Create a local user account via Windows 10 MDM

This blog post uses the Accounts configuration service provider (CSP) to create a local user account on Windows 10 devices. This area was added in Windows 10, version 1803, which is currently only available as an Insider Preview build.

This week is all about creating local user accounts via Windows 10 MDM. That can for example make life a bit easier with troubleshooting an offline device. A fallback account. In this post I’ll show how this can be achieved by using the Accounts CSP. I’ll show the available nodes and I’ll show how to configure them. I’ll end this post by showing the end-user experience. Also, spoiler alert, it’s good to note that this is not a pretty administrator experience at this moment, but I’m pretty sure that will be fixed when it’s a built-in configuration in Microsoft Intune.


Let’s start by having a look at the tree of the Accounts CSP.

Available nodes

The Accounts CSP contains nodes for renaming a computer account and for the creation of a user account. To get a better understanding of the different nodes, it’s good to walk through the available nodes. Specifically those related to user accounts, as those are the subject of this post. Let’s go through those related nodes.

  • ./Device/Vendor/MSFT/Accounts – Defines the root node for the Accounts CSP;
  • Users – Defines the interior node for the user account information;
  • [UserName] – Defines the username of the new local user account (the name itself is the node, so it becomes part of the OMA-URI);
  • Password – Defines the password for the new local user account;
  • LocalUserGroup – Defines the local user group for the new local user account.

Configurable nodes

There are basically two configurable nodes related to the creation of a local user account: the Password node and the LocalUserGroup node. The [UserName] node is the name of the new account itself; it can be any valid local username. The table below provides an overview of the configurable nodes.

Node             Value                  Description
Password         String                 This required setting allows the administrator to set the password for the new local user account.
LocalUserGroup   Integer                This optional setting allows the administrator to control the local user group of the new local user account.
                 1 – (Default) Users
                 2 – Administrators

Note: The password value can be any valid string and is stored and shown in plaintext in the Azure portal, so anyone who can read the profile can read the password. The same password is pushed to every device the profile is assigned to, and the CSP only creates accounts: changing the value afterwards does not reset the password of an account that already exists on the device.


Now let’s continue by having a look at the required and optional configuration to create a local user account on the device. In other words, create a device configuration profile with the previously mentioned custom OMA-URI settings. The following three steps walk through the creation of that device configuration profile. After that simply assign the created profile to a user or device group.

1 Open the Azure portal and navigate to Intune > Device configuration > Profiles;
2 On the Devices configuration – Profiles blade, click Create profile to open the Create profile blade;
3a On the Create profile blade, provide the following information and click Create;

  • Name: Provide a valid name;
  • Description: (Optional) Provide a description;
  • Platform: Select Windows 10 and later;
  • Profile type: Select Custom;
  • Settings: See step 3b and 3c.

3b On the Custom OMA-URI Settings blade, click Add to open the Add row blade. On the Add row blade, provide the following information and click OK;

  • Name: Provide a valid name;
  • Description: (Optional) Provide a description;
  • OMA-URI: ./Device/Vendor/MSFT/Accounts/Users/TestUser/Password;
  • Data type: Select String;
  • Value: P@ssw0rd!.

3c On the Custom OMA-URI Settings blade, click Add again to open the Add row blade. On the Add row blade, provide the following information and click OK (and click OK in the Custom OMA-URI blade);

  • Name: Provide a valid name;
  • Description: (Optional) Provide a description;
  • OMA-URI: ./Device/Vendor/MSFT/Accounts/Users/TestUser/LocalUserGroup;
  • Data type: Select Integer;
  • Value: 2.

The semicolons and periods at the end of the list items are punctuation, not part of the values: the OMA-URIs end at Password and LocalUserGroup, and TestUser in both URIs is the name of the account that will be created.

Note: At some point in time this configuration will probably become available in the Azure portal without the requirement of creating a custom OMA-URI.
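The same custom profile can be created without clicking through the portal, by posting it to Microsoft Graph. The script below is an added example and is not part of the original post; it assumes the Microsoft.Graph.Authentication module is installed, that the signed-in account holds the DeviceManagementConfiguration.ReadWrite.All permission, and that the account name, profile name and target group id are placeholders to replace. Each row on the Custom OMA-URI Settings blade corresponds to one omaSetting object in the request body.

```powershell
# Added example (not from the original post): create the custom OMA-URI profile for the
# Accounts CSP through Microsoft Graph and assign it to a group.
# Assumptions: Microsoft.Graph.Authentication module present, caller has
# DeviceManagementConfiguration.ReadWrite.All; $UserName, $ProfileName and $groupId are placeholders.
#Requires -Modules Microsoft.Graph.Authentication
param(
    [string]$UserName    = 'TestUser',               # becomes part of the OMA-URI, as in the post
    [int]   $LocalGroup  = 2,                        # 1 = Users (default), 2 = Administrators
    [string]$ProfileName = 'Local fallback account'
)

# Prompt for the password instead of hardcoding it in the script. The CSP still needs the
# plain string, and Intune stores and displays it in plaintext once the profile exists.
$secure    = Read-Host -Prompt "Password for local account $UserName" -AsSecureString
$plaintext = [System.Net.NetworkCredential]::new('', $secure).Password
if ([string]::IsNullOrWhiteSpace($plaintext)) { throw 'An empty password is not accepted.' }

$root = "./Device/Vendor/MSFT/Accounts/Users/$UserName"

# windows10CustomConfiguration is the Graph type behind a "Custom" Windows 10 profile.
$body = @{
    '@odata.type' = '#microsoft.graph.windows10CustomConfiguration'
    displayName   = $ProfileName
    description   = "Creates local account $UserName via the Accounts CSP"
    omaSettings   = @(
        @{
            '@odata.type' = '#microsoft.graph.omaSettingString'
            displayName   = 'LU_Password'
            omaUri        = "$root/Password"
            value         = $plaintext
        },
        @{
            '@odata.type' = '#microsoft.graph.omaSettingInteger'
            displayName   = 'LU_Group'
            omaUri        = "$root/LocalUserGroup"
            value         = $LocalGroup
        }
    )
}

Connect-MgGraph -Scopes 'DeviceManagementConfiguration.ReadWrite.All' | Out-Null

$created = Invoke-MgGraphRequest -Method POST `
    -Uri 'https://graph.microsoft.com/v1.0/deviceManagement/deviceConfigurations' `
    -Body ($body | ConvertTo-Json -Depth 5) -ContentType 'application/json'

# Assign the profile to a group (placeholder id; use the object id of a real Azure AD group).
$groupId = '00000000-0000-0000-0000-000000000000'
$assignment = @{
    assignments = @(
        @{
            target = @{
                '@odata.type' = '#microsoft.graph.groupAssignmentTarget'
                groupId       = $groupId
            }
        }
    )
}
Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/deviceManagement/deviceConfigurations/$($created.id)/assign" `
    -Body ($assignment | ConvertTo-Json -Depth 5) -ContentType 'application/json'

"Created profile '$($created.displayName)' with id $($created.id)"
```

Prompting for the password keeps it out of the script and out of shell history, but it does not change what ends up in Intune: the value is stored as a plain omaSettingString and is readable by anyone who can open the profile.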

End-user experience

Let’s end this post by having a quick look at the end-user experience. There’s actually not that much to be shown. Only the created account. Below on the left is a screenshot of the default configuration of the created user account, including the full name, and below on the right is a screenshot of the group memberships of the created user account.

[Screenshots: TestUser01 (account properties, left) and TestUser02 (group memberships, right)]

Note: The reporting in the Azure portal still provides me with a remediation failed error message, while the actual account creation was a success.
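Because the portal reporting and the actual result can disagree, it helps to verify on the device itself. The script below is an added example, not code from the original post; it assumes it is run elevated on a Windows 10 device with the Microsoft.PowerShell.LocalAccounts module (PowerShell 5.1 or later), and the account name is a placeholder. It checks that the account exists, which local groups it ended up in, and whether the "user must change password at next logon" flag is set, then lists the MDM client's own log entries that mention the Accounts CSP.

```powershell
# Added example (not from the original post): verify on the device what the Accounts CSP did.
# Assumptions: run elevated; Microsoft.PowerShell.LocalAccounts module available; $UserName is a placeholder.
param([string]$UserName = 'TestUser')

$user = Get-LocalUser -Name $UserName -ErrorAction SilentlyContinue
if (-not $user) {
    Write-Warning "Local account '$UserName' does not exist on this device."
} else {
    # Group membership: with LocalUserGroup = 2 the account should be a member of Administrators.
    $groups = Get-LocalGroup | Where-Object {
        Get-LocalGroupMember -Group $_ -ErrorAction SilentlyContinue |
            Where-Object { $_.SID -eq $user.SID }
    } | Select-Object -ExpandProperty Name

    # Get-LocalUser does not expose "User must change password at next logon";
    # the WinNT ADSI provider reports that flag as PasswordExpired = 1.
    $adsi = [ADSI]"WinNT://$env:COMPUTERNAME/$UserName,user"

    [pscustomobject]@{
        Name                      = $user.Name
        Enabled                   = $user.Enabled
        Groups                    = ($groups -join ', ')
        PasswordLastSet           = $user.PasswordLastSet
        PasswordExpires           = $user.PasswordExpires
        MustChangePasswordAtLogon = [bool]$adsi.PasswordExpired.Value
    } | Format-List
}

# The CSP is written by the MDM client; its results land in the enterprise diagnostics log,
# which is the place to look when the portal reports a failure for a profile that applied.
Get-WinEvent -LogName 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin' `
    -MaxEvents 200 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'Accounts' } |
    Select-Object TimeCreated, Id, LevelDisplayName, Message |
    Format-Table -Wrap
```

If the account exists and sits in the expected group while the portal still says "remediation failed", the event log entries for the Accounts CSP usually show which node the MDM client considered unsuccessful.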

More information

For more information about the Accounts CSP, refer to this article named Accounts CSP.

43 thoughts on “Create a local user account via Windows 10 MDM”

  1. Thanks for sharing Peter. Especially the ‘Domain/ComputerName’ is a very nice CSP for renaming all those Autopilot desktop-guid devices!

  2. Does this work only on Windows 10 1803? If not, then it does not appear to be working. I noticed the “; ” at the end of the OMA-URI. Should that be there?

  3. Works well.

    Only a pity that the password is not changed if the account already exists on the device. So it does not work as a password changer for already existing accounts.

  4. Hi Jan,

    I’ll switch to English. This is indeed only for creating new accounts and not for changing the password of existing accounts. If you want to manage something about the built-in administrator and guest account, you can use the Endpoint protection policy.

    Regards, Peter

  5. Hi Peter,

    Is there a way to either set the password not to expire or set an expiry time (e.g. 90 days)?

  6. Also just noticed that the Integer value of 2 does not place this newly created account into the Administrators group, just the User group. Please advise.

  7. Another odd bit is that this account does not appear on the login screen. I have done this with PowerShell and I am able to set the expiry, Administrator group, this account appears as a listed account at the login screen. So I am not sure why this one does not.

  8. Hi Peter,

    Please disregard my post in regards to the account not being placed in the local Administrators group. Found a typo in my OMA-URI. However, the other issues are still open.

  9. Hi Peter,
    Is there any way we can set the new account created not to enforce for changing the password for initial login?

  10. Thanks Peter for quick reply.
    I was trying a PS script but was unlucky in accomplishing the task, since the machine is not joined to AD (Autopilot – AAD device); I am unable to execute the code below.
    Set-ADUser -ChangePasswordAtLogon:$True.
    I have also checked the Win32_UserAccount class and could see only the options below for the object: “PasswordChangeable / PasswordExpires / PasswordRequired”.
    Could you please suggest some useful links or your thoughts on how to achieve this?

  11. Hi Nigelb,
    Theoretically, yes, but practically it might be challenging with policy orders. If it’s for Kiosk mode, I’m planning a post on that subject this week.
    Regards, Peter

  12. There seem to be some issues with this in 1709; it automatically logs you into the admin account every time you restart. It seems to work fine with 1803.

  13. Hello,

    Let me begin by saying thank you for the great articles; they have helped us very much.

    We applied this new profile, but we have issues with actually logging into these local users. The only workaround I found was to manually “reset” the password from lusrmgr.msc for the user to the one from the policy. If we try to log on without manually setting it, we just get the classic “incorrect username or password”.

    Any ideas?

  14. Hello again,

    Figured out the issue – password string was modified after initial profile creation and password “change” in Intune does not sync.

    However, a new question arose – can you remove these local accounts from all devices via Intune? Looking at the Accounts CSP article, the only supported function was “Add”.

  15. Hello Peter,

    Yes, a simple PS script published to all devices via Intune resolved the issue.

    However Account CSP is not as “admin/user friendly” as one would wish, for instance, if you rename the account in CSP profile it will create a new user object and not update the existing one. So good thing to remember for less experienced Intune-rs.

    But thank you for all the pointers. Keep up the good job 🙂

  16. Hi Peter,

    A compliance policy seems to be the reason it got enabled in the first place. I disabled that and from now on the local admin is created without the “Change pw at logon” enabled.

  17. I’m having the same issue with the local admin being created with the “User must change password at next logon” enabled. If you could provide what setting caused this issue that would be great!

  18. Hi ,
    I assumed somebody knows exactly which setting causes the problems.

    Anyway, I’ve found old cmd : net user username logonpasswordchg:{yes | no}

    But it fails with the:
    System error 1938 has occurred.

    Logon Failure: EAS policy requires that the user change their password before this operation can be performed.

  19. The compliance policy setting that caused it was “require password”, if I remember correctly. I’ll get back tomorrow.

  20. Hello again,

    Back at it again, seems like with recent updates to either OS or Intune, Accounts CSP has become broken for us.

    It was working fine until recently; now when attempting, for example, to run a program with “Run as different user” with that account, it returns the error “Account restrictions are preventing this user from signing in. For example: blank passwords aren’t allowed, sign-in times are limited, or a policy restriction has been enforced.”

    Safe to mention that no policy restrictions have been made from our side.

    Any ideas or anyone else is experiencing same issue?

  21. Has anyone solved the prompt to change the password when using this method? I read the comments and didn’t see whether anyone had worked around this.
