1. Create a certificate on a domain controller.
2. Export the certificate as a .pfx. When asked to specify a password, choose permissions instead and allow access only to 'Domain Computers'.
3. Create the secured message or password with the certificate you created, using the command below:
"Secret Text" | Protect-CmsMessage -To cn=secret -OutFile .\Desktop\secret.txt
4. Save the secret.txt file along with the certificate into a folder of your choosing. In this example, you could store them in the netlogon folder to change the local admin password on a bunch of clients.
5. Run the following as a .ps1 at startup on a machine, deployed using GPO, to change the local admin password on a client:
Import-PfxCertificate -FilePath \\rwfs.romanway.worcs.sch.uk\netlogon\Scripts\VivaCert\VivaLapassword.pfx -CertStoreLocation Cert:\LocalMachine\My
$password = ConvertTo-SecureString (Unprotect-CmsMessage -Path \\rwfs.romanway.worcs.sch.uk\netlogon\Scripts\VivaCert\secret.txt) -AsPlainText -Force
Set-LocalUser -Name Administrator -Password $password
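
Steps 1 to 3 can also be scripted end to end; the block below is an added example, not part of the original notes, and it finishes with a round-trip check so a file that cannot be decrypted is never deployed. Assumptions not taken from the notes: the certificate is self-signed with New-SelfSignedCertificate, CONTOSO is a placeholder domain name, and C:\Temp\CmsSecret is a hypothetical staging folder.

```powershell
# Added example: steps 1-3 scripted. Run elevated on the machine that creates the certificate.
# Assumed values (not from the original notes): domain name and staging folder.
$domainGroup = 'CONTOSO\Domain Computers'   # placeholder domain
$outDir      = 'C:\Temp\CmsSecret'          # hypothetical staging folder
$subject     = 'cn=secret'                  # same subject as the -To value in step 3
$plainText   = 'Secret Text'                # sample secret, as in step 3

New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# Step 1: certificate usable for CMS document encryption.
# Protect-CmsMessage needs the Document Encryption EKU and a
# DataEncipherment or KeyEncipherment key usage on the recipient certificate.
$cert = New-SelfSignedCertificate -Subject $subject `
    -Type DocumentEncryptionCert `
    -KeyUsage DataEncipherment, KeyEncipherment `
    -KeyExportPolicy Exportable `
    -CertStoreLocation Cert:\LocalMachine\My

# Step 2: export with the private key, protected to a group instead of a password.
Export-PfxCertificate -Cert $cert -FilePath (Join-Path $outDir 'secret.pfx') `
    -ProtectTo $domainGroup | Out-Null

# Step 3: encrypt to the certificate object itself, which avoids ambiguity
# if more than one certificate in the store has the same subject.
$secretFile = Join-Path $outDir 'secret.txt'
$plainText | Protect-CmsMessage -To $cert -OutFile $secretFile

# Check: the file must decrypt back to the original before it is deployed.
if ((Unprotect-CmsMessage -Path $secretFile).Trim() -ne $plainText) {
    throw 'Round-trip decryption failed; do not deploy this file.'
}

# Show the recipients and content encryption algorithm recorded in the message.
Get-CmsMessage -Path $secretFile
```

Because the .pfx is protected to the 'Domain Computers' group, any process running as a domain computer account can import the private key and decrypt secret.txt.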