Change Local admin password from Intune

Giuliano 41 Reputation points
2021-10-29T02:45:34.233+00:00

Hello,

I have a few devices enrolled in Intune and they all already have the same local admin (created when I installed Windows 10 before the Intune enrollment).

I'm trying to figure out how to change the local admin password from Intune.

I created a configuration profile and put this OMA-URI: ./Device/Vendor/MSFT/Accounts/Users/adminname/Password

Data type "string" and in the value box the new password.

But it doesn't take effect.

Also, I noticed 404 errors in the client machine's event log; one of these contains (not sure if it's related):

MDM ConfigurationManager: Command failure status. Configuration Source ID: (0B9BC35A-FBBB-4737-A3A2-74DC7D0C8D4F), Enrollment Name: (MDMDeviceWithAAD), Provider Name: (Policy), Command Type: (Add: from Replace or Add), CSP URI: (./Device/Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/Receiver/Properties/Policy/FakePolicy/Version), Result: (The system cannot find the file specified.).

I forgot to mention the error message in Intune:

-2016281112 (Remediation failed)

Do I have to create a new local admin from scratch?

Thank you

Giuliano


Accepted answer
  1. Crystal-MSFT 42,956 Reputation points Microsoft Vendor
    2021-10-29T06:47:15.29+00:00

    @Giuliano, thanks for posting in our Q&A. In the CSP description, it is mentioned that this is only for a new local user account, which means we can use it with "./Device/Vendor/MSFT/Accounts/Users/UserName" when we create a new local user.
    https://learn.microsoft.com/en-us/windows/client-management/mdm/accounts-csp

    Your understanding is correct. We can create a new local admin account as a workaround. Or we can deploy a PowerShell script to change the local user password. Here are the commands we can try.
    Note: Please change the password value to the one you want.

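    # Convert the new password to the SecureString that Set-LocalUser expects
    $Password = ConvertTo-SecureString "Password value" -AsPlainText -Force
    # Look up the existing local account and set its password
    $UserAccount = Get-LocalUser -Name "admin"
    $UserAccount | Set-LocalUser -Password $Password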
    

    Edit with the commands test.
    Hope it can help.




4 additional answers

  1. Rahul Jindal [MVP] 9,141 Reputation points MVP
    2021-10-29T07:43:15.233+00:00

    Remediation failed is a known issue against this CSP for a long time. I don't think it has been fixed as yet. Question is whether the password actually changes or not. Have you tried out the new password that you are setting? If you need some references then you can check out the link below.

    intune-different-ways-of-setting-local.html


  2. Boyan Biandov 1 Reputation point
    2022-07-01T15:05:21.947+00:00

    This is a paste from my working script. Intune still reports it as failed, but the outcome is just as expected, meaning the password is changed and all other tasks are carried out. Ignore the power config stuff...

    set-executionpolicy unrestricted
    # Power settings (lid and button actions on AC and battery)
    powercfg /setacvalueindex scheme_current sub_buttons lidaction 0
    powercfg /setdcvalueindex scheme_current sub_buttons lidaction 0
    powercfg -setacvalueindex SCHEME_CURRENT 4f971e89-eebd-4455-a8de-9e59040e7347 7648efa3-dd9c-4e3e-b566-50f929386280 0
    powercfg -setdcvalueindex SCHEME_CURRENT 4f971e89-eebd-4455-a8de-9e59040e7347 7648efa3-dd9c-4e3e-b566-50f929386280 0

    # Apply the scheme and disable standby and hibernate timeouts on AC
    powercfg /setactive scheme_current
    powercfg -change -standby-timeout-ac 0
    powercfg -change -hibernate-timeout-ac 0

    # Enable the built-in Administrator account and set its password
    Enable-LocalUser -Name "Administrator"
    Set-LocalUser -Name "Administrator" -PasswordNeverExpires $True
    Set-LocalUser -Name "Administrator" -Password (ConvertTo-SecureString -String 'IkL#helloworld' -AsPlainText -Force)


  3. Rudy Ooms 596 Reputation points
    2022-07-02T09:07:24.103+00:00

    When configuring that username and password with the CSP you will always run into remediation errors, as explained here

    https://call4cloud.nl/2021/12/i-kill-remediation-errors/

    You could use PowerShell as others mentioned... but please make sure you configure it as 64.. as explained here why :)

    https://call4cloud.nl/2020/03/remove-all-local-admins/#part3

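Added example, not part of any answer in this thread and not Microsoft's own script: the accepted answer's password change combined with the 64-bit host check advised above and an on-device confirmation through `PasswordLastSet`, since posters here report a failed status even when the password did change. The account name `admin` comes from the accepted answer; the password value is a placeholder.

```powershell
# Added example. $AccountName follows the accepted answer; $NewPassword is a placeholder.
$AccountName = 'admin'
$NewPassword = '<REPLACE-WITH-NEW-PASSWORD>'

# Follow the thread's advice: refuse to run in a 32-bit host on 64-bit Windows.
if ([Environment]::Is64BitOperatingSystem -and -not [Environment]::Is64BitProcess) {
    Write-Error 'Running in a 32-bit host. Set "Run script in 64 bit PowerShell Host" to Yes.'
    exit 1
}

# The account must already exist; this script does not create it.
try {
    $before = Get-LocalUser -Name $AccountName -ErrorAction Stop
} catch {
    Write-Error "Local account '$AccountName' not found: $($_.Exception.Message)"
    exit 1
}

# Same commands as the accepted answer, with errors turned into a non-zero exit code.
try {
    $secure = ConvertTo-SecureString -String $NewPassword -AsPlainText -Force
    $before | Set-LocalUser -Password $secure -ErrorAction Stop
} catch {
    Write-Error "Set-LocalUser failed for '$AccountName': $($_.Exception.Message)"
    exit 1
}

# Confirm on the device that the password timestamp moved forward.
$after   = Get-LocalUser -Name $AccountName
$changed = $null -ne $after.PasswordLastSet -and (
    $null -eq $before.PasswordLastSet -or
    $after.PasswordLastSet -gt $before.PasswordLastSet
)

if ($changed) {
    Write-Output "Password for '$AccountName' changed at $($after.PasswordLastSet)."
    exit 0
}

Write-Error "Password timestamp for '$AccountName' did not change."
exit 1
```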

  4. RaKu 41 Reputation points
    2022-09-29T13:06:41.213+00:00

    Question

    Can Intune set a password for a user that is stored in a key vault?

    I want to rename the local admin account and set a password that will be in the vault

    Can I do it in Intune?
