KB – Change a local user password via CSP

Recently we got a question from a customer how to manage Windows local account passwords via UEM.
Microsoft does not provide any native CSP for this, so we need a PowerShell script for changing the password. This will also provide some more flexibility when you want to change a different user as the local Administrator account.

My colleague Camille posted a great article how to deploy PowerShell scripts via CSP here.

I used this information to try to set the password with this PowerShell command:

Set-LocalUser -Name UserName -Password (ConvertTo-SecureString "Password" -AsPlainText -Force) -PasswordNeverExpires 0 -UserMayChangePassword 1

This command works great on the device itself but did not work in the CSP like this:

<wap-provisioningdoc id=“b0774572-29ec-4015-8bde-8f0281682f1b” name=“customprofile”>
  <characteristic type=“com.airwatch.winrt.powershellcommand” uuid=“f060bc02-bc0d-4ff8-b5d7-3fdfd24274dd”>
    <parm name=“PowershellCommand” value="Set-LocalUser -Name UserName -Password (ConvertTo-SecureString "Password" -AsPlainText -Force) -PasswordNeverExpires 0 -UserMayChangePassword 1"/>
  </characteristic>
</wap-provisioningdoc>

This will cause an error and the CSP will not apply successfully.

Frist, you need to add the sysnative path of PowerShell to use the 64 Bit version of PowerShell – since the Intelligent HUB is running in 32 Bit.

&$env:SystemRoot\sysnative\WindowsPowerShell\v1.0\powershell.exe

Second, you need to add the “-command” parameter to the command line:

-command Invoke-Command -ScriptBlock {Set-LocalUser -Name UserName -Password (ConvertTo-SecureString "Password" -AsPlainText -Force) -PasswordNeverExpires 0 -UserMayChangePassword 1}

This will still fail – since we need to escape the code from the XML code. There are simple websites where you can copy paste the code and escape it. For example here.

So, the final CSP looks like this:

<wap-provisioningdoc id="b0774572-29ec-4015-8bde-8f0281682f1b" name="customprofile">
  <characteristic type="com.airwatch.winrt.powershellcommand" uuid="f060bc02-bc0d-4ff8-b5d7-3fdfd24274dd">
    <parm name="PowershellCommand" value="&$env:SystemRoot\sysnative\WindowsPowerShell\v1.0\powershell.exe
 -command "Invoke-Command -ScriptBlock {Set-LocalUser -Name UserName -Password (ConvertTo-SecureString "password" -AsPlainText -Force) -PasswordNeverExpires 0 -UserMayChangePassword 1}""/>
  </characteristic>
</wap-provisioningdoc>

To make it even more flexible, you can use Custom Attributes for defining the password – just replace the “Password” with the variable like e.g. “{CustomAttribute1}”

<wap-provisioningdoc id="b0774572-29ec-4015-8bde-8f0281682f1b" name="customprofile">
  <characteristic type="com.airwatch.winrt.powershellcommand" uuid="f060bc02-bc0d-4ff8-b5d7-3fdfd24274dd">
    <parm name="PowershellCommand" value="&$env:SystemRoot\sysnative\WindowsPowerShell\v1.0\powershell.exe
 -command "Invoke-Command -ScriptBlock {Set-LocalUser -Name UserName -Password (ConvertTo-SecureString {CustomAttribute1} -AsPlainText -Force) -PasswordNeverExpires 0 -UserMayChangePassword 1}""/>
  </characteristic>
</wap-provisioningdoc>

Now you can full control the password by one setting without providing the password in cleartext in the CSP.

The final CSP
Written by
+ posts

Empowering customers in client management since 2012.
Empowering customers in modern management since 2018.

Website | + posts

vExpert, blogger and VMware champion. Worked as a Microsoft consultant for a partner before joining VMware via Airwatch in 2015.

4 thoughts on “KB – Change a local user password via CSP

  • Oliver
    2021-06-22 at 12:19

    Hi,
    Your code examples in this page are empty. Is there something wrong with your website?

    • Grischa Ernst
      2021-06-22 at 17:20

      Hey Oliver,

      yeah Website seems to be broken. We are working on it!

  • Milo
    2022-07-21 at 21:12

    Hi, how I have added the xml to a custom profile, and assigned it to a group. How do I reset the password of a user now?

    • Patrick Zoeller
      2023-01-03 at 11:15

      Hi Milo,
      As you define the Password or the Content of the Password within the Custom Profile this then used as Password. Just follow the Blog here.
      best regards
      Patrick

Leave a Reply

Your email address will not be published. Required fields are marked *.

*
*
You may use these <abbr title="HyperText Markup Language">HTML</abbr> tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>

This site uses Akismet to reduce spam. Learn how your comment data is processed.

BCF Shop Theme By aThemeArt.
BACK TO TOP