Create or set Registry Keys in Intune using (Proactive) Remediations

Today I will show you how you can create or set registry keys using Intune (Proactive) Remediations. For (Hybrid) Domain joined clients we used Group Policy Preferences to set these RegKeys, but as there is no such thing for Azure AD joined clients, we will use a small remediation script for this.

As an example, today we will use the Folder Option “Hide extensions for known file types”, which could be set directly via Group Policy Preferences or via RegKey.
I uploaded the example script to GitHub: https://github.com/mmeierm/Scripts/tree/main/Remediations

Detection

In the detection script we will have to modify lines 2-4 to match our needs for the path, the key name and the value.

Remediation

In the remediation script, you will again need to modify lines 2-4. If you are not using a “DWORD” key, you additionally need to modify the PropertyType in line 14.
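
A type-aware detection and remediation pair for the two steps above, written as an added example (it is not the script from the GitHub repository linked in this post). `$Mode`, `$Settings`, `Test-RegSetting` and `Set-RegSetting` are hypothetical names introduced here; the settings table can hold several values, and the check compares the registry value kind as well as the data.

```powershell
# Added example, not the author's script. $Mode is a hypothetical switch:
# save one copy with 'Detect' as the detection script and one with 'Remediate'.
$Mode = 'Detect'

# Settings to enforce: path, value name, registry value kind and data.
$Settings = @(
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
       Name = 'HideFileExt'; Type = 'DWord'; Value = 0 }
)

function Test-RegSetting {
    param([hashtable]$S)
    # A missing key or a missing value both count as non-compliant.
    $key = Get-Item -Path $S.Path -ErrorAction SilentlyContinue
    if (-not $key) { return $false }
    if ($key.GetValueNames() -notcontains $S.Name) { return $false }
    # Compare the value kind too, so a REG_SZ "0" does not pass for a DWORD 0.
    if ($key.GetValueKind($S.Name).ToString() -ne $S.Type) { return $false }
    return ($key.GetValue($S.Name) -eq $S.Value)
}

function Set-RegSetting {
    param([hashtable]$S)
    if (-not (Test-Path -Path $S.Path)) {
        New-Item -Path $S.Path -Force | Out-Null
    }
    # -Force overwrites an existing value, including one of the wrong kind.
    New-ItemProperty -Path $S.Path -Name $S.Name -PropertyType $S.Type `
        -Value $S.Value -Force | Out-Null
}

$failed = @($Settings | Where-Object { -not (Test-RegSetting $_) })

if ($Mode -eq 'Remediate') {
    $failed | ForEach-Object { Set-RegSetting $_ }
    # Re-check so the exit code reflects the state after remediation.
    $failed = @($Settings | Where-Object { -not (Test-RegSetting $_) })
}

if ($failed.Count -gt 0) {
    Write-Output ('Not compliant: ' + (($failed | ForEach-Object { $_.Name }) -join ', '))
    exit 1
}
Write-Output 'All settings ok'
exit 0
```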

Intune

As soon as we have our scripts ready, we can create the (Proactive) Remediation in Intune.

Since we want to modify a RegKey in the HKEY_Current_User section that is accessible by a “normal” non-admin account, we want to run the script in the current user context. If we want to modify a key in HKEY_Local_Machine, we want to run it in system context.
In a future blog, I will show you how you can modify a key in the HKEY_Current_User section that is not accessible by a non-admin account, like in the policies hive.

Once we have uploaded the script(s) we can assign it and set the schedule:



9 responses to “Create or set Registry Keys in Intune using (Proactive) Remediations”

  1. […] base by MikeMDM, adapted to the appropriate registry key by our […]

  2. […] script by MikeMDM, customized for the needs of this registry […]

  3. Gertjan Jongeneel

    Hi Mike,

    In the blog above, you state that ‘In a future Blog, I will show you how you can modify a key in HKEY_Current_User section that is not accessible by a non-admin account like in the policies hive.’. Did you ever get to creating that blog? Would be interesting!

    1. Hi, I just created this blog post for you 🙂 Had it on the backlog for way too long…
      https://mikemdm.de/2024/05/05/create-or-set-registry-keys-using-intune-remediation-scripts-part-2/

  4. […] Part 1: I covered, how you can set a specific Regkey for the currently logged on User, but what if we want […]

  5. Stephen

    Is there an easy way to modify this script to be able to change multiple registry values under the same registry key? I’m trying to change a bunch of values under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced such as TaskbarAl, ShowCopilotButton, TaskbarGlomLevel, etc.

    1. Sure, just duplicate the checks in the detection and add the New/set-itemproperty functions in the remediation for each key that you want to check / modify.

  6. Craig Vibert

    This is a really good example of this.

    Any value in adding a detection on the type as in my below example so if someone has accidentally created a string value it will overwrite that as well?

    #Hide Filenames
    $regkey="HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\"
    $name="HideFileExt"
    $Type = "Int32"
    $value=0

    #Registry Detection Template

    If (!(Test-Path $regkey))
    {
        Write-Output 'RegKey not available - remediate'
        Exit 1
    }

    $check=(Get-ItemProperty -path $regkey -name $name -ErrorAction SilentlyContinue).$name
    if ($check -eq $value -and $check.GetType().Name -eq "$Type"){
        write-output 'setting ok - no remediation required'
        Exit 0
    }

    else {
        write-output 'value not ok, no value or could not read - go and remediate'
        Exit 1
    }

    1. Yes makes sense, if this is a key that a user could / will change, you should absolutely check this as well. Thanks for the reporting.
