Certain configurations necessitate the creation or modification of Registry keys on your end-users' systems. If you're transitioning from Group Policy Objects (GPOs), you may be accustomed to using them for managing Registry keys. Regrettably, Intune lacks the functionality to handle "Preferences," including Registry key management. However, fret not, as there are alternative methods to accomplish the same tasks efficiently. In this article, we'll explore these alternative approaches to manage Registry keys in Intune.

One-time creation or change with a PowerShell script

The simplest way is to use a PowerShell script to set one or multiple Keys.
For this purpose, I've created a small script block which you can duplicate for multiple entries. Just define the four variables: the Registry path, the name of the key, the format the key should have, and the value it should hold.

In the example below I set the key to disable Roaming Signatures in Outlook.

This script must be deployed in the user context, because it writes to "HKEY_CURRENT_USER". If the key is under "HKEY_LOCAL_MACHINE" you have to run the script as system. Also note that in PowerShell "HKEY_CURRENT_USER" is "HKCU:" and "HKEY_LOCAL_MACHINE" is "HKLM:".

$Path = "HKCU:\Software\Microsoft\Office\16.0\Outlook\Setup"
$Key = "DisableRoamingSignaturesTemporaryToggle"
$KeyFormat = "dword"
$Value = "1"

# Create the key (including missing parent keys) if it does not exist yet
if(!(Test-Path $Path)){New-Item -Path $Path -Force}
# An empty $Key sets the key's (Default) value; otherwise the named value is written with the given type
if(!$Key){Set-Item -Path $Path -Value $Value}
else{Set-ItemProperty -Path $Path -Name $Key -Value $Value -Type $KeyFormat}
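The article's script block is meant to be duplicated per entry. As an added example (my own code, not the author's script), the same logic can be driven from a list, so each entry carries its own path, name, type and value and a failure on one entry does not stop the others. The Outlook entry is the one from the article; the "ExampleCorp" entry is a constructed sample to show a string value, not a real setting. All entries are under HKCU, so the script still belongs in the user context.

```powershell
# Added example: set several registry values from one list (user context, HKCU only)
$Entries = @(
    @{ Path = "HKCU:\Software\Microsoft\Office\16.0\Outlook\Setup"
       Name = "DisableRoamingSignaturesTemporaryToggle"; Type = "DWord"; Value = 1 },
    # Constructed sample entry (placeholder vendor/path), shows a string value
    @{ Path = "HKCU:\Software\ExampleCorp\Settings"
       Name = "Region"; Type = "String"; Value = "EU" }
)

foreach ($Entry in $Entries) {
    try {
        # Create the key and any missing parents before writing a value into it
        if (-not (Test-Path -Path $Entry.Path)) {
            New-Item -Path $Entry.Path -Force | Out-Null
        }
        # -Type selects the registry data type: String, ExpandString, DWord, QWord, MultiString, Binary
        Set-ItemProperty -Path $Entry.Path -Name $Entry.Name -Value $Entry.Value -Type $Entry.Type
        Write-Output "Set $($Entry.Path)\$($Entry.Name) = $($Entry.Value) ($($Entry.Type))"
    } catch {
        # Report the failure but continue, so one bad entry does not block the rest
        Write-Error "Failed to set $($Entry.Path)\$($Entry.Name): $_"
    }
}
```

Keep HKLM entries in a separate script deployed as system; mixing hives in one list would fail in whichever context the script runs.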

Monitored Registry Key with (Proactive) Remediation

The downside of keys set via the script function is that they are only set once. So, if the user or an administrator changes the key, or simply changes an option in a program, the key can revert or drift into a non-compliant state.

To monitor and remediate the desired state you can use the Remediation function in Intune.

Remediations are only available to Enterprise customers.
Valid licenses can be found here: Remediations | Microsoft Learn

What you have to declare in each script (detection and remediation) are the same details as in the classic script. But this time the detection runs on a schedule and checks for the key and value; if it's not in the desired state, the remediation is triggered to set the key correctly.

How to create a Remediation package is shown here: Endpoint Analytics Proactive Remediation Community (scloud.work)

Detection of Registry Key

$Path = "HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Power"
$Name = "HiberbootEnabled"
$Value = 0

Try {
    $Registry = Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop | Select-Object -ExpandProperty $Name
    If ($Registry -eq $Value){
        Write-Output "Compliant"
        Exit 0
    } 
    Write-Warning "Not Compliant"
    Exit 1
} 
Catch {
    Write-Warning "Not Compliant"
    Exit 1
}

Remediation of Registry Key

$Path = "HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Power"
$Key = "HiberbootEnabled" 
$KeyFormat = "DWORD"
$Value = 0

try{
    if(!(Test-Path $Path)){New-Item -Path $Path -Force}
    if(!$Key){Set-Item -Path $Path -Value $Value}
    else{Set-ItemProperty -Path $Path -Name $Key -Value $Value -Type $KeyFormat}
    Write-Output "Key set: $Key = $Value"
}catch{
    Write-Error $_
}

Kind of monitored with a Win32 Application

If you don't have Enterprise licenses you can achieve a similar detection method via a Win32 application. The check won't run on a defined schedule, and you won't have monitoring like in the Remediations, but if the key changes it will be set back to the correct value again.

For the Installation file you can use the remediation from above.

For the detection you have two options: either you use a slightly modified version of the detection script or you build the detection in the Intune portal.

My package can be downloaded on GitHub:

Another approach would be an import of a ".reg" file, here shown by Gannon: Make Registry Changes with Intune Win32 Apps - SMBtotheCloud

Win32 detection of registry via PowerShell

Here is the detection of one registry key:

$Path = "HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Power"
$Key = "HiberbootEnabled"
$Value = 0

Try {
    $Registry = Get-ItemProperty -Path $Path -Name $Key -ErrorAction Stop | Select-Object -ExpandProperty $Key
    If ($Registry -eq $Value){
        $Detection = $true
    } else {
        # Value exists but does not match: not detected
        exit 1
    }
}
Catch {
    # Key or value missing (Get-ItemProperty throws because of -ErrorAction Stop): not detected
    exit 1
}

# Win32 detection counts as successful only with exit code 0 AND output on STDOUT
if($Detection -eq $true){
    Write-Host "Found it!"
    exit 0
}else{exit 1}

To use the detection for multiple keys, repeat the variable definitions and the Try/Catch block once per key; only the final $Detection check at the end stays single.
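Instead of duplicating the Try/Catch block per key, the check can loop over a list. This added example is my own code, not the author's script, and serves both the Remediation detection script above and the Win32 detection: exit 1 means "not compliant" to a Remediation and "not detected" to a Win32 app, while exit 0 plus output on STDOUT means compliant / detected. The HiberbootEnabled entry is from the article; the "ExampleCorp" entry is a constructed sample, not a real setting.

```powershell
# Added example: detect several registry values at once; compliant only if all match
$Entries = @(
    @{ Path = "HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Power"
       Name = "HiberbootEnabled"; Value = 0 },
    # Constructed sample entry (placeholder vendor/path)
    @{ Path = "HKLM:\SOFTWARE\ExampleCorp\Settings"; Name = "LoggingLevel"; Value = 2 }
)

$Mismatches = @()
foreach ($Entry in $Entries) {
    try {
        $Current = Get-ItemProperty -Path $Entry.Path -Name $Entry.Name -ErrorAction Stop |
            Select-Object -ExpandProperty $Entry.Name
        if ($Current -ne $Entry.Value) {
            $Mismatches += "$($Entry.Path)\$($Entry.Name) is '$Current', expected '$($Entry.Value)'"
        }
    } catch {
        # Key or value missing: Get-ItemProperty throws because of -ErrorAction Stop
        $Mismatches += "$($Entry.Path)\$($Entry.Name) is missing"
    }
}

if ($Mismatches.Count -eq 0) {
    # STDOUT output plus exit 0 = compliant (Remediation) / detected (Win32 app)
    Write-Output "Compliant"
    exit 0
}

# Listing every mismatch makes the detection output shown in the Intune portal useful
$Mismatches | ForEach-Object { Write-Warning $_ }
exit 1
```

Because all values are checked before exiting, the first run's output names every drifted value, which is handier for troubleshooting than a script that stops at the first mismatch.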

Win32 detection of registry via Intune

To use the Intune functionality for detection, choose "Manually configure detection rules" and add the Key according to your needs:

Intune Detection rule, registry key

Conclusion

In conclusion, managing Registry keys in Intune may require alternative methods, especially if you're used to handling them with Group Policy Objects (GPOs). While Intune lacks the direct functionality to manage "Preferences," including Registry key management, you can still efficiently achieve your desired configurations. In this article, we explored several approaches to manage Registry keys in Intune.

The simplest way involves using a PowerShell script to create or modify Registry keys on your end-users' systems. This script can be deployed in the user context or, in the case of "HKEY_LOCAL_MACHINE" keys, as system. However, it's important to note that this method only sets the keys once and may not maintain compliance if users or administrators make changes.

For a more robust solution, especially for Enterprise customers, you can utilize the Remediation function in Intune. This feature allows you to monitor and remediate the desired Registry key state, ensuring ongoing compliance. You can use detection and remediation scripts to accomplish this.

If you don't have Enterprise licenses, you can achieve a similar detection method via a Win32 application. While this method doesn't offer scheduled monitoring like Remediations, it can still correct the Registry key format if it changes.

In all cases, the key to successful Registry key management in Intune lies in careful planning and the choice of the most suitable method for your specific needs. Whether you opt for PowerShell scripts, Remediations, or Win32 applications, Intune provides flexible options for Registry key management to help you maintain your desired system configurations.