KB – Change a local user password via CSP
Recently a customer asked us how to manage Windows local account passwords via UEM.
Microsoft does not provide a native CSP for this, so we need a PowerShell script to change the password. This also gives you more flexibility when you want to change a user other than the local Administrator account.
My colleague Camille posted a great article on how to deploy PowerShell scripts via CSP here.
I used this information to try to set the password with this PowerShell command:
Set-LocalUser -Name UserName -Password (ConvertTo-SecureString "Password" -AsPlainText -Force) -PasswordNeverExpires 0 -UserMayChangePassword 1
This command works great on the device itself, but did not work in the CSP like this:
<wap-provisioningdoc id="b0774572-29ec-4015-8bde-8f0281682f1b" name="customprofile">
<characteristic type="com.airwatch.winrt.powershellcommand" uuid="f060bc02-bc0d-4ff8-b5d7-3fdfd24274dd">
<parm name=“PowershellCommand” value="Set-LocalUser -Name UserName -Password (ConvertTo-SecureString "Password" -AsPlainText -Force) -PasswordNeverExpires 0 -UserMayChangePassword 1"/>
</characteristic>
</wap-provisioningdoc>
This causes an error and the CSP will not apply successfully. Two changes are needed to make it work.
First, you need to call PowerShell via the sysnative path to get the 64-bit version of PowerShell, since the Intelligent Hub runs as a 32-bit process:
&$env:SystemRoot\sysnative\WindowsPowerShell\v1.0\powershell.exe
Second, you need to add the "-command" parameter to the command line:
-command Invoke-Command -ScriptBlock {Set-LocalUser -Name UserName -Password (ConvertTo-SecureString "Password" -AsPlainText -Force) -PasswordNeverExpires 0 -UserMayChangePassword 1}
This will still fail, since the command has to be XML-escaped inside the value attribute (the leading & and the double quotes are not valid there as-is). There are simple websites where you can paste the code and escape it. For example here.
So, the final CSP looks like this:
<wap-provisioningdoc id="b0774572-29ec-4015-8bde-8f0281682f1b" name="customprofile">
<characteristic type="com.airwatch.winrt.powershellcommand" uuid="f060bc02-bc0d-4ff8-b5d7-3fdfd24274dd">
<parm name="PowershellCommand" value="&amp;$env:SystemRoot\sysnative\WindowsPowerShell\v1.0\powershell.exe -command &quot;Invoke-Command -ScriptBlock {Set-LocalUser -Name UserName -Password (ConvertTo-SecureString &quot;Password&quot; -AsPlainText -Force) -PasswordNeverExpires 0 -UserMayChangePassword 1}&quot;"/>
</characteristic>
</wap-provisioningdoc>
To make it even more flexible, you can use Custom Attributes to define the password: just replace "Password" with the lookup value, e.g. "{CustomAttribute1}".
<wap-provisioningdoc id="b0774572-29ec-4015-8bde-8f0281682f1b" name="customprofile">
<characteristic type="com.airwatch.winrt.powershellcommand" uuid="f060bc02-bc0d-4ff8-b5d7-3fdfd24274dd">
<parm name="PowershellCommand" value="&amp;$env:SystemRoot\sysnative\WindowsPowerShell\v1.0\powershell.exe -command &quot;Invoke-Command -ScriptBlock {Set-LocalUser -Name UserName -Password (ConvertTo-SecureString &quot;{CustomAttribute1}&quot; -AsPlainText -Force) -PasswordNeverExpires 0 -UserMayChangePassword 1}&quot;"/>
</characteristic>
</wap-provisioningdoc>
Now you can fully control the password from one setting, without putting the password in cleartext in the CSP itself.
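To produce the escaped value reliably, and to check a hand-edited profile before uploading it, here is an added Python helper (not from the article or from Workspace ONE) that wraps the command as described above, XML-escapes it and parses the result back out; the GUIDs are placeholders and the command text is the one from the article.

```python
# Added example (not the article's code): build the escaped <parm> value for the
# com.airwatch.winrt.powershellcommand CSP and verify that the XML round-trips.
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# 64-bit PowerShell via the sysnative alias, because the Intelligent Hub agent
# runs as a 32-bit process (see the article).
SYSNATIVE_PS = r"&$env:SystemRoot\sysnative\WindowsPowerShell\v1.0\powershell.exe"

def wrap_command(inner):
    """Un-escaped command line in the article's form:
    powershell.exe -command "Invoke-Command -ScriptBlock { ... }"."""
    return f'{SYSNATIVE_PS} -command "Invoke-Command -ScriptBlock {{{inner}}}"'

def build_csp(inner, doc_id, char_uuid, name="customprofile"):
    """Return the wap-provisioningdoc with the command XML-escaped for the attribute."""
    value = escape(wrap_command(inner), {'"': "&quot;"})  # also escapes & < >
    return (
        f'<wap-provisioningdoc id="{doc_id}" name="{name}">\n'
        f'<characteristic type="com.airwatch.winrt.powershellcommand" uuid="{char_uuid}">\n'
        f'<parm name="PowershellCommand" value="{value}"/>\n'
        "</characteristic>\n"
        "</wap-provisioningdoc>"
    )

def extract_command(csp_xml):
    """Parse the CSP and return the decoded command, or None if the XML is
    malformed or the parm is missing. Run this before uploading a hand-edited profile."""
    try:
        root = ET.fromstring(csp_xml)
    except ET.ParseError:
        return None
    parm = root.find("./characteristic/parm[@name='PowershellCommand']")
    return None if parm is None else parm.get("value")

# Constructed sample: placeholder GUIDs; the password is a Custom Attribute lookup
# value, so the profile itself never carries it in cleartext.
SAMPLE_INNER = ('Set-LocalUser -Name UserName -Password (ConvertTo-SecureString '
                '"{CustomAttribute1}" -AsPlainText -Force) '
                '-PasswordNeverExpires 0 -UserMayChangePassword 1')
SAMPLE_CSP = build_csp(SAMPLE_INNER, "00000000-0000-0000-0000-000000000000",
                       "11111111-1111-1111-1111-111111111111")

if __name__ == "__main__":
    print(SAMPLE_CSP)
    # The un-escaped variant (raw & and nested quotes) is not well-formed XML.
    naive = SAMPLE_CSP.replace("&quot;", '"').replace("&amp;", "&")
    print("escaped round-trips:", extract_command(SAMPLE_CSP) == wrap_command(SAMPLE_INNER))
    print("naive parses:", extract_command(naive) is not None)
```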
Oliver
Hi,
Your code examples on this page are empty. Is there something wrong with your website?
Grischa Ernst
Hey Oliver,
Yeah, the website seems to be broken. We are working on it!
Milo
Hi, I have added the XML to a custom profile and assigned it to a group. How do I reset the password of a user now?
Patrick Zoeller
Hi Milo,
As you define the password (or the content of the password) within the custom profile, this is then used as the password. Just follow the blog here.
best regards
Patrick