Create a local user account via Windows 10 MDM

This blog post uses the Accounts configuration service provider (CSP) to create a local user account on Windows 10 devices. This area was added in Windows 10, version 1803, which is currently only available as an Insider Preview build.

This week is all about creating local user accounts via Windows 10 MDM. That can, for example, make troubleshooting an offline device a bit easier by providing a fallback account. In this post I’ll show how this can be achieved by using the Accounts CSP. I’ll show the available nodes and I’ll show how to configure them. I’ll end this post by showing the end-user experience. Also, spoiler alert, it’s good to note that this is not a pretty administrator experience at this moment, but I’m pretty sure that will be fixed when it’s a built-in configuration in Microsoft Intune.

Overview

Let’s start by having a look at the tree of the Accounts CSP.

Available nodes

The Accounts CSP contains nodes for renaming a computer account and for the creation of a user account. To get a better understanding of the different nodes, it’s good to walk through the available nodes. Specifically those related to user accounts, as those are the subject of this post. Let’s go through those related nodes.

  • ./Device/Vendor/MSFT/Accounts – Defines the root node for the Accounts CSP;
  • Users – Defines the interior node for the user account information;
  • [UserName] – Defines the username of the new local user account;
  • Password – Defines the password for the new local user account;
  • LocalUserGroup – Defines the local user group for the new local user account.

Configurable nodes

There are basically two configurable nodes related to the creation of a local user account. The Password node and the LocalUserGroup node. The [UserName] node should contain the username and can be anything. The table below provides an overview of the configurable nodes.

Node           | Value                                             | Description
Password       | String                                            | This required setting allows the administrator to set the password for the new local administrator account.
LocalUserGroup | Integer: 1 – (Default) Users; 2 – Administrators  | This optional setting allows the administrator to control the local user group of the new local administrator account.

Note: The password value can be any valid string and is visible as plaintext in the Azure portal.

Configure

Now let’s continue by having a look at the required and optional configuration to create a local user account on the device. In other words, create a device configuration profile with the previously mentioned custom OMA-URI settings. The following three steps walk through the creation of that device configuration profile. After that simply assign the created profile to a user or device group.

1. Open the Azure portal and navigate to Intune > Device configuration > Profiles;
2. On the Device configuration – Profiles blade, click Create profile to open the Create profile blade;
3a. On the Create profile blade, provide the following information and click Create;

  • Name: Provide a valid name;
  • Description: (Optional) Provide a description;
  • Platform: Select Windows 10 and later;
  • Profile type: Select Custom;
  • Settings: See step 3b and 3c.

3b. On the Custom OMA-URI Settings blade, click Add to open the Add row blade. On the Add row blade, provide the following information and click OK;

  • Name: Provide a valid name;
  • Description: (Optional) Provide a description;
  • OMA-URI: ./Device/Vendor/MSFT/Accounts/Users/TestUser/Password;
  • Data type: Select String;
  • Value: P@ssw0rd!.

3c. On the Custom OMA-URI Settings blade, click Add to open the Add row blade. On the Add row blade, provide the following information and click OK (and click OK in the Custom OMA-URI Settings blade);

  • Name: Provide a valid name;
  • Description: (Optional) Provide a description;
  • OMA-URI: ./Device/Vendor/MSFT/Accounts/Users/TestUser/LocalUserGroup;
  • Data type: Select Integer;
  • Value: 2.

Note: At some point in time this configuration will probably become available in the Azure portal without the requirement of creating a custom OMA-URI.
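The rows above are typed by hand, and a small slip (a trailing semicolon copied from a step list, the wrong root path, a group value outside 1 or 2) only shows up later as a vague remediation error. As an added example, not code from the original post, the PowerShell function below checks a set of custom OMA-URI rows against the Accounts CSP nodes described above before they go into the profile. The row shape (Name, OMA-URI, Data type, Value) mirrors the Add row blade; the sample rows at the bottom are constructed, the first two matching steps 3b and 3c and the third deliberately broken. The function name and the row layout are this example's own assumptions.

```powershell
# Added example, not part of the original post: validate custom OMA-URI rows for the
# Accounts CSP before they are typed into the Intune profile. The row shape mirrors the
# Add row blade (Name, OMA-URI, Data type, Value). The sample rows below are constructed.

$AccountsRoot = './Device/Vendor/MSFT/Accounts'

function Test-AccountsCspRows {
    param([Parameter(Mandatory)][hashtable[]]$Rows)

    $findings  = New-Object System.Collections.Generic.List[string]
    $usersSeen = @{}   # user name -> hashtable of nodes seen for that user
    # Only Users/[UserName]/Password and Users/[UserName]/LocalUserGroup are configurable.
    $pattern = '^' + [regex]::Escape($AccountsRoot) + '/Users/([^/]+)/(Password|LocalUserGroup)$'

    foreach ($row in $Rows) {
        $name = [string]$row['Name']
        $uri  = [string]$row['OMA-URI']

        # A trailing ';' or stray whitespace copied from a step list is silently wrong.
        if ($uri -ne $uri.Trim() -or $uri.EndsWith(';')) {
            $findings.Add("${name}: OMA-URI carries trailing whitespace or ';' -> '$uri'")
            $uri = $uri.Trim().TrimEnd(';')
        }

        $m = [regex]::Match($uri, $pattern)
        if (-not $m.Success) {
            $findings.Add("${name}: OMA-URI is not a configurable Accounts CSP node -> '$uri'")
            continue
        }
        $user = $m.Groups[1].Value
        $node = $m.Groups[2].Value
        if (-not $usersSeen.ContainsKey($user)) { $usersSeen[$user] = @{} }
        $usersSeen[$user][$node] = $true

        switch ($node) {
            'Password' {
                # Required node, data type String; the value is stored in plaintext in the portal.
                if ($row['Data type'] -ne 'String') {
                    $findings.Add("${name}: Password must use data type String")
                }
                if ([string]::IsNullOrWhiteSpace([string]$row['Value'])) {
                    $findings.Add("${name}: Password value is empty")
                }
            }
            'LocalUserGroup' {
                # Optional node, data type Integer; 1 = Users (default), 2 = Administrators.
                if ($row['Data type'] -ne 'Integer') {
                    $findings.Add("${name}: LocalUserGroup must use data type Integer")
                }
                if ($row['Value'] -notin @(1, 2)) {
                    $findings.Add("${name}: LocalUserGroup must be 1 (Users) or 2 (Administrators), got '$($row['Value'])'")
                }
            }
        }
    }

    # A LocalUserGroup row without a Password row for the same user cannot create the account.
    foreach ($user in $usersSeen.Keys) {
        if (-not $usersSeen[$user]['Password']) {
            $findings.Add("${user}: LocalUserGroup is set but the required Password node is missing")
        }
    }

    [pscustomobject]@{
        Valid    = ($findings.Count -eq 0)
        Findings = $findings.ToArray()
    }
}

# Constructed sample rows: the first two match steps 3b and 3c, the third is deliberately broken.
$sampleRows = @(
    @{ Name = 'LU_Password'; 'OMA-URI' = "$AccountsRoot/Users/TestUser/Password";        'Data type' = 'String';  Value = 'P@ssw0rd!' },
    @{ Name = 'LU_Group';    'OMA-URI' = "$AccountsRoot/Users/TestUser/LocalUserGroup";  'Data type' = 'Integer'; Value = 2 },
    @{ Name = 'LU_Broken';   'OMA-URI' = "$AccountsRoot/Users/Helpdesk/LocalUserGroup;"; 'Data type' = 'Integer'; Value = 3 }
)

Test-AccountsCspRows -Rows $sampleRows | Format-List
```

Run as-is, the first two rows pass and the third produces three findings: the trailing semicolon, the group value 3, and a LocalUserGroup row for a user that has no Password row. Keeping the rows in a file that this function reads also gives you a reviewable record of what was pushed, which is useful given that the Password value sits in plaintext in the portal.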

End-user experience

Let’s end this post by having a quick look at the end-user experience. There’s actually not that much to be shown. Only the created account. Below on the left is a screenshot of the default configuration of the created user account, including the full name, and below on the right is a screenshot of the group memberships of the created user account.

[Screenshot: default configuration of the created user account] [Screenshot: group memberships of the created user account]

Note: The reporting in the Azure portal still provides me with a remediation failed error message, while the actual account creation was a success.
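Because the portal status is not reliable here, the check that matters is on the device itself. As an added example, not code from the original post, the PowerShell script below confirms that the account exists, whether it is enabled, whether its password expires, which local groups it ended up in, and what the MDM diagnostics event log recorded for the Accounts CSP. It assumes the account name TestUser from the steps above, an elevated PowerShell session on the Windows 10 device, the built-in LocalAccounts cmdlets (Get-LocalUser, Get-LocalGroup, Get-LocalGroupMember), and the MDM Admin event log named Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin; the function name is this example's own.

```powershell
# Added example, not part of the original post: verify on the device that the Accounts CSP
# actually created the local account, independent of the "Remediation failed" status shown
# in the Azure portal. Assumes an elevated session on the Windows 10 device and the built-in
# Microsoft.PowerShell.LocalAccounts cmdlets. The account name defaults to the TestUser used above.
param(
    [string]$UserName = 'TestUser'
)

function Test-MdmLocalAccount {
    param([Parameter(Mandatory)][string]$Name)

    $result = [ordered]@{
        Name                 = $Name
        Exists               = $false
        Enabled              = $null
        PasswordNeverExpires = $null
        Groups               = @()
        RecentCspEvents      = @()
    }

    $user = Get-LocalUser -Name $Name -ErrorAction SilentlyContinue
    if (-not $user) { return [pscustomobject]$result }

    $result.Exists  = $true
    $result.Enabled = $user.Enabled
    # Get-LocalUser exposes PasswordExpires; $null means the password never expires.
    $result.PasswordNeverExpires = ($null -eq $user.PasswordExpires)

    # Walk every local group and record the ones that contain the account, so that an
    # account that landed in both Users and Administrators is visible at a glance.
    $result.Groups = @(
        Get-LocalGroup | Where-Object {
            $members = Get-LocalGroupMember -Group $_ -ErrorAction SilentlyContinue
            $members | Where-Object { $_.Name -like "*\$Name" }
        } | Select-Object -ExpandProperty Name
    )

    # Pull the most recent Accounts CSP entries from the MDM diagnostics Admin log
    # (assumed log name); failures show up here even when the account was created.
    $log = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'
    $result.RecentCspEvents = @(
        Get-WinEvent -LogName $log -MaxEvents 500 -ErrorAction SilentlyContinue |
            Where-Object { $_.Message -match 'CSP Name: \(Accounts\)' } |
            Select-Object -First 5 TimeCreated, Id, LevelDisplayName, Message
    )

    [pscustomobject]$result
}

Test-MdmLocalAccount -Name $UserName | Format-List
```

An output with Exists set to True and Groups listing Administrators (and, as the comments below observe, also Users) is the success signal to trust, whatever the portal shows; the RecentCspEvents entries tell you which node the CSP complained about when it does fail.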

More information

For more information about the Accounts CSP, refer to this article named Accounts CSP.

91 thoughts on “Create a local user account via Windows 10 MDM”

  1. I and others may be misreading your instructions.
    ./Device/Vendor/MSFT/Accounts/Users/TestUser/Password;

    however, there is no “;” in the string, as can be seen in your screenshot.

    For clarity on your instructions, I think the “;” can be removed. You end the line and use italics to identify what should be used; I don’t think the “;” helps, and it just caused confusion for me.

    Since in many programming languages ; is critical as a terminator, I didn’t question it when adding it into my string for Intune.

  2. Hi Peter,

    I followed the steps you have mentioned and Local user account got created using intune but it is part of only Users group. Can It be made a part of Administrator group as well?

    Regards,
    Santosh

  3. Thx for this great work around, I hope Microsoft will make this possible in the near future without the oma uri settings.
    Just a quick question, I get the same error even if they are created, is there also a workaround to check if the user really is created ?

  4. This works great.

    Except, I cannot un-join the domain with this local account unless I remove the “Users” from “Members of:” shown in the test users picture above under what would be TestUsers properties.

    Is there a way where it will only add to the “Administrators” group?

    I see that, integer wise…

    1 – (Default) Users
    2 – Administrators This optional setting allows the administrator to control the local user group of the new local administrator account.

  5. Hey Peter,

    It works great adding the user to the administrator’s group, but the odd issue I’m having is, it’s also a member of the “users” group at the same time as shown in the picture. I actually have to remove the “users” group from the account leaving only a member of “administrators”.

    While having this account as a member of both Users and Administrators, it will not allow me to un-join Azure AD with the credentials until it’s a member of “administrators” only.

  6. Hello,

    Is there also a way to add the Local user to the Remote Desktop Users Group and check the box for Password never expires?

  7. You can use a powershell or command prompt to make group membership changes. For example –

    net localgroup users AzureAD\full azure username /delete

    Change out users for administrators or another local group name as needed. You can also change /delete to /add. I am using powershell scripts like the above which are running for me through intune without issue.

  8. It has been a year since your blog post and Intune still displays a remediation failed error message, while it actually works.

  9. Peter, thank you for this write up, works exactly as specified. I have added this successfully and do get the remediation error as well. Since I have to pass a plain text password, is there an option to force a password change at first login? If not CSP then powershell or net user command? If I have to use powershell or net user then how can I be certain that the script runs after the account is created?

  10. Thanks for this Peter, I am testing this in our environment and worked besides the known issues stated (remediation failed etc). My question is I noticed we cannot log into the created account until an Azure AD account has logged in first. Is that normal? Thanks again!

  11. Hi all,

    I did have this policy working at first when I was in my initial test phase; now at some point it stopped working. When deploying the profile now I get an error, and when you drill down it states under STATE DETAILS ‘-2016281112 (Remediation failed)’. Does anyone know why this might happen? I have not found anything that helps me yet.

  12. Hi Duncan,
    Is it really not working? Reason for asking is what I mentioned in the post, that I’m getting an error even with a successful configuration.
    Regards, Peter

  13. Found the problem, it was my fault, doh! In another policy to rename the admin account (which I had forgotten I set) I had already changed the name of the Administrator account to the same name. Silly mistake!

  14. Peter, thanks for another excellent article. I was successfully able to create the local user, but when I am trying to update the password of the local user it’s not working. Is there a way to update the local user password?

  15. Works like a charm, thanks! 🙂

    When will the local admin password expire with this solution? It doesn’t seem to set “password never expires”.
    Is it possible to set “password never expires” by OMA-URI too?

  16. This worked great. All of a sudden it has stopped working. I haven’t changed my policy, but it won’t create the accounts anymore that it once did. I created a new policy and it still doesn’t work. Anyone have any suggestions?

  17. Peter,

    This is what I am seeing in Event Viewer; it’s throwing an error.
    MDM ConfigurationManager: Command failure status. Configuraton Source ID: (52972517-C3FC-493B-8229-CD9F6FD45B0D), Enrollment Type: (MDMDeviceWithAAD), CSP Name: (Accounts), Command Type: (Add: from Replace or Add), Result: (./Vendor/MSFT/Accounts/Users/TestAdmin/LocalUserGroup).

  18. Hi, I have done the configuration as suggested above, but during the first logon through the admin account it’s asking to change the password.
    Can you please advise how to remove this setting in Azure Intune?

  19. Peter,
    There was no difference. Once I had the policy working it was left alone and working, until I just happened to check the user accounts for something and I noticed the account wasn’t created anymore. I opened a case with MS; they were able to reproduce the issue on other tenants and gave a workaround to use the PS script, which works, but it stores the PS script in plain text in the log files, which isn’t good. So it seems like maybe something broke on their end.
