In this blog post, we’ll use the Intune remediations method to deploy the registry key and its entries within the HKCU registry node. You can also use this method to deploy registry keys and entries under the HKLM node.
HKCU is a short form of HKEY_CURRENT_USER. It contains the configuration information for the user currently logged on. The user’s folders, screen colors and Control Panel settings are stored here, and this information is associated with the user’s profile.
HKLM is an abbreviation for HKEY_LOCAL_MACHINE, which stores information related to the operating system and application configuration settings. I’ve utilized the Intune Device remediations method in this blog post to deploy HKLM registry keys and entries. You can also achieve identical outcomes by using the Intune Win32 App method.
If you need to back up and remove a registry key, refer to my other blog post, which offers guidance on addressing the CVE-2022-30190 vulnerability. It also outlines the steps for backing up and deleting a registry key using Intune. It utilizes the Powershell script deployment method.
Step-by-step guide
Numerous use cases exist for deploying registry keys on Windows devices using Intune. While I can’t cover every scenario here, I can highlight a few examples:
- Post-deployment application configuration: After installing software, you can use registry keys to configure and customize the application settings to suit your specific needs.
- License configuration or activation: Registry keys can manage software licenses and activation for various installed applications.
- Operating system configuration settings: You can deploy registry keys to adjust and fine-tune operating system settings to align with your requirements.
- Enabling or disabling application features: Registry keys can enable or disable specific features within applications, allowing you to tailor the software’s functionality to your preferences.
Table of Contents
STEP 1 – Create a Script Package
To create a script package, follow the below steps:
- Sign in to the Intune admin center.
- Go to Devices > Scripts and remediatons.
- Click on + Create under the Remediations tab.
Basics Tab
The basics tab will provide information about the script package, such as name, description, and publisher.
- Name: Create Reg Keys in HKCU
- Description: This Remediation will create given registry keys on target devices.
- Publisher: Jatin Makhija (auto-filled)
- Version: Auto-filled
Settings Tab
- Create a detection script using the Powershell code below. Save it as Detect_reg_key.ps1.
Detect_reg_key.ps1
<#
.DESCRIPTION
Below Powershell script will Check the existence of
cloudinfra.net registry Key.
Author: Jatin Makhija
Site: cloudinfra.net
Version: 1.0.0
#>
$regPath = "HKCU:\Software\cloudinfra.net"
$value = Test-Path $regPath
if($value){
Write-host "Reg Key already Exists. No Action Required"
Exit 0
}
Else{
Write-host "Reg Key does not exist"
Exit 1
}
- Create a remediation script using the Powershell code below. Save it as Remediate_reg_key.ps1.
Remediate_reg_key.ps1
<#
.DESCRIPTION
Below Powershell script will Check the existence of
cloudinfra.net registry Key. If it does not exist, It will create it and
Also creates two registry entries under this key. One is DWORD
and other one it will create it as String type.
Author: Jatin Makhija
Site: cloudinfra.net
Version: 1.0.0
#>
$regPath = "HKCU:\Software\cloudinfra.net"
$value = Test-Path $regPath
$value
if(!$value){
try{
Write-Host "Creating Reg Key"
New-Item -Path HKCU:\Software -Name cloudinfra.net –Force | Out-Null
New-ItemProperty -Path $regPath -Name 'Status' -Value 1 -PropertyType DWord -Force | Out-Null
New-ItemProperty -Path $regPath -Name 'Location' -Value "UnitedKingdom" -PropertyType String | Out-Null
Exit 0
}
Catch {
Write-Host "Error Creating Reg Key"
Write-error $_
Exit 1
}
}
Else{
Write-host "Reg Key already Exists. No Action Required"
Exit 0
}
- Detection script file – Browse to the Detection script Detect_reg_key.ps1
- Remediation script file – Browse to Remediation script file Remediate_reg_key.ps1
- Run this script using the logged-on credentials – Yes
- Enforce script signature check – No
- Run script in 64-bit Powershell – Yes
Assignments tab
Click on Add group to add an Entra security group containing users or devices. You can also select the Schedule to run this Powershell script. You have three options: Once, hourly, or Daily.
Review + Create
Review the deployment and click on Create to start the deployment process.
Sync Intune Policies
The device check-in process might not begin immediately. If you’re testing this policy on a test device, you can manually kickstart Intune sync from the device itself or remotely through the Intune admin center.
Alternatively, you can use PowerShell to force the Intune sync on Windows devices. Restarting the device is another way to trigger the Intune device check-in process.
End-user Experience
After successfully completing the deployment, Registry keys will be created as per the script package.
Step 2 – Monitor Intune Device Remediations
To check Intune device remediation script packages, do the following:
- Sign in to the Intune admin center.
- Go to Devices > Scripts and Remediations.
- Click on the Remediation script package you want to monitor—for example, Create Reg Keys in HKCU.
- Go to the Overview to find the deployment status of the script package.
Conclusion
This blog post explored the steps to create registry keys in the HKEY_CURRENT_USER (HKCU) hive using Intune remediations. Intune offers various methods for deploying registry keys and entries. Another approach involves creating and deploying a PowerShell script through the Devices > Scripts and remediations > Platform scripts method.
Good morning!
i copied this to test – word for word and set it as a PS1 file – it came back as “failed”
there is unfortunately no information in there of course. But i ran both sucessfully on my machine, but going into intune did not work
Good morning! I tested the script to ensure it was functioning correctly. I’ll review it again and provide an update.
Hi there, i had repliued but looks like it didn’t go through – it works, but it was due to it being coded as UTF-8 BOF and not just straight UTF-8 (as per their docs)
after i changed it within notepad ++ it worked flawlessly
All fixed – UTC-8 encoding needed – was set to UTC-8 BOF
Awesome! I’m happy to hear that it’s working for you.
Excellent guide, but would the users not need to be local admin on the device to add the key to HKCU?
Good question! 🙂 If I recall correctly, I did not grant admin rights to the user. However, the logic suggests that the user should have edit rights for the registry since the script is running under the logged-on user. I will test it again and confirm this.
Firstly, thanks for this guide, it’s great and I used it to pushout a couple of fixies.
However, sadly it didn’t when I tried to add new keys under HYCU\SOFTWARE\Policies\ When I check the permissions the users only have read access to the key.
I’ve tried a few work around but so far none have worked yet, if you’ve any thoughts it would be appreciated.
Thank you for the feedback. Someone provided a fix for your issue in the comment section of this blog post: https://cloudinfra.net/how-to-deploy-a-powershell-script-using-intune/#comments. Please check to see if that resolves your issue.
Trying to use this method to set the default font for Outlook. The path is HKCU:\Software\Microsoft\Office\16.0\Common\MailSettings but there are six values to change that are all BINARY.
ComposeFontComplex
ComposeFontSimple
ReplyFontComplex
ReplyFontSimple
TextFontComplex
TextFontSimple
I have them set in my PC I just need to somehow export them in a readable form to put in the script to set them. Any ideas?
I have used the Export method in this blog post. Please refer to it for more Information: https://cloudinfra.net/how-to-create-registry-keys-using-intune-win32-app/.
Alternatively, you can create registry keys and values directly as well via Powershell: https://cloudinfra.net/how-to-create-a-registry-key-and-values-using-powershell/