KB – Change a local user password via CSP

Recently we got a question from a customer about how to manage Windows local account passwords via UEM.
Microsoft does not provide any native CSP for this, so we need a PowerShell script for changing the password. This also gives you more flexibility when you want to change a different user than the local Administrator account.

My colleague Camille posted a great article on how to deploy PowerShell scripts via CSP here.

I used this information to try to set the password with this PowerShell command:

Set-LocalUser -Name UserName -Password (ConvertTo-SecureString "Password" -AsPlainText -Force) -PasswordNeverExpires 0 -UserMayChangePassword 1

This command works great on the device itself but did not work in the CSP like this:

<wap-provisioningdoc id="b0774572-29ec-4015-8bde-8f0281682f1b" name="customprofile">
  <characteristic type="com.airwatch.winrt.powershellcommand" uuid="f060bc02-bc0d-4ff8-b5d7-3fdfd24274dd">
    <parm name="PowershellCommand" value="Set-LocalUser -Name UserName -Password (ConvertTo-SecureString "Password" -AsPlainText -Force) -PasswordNeverExpires 0 -UserMayChangePassword 1"/>
  </characteristic>
</wap-provisioningdoc>

This will cause an error and the CSP will not apply successfully.

First, you need to call PowerShell through the sysnative path to get the 64-bit version of PowerShell, since the Intelligent Hub is running as a 32-bit process.

&$env:SystemRoot\sysnative\WindowsPowerShell\v1.0\powershell.exe

Second, you need to add the “-command” parameter to the command line:

-command Invoke-Command -ScriptBlock {Set-LocalUser -Name UserName -Password (ConvertTo-SecureString "Password" -AsPlainText -Force) -PasswordNeverExpires 0 -UserMayChangePassword 1}

This will still fail, since the command has to be XML-escaped before it can be placed inside the value attribute of the XML. There are simple websites where you can copy and paste the code and escape it. For example here.

So, the final CSP looks like this:

<wap-provisioningdoc id="b0774572-29ec-4015-8bde-8f0281682f1b" name="customprofile">
  <characteristic type="com.airwatch.winrt.powershellcommand" uuid="f060bc02-bc0d-4ff8-b5d7-3fdfd24274dd">
    <parm name="PowershellCommand" value="&amp;$env:SystemRoot\sysnative\WindowsPowerShell\v1.0\powershell.exe -command &quot;Invoke-Command -ScriptBlock {Set-LocalUser -Name UserName -Password (ConvertTo-SecureString &quot;Password&quot; -AsPlainText -Force) -PasswordNeverExpires 0 -UserMayChangePassword 1}&quot;"/>
  </characteristic>
</wap-provisioningdoc>
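
The escaping step can also be done locally, so a command that contains a password never has to be pasted into a website. The following is an added example, not part of the original post: it builds the same profile with System.Xml, lets the serializer escape the attribute value, and parses the result back to confirm the command is unchanged. The function name `New-PowershellCommandCsp` is hypothetical; the ids and the type string are the ones used in this article.

```powershell
# Added example: build the custom settings XML locally so the command
# (which contains a password) never has to be pasted into an online escaper.
# New-PowershellCommandCsp is a hypothetical helper name, not a UEM cmdlet.
function New-PowershellCommandCsp {
    param(
        [Parameter(Mandatory)] [string] $Command,
        # Ids copied from the profile shown in the article.
        [string] $DocId = 'b0774572-29ec-4015-8bde-8f0281682f1b',
        [string] $CharacteristicUuid = 'f060bc02-bc0d-4ff8-b5d7-3fdfd24274dd'
    )

    $doc  = New-Object System.Xml.XmlDocument
    $root = $doc.CreateElement('wap-provisioningdoc')
    $root.SetAttribute('id', $DocId)
    $root.SetAttribute('name', 'customprofile')
    [void]$doc.AppendChild($root)

    $char = $doc.CreateElement('characteristic')
    $char.SetAttribute('type', 'com.airwatch.winrt.powershellcommand')
    $char.SetAttribute('uuid', $CharacteristicUuid)
    [void]$root.AppendChild($char)

    $parm = $doc.CreateElement('parm')
    $parm.SetAttribute('name', 'PowershellCommand')
    # SetAttribute takes the raw string; the serializer escapes characters
    # such as & and " when the document is written out.
    $parm.SetAttribute('value', $Command)
    [void]$char.AppendChild($parm)

    $xml = $doc.OuterXml

    # Round-trip check: parse the generated text and compare the attribute value.
    $check = New-Object System.Xml.XmlDocument
    $check.LoadXml($xml)
    $parsed = $check.SelectSingleNode('//parm').GetAttribute('value')
    if ($parsed -cne $Command) { throw 'Escaping changed the command.' }
    return $xml
}

# Raw, unescaped command from the article. Single-quoted so PowerShell does not
# expand $env: here; {CustomAttribute1} is the custom attribute variable.
$raw = '&$env:SystemRoot\sysnative\WindowsPowerShell\v1.0\powershell.exe ' +
       '-command "Invoke-Command -ScriptBlock {Set-LocalUser -Name UserName ' +
       '-Password (ConvertTo-SecureString {CustomAttribute1} -AsPlainText -Force) ' +
       '-PasswordNeverExpires 0 -UserMayChangePassword 1}"'

New-PowershellCommandCsp -Command $raw
```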

To make it even more flexible, you can use Custom Attributes for defining the password. Just replace the "Password" with the variable, e.g. "{CustomAttribute1}":

<wap-provisioningdoc id="b0774572-29ec-4015-8bde-8f0281682f1b" name="customprofile">
  <characteristic type="com.airwatch.winrt.powershellcommand" uuid="f060bc02-bc0d-4ff8-b5d7-3fdfd24274dd">
    <parm name="PowershellCommand" value="&amp;$env:SystemRoot\sysnative\WindowsPowerShell\v1.0\powershell.exe -command &quot;Invoke-Command -ScriptBlock {Set-LocalUser -Name UserName -Password (ConvertTo-SecureString {CustomAttribute1} -AsPlainText -Force) -PasswordNeverExpires 0 -UserMayChangePassword 1}&quot;"/>
  </characteristic>
</wap-provisioningdoc>

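Now you can fully control the password through one setting, without hard-coding the password in cleartext in the CSP. The value is still handed to ConvertTo-SecureString as plain text (-AsPlainText) when the command runs on the device.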


Written by

EUC Customer Success Architect at | + posts

Empowering customers in client management since 2012.
Empowering customers in modern management since 2018.

EUC Staff Customer Success Architect at VMware | Website | + posts

vExpert, blogger and VMware champion. Worked as a Microsoft consultant for a partner before joining VMware via Airwatch 6 years ago.

2 thoughts on “KB – Change a local user password via CSP”

  • Oliver
    2021-06-22 at 12:19

    Hi,
    Your code examples in this page are empty. Is there something wrong with your website?

    • Grischa Ernst
      2021-06-22 at 17:20

      Hey Oliver,

      yeah Website seems to be broken. We are working on it!
