You can set or clear the "User must change password at next logon" flag on a local user account using Intune. When the flag is set, Windows forces the user to change their password the next time they sign in to the device.
You may want to clear (uncheck) the flag so that the user is not forced to change their password at their next sign-in.
In this blog post, I will show you how to configure this setting on a local machine from the Intune admin center, using a PowerShell script deployed to the target devices.
There are several ways to deploy a PowerShell script with Intune. You can use Intune remediations (a detection script paired with a remediation script), or deploy a standalone script from Devices > Scripts and remediations > Platform scripts in the Intune admin center. This post uses the Platform scripts method.
I will use the scripts from an earlier post that explains how to control the User must change password at next logon setting with PowerShell. That post offers two scripts: one that clears the flag and one that sets it, for local user accounts on Windows 10/11 devices.
STEP 1 – Prepare a PowerShell script
Example: the PowerShell script below clears the User must change password at next logon flag for the local user account named cloudinfra101.
It is best practice to test any code on a local test device before deploying it to your target devices. Once you have confirmed that the code behaves as expected, create a PowerShell script file, paste the code into it, and save it with a .ps1 extension.
- Copy the PowerShell code below into a file called DisableChangePassword.ps1. Replace the local user account name cloudinfra101 with the account you want to configure.
```powershell
<#
.DESCRIPTION
    This script disables the "User must change password at next logon" flag
    for a specified local user account.
    Author: Jatin Makhija
    Website: cloudinfra.net
    Version: 1.0.0
#>

# Bind to the local user account through the WinNT ADSI provider
$usr = [ADSI]"WinNT://$env:ComputerName/cloudinfra101,user"

# Set the 'PasswordExpired' property to 0 to clear "User must change password at next logon"
$usr.PasswordExpired = 0

# Save the changes back to the local SAM
$usr.SetInfo()

# Optionally, display a message indicating the change was made
Write-Host "The password expiration status for user 'cloudinfra101' has been updated."
```
STEP 2 – Deploy the PowerShell script
After you have tested the PowerShell script and it is ready for deployment, the next step is to create a deployment in the Intune admin center. Here are the steps:
- Sign in to the Intune admin center.
- Go to Devices > Scripts and remediations > Platform scripts.
- Click + Add and select Windows 10 and later.
Basics
On the basics tab, Provide a Name and Description. For Example:
- Name: Disable User must Change password at next logon for Cloudinfra101
- Description: Disable User must Change password at next logon for Cloudinfra101 local user account
Script settings
On the Script settings tab, select your PowerShell script and configure how it should execute on the target devices.
- Script location – Select the PowerShell script that you want to deploy.
- Run this script using the logged on credentials – Change it to No. The script then runs in the SYSTEM context, which is what modifying another account's flags requires.
- Enforce script signature check – Leave it at No unless the script is signed with a certificate the devices trust; with Yes, an unsigned script will not run.
- Run script in 64 bit PowerShell Host – Change it to Yes.
Assignments
Click Add groups and add an Entra ID security group containing the target Windows devices.
Review + add
The final step is to review the information and click Add to create the deployment.
Sync Intune Policies
The device check-in might not begin immediately. If you are testing this policy on a test device, you can manually trigger an Intune sync from the device itself or remotely from the Intune admin center.
Alternatively, you can use PowerShell to force an Intune sync on a Windows device. Restarting the device is another way to trigger the Intune check-in.
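The following is an added example, not a script from the original post, showing one way to force that check-in from an elevated PowerShell prompt on the device. It assumes an MDM-enrolled device, where the MDM client check-in is the scheduled task named PushLaunch under \Microsoft\Windows\EnterpriseMgmt\<EnrollmentId>\ (task location assumed from the standard MDM client layout), and that the Intune Management Extension service, which delivers platform scripts, is installed.

```powershell
# Added example (not from the post): force an Intune check-in from the device.
# Assumes an MDM-enrolled device (PushLaunch task under EnterpriseMgmt, location assumed)
# and an installed Intune Management Extension service. Run elevated.
function Start-IntuneSync {
    # The MDM client check-in task; the wildcard covers the per-enrollment GUID folder.
    $task = Get-ScheduledTask -TaskName 'PushLaunch' `
                              -TaskPath '\Microsoft\Windows\EnterpriseMgmt\*' `
                              -ErrorAction SilentlyContinue
    if ($task) {
        $task | Start-ScheduledTask
        Write-Host "Started MDM check-in task: $($task.TaskPath)$($task.TaskName)"
    }
    else {
        Write-Warning 'PushLaunch task not found; is the device MDM-enrolled?'
    }

    # Platform scripts are fetched by the Intune Management Extension, not the MDM client,
    # so restart that service to make it poll for new script policies right away.
    $svc = Get-Service -Name IntuneManagementExtension -ErrorAction SilentlyContinue
    if ($svc) {
        Restart-Service -Name IntuneManagementExtension
        Write-Host 'Restarted IntuneManagementExtension to trigger a policy poll'
    }
    else {
        Write-Warning 'IntuneManagementExtension service not found on this device'
    }
}

Start-IntuneSync
```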
End-user Experience
On the target device, a PowerShell script deployed via Intune is first downloaded to C:\Program Files (x86)\Microsoft Intune Management Extension\Policies\Scripts and then executed from there.
The downloaded script is deleted automatically after it has run, so you may find this folder empty once execution is complete.
The script runs in the SYSTEM context because we set Run this script using the logged-on credentials to No when creating the deployment.
To verify that the deployed script has executed on a target device, open the cloudinfra101 account's properties (for example in Local Users and Groups) and confirm that the User must change password at next logon flag is unchecked.
Enable “User must change password at next logon” flag for a local user account using a PowerShell script
You can set the User must change password at next logon flag with the following PowerShell script. It is the same script as above except that it assigns 1 to PasswordExpired, which sets the flag: $usr.PasswordExpired = 1
EnableChangePassword.ps1
```powershell
<#
.DESCRIPTION
    This script enables the "User must change password at next logon" flag
    for a specified local user account.
    Author: Jatin Makhija
    Website: cloudinfra.net
    Version: 1.0.0
#>

# Bind to the local user account through the WinNT ADSI provider
$usr = [ADSI]"WinNT://$env:ComputerName/cloudinfra101,user"

# Set the 'PasswordExpired' property to 1 to set "User must change password at next logon"
$usr.PasswordExpired = 1

# Save the changes back to the local SAM
$usr.SetInfo()

# Optionally, display a message indicating the change was made
Write-Host "The password expiration status for user 'cloudinfra101' has been updated."
```
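The two scripts above differ only in the value written to PasswordExpired. The following is an added example, not code from the original post, that folds both into one script and adds what a practitioner typically wants before deploying it through Intune: it checks that the account exists (the conclusion notes that a missing account makes the script fail), re-reads the flag after SetInfo instead of assuming success, catches and reports a rejected SetInfo, and returns a non-zero exit code so the deployment shows as failed in Intune rather than silently succeeding. Because Platform scripts are not passed arguments, the $UserName and $Action defaults are what a deployment would use; the log file name ChangePasswordFlag.log is an assumption for this example.

```powershell
<#
    Added example, not the original post's script.
    Sets or clears "User must change password at next logon" for one local account.
    Assumes: Windows 10/11 with Get-LocalUser (built-in LocalAccounts module) and the
    WinNT ADSI provider; run as SYSTEM in a 64-bit host, as configured in STEP 2.
#>
param(
    [string]$UserName = 'cloudinfra101',                     # account from the post; change per deployment
    [ValidateSet('Enable', 'Disable')]
    [string]$Action = 'Disable'                              # Disable clears the flag, Enable sets it
)

$ErrorActionPreference = 'Stop'
$logDir  = 'C:\ProgramData\Microsoft\IntuneManagementExtension\Logs'   # IME log folder from the post
$logFile = Join-Path $logDir 'ChangePasswordFlag.log'                   # assumed file name for this example

function Write-Log([string]$Message) {
    $line = '{0:yyyy-MM-dd HH:mm:ss} {1}' -f (Get-Date), $Message
    Write-Host $line
    if (Test-Path $logDir) { Add-Content -Path $logFile -Value $line }
}

try {
    # 1. Fail fast with a clear message if the account does not exist on this device.
    $local = Get-LocalUser -Name $UserName -ErrorAction SilentlyContinue
    if (-not $local) {
        Write-Log "ERROR: local account '$UserName' not found on $env:COMPUTERNAME"
        exit 1
    }

    # 2. Bind through the WinNT provider; PasswordExpired = 1 sets the flag, 0 clears it.
    $usr     = [ADSI]"WinNT://$env:COMPUTERNAME/$UserName,user"
    $desired = if ($Action -eq 'Enable') { 1 } else { 0 }
    $current = [int]$usr.PasswordExpired.Value

    if ($current -eq $desired) {
        Write-Log "No change: PasswordExpired already $current for '$UserName'"
        exit 0
    }

    $usr.PasswordExpired = $desired
    $usr.SetInfo()

    # 3. Re-read the flag from the SAM rather than trusting that SetInfo took effect.
    $usr.RefreshCache()
    $after = [int]$usr.PasswordExpired.Value
    if ($after -ne $desired) {
        Write-Log "ERROR: PasswordExpired is $after after SetInfo, expected $desired"
        exit 1
    }

    Write-Log "OK: PasswordExpired set to $after for '$UserName' ($Action)"
    exit 0
}
catch {
    # SetInfo can be rejected by policy (the reader comment below quotes one such
    # 'Logon Failure: EAS policy requires ...' error); surface it and report failure.
    Write-Log "ERROR: $($_.Exception.Message)"
    exit 1
}
```

Run it locally as an administrator with `.\Set-ChangePasswordFlag.ps1 -UserName cloudinfra101 -Action Enable` (file name assumed) to test both directions before uploading it, then set the defaults to the values you want the deployment to apply.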
Locate the logs for an Intune-deployed PowerShell script
You can verify the execution status of the PowerShell script by inspecting the Intune Management Extension logs:
- Navigate to C:\ProgramData\Microsoft\IntuneManagementExtension\Logs.
- Find the most recent IntuneManagementExtension.log file and open it.
- The easiest way to read these .log files is with the CMTrace tool.
- Search for the script's Policy ID and check the Policy result. For this deployment the Policy result shows as Success.
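Where CMTrace is not at hand, or where many devices need checking, the same lookup can be scripted. The following is an added example, not from the original post: a function that parses the CMTrace-format lines the Intune Management Extension writes (<![LOG[message]LOG]!><time=... date=... component=...>) and returns the result entries for one policy ID. The sample log lines embedded at the bottom are constructed for this example and only approximate the wording of real IME entries; point -Path at the real IntuneManagementExtension.log on a device to use it for real.

```powershell
# Added example (not from the post): find the result of one platform-script policy
# in the IME log without CMTrace. Log line format is the CMTrace format; the sample
# lines below are constructed and only approximate real IME messages.
function Get-ImePolicyResult {
    param(
        [string]$Path = 'C:\ProgramData\Microsoft\IntuneManagementExtension\Logs\IntuneManagementExtension.log',
        [Parameter(Mandatory)][string]$PolicyId,
        [string[]]$Lines                # optional: supply lines directly instead of reading $Path
    )
    if (-not $Lines) { $Lines = Get-Content -Path $Path }

    # CMTrace line: <![LOG[message]LOG]!><time="..." date="..." component="..." ...>
    $linePattern = '^<!\[LOG\[(?<msg>.*)\]LOG\]!><time="(?<time>[^"]+)" date="(?<date>[^"]+)" component="(?<comp>[^"]*)"'
    $idPattern   = [regex]::Escape($PolicyId)

    foreach ($line in $Lines) {
        if ($line -notmatch $linePattern) { continue }
        # Copy captures out before the next -match overwrites $Matches.
        $msg  = $Matches['msg']; $time = $Matches['time']
        $date = $Matches['date']; $comp = $Matches['comp']

        if ($msg -notmatch $idPattern) { continue }
        # Only lines that carry a result are useful for verification.
        if ($msg -match 'result\s*=\s*(?<result>\w+)') {
            [pscustomobject]@{
                Date      = $date
                Time      = $time
                Component = $comp
                Result    = $Matches['result']
                Message   = $msg
            }
        }
    }
}

# Constructed sample lines (shape only; not copied from a real device).
$sample = @(
    '<![LOG[[PowerShell] Policy id = 11111111-2222-3333-4444-555555555555, downloading script]LOG]!><time="10:15:01.123+000" date="05-10-2024" component="IntuneManagementExtension" context="" type="1" thread="9" file="">',
    '<![LOG[[PowerShell] Policy id = 11111111-2222-3333-4444-555555555555, policy result = Success]LOG]!><time="10:15:04.456+000" date="05-10-2024" component="IntuneManagementExtension" context="" type="1" thread="9" file="">',
    '<![LOG[[PowerShell] Policy id = aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee, policy result = Failed]LOG]!><time="10:15:05.789+000" date="05-10-2024" component="IntuneManagementExtension" context="" type="3" thread="9" file="">'
)

Get-ImePolicyResult -PolicyId '11111111-2222-3333-4444-555555555555' -Lines $sample |
    Format-Table Date, Time, Result, Message -AutoSize
```

Against the sample lines the function returns a single entry with Result = Success; the Failed line for the other policy ID is filtered out. The policy ID to search for is the script's ID as shown in the Intune admin center.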
Conclusion
In this blog post, we have learned how to set or clear the User must change password at next logon flag for a local user account on Windows 10 or Windows 11 devices. To prevent the script from failing, ensure the specified local user account exists on every target device.
This doesn’t seem to work anymore. I am getting the below error when I try to run the script in PowerShell:
Exception calling “setInfo” with “0” argument(s): “Logon Failure: EAS policy requires that the user change their password before this operation can be performed.”