Today in Part 2 on how to create or set Registry Keys using Intune Remediation scripts, I want to show you how easy you can modify Regkeys for all users or keys that need additional permissions for the currently logged on User.
In Part 1: I covered, how you can set a specific Regkey for the currently logged on User, but what if we want to change something for example in the HKCU:\Software\Policies hive that is not accessible for the logged on User?
Currently logged on User
You can find the sample script on my GitHub: detection remediation
Detection
Since the remediation script will need to run as System in order to modify our Regkey, the first thing that we need to do in our detection, is to identify the currently logged on User. We will use this information to find the corresponding Path in the registry to actual check or key / value.
Remediation
The remediation script follows the same idea as the detection to find the logged on user:
All Users
Another sample script shows you, how you can check for a key for all Users, in case you want to change something in the user context for the whole system. You can find a sample again on my GitHub: detection remediation
Detection
Similar to the other detection script, we will mount HKEY_Users, but this time we will loop through all “real” accounts and check for the requested key.
Remediation
The remediation will also go through all user hives and set the key if it does not exists.
Intune
Regardless of if you want to use the All Users or the currently logged on Users version, you will obviously have to modify the script in line 2-4 to match your Regkey. Once this is done, we can create a new Remediation in Intune:
Give it a name:
Upload the files and make sure to disable running the script with the logged-on credentials, since we want to run it as system. Also make sure it runs in 64-bit PowerShell.
In the Assignments Tab we can again set the Group of devices, where this should run and configure the schedule:
In the Review + Create page, we can one last time check our settings and give it a go:
Conclusion
Using this simple sample scripts, you can now easily modify Regkeys from Intune. Yes, I know for my sample key about private store, there would be a policy available natively in Intune, but there are cases where this is not available and here it can be pretty handy to just set it via Remediations.
Leave a Reply