Create HKCU Registry Keys using Intune remediations

In my previous blog post, we have learnt the steps to create registry keys and values using Win32 app method and also using Intune remediations method. Both these methods demostrate creation of registry key and values in HKLM registry node.

In this blog post, we will see how to create registry keys and values in HKCU registry node using Intune device remediations. Please note that Intune remediations requires Windows 10/11 Enterprise license. For more information, please refer to the prerequistes section.

If you prefer to use Win32 app method to deploy registry key and values in HKCU node, you can use the this link. You will need to export the registry keys and values from HKCU node and while creating deployment, select Install behavior as User to deploy the scripts under user context.

Deployment of reg keys and values using Win32 app method

HKCU is a short form of HKEY_CURRENT_USER. It contains the configuration information for the user currently logged on. The user’s folders, screen colors and Control Panel settings are stored here, and this information is associated with the user’s profile.

About HKCU registry node

If you need to back up and remove a registry key, refer to my other blog post, which offers guidance on addressing the CVE-2022-30190 vulnerability. It also outlines the steps for backing up and deleting a registry key using Intune. It utilizes the Powershell script deployment method.

Want to backup and delete a registry key?

Create registry Keys and values using Powershell

Step-by-step guide

Prerequisites

  • Device must be Microsoft Entra joined or Entra Hybrid joined.
  • Device must be enrolled and managed by Intune.
  • Supported Windows operating systems are: Enterprise, Professional, or Education edition of Windows 10 or later.
  • Windows 10/11 Enterprise E3 or E5 (included in Microsoft 365 F3, E3, or E5).
  • Windows 10/11 Education A3 or A5 (included in Microsoft 365 A3 or A5).
  • Windows 10/11 Virtual Desktop Access (VDA) per user.

Step 1 – Create a Remediations Script Package

To create a device remediation script package, we will need a detection and a remediation script. I have provided both the scripts code below. However, you can also download the script files from my Github repository: Create HKCU Reg Key and Values using Remediation · GitHub.

  • Sign in to the Intune admin center > Devices Scripts and remediatons.
  • Click on + Create under the Remediations tab.
  • Basics – Provide a NameDescription and Publisher Information of the remediation script package.
  • Settings – Create a detection script using below powershell code. Save it as Detect_reg_key.ps1.

You can change the registry path and values in the script according to your requirements. Using this example detection and remediation scripts, I am making sure that cloudinfra.net registry key and entries Location and Status along with the given values and type are always set to values ($regValues) given in the script.

Note

Detect_reg_key.ps1

<#
.DESCRIPTION
Checks the existence of the cloudinfra.net registry key in
HKCU registry node and its values.

Author: Jatin Makhija
Version: 1.0.0
Copyright: Cloudinfra.net
#>

$regPath = "HKCU:\Software\cloudinfra.net"
$regValues = @{
"Location" = @{ Data = "United Kingdom"; Type = "String" }
"Status" = @{ Data = "1"; Type = "Dword" }
}

$typeMap = @{
"String" = [Microsoft.Win32.RegistryValueKind]::String
"DWord" = [Microsoft.Win32.RegistryValueKind]::DWord
"QWord" = [Microsoft.Win32.RegistryValueKind]::QWord
"Binary" = [Microsoft.Win32.RegistryValueKind]::Binary
"MultiString" = [Microsoft.Win32.RegistryValueKind]::MultiString
"ExpandString" = [Microsoft.Win32.RegistryValueKind]::ExpandString
}

if (Test-Path $regPath) {
Write-Host "Registry key exists. Checking values..."
foreach ($key in $regValues.Keys) {
$expected = $regValues[$key]
$actual = Get-ItemProperty -Path $regPath -Name $key -ErrorAction SilentlyContinue

if ($null -eq $actual) {
Write-Host "Registry value '$key' does not exist!"
Exit 1
}

$actualValue = $actual.$key
$actualType = (Get-Item -Path $regPath).GetValueKind($key)

if ($actualType -ne $typeMap[$expected.Type] -or $actualValue -ne $expected.Data) {
Write-Host "Registry value '$key' is of type $actualType, expected $($expected.Type) or value does not match!"
Exit 1
}
}
Write-Host "All registry values match the expected data. No action required."
Exit 0
} else {
Write-Host "Registry key does not exist."
Exit 1
}
  • Create a remediation script using below powershell code. Save it as Remediate_reg_key.ps1.

Remediate_reg_key.ps1

<#
.DESCRIPTION
Remediates the cloudinfra.net registry key and values under the current user's context. If it does not exist, it creates it.

Author: Jatin Makhija
Version: 1.0.0
Copyright: Cloudinfra.net
#>

# Open Registry session in current user’s drive
New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS -ErrorAction SilentlyContinue | Out-Null

# Get the current user SID
$user = Get-WmiObject -Class Win32_ComputerSystem | Select-Object -ExpandProperty UserName
$sid = (New-Object System.Security.Principal.NTAccount($user)).Translate([System.Security.Principal.SecurityIdentifier]).Value

# Set the path to the current user's registry location
$regPath = "HKU:\$sid\Software\cloudinfra.net"

# Define expected values and types
$regValues = @{
"Location" = @{ Data = "United Kingdom"; Type = "String" }
"Status" = @{ Data = "1"; Type = "String" } # Status is a String
}

$typeMap = @{
"String" = [Microsoft.Win32.RegistryValueKind]::String
"DWord" = [Microsoft.Win32.RegistryValueKind]::DWord
"QWord" = [Microsoft.Win32.RegistryValueKind]::QWord
"Binary" = [Microsoft.Win32.RegistryValueKind]::Binary
"MultiString" = [Microsoft.Win32.RegistryValueKind]::MultiString
"ExpandString" = [Microsoft.Win32.RegistryValueKind]::ExpandString
}

# Check if the registry key exists
if (-not (Test-Path $regPath)) {
try {
Write-Host "Creating Reg Key"
New-Item -Path "HKU:\$sid\Software" -Name "cloudinfra.net" -Force | Out-Null
foreach ($key in $regValues.Keys) {
New-ItemProperty -Path $regPath -Name $key -Value $value.Data -PropertyType $value.Type -Force | Out-Null
}
Exit 0
} catch {
Write-Host "Error Creating Reg Key"
Write-Error $_
Exit 1
}
} else {
Write-Host "Reg Key already exists. Checking values..."

foreach ($key in $regValues.Keys) {
$expected = $regValues[$key]
$actual = Get-ItemProperty -Path $regPath -Name $key -ErrorAction SilentlyContinue

if ($null -eq $actual) {
Write-Host "Registry value '$key' does not exist! Creating it..."
New-ItemProperty -Path $regPath -Name $key -Value $expected.Data -PropertyType $expected.Type -Force | Out-Null
continue
}

$actualValue = $actual.$key
$actualType = (Get-Item -Path $regPath).GetValueKind($key)

# Check if the actual type and value match the expected type and value
if ($actualType -ne $typeMap[$expected.Type] -or $actualValue -ne $expected.Data) {
Write-Host "Incorrect '$key' value or type. Correcting it..."
# Remove the existing property before adding it again
Remove-ItemProperty -Path $regPath -Name $key -ErrorAction SilentlyContinue
New-ItemProperty -Path $regPath -Name $key -Value $expected.Data -PropertyType $expected.Type -Force | Out-Null
}
}

Write-Host "All values are correct or have been remediated. No further action required."
Exit 0
}
  • Detection script file – Browse to the Detection script Detect_reg_key.ps1
  • Remediation script file – Browse to Remediation script file Remediate_reg_key.ps1
  • Run this script using the logged-on credentials – Yes
  • Enforce script signature check – No
  • Run script in 64-bit Powershell – Yes
Intune Remediation script package settings for Deployment of Registry keys
Intune Remediation script package settings for Deployment of Registry keys
  • Assignments – Click on Add group to add an Entra security group containing users or devices. You can also select the Schedule to run this script package. You have three options: Once, hourly, or Daily.
Intune Remediation script schedule
Intune Remediation script schedule
  • Review + create – Review the deployment and click on Create.

Sync Intune Policies

The device check-in process might not begin immediately. If you’re testing this policy on a test device, you can manually kickstart Intune sync from the device itself or remotely through the Intune admin center.

Alternatively, you can use PowerShell to force the Intune sync on Windows devices. Restarting the device is another way to trigger the Intune device check-in process.

End User Experience

After the script package is deployed on the target device. You can open the registry editor on the device to check and confirm if the registry keys and values are created as per the script.

Verification of Intune Registry Deployment on Windows device
Verification of Intune Registry Deployment on a Windows device

Step 2 – Monitor Intune Device Remediations

To check Intune device remediation script packages, do the following:

  • Sign in to the Intune admin center > Devices > Scripts and Remediations.
  • Click on the Remediation script package you want to monitor – for example, Create Reg Keys in HKCU.

Conclusion

This blog post explored the steps to create registry keys in the HKCU (HKEY_CURRENT_USER) hive using Intune remediations. Intune offers various methods for deploying registry keys and entries. Another approach involves creating and deploying a PowerShell script through the Devices > Scripts and remediations > Platform scripts method.

12 thoughts on “Create HKCU Registry Keys using Intune remediations”

  1. Good morning!
    i copied this to test – word for word and set it as a PS1 file – it came back as “failed”
    there is unfortunately no information in there of course. But i ran both sucessfully on my machine, but going into intune did not work

    Reply
      • Hi there, i had repliued but looks like it didn’t go through – it works, but it was due to it being coded as UTF-8 BOF and not just straight UTF-8 (as per their docs)
        after i changed it within notepad ++ it worked flawlessly

        Reply
    • Good question! 🙂 If I recall correctly, I did not grant admin rights to the user. However, the logic suggests that the user should have edit rights for the registry since the script is running under the logged-on user. I will test it again and confirm this.

      Reply
  2. Firstly, thanks for this guide, it’s great and I used it to pushout a couple of fixies.

    However, sadly it didn’t when I tried to add new keys under HYCU\SOFTWARE\Policies\ When I check the permissions the users only have read access to the key.

    I’ve tried a few work around but so far none have worked yet, if you’ve any thoughts it would be appreciated.

    Reply
  3. Trying to use this method to set the default font for Outlook. The path is HKCU:\Software\Microsoft\Office\16.0\Common\MailSettings but there are six values to change that are all BINARY.
    ComposeFontComplex
    ComposeFontSimple
    ReplyFontComplex
    ReplyFontSimple
    TextFontComplex
    TextFontSimple
    I have them set in my PC I just need to somehow export them in a readable form to put in the script to set them. Any ideas?

    Reply

Leave a Comment