To better describe the error:

I have set a default password in the settings that will be used for new hosts.
I have set a password hash (Base64-windows) in the relevant OS (Windows)
When creating a host with this OS and the default password from the settings, the template for this host does not have a encoded password the password is in plain text.(Should be Base64-windows encoded)

The vm can not be installed completely with this because this OS expects a password encoded

This happens only if i create a host via api. (hammer & FAM & CURL)

If you go to "preview template" the rendered template shows:

                <AdministratorPassword>
                    <Value>PLAIN_TEXT_PASSWORD</Value>
                    <PlainText>false</PlainText>
                </AdministratorPassword>

If you start a 'foreman-rake console' and analyze the root_pass.

Host created via GUI:
irb(main):008:0> gui_h.root_pass
=> "CCAGkAeBBhAHQAaQG4AEEAZABtZGkAbgBpAHM3dAByAGEAdABvAHIAUABAAHMAcwBEAG8AcgXkAC=="

Host created via API (hammer):
irb(main):009:0> api_h.root_pass
=> "plainpw"

In case of API creation of host:

Found out that root_pass_changed? method https://github.com/theforeman/foreman/blob/develop/app/models/host/base.rb#L614 is false and therefore the method password_base64_encrypted? returns true -> password is already base64.

I would prefer to determine if string is base64 but this is not save - except we mark base64 encoded passwords with something like <b64> in the root_pass.