file, e.g. C:\BPP\BPPUpdate.ps1.

Open Task Scheduler:

  1. Select the folder where you want to create your task and click Create Task. On the General tab, specify a user or service account that can write to the SYSVOL share, has been granted the "Log on as a batch job" right on the server running the task, and has Write permission to the folder where the log file is written. It does not have to be an administrator, but it does need these delegated permissions.

  2. On the Triggers tab, choose a Daily run at a time that is typically quiet on the network. Consider when your backups and other scheduled jobs run, and add a random delay of up to an hour if that makes sense.

  3. On the Actions tab, choose "Start a program". The program is powershell and the argument is "-File <location and name of your ps1 script>", e.g. -File C:\BPP\BPPUpdate.ps1.

  4. Click OK to save your settings. You will be prompted to enter the password of the account you chose.

To test, right-click the task and choose Run, then check the contents of the log file. (You can also use Task Manager to watch network activity; it will be busy while the 6+ GB of data downloads.)
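The same task can be created from PowerShell instead of the Task Scheduler GUI. The script below is an added example, not part of the original article or of the Specops tools; the task name, task folder and service account name are placeholders, and it assumes the ScheduledTasks module that ships with supported Windows Server versions.

```powershell
# Added example: register the BPP Express update task from PowerShell.
# Placeholder values: adjust the task name, folder and account for your environment.
$ScriptPath = 'C:\BPP\BPPUpdate.ps1'          # path from the article
$TaskName   = 'Specops BPP Express Update'    # placeholder
$TaskPath   = '\Specops\'                     # placeholder task folder
$RunAs      = 'CONTOSO\svc-bppupdate'         # placeholder service account

# Prompt for the account password once, as the GUI does on OK. The account only
# needs the delegated rights from the article: write to SYSVOL, write to the log
# folder, and "Log on as a batch job" on this server.
$Credential = Get-Credential -UserName $RunAs -Message 'Password for the task account'

# Action: powershell.exe -File <script>, exactly as on the Actions tab.
# -NonInteractive stops an unattended run from hanging on a prompt.
$Action = New-ScheduledTaskAction -Execute 'powershell.exe' `
    -Argument "-NonInteractive -File `"$ScriptPath`""

# Trigger: daily at a quiet hour, with up to one hour of random delay so the
# 6+ GB download does not land on top of backups at the same minute every day.
$Trigger = New-ScheduledTaskTrigger -Daily -At '02:00' -RandomDelay (New-TimeSpan -Hours 1)

# Settings: give a slow download time to finish, skip a new run if one is still
# in progress, and catch up if the server was off at the scheduled time.
$Settings = New-ScheduledTaskSettingsSet -ExecutionTimeLimit (New-TimeSpan -Hours 6) `
    -MultipleInstances IgnoreNew -StartWhenAvailable

# -User/-Password stores the credential so the task runs without a logged-on
# session; RunLevel Limited because the account does not need to be an admin.
Register-ScheduledTask -TaskName $TaskName -TaskPath $TaskPath `
    -Action $Action -Trigger $Trigger -Settings $Settings `
    -User $RunAs -Password $Credential.GetNetworkCredential().Password `
    -RunLevel Limited | Out-Null

# Confirm registration, then kick off a manual test run and check C:\temp\log.txt.
Get-ScheduledTask -TaskName $TaskName -TaskPath $TaskPath | Format-List TaskName, State
Start-ScheduledTask -TaskName $TaskName -TaskPath $TaskPath
```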

Hopefully this article will prove helpful for some of you. As a final word of caution, do not forget to monitor the free disk space on the SYSVOL volume of all your DCs; you do not want an automated process to fill a domain controller's disk.

February 17, 2023
