When you are managing organization devices and applications, you may need to deploy registry keys to end user devices to fix an issue or for any other reason. In this blog post, we will go through the steps to create registry keys under the HKCU node using Intune.
HKCU is short for HKEY_CURRENT_USER. It holds the configuration for the user who is currently logged on: the user's folders, screen colours and Control Panel settings are stored here, and the data lives in that user's profile. HKCU is not a fixed location; it is a view into HKEY_USERS\<SID> for whichever account the process runs as, which is why the user context of the script matters later in this post.
HKLM is short for HKEY_LOCAL_MACHINE, which holds operating system and application configuration that applies to the whole device. Writing under HKLM\Software needs administrator rights, so those keys are usually deployed with a Win32 app or an Intune remediation running in the SYSTEM context. You can also easily deploy HKLM registry keys using a Win32 app or using Intune remediations.
If you need to back up and delete a registry key using Intune, you can check out my other blog post on resolving the CVE-2022-30190 vulnerability. It also covers the steps to back up and delete a registry key using Intune.
There are several use cases for deploying registry keys to Windows devices using Intune. I cannot cover every one of them here, but a few common ones are:
- Post-deployment application configuration through the Windows registry
- Licence configuration or activation for installed software
- Operating system configuration settings
- Enabling or disabling particular application features through registry values
As I said earlier, the use cases are endless and yours may be another unique one. You can create a registry key and its entries / values by hand by opening regedit on a device, but that does not scale beyond a handful of machines.
When you are managing Windows 10 or Windows 11 devices with Intune, it becomes easy to manage the Windows registry from a central place. I will be deploying the registry keys using Intune device remediations.
Device remediations were previously known as Intune proactive remediations. We will use PowerShell scripts: a detection script checks whether the registry key exists and, if it does not, exits with a non-zero code, which makes Intune run a remediation script to create it.
Intune device remediations detect and resolve issues on managed devices according to the detection and remediation scripts you upload. Below are the two PowerShell scripts, one for detection of the registry key and one for remediation. Intune treats exit code 0 from detection as "compliant, nothing to do" and any other exit code as "run the remediation"; after remediation it runs detection again to confirm the fix.
The detection script below checks for the cloudinfra.net registry key. Update the registry path and values as required. Note that it only tests whether the key exists: if the key is present but its values have been removed or changed, detection still returns 0 and remediation never runs.
Detect_reg_key.ps1
```powershell
<#
.DESCRIPTION
Below PowerShell script will check the existence of the cloudinfra.net registry key.
Author: Jatin Makhija
Site: cloudinfra.net
Version: 1.0.0
#>
$regPath = "HKCU:\Software\cloudinfra.net"
$value = Test-Path $regPath
if ($value) {
    Write-Host "Reg Key already Exists. No Action Required"
    Exit 0
}
else {
    Write-Host "Reg Key does not exist"
    Exit 1
}
```
The remediation script below checks for the cloudinfra.net registry key. If it does not exist, the script creates it along with two registry entries under the key: Status as a DWORD and Location as a String.
Update the registry path and values as required. The script exits 0 on success and 1 on failure, and Intune then re-runs the detection script to confirm the key is present.
Remediate_reg_key.ps1
```powershell
<#
.DESCRIPTION
Below PowerShell script will check the existence of the cloudinfra.net registry key.
If it does not exist, it will create it and also create two registry entries under
this key: one of type DWORD and one of type String.
Author: Jatin Makhija
Site: cloudinfra.net
Version: 1.0.0
#>
$regPath = "HKCU:\Software\cloudinfra.net"
$value = Test-Path $regPath
if (!$value) {
    try {
        Write-Host "Creating Reg Key"
        New-Item -Path HKCU:\Software -Name cloudinfra.net -Force | Out-Null
        New-ItemProperty -Path $regPath -Name 'Status' -Value 1 -PropertyType DWord -Force | Out-Null
        New-ItemProperty -Path $regPath -Name 'Location' -Value "UnitedKingdom" -PropertyType String -Force | Out-Null
        Exit 0
    }
    catch {
        Write-Host "Error Creating Reg Key"
        Write-Error $_
        Exit 1
    }
}
else {
    Write-Host "Reg Key already Exists. No Action Required"
    Exit 0
}
```
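The scripts above only react to a missing key. The following is an added example, not code from the original post, that compares each value's type and data against an expected set, so a key that exists with wrong or deleted values is also remediated, and whose remediation re-runs the check before claiming success. The expected values, the function names and the file names Detect_reg_state.ps1 / Remediate_reg_state.ps1 mentioned in the comments are assumptions for illustration.

```powershell
# Added example (not from the original post): detection that validates the
# values, not just the key, paired with an idempotent remediation. Intune runs
# detection and remediation as separate files, so in practice paste the shared
# section plus Invoke-Detection into Detect_reg_state.ps1 and the shared section
# plus Invoke-Remediation into Remediate_reg_state.ps1 (file names assumed).

$RegPath  = 'HKCU:\Software\cloudinfra.net'
$Expected = @{                       # illustrative values, adjust as required
    Status   = @{ Value = 1;               Type = 'DWord'  }
    Location = @{ Value = 'UnitedKingdom'; Type = 'String' }
}

function Test-RegistryState {
    # Returns one line per deviation; an empty result means the device is compliant.
    param([string]$Path, [hashtable]$Expected)
    if (-not (Test-Path -Path $Path)) { return @("Key missing: $Path") }
    $key = Get-Item -Path $Path
    $problems = @()
    foreach ($name in $Expected.Keys) {
        if ($key.GetValueNames() -notcontains $name) {
            $problems += "Value missing: $name"
            continue
        }
        $kind = $key.GetValueKind($name).ToString()   # 'DWord', 'String', ...
        $data = $key.GetValue($name)
        if ($kind -ne $Expected[$name].Type) {
            $problems += "Wrong type for ${name}: $kind (expected $($Expected[$name].Type))"
        }
        elseif ("$data" -ne "$($Expected[$name].Value)") {
            $problems += "Wrong data for ${name}: '$data' (expected '$($Expected[$name].Value)')"
        }
    }
    return $problems
}

function Set-RegistryState {
    # Creates the key (and any missing parents) and (re)writes every expected value.
    param([string]$Path, [hashtable]$Expected)
    if (-not (Test-Path -Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    foreach ($name in $Expected.Keys) {
        # -Force overwrites an existing value, including one stored with the wrong type.
        New-ItemProperty -Path $Path -Name $name -Value $Expected[$name].Value `
            -PropertyType $Expected[$name].Type -Force | Out-Null
    }
}

function Invoke-Detection {
    # Exit 0 = compliant, exit 1 = Intune should run the remediation script.
    $problems = Test-RegistryState -Path $RegPath -Expected $Expected
    if ($problems.Count -eq 0) { Write-Host "Compliant: $RegPath"; return 0 }
    Write-Host ($problems -join '; ')   # shown as detection output in the admin center
    return 1
}

function Invoke-Remediation {
    try {
        Set-RegistryState -Path $RegPath -Expected $Expected
        # Re-check instead of assuming success, so a failed write is reported as such.
        $left = Test-RegistryState -Path $RegPath -Expected $Expected
        if ($left.Count -gt 0) { throw "Still non-compliant: $($left -join '; ')" }
        Write-Host "Remediated: $RegPath"
        return 0
    }
    catch {
        Write-Error $_
        return 1
    }
}

# Run as-is to exercise both halves against the current user's hive:
# remediate first, then prove detection now passes.
$code = Invoke-Remediation
if ($code -eq 0) { $code = Invoke-Detection }
exit $code
```

Because the remediation writes every expected value with -Force and then re-runs the same check the detection uses, the two scripts cannot disagree about what "compliant" means, and the Write-Host lines give you a per-device explanation of why detection failed rather than a bare exit code.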
Create Remediation Script Package in Intune
We will use the above Detection and Remediation scripts to create a script package using Intune device Remediations. Let’s check the steps:
- Login on Microsoft Intune admin center.
- Go to Devices > Remediations.
- Click on + Create script package.
Basics Tab
Provide the Name and Description of the package and keep the rest of the settings at their defaults.
- Name: Create Reg Keys in HKCU
- Description: This Remediation will create given registry keys on target devices.
- Publisher: Jatin Makhija (auto-filled)
- Version: Auto-filled
Settings Tab
Browse to the detection and remediation script files. Save the two scripts above as separate files with the .ps1 extension and then browse to each using the blue folder icon shown in the screenshot below.
- Detection script file – Browse to the detection script Detect_reg_key.ps1
- Remediation script file – Browse to the remediation script Remediate_reg_key.ps1
- Run this script using the logged-on credentials – Yes. This is required for HKCU: with No, the scripts run as SYSTEM and write into that account's own hive (HKEY_USERS\S-1-5-18), so the key never reaches the logged-on user's profile.
- Enforce script signature check – No. Leaving this off means the scripts run unsigned in every targeted user's session; if your organisation signs its PowerShell scripts, turn it on so a modified or replaced script is refused.
- Run script in 64-bit PowerShell – Yes, so the script sees the same 64-bit registry view as regedit. It makes no difference for this HKCU\Software path, but HKLM\Software paths are redirected to WOW6432Node for 32-bit processes.
Assignments tab
Create an Azure AD security group containing the devices this script package should target. Note that if you add users to the group, the registry key will be created on every device those users sign in to; to target specific devices, put the devices rather than the users in the group.
To deploy to all end user devices, click + Add all devices to target every device enrolled in Intune. You can also choose the schedule for the script package: Once, Hourly or Daily.
I prefer Hourly with Repeat every 1 hour while testing on a couple of devices. The script package then checks for the registry key every hour, so I get results quickly and can update the package if there are any issues.
Once you have confirmed that the remediation scripts work as expected, change the schedule to run less frequently, e.g. Daily at a specified time.
Review + Create
On the Review + Create tab, review the remediation script package details and click Create. As soon as you click Create, deployment of the script package starts.
Intune Policy Refresh Cycle
The device has to sync / check in before the remediation process starts, and this can take some time. If you are testing on a test device, you can force an Intune refresh cycle on the device to speed up the script download, execution and remediation. You can also use PowerShell to force an Intune refresh cycle.
Restarting the device also triggers a check-in. A manual sync is not required on users' devices, since the check-in happens automatically, but on a test device it speeds up testing and saves time.
End user Experience
Now, let's check what is happening on the end user device. After the remediation script package has run, check that the registry key and registry entries were created as the PowerShell scripts specify.
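Opening regedit as the user shows HKCU, but it does not tell you whether the key also landed in some other account's hive. The following is an added example, not from the original post, that enumerates every loaded hive under HKEY_USERS for the key, resolves each SID to an account, and flags the SYSTEM hive, which is what you see when the package was created with "Run this script using the logged-on credentials" set to No. The sub-path and the 20-line tail of the Intune Management Extension's HealthScripts.log are assumptions for illustration; run it from an elevated prompt, because reading other users' hives requires administrator rights.

```powershell
# Added example (not from the original post): find which loaded user hive the key
# landed in. HKCU is only a view into HKEY_USERS\<SID>, so if the package ran as
# SYSTEM the key sits under S-1-5-18 and the logged-on user never sees it.
# Only hives of currently loaded profiles are visible; run from an elevated
# prompt, as reading other users' hives requires administrator rights.

$SubPath = 'Software\cloudinfra.net'   # relative to each user hive (assumed)
$ImeLog  = Join-Path $env:ProgramData 'Microsoft\IntuneManagementExtension\Logs\HealthScripts.log'

function Get-RegistryKeyHives {
    param([string]$SubPath)
    foreach ($hive in Get-ChildItem -Path 'Registry::HKEY_USERS') {
        $sid = $hive.PSChildName
        if ($sid -like '*_Classes') { continue }          # per-user Classes hives are not profiles
        $full = Join-Path -Path $hive.PSPath -ChildPath $SubPath
        if (-not (Test-Path -Path $full)) { continue }
        $account = try {
            ([System.Security.Principal.SecurityIdentifier]$sid).Translate(
                [System.Security.Principal.NTAccount]).Value
        } catch { '(unresolved)' }                         # e.g. .DEFAULT or a removed account
        $key = Get-Item -Path $full
        [pscustomobject]@{
            SID      = $sid
            Account  = $account
            Values   = ($key.GetValueNames() | ForEach-Object { "$_=$($key.GetValue($_))" }) -join ', '
            IsSystem = ($sid -eq 'S-1-5-18')
        }
    }
}

$hits = @(Get-RegistryKeyHives -SubPath $SubPath)
if ($hits.Count -eq 0) {
    Write-Host "Key '$SubPath' not found in any loaded user hive."
}
foreach ($hit in $hits) {
    $verdict = if ($hit.IsSystem) {
        'WRONG HIVE: script ran as SYSTEM; set "Run this script using the logged-on credentials" to Yes'
    } else { 'OK: in the user profile' }
    '{0}  {1}  [{2}]  {3}' -f $hit.SID, $hit.Account, $hit.Values, $verdict
}

# The Intune Management Extension logs remediation runs to HealthScripts.log;
# tail it to see the detection/remediation attempts and exit codes for this device.
if (Test-Path -Path $ImeLog) { Get-Content -Path $ImeLog -Tail 20 }
```

A hit under S-1-5-18 with no hit under the user's own SID is the classic symptom of an HKCU remediation published with the wrong credentials setting; the fix is in the package settings, not in the script.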
How to Monitor Intune device Remediations
You can monitor Intune device remediation script packages from the Intune admin center by following the steps below:
- Login on Microsoft Intune admin center
- Go to Devices > Remediations
- Click on the remediation script package you want to monitor, "Create Reg Keys in HKCU"
- Go to Overview to find the deployment status of the script package. The Device status page lists each device's detection and remediation state together with the pre- and post-remediation detection output, which is where the Write-Host text from the scripts appears.
Conclusion
In this blog post, we have seen how to create registry keys under HKCU (HKEY_CURRENT_USER) using Intune remediations. There are other ways to deploy registry keys and entries via Intune, e.g. deploying a PowerShell script via Devices > Scripts. Another method is to wrap a PowerShell or batch file in a .intunewin package and deploy it as a Win32 app to Intune-managed devices.