Intune makes a lot of things really easy, but some things are just easier with GPO. Adding or changing registry keys for the current user in the HKEY_CURRENT_USER hive is one of the things that was far easier with GPO than it is in Intune. I’m really going to miss the days of on-prem AD, OUs, and GPOs. Sad times we live in, or maybe I’m just old and frustrated with Microsoft.
Sadly, there are some configurations that we need to do as engineers or admins that require us to dive into the HKCU hive to make modifications.
Never fear, though: there is a way to deploy registry keys to HKCU using Intune. You can package the script as a Win32 app or use a Proactive Remediation. I’ve covered those methods in this post: Deploy PowerShell Scripts in Intune
You will want to create a new PowerShell script similar to the one below. In our example, we are creating a new value in HKCU:\Software called Test and setting the value equal to 1.
New-ItemProperty -LiteralPath 'HKCU:\Software' -Name "Test" -Value 1 -PropertyType "Dword" -Force -ea SilentlyContinue
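Simple enough, right? The important part comes during the Win32 app creation or Proactive Remediation setup, whichever you choose. We want to make sure that the script runs in the user context. Otherwise it won’t work properly, because in the system context HKCU resolves to the SYSTEM account’s hive rather than the signed-in user’s.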
Win32 App Config
For a Win32 app, you must make sure to change the Install Behaviour to “User” instead of “System”.

Proactive Remediation Config
If you choose a Proactive Remediation deployment for this, you want to make sure that the option to Run this script using the logged-on credentials is set to “Yes”.
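A detection script to pair with the one-line remediation above, as an added example that is not from the original post: it assumes the article's Test value under HKCU:\Software, refuses to report compliance when it finds itself running as SYSTEM, and reads the 64-bit registry view so a 32-bit PowerShell host checks the same location regedit shows. The function name Test-HkcuValue and its state strings are hypothetical.

```powershell
# Detection script for an Intune Proactive Remediation (added example).
# Assumed target, taken from the article: HKCU:\Software, value "Test" = 1 (DWORD).
$SubKey   = 'Software'
$Name     = 'Test'
$Expected = 1

function Test-HkcuValue {
    param([string]$SubKey, [string]$Name, [int]$Expected)

    # As SYSTEM, HKCU is the SYSTEM account's hive, not the signed-in user's.
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    if ($id.IsSystem) { return 'WrongContext' }

    # Open the 64-bit view explicitly so WOW64 redirection in a 32-bit host
    # cannot send the check to a different key than the one being managed.
    $base = [Microsoft.Win32.RegistryKey]::OpenBaseKey(
        [Microsoft.Win32.RegistryHive]::CurrentUser,
        [Microsoft.Win32.RegistryView]::Registry64)
    try {
        $key = $base.OpenSubKey($SubKey)          # read-only handle
        if ($null -eq $key) { return 'Missing' }
        try {
            $value = $key.GetValue($Name, $null)
            # GetValueKind throws when the value is absent, so guard it.
            $kind  = if ($null -ne $value) { $key.GetValueKind($Name) }
        } finally { $key.Dispose() }
    } finally { $base.Dispose() }

    if ($null -eq $value) { return 'Missing' }
    if ($kind -ne [Microsoft.Win32.RegistryValueKind]::DWord) { return 'WrongType' }
    if ($value -ne $Expected) { return 'WrongValue' }
    return 'Compliant'
}

$state = Test-HkcuValue -SubKey $SubKey -Name $Name -Expected $Expected
Write-Output "HKCU\$SubKey\$Name : $state"

# Exit 0 = compliant; exit 1 = issue detected, so the remediation script runs.
if ($state -eq 'Compliant') { exit 0 } else { exit 1 }
```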

Other Options
Another option is to make your script load the registry key for all new users who sign in. This will not impact users who already have profiles on the device, only new users.
To do this, we use PowerShell again to enable access to the HKEY_USERS hive, and then you can create your key there.
New-PSDrive -PSProvider Registry -Name HKU -Root HKEY_USERS
New-ItemProperty -LiteralPath 'HKU:\.DEFAULT\Software' -Name "Test" -Value 1 -PropertyType "Dword" -Force -ea SilentlyContinue
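On Windows, profiles for users who have not signed in yet are created from the Default profile's NTUSER.DAT, and HKEY_USERS\.DEFAULT is the hive of the LocalSystem account rather than that template. The following is an added example (not the author's script) that loads the template hive and writes the article's Test value there; it assumes the script runs elevated, for example in the System context, and the mount name DefaultUserTemplate is arbitrary.

```powershell
# Added example: seed a value for future profiles through the Default profile hive.
# Assumes elevation; 'DefaultUserTemplate' is an arbitrary temporary mount name.
$profileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
$defaultDir  = (Get-ItemProperty -LiteralPath $profileList).Default
$hiveFile    = Join-Path $defaultDir 'NTUSER.DAT'
$mountName   = 'DefaultUserTemplate'

if (-not (Test-Path -LiteralPath $hiveFile)) {
    throw "Default profile hive not found: $hiveFile"
}

# Mount the template hive under HKEY_USERS.
& reg.exe load "HKU\$mountName" $hiveFile | Out-Null
if ($LASTEXITCODE -ne 0) { throw "reg load failed with exit code $LASTEXITCODE" }

try {
    # Same value the article sets for the current user: Test = 1 (DWORD).
    $target = "Registry::HKEY_USERS\$mountName\Software"
    New-ItemProperty -LiteralPath $target -Name 'Test' -Value 1 `
        -PropertyType DWord -Force | Out-Null
}
finally {
    # Release any .NET registry handles first, otherwise the unload is refused.
    [gc]::Collect()
    [gc]::WaitForPendingFinalizers()
    & reg.exe unload "HKU\$mountName" | Out-Null
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "reg unload failed; HKU\$mountName is still mounted"
    }
}
```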
Conclusion
Oh, the good old days of GPO are quickly going away and Microsoft doesn’t seem to want to make our lives easy. No worries, we found a workaround and now you know how to deploy registry keys using Intune to the current user registry hive.
Have Intune questions? Let me know in the comments.

I’ve been working in the IT field for nearly 15 years, specifically with desktop engineering. I have a degree in Computer Science as well as some industry certifications from Microsoft. Outside of work, I have 21 years of experience in various programming languages and enjoy making toy projects. I’m also an avid Linux user, currently using Manjaro as my main OS. I enjoy writing about my experiences in programming and with Linux as well.
I’m trying to use InTune to run a PS script to create a new key (New-Item instead of New-ItemProperty) in HKCU. The script runs fine from a command line but doesn’t do anything from InTune. There’s not much to set up in InTune. So I don’t know where I’m going wrong.
Powershell.exe -ExecutionPolicy ByPass -File .\Win11_FE_menu_DISABLE.ps1
[Win11_FE_menu_DISABLE.ps1]
New-Item -Path "HKCU:\Software\Classes\CLSID" -Name "{86CA1AA0-34AA-4E8B-A509-50C905BAE2A2}"
New-Item -Path "HKCU:\Software\Classes\CLSID\{86CA1AA0-34AA-4E8B-A509-50C905BAE2A2}" -Name InprocServer32
Set-ItemProperty -Path "HKCU:\Software\Classes\CLSID\{86CA1AA0-34AA-4E8B-A509-50C905BAE2A2}\InprocServer32" -Name '(Default)' -Value ” -Force
Hi Kevin, thanks for commenting. Assuming the code you put in the comment is the same as the code in your script I think the extra ” after -Value in the last line is causing a problem. Do all of the keys get created and the value just doesn’t get set? Did you set it to run in the user context?
Those were two single quotes to set the value to nothing. I tried again from scratch and the following works with an asterisk :
New-Item -Path "HKCU:\Software\Classes\CLSID" -Name "{86CA1AA0-34AA-4E8B-A509-50C905BAE2A2}" -Force -ea SilentlyContinue
New-Item -Path "HKCU:\Software\Classes\CLSID\{86CA1AA0-34AA-4E8B-A509-50C905BAE2A2}" -Name "InprocServer32" -Force -ea SilentlyContinue
Set-ItemProperty -LiteralPath "HKCU:\Software\Classes\CLSID\{86CA1AA0-34AA-4E8B-A509-50C905BAE2A2}\InprocServer32" -Name "(Default)" -Value '' -Force -ea SilentlyContinue
The problem is it’s writing to WOW6432Node\CLSID.
I found my solution to the writing to the registry in the wrong place. I need the following in the command field to make sure it writes to HKCU:\Software\
%windir%\sysnative\WindowsPowerShell\v1.0\Powershell.exe
Now I need advice on how to check that the program succeeded b/c the Detection rule can’t see, or sees the wrong place when I tell it to check “HKCU:\Software….”
Glad you got it working. The powershell command change was probably due to where you wanted the registry key to go. Writing keys to HKCU:\Software can be tricky if PowerShell is running in 64bit mode. There is an option in Intune when creating an app that lets you select if PowerShell runs as 64bit or not. Altering this switch could also resolve your issue. Depending on your selection the key could go to HKCU:\Software\Wow6432Node instead of HKCU:\Software\ like you expect.
Hi,
When applying ‘CURRENT_USER’ registry fixes via either App or Remediation, is it safe/ok to use device based group assignments, or best just to stick to user groups?
I’ve used device based group assignments without any issue.
I found the answer. Detection of HKCU in InTune app does work if you start it with what’s displayed in regedit – HKEY_CURRENT_USER\Software\
Alas ‘HKEY_CURRENT_USER\’ did not work for me.
The same script installs fine if directed to HKLM.
I haven’t had any trouble with this. Do you mind sharing the contents of your script? Be sure to remove anything sensitive.
Doesn’t work I’m afraid.