Create or set Registry Keys using Intune Remediation scripts – Part 2

Today in Part 2 on how to create or set Registry Keys using Intune Remediation scripts, I want to show you how easily you can modify Regkeys for all users, or keys that need additional permissions for the currently logged-on user.

In Part 1 I covered how you can set a specific Regkey for the currently logged-on user, but what if we want to change something, for example in the HKCU:\Software\Policies hive, that is not writable by the logged-on user?

Currently logged on User

You can find the sample script on my GitHub: detection remediation

Detection

Since the remediation script will need to run as System in order to modify our Regkey, the first thing we need to do in our detection is to identify the currently logged-on user. Running as System, HKCU: would point at the SYSTEM account's own hive, so we use this information to find the corresponding path under HKEY_USERS and actually check our key / value there.

Remediation

The remediation script follows the same idea as the detection to find the logged on user:
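The following is an added example of the detection and remediation logic described in the two sections above; it is not the script from the author's GitHub. It assumes the sample key is the "private store only" policy the post refers to (`Software\Policies\Microsoft\WindowsStore`, value `RequirePrivateStoreOnly`), resolves the logged-on user through `Win32_ComputerSystem`, and addresses that user's hive via an `HKU:` drive because the script runs as SYSTEM. The helper functions are shared; each Intune file would carry them plus the one `Invoke-Detection` or `Invoke-Remediation` call at the end.

```powershell
# Added example, not the post's own script. Assumed sample key/value:
# the "only display the private store" policy mentioned in the post.
$RegPath  = 'Software\Policies\Microsoft\WindowsStore'   # relative to the user hive
$RegName  = 'RequirePrivateStoreOnly'
$RegValue = 1
$RegType  = 'DWord'

function Get-LoggedOnUserSid {
    # Win32_ComputerSystem.UserName holds DOMAIN\user of the console session.
    # It is empty when nobody is logged on interactively.
    $userName = (Get-CimInstance -ClassName Win32_ComputerSystem).UserName
    if (-not $userName) { return $null }
    $account = New-Object System.Security.Principal.NTAccount($userName)
    return $account.Translate([System.Security.Principal.SecurityIdentifier]).Value
}

function Get-UserRegPath {
    param([string]$Sid)
    # Expose HKEY_USERS as a PowerShell drive so SYSTEM can reach the user's hive.
    if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
        New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
    }
    return "HKU:\$Sid\$RegPath"
}

function Test-RegValue {
    param([string]$Path)
    # Returns $true only if the value exists AND holds the expected data.
    $current = Get-ItemProperty -Path $Path -Name $RegName -ErrorAction SilentlyContinue
    return ($null -ne $current -and $current.$RegName -eq $RegValue)
}

function Invoke-Detection {
    # Intune semantics: exit 0 = compliant, exit 1 = remediation needed.
    $sid = Get-LoggedOnUserSid
    if (-not $sid) { Write-Output 'No interactive user logged on, skipping'; exit 0 }
    $path = Get-UserRegPath -Sid $sid
    if (Test-RegValue -Path $path) { Write-Output "Compliant: $path\$RegName"; exit 0 }
    Write-Output "Non-compliant: $path\$RegName"
    exit 1
}

function Invoke-Remediation {
    $sid = Get-LoggedOnUserSid
    if (-not $sid) { Write-Output 'No interactive user logged on, nothing to do'; exit 0 }
    $path = Get-UserRegPath -Sid $sid
    # Create the key if missing, then create/overwrite the value (-Force).
    if (-not (Test-Path -Path $path)) { New-Item -Path $path -Force | Out-Null }
    New-ItemProperty -Path $path -Name $RegName -Value $RegValue `
        -PropertyType $RegType -Force | Out-Null
    if (Test-RegValue -Path $path) { Write-Output "Set $RegName at $path"; exit 0 }
    Write-Output "Failed to set $RegName at $path"
    exit 1
}

# Detection file ends with:   Invoke-Detection
# Remediation file ends with: Invoke-Remediation
```

Two things to keep in mind when adapting this: the detection exits 0 when no user is logged on, so Intune will report the device compliant until the next scheduled run with a console session; and `Win32_ComputerSystem.UserName` only reflects the console session, so a user connected purely over RDP is not found.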

All Users

Another sample script shows you, how you can check for a key for all Users, in case you want to change something in the user context for the whole system. You can find a sample again on my GitHub: detection remediation

Detection

Similar to the other detection script, we will mount HKEY_USERS, but this time we will loop through all "real" user accounts and check for the requested key in each hive.

Remediation

The remediation will also go through all user hives and set the key if it does not exist.
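As an added example for the all-users variant (again not the author's GitHub script), the block below enumerates the hives loaded under HKEY_USERS, keeps only "real" account SIDs, and runs the same check / set for each. The sample key and value are the same assumed private-store policy as before.

```powershell
# Added example, not the post's own script. Assumed sample key/value as before.
$RegPath  = 'Software\Policies\Microsoft\WindowsStore'
$RegName  = 'RequirePrivateStoreOnly'
$RegValue = 1
$RegType  = 'DWord'

function Get-UserHivePaths {
    if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
        New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
    }
    # "Real" accounts: local/domain users are S-1-5-21-*, Azure AD users are
    # S-1-12-1-*. The regex deliberately excludes the *_Classes companion hives,
    # .DEFAULT and the built-in SYSTEM / LOCAL SERVICE / NETWORK SERVICE SIDs.
    Get-ChildItem -Path 'HKU:\' |
        Where-Object { $_.PSChildName -match '^S-1-(5-21|12-1)-[\d-]+$' } |
        ForEach-Object { "HKU:\$($_.PSChildName)\$RegPath" }
}

function Test-RegValue {
    param([string]$Path)
    $current = Get-ItemProperty -Path $Path -Name $RegName -ErrorAction SilentlyContinue
    return ($null -ne $current -and $current.$RegName -eq $RegValue)
}

function Invoke-Detection {
    $missing = @(Get-UserHivePaths | Where-Object { -not (Test-RegValue -Path $_) })
    if ($missing.Count -eq 0) { Write-Output 'All loaded user hives compliant'; exit 0 }
    # Report every non-compliant hive so the Intune output is useful for troubleshooting.
    Write-Output ("Non-compliant hives: " + ($missing -join '; '))
    exit 1
}

function Invoke-Remediation {
    $failed = @()
    foreach ($path in Get-UserHivePaths) {
        if (Test-RegValue -Path $path) { continue }   # already correct, leave it alone
        if (-not (Test-Path -Path $path)) { New-Item -Path $path -Force | Out-Null }
        New-ItemProperty -Path $path -Name $RegName -Value $RegValue `
            -PropertyType $RegType -Force | Out-Null
        if (-not (Test-RegValue -Path $path)) { $failed += $path }
    }
    if ($failed.Count -eq 0) { Write-Output 'All loaded user hives set'; exit 0 }
    Write-Output ("Failed to set value in: " + ($failed -join '; '))
    exit 1
}

# Detection file ends with:   Invoke-Detection
# Remediation file ends with: Invoke-Remediation
```

The caveat with this approach is that HKEY_USERS only contains hives that are currently loaded, i.e. users with an active or recently ended session; profiles of users who are not logged on are not touched unless their NTUSER.DAT is loaded first, which is outside what these scripts do.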

Intune

Regardless of whether you want to use the All Users or the currently logged-on user version, you will obviously have to modify lines 2-4 of the script to match your Regkey. Once this is done, we can create a new Remediation in Intune:

Give it a name:

Upload the files and make sure to disable running the script with the logged-on credentials, since we want it to run as System. Also make sure it runs in 64-bit PowerShell.

In the Assignments tab we can again set the group of devices where this should run and configure the schedule:

On the Review + Create page, we can check our settings one last time and give it a go:

Conclusion

Using these simple sample scripts, you can now easily modify Regkeys from Intune. Yes, I know that for my sample key about the private store there is a policy available natively in Intune, but there are cases where this is not available, and then it can be pretty handy to just set it via Remediations.


Comments

3 responses to “Create or set Registry Keys using Intune Remediation scripts – Part 2”

  1. […] Create or set Registry Keys using Intune Remediation scripts – Part 2 […]

  2. Stephen

    Is there an easy way to modify this script to be able to change multiple registry values under the same registry key? I’m trying to change a bunch of values under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced such as TaskbarAl, ShowCopilotButton, TaskbarGlomLevel, etc.

    1. Sure, just duplicate the checks in the detection and add the New/set-itemproperty functions in the remediation for each key that you want to check / modify.
