You can configure the “User must change password at next logon” flag for a local user account using Intune. When this flag is set, the user is forced to change their password the next time they sign in to the device.
You may instead want to clear (uncheck) this flag so that the user is not forced to change their password at the next sign-in.
In this blog post, I will show how to configure this setting on local machines from the Intune admin center, using a PowerShell script deployed to the target devices.
There are several ways to deploy a PowerShell script with Intune: you can use Intune device remediations, or simply deploy the script from Devices > Scripts in the Intune admin center. This post uses the Devices > Scripts deployment method.
I will use the scripts from the blog post Enable/disable User must Change password at next logon setting using Powershell. That post provides two scripts: one that disables and one that enables the “User must change password at next logon” flag for a local user account on Windows 10/11 devices.
PowerShell script to disable the “User must change password at next logon” flag for a local user account
The PowerShell script below disables (unchecks) the “User must change password at next logon” flag for a local user account called cloudinfra101.
It is always best practice to test any code on a test device before deploying it to target devices. Once you are satisfied that the script works as expected, copy the PowerShell code into a file and save it with a .ps1 extension.

```powershell
<#
.DESCRIPTION
This script disables the "User must change password at next logon" flag for a specified local user account
Author: Jatin Makhija
Website: cloudinfra.net
Version: 1.0.0
#>

# Bind to the local user account
$usr = [ADSI]"WinNT://$env:ComputerName/cloudinfra101,user"

# Set the 'PasswordExpired' property to 0 to disable "User must change password at next logon"
$usr.PasswordExpired = 0

# Save the changes
$usr.SetInfo()

# Optionally, display a message indicating the change was made
Write-Host "The password expiration status for user 'cloudinfra101' has been updated."
```
Steps to disable “User must change password at next logon” using Intune
Once the PowerShell script is tested and ready to deploy, create a deployment from the Microsoft Intune admin center by following these steps:
- Sign in to the Microsoft Intune admin center
- Go to Devices and then click Scripts under the Policy section
- Click + Add and then select Windows 10 and later
On the Basics tab, provide a Name and Description for the PowerShell script deployment and then click Next.
- Name: Disable User must Change password at next logon for Cloudinfra101
- Description: Disable User must Change password at next logon for Cloudinfra101 local user account
On the Script settings tab, select your PowerShell script and configure how it should execute on the target devices.
- Script location – select the PowerShell script you want to deploy
- Run this script using the logged on credentials – change to No
- Enforce script signature check – change to No
- Run script in 64 bit PowerShell Host – change to Yes
Create an Azure AD security group containing the users or devices to which this PowerShell script should be deployed. For a more controlled rollout to specific devices only, target a device group. Once testing is successful and you want to deploy the script to all organization devices, you can click + Add all devices.
I have added the Cloudinfra Windows devices Azure AD group, which contains the Windows 10 and Windows 11 devices where the cloudinfra101 local user account already exists.
Review + add
The final step is to review the information and click Add to start the deployment.
Intune Policy Refresh Cycle
The device will sync (check in) to start the script deployment, which may take some time. If you are testing on a test device, you can force an Intune refresh cycle on the device to speed up the script download and execution. You can also use PowerShell to force an Intune refresh cycle.
Restarting the device also triggers a device check-in. Manual sync is not mandatory on users’ devices, because check-in happens automatically, but on a test device it can speed up your testing and save some time.
End user experience
On the target device, the PowerShell script deployed via Intune is first downloaded to C:\Program Files (x86)\Microsoft Intune Management Extension\Policies\Scripts and then executed. Downloaded scripts are deleted automatically after execution, so you may find this folder empty.
If you want to retrieve the script from the local device, you have to be quick and copy the script file from the above location before the Intune Management Extension deletes it. I have provided the steps to retrieve the PowerShell scripts you uploaded to Intune in another blog post: Retrieve Powershell scripts deployed via Intune.
The script executes in the SYSTEM context because we set Run this script using the logged on credentials to No. Let’s check whether the PowerShell script we deployed has executed on the target devices.
In the screenshot below, you can see that the “User must change password at next logon” flag is unset (unchecked) for the cloudinfra101 user account.
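If you prefer to confirm the result from a PowerShell prompt on the device rather than from the Local Users and Groups console, the following snippet lists every local user account with the current state of the flag and whether the account is disabled. It is an added example, not code from the original post, and it uses the same WinNT ADSI provider as the deployed script; the property names shown in the output are this example's own.

```powershell
# Added example (not from the original post): report the "User must change password
# at next logon" flag for every local user account via the WinNT ADSI provider.
$computer = [ADSI]"WinNT://$env:ComputerName"

$computer.Children |
    # The computer container also holds groups and services; keep only user objects
    Where-Object { $_.SchemaClassName -eq 'user' } |
    ForEach-Object {
        [PSCustomObject]@{
            Name                  = $_.Name.Value
            # PasswordExpired = 1 means the flag is set (user must change password at next logon)
            MustChangeAtNextLogon = ([int]$_.PasswordExpired.Value -eq 1)
            # UserFlags bit 0x2 is ADS_UF_ACCOUNTDISABLE
            Disabled              = (([int]$_.UserFlags.Value -band 0x2) -ne 0)
        }
    } |
    Sort-Object Name |
    Format-Table -AutoSize
```

Run it in an elevated PowerShell session on the target device after the Intune script has executed; the cloudinfra101 row should show MustChangeAtNextLogon as False once the disable script has run.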
PowerShell script to enable the “User must change password at next logon” flag for a local user account
You can also enable the “User must change password at next logon” flag by using the PowerShell script below, which sets (checks) the flag for the local user account. The only change from the previous script is that the PasswordExpired value is set to 1:
$usr.PasswordExpired = 1

```powershell
<#
.DESCRIPTION
This script enables the "User must change password at next logon" flag for a specified local user account
Author: Jatin Makhija
Website: cloudinfra.net
Version: 1.0.0
#>

# Bind to the local user account
$usr = [ADSI]"WinNT://$env:ComputerName/cloudinfra101,user"

# Set the 'PasswordExpired' property to 1 to enable "User must change password at next logon"
$usr.PasswordExpired = 1

# Save the changes
$usr.SetInfo()

# Optionally, display a message indicating the change was made
Write-Host "The password expiration status for user 'cloudinfra101' has been updated."
```
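The disable and enable scripts above differ only in the value written to PasswordExpired. As an added example that is not part of the original post, the following script combines them behind a single $SetFlag variable, checks that the account exists before binding (the post notes the script fails otherwise), reads the property back after SetInfo() to confirm the change actually took, and returns a non-zero exit code so the Intune script deployment reports a failure instead of a silent success. The account name is the one used throughout this post; $UserName, $SetFlag and $Target are this example's own variable names.

```powershell
<#
.DESCRIPTION
Added example (not the original post's script): set or clear the
"User must change password at next logon" flag for a local account,
with an existence check, read-back verification and Intune-friendly exit codes.
#>

# Account name used throughout the post; $SetFlag = $true enables the flag, $false clears it.
$UserName = 'cloudinfra101'
$SetFlag  = $false
$Target   = if ($SetFlag) { 1 } else { 0 }

# Intune records a non-zero exit code as a failed script run, so fail loudly if the account is missing.
if (-not (Get-LocalUser -Name $UserName -ErrorAction SilentlyContinue)) {
    Write-Output "Local user '$UserName' does not exist on $env:ComputerName."
    exit 1
}

try {
    $usr = [ADSI]"WinNT://$env:ComputerName/$UserName,user"

    # PasswordExpired is 1 when the flag is set and 0 when it is clear.
    $before = [int]$usr.PasswordExpired.Value
    if ($before -eq $Target) {
        Write-Output "Flag already has the desired value ($Target) for '$UserName'; nothing to do."
        exit 0
    }

    $usr.PasswordExpired = $Target
    $usr.SetInfo()

    # Re-read from the account database rather than trusting the cached property.
    $usr.RefreshCache()
    $after = [int]$usr.PasswordExpired.Value
    if ($after -ne $Target) {
        throw "PasswordExpired is still $after after SetInfo()."
    }

    Write-Output "PasswordExpired for '$UserName' changed from $before to $after."
    exit 0
}
catch {
    # Anything written here is captured in IntuneManagementExtension.log on the device.
    Write-Output "Failed to update '$UserName': $($_.Exception.Message)"
    exit 1
}
```

Get-LocalUser comes from the Microsoft.PowerShell.LocalAccounts module, which is only available to the 64-bit PowerShell host on 64-bit Windows; that is one more reason to leave Run script in 64 bit PowerShell Host set to Yes in the deployment.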
Where to find logs related to this PowerShell script deployed via Intune
After you have deployed this PowerShell script to disable the “User must change password at next logon” flag, you can check the logs on the target devices as follows:
- Browse to C:\ProgramData\Microsoft\IntuneManagementExtension\Logs and open the most recent IntuneManagementExtension.log file. You can sort by the Date modified column to find the most recent file.
- Use the deployment ID to jump to the log entries for your PowerShell script deployment. To find the deployment ID of any deployment created in Intune, click the deployment in the Intune admin center and copy the ID from the web browser address bar.
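Instead of scrolling the log by hand, the same two steps can be done from PowerShell. The snippet below is an added example, not from the original post: it picks the most recently written IntuneManagementExtension log from the folder above and prints only the lines that mention the deployment ID. The deployment ID is a placeholder to be replaced with the value copied from the admin center URL.

```powershell
# Added example (not from the original post): pull the lines for one script deployment out of
# the most recently written IntuneManagementExtension log. The deployment id is a placeholder;
# copy the real one from the deployment's URL in the Intune admin center, as described above.
$DeploymentId = '<deployment-id-from-intune-url>'
$LogDir       = 'C:\ProgramData\Microsoft\IntuneManagementExtension\Logs'

# The extension rolls the log over, so pick the newest IntuneManagementExtension*.log by write time.
$log = Get-ChildItem -Path $LogDir -Filter 'IntuneManagementExtension*.log' |
    Sort-Object LastWriteTime -Descending |
    Select-Object -First 1

if (-not $log) {
    Write-Output "No IntuneManagementExtension log found under $LogDir."
    return
}

Write-Output "Reading $($log.FullName)"

# -SimpleMatch treats the GUID literally instead of as a regular expression.
Select-String -Path $log.FullName -Pattern $DeploymentId -SimpleMatch |
    Select-Object -ExpandProperty Line
```

The log is written in CMTrace format, so each printed line still carries its <![LOG[...]LOG]!> wrapper with the timestamp and component; open the file in CMTrace if you want those fields split into columns.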
In this blog post, we have seen how to disable or enable the “User must change password at next logon” flag for a local user account on Windows 10 or Windows 11 devices. Make sure that the local user account you specify in the script already exists on the target devices; otherwise the script will fail.
If you want to troubleshoot issues related to PowerShell script deployment using Intune, refer to my blog post: How to deploy Powershell script using Intune. At the end of that post, I have provided troubleshooting steps that help with any PowerShell script deployment issues via Intune.