Enable/Disable User must Change password at next logon using Intune

Photo of author
Jatin Makhija
1

You can configure User must Change password at next logon flag for a local user account using Intune. If you enable this setting, it forces a user to change their password when they try to log in to the device next time.

You may want to disable or Uncheck the setting, User must Change password at next logon, so that it does not force a user to change their password the next time they log on to the device.

In this blog post, I will show you how to configure this setting on a local machine using the Intune admin center. I will use the Powershell script to configure this setting for target devices.

User must change password at next logon setting disable for a local user cloudinfra101
User must change password at next logon setting disable for a local user cloudinfra101

There are many ways to deploy a Powershell script using Intune. You can use Intune device remediations or deploy a Powershell script using Device > Scripts and remediations > Platform scripts from the Intune admin center. We are going to use the Powershell script deployment method.

I’ll be using scripts from a blog post that explains how to control the User must Change password at next logon setting using PowerShell. The blog offers two scripts for this purpose, one to disable and the other to enable this setting for local user accounts on Windows 10/11 devices.

Note

STEP 1 – Prepare a Powershell script

Example: The PowerShell script will uncheck the User must Change password at next logon flag for the local user account named cloudinfra101.

It’s best practice to test any code on a local test device before deploying it to your target devices. Once you’ve confirmed that the code is functioning as expected, you can create a PowerShell script file, paste it into it, and save it with a .ps1 extension.

  • Copy the Powershell code below in a file called DisableChangePassword.ps1. Replace the name of the local user account from cloudinfra101 with the user account you want to configure.
<#
.DESCRIPTION
    This script disables "User must Change password at next logon" flag
    for a specified local user account
    Author: Jatin Makhija
    Website: cloudinfra.net
    Version: 1.0.0
#>
# Bind to the local user account
$usr = [ADSI]"WinNT://$env:ComputerName/cloudinfra101,user"
# Set the 'PasswordExpired' property to 0 disable "User must Change password at next logon"
$usr.PasswordExpired = 0
# Save the changes
$usr.SetInfo()
# Optionally, display a message indicating the change was made
Write-Host "The password expiration status for user 'cloudinfra101' has been updated."

STEP 2 – Deploy the Powershell script

After you’ve tested the PowerShell script and it’s ready for deployment, the next step is to create a deployment using the Intune admin center. Here are the steps to guide you through the deployment process:

  • Sign in to the Intune admin center
  • Go to Device > Scripts and remediations > Platform scripts.
  • Click on + Add and then Select Windows 10 and later

Basics

On the basics tab, Provide a Name and Description. For Example:

  • Name: Disable User must Change password at next logon for Cloudinfra101
  • Description: Disable User must Change password at next logon for Cloudinfra101 local user account

Script settings

You must select your Powershell script on the Script settings tab and configure how it should execute on the target devices.

  • Script location – Select the Powershell script that you want to deploy
  • Run this script using the logged on credentials – Change it to No
  • Enforce script signature check – Change it to No
  • Run script in 64 bit PowerShell Host – Change it to Yes
Add a powershell script on Intune admin center
Add a PowerShell script on the Intune admin center

Assignments

Click on Add groups and add an Entra security group containing Windows devices.

Assign a powershell script on Intune admin center
Powershell script assignment

Review + add

The final step is to review the information and click Add to start the deployment process.

Sync Intune Policies

The device check-in process might not begin immediately. If you’re testing this policy on a test device, you can manually kickstart the Intune sync from the device itself or remotely through the Intune admin center.

Alternatively, you can use PowerShell to force the Intune sync on Windows devices. Restarting the device is another way to trigger the Intune device check-in process.

End-user Experience

On the target device, a PowerShell script deployed via Intune will initially be downloaded to the device at the following location: C:\Program Files (x86)\Microsoft Intune Management Extension\Policies\Scripts before execution.

After the download, the script is executed. It’s important to note that the scripts downloaded to the device will be automatically deleted after execution, so you may find this folder empty once the script has been run.

The script will be executed in the system context since we’ve selected Run this script using the logged-on credentials as No. while creating the deployment.

To verify whether the PowerShell script we deployed has been executed on the target devices, we can check the flag User must Change password at next logon is Unchecked for cloudinfra101 user account.

User must change password at next logon setting disable for a local user cloudinfra101

Enable “User must Change password at next logon” flag for a local user account using Powershell script

You can enable the User must Change password at next logon flag with the following PowerShell script. This script sets or checks the flag for a local user account. PasswordExpired value to 1 will ensure that the flag is set. $usr.PasswordExpired = 1.

DisableChangePassword.ps1

<#
.DESCRIPTION
    This script enables "User must Change password at next logon" flag
    for a specified local user account
    Author: Jatin Makhija
    Website: cloudinfra.net
    Version: 1.0.0
#>
# Bind to the local user account
$usr = [ADSI]"WinNT://$env:ComputerName/cloudinfra101,user"
# Set the 'PasswordExpired' property to 1 to enable "User must Change password at next logon"
$usr.PasswordExpired = 1
# Save the changes
$usr.SetInfo()
# Optionally, display a message indicating the change was made
Write-Host "The password expiration status for user 'cloudinfra101' has been updated."

You can verify the PowerShell script execution status by inspecting the Intune Management Extension logs. Let’s check the steps:

  • Navigate to C:\ProgramData\Microsoft\IntuneManagementExtension\Logs
  • Please find the most recent IntuneManagementExtension.log file and open it
  • The best way to open .log files is by using a CMTrace tool.
  • Search for Policy ID and check Policy result. As you can see Policy result is showing as Success for this deployment.
Powershell script deployment in IntuneManagementExtension.log logs
Powershell script deployment in IntuneManagementExtension.log logs

Conclusion

In this blog post, we’ve learned how to enable or disable the User must Change password at next logon flag for a local user account on Windows 10 or Windows 11 devices. To prevent script failure, ensure the specified local user account exists on the target devices.

1 thought on “Enable/Disable User must Change password at next logon using Intune”

  1. This doesn’t seem to work anymore. I am getting below error when I tried to run the script in Powershell
    Exception calling “setInfo” with “0” argument(s): “Logon Failure: EAS policy requires that the user change their password before
    this operation can be performed.

    Reply

Leave a Comment

Comprehensive Step-by-Step Guides: SetUp/Troubleshooting/Configuring Solutions for Intune, Microsoft 365, Windows 365, PowerShell, Windows, Azure, and other Cloud Technologies.

About the author
Contact Us
Privacy Policies
Comment Policies
Cookie Policies

Enter your email address to subscribe to this blog and receive notifications of new posts by email.