Deploy HKCU Registry Keys Using Intune


Intune makes a lot of things really easy, but some things are just easier with GPO. Adding or changing registry keys for the current user in the HKEY_CURRENT_USER hive is one of the things that was far easier with GPO than it is in Intune. I’m really going to miss the days of on-prem AD, OUs, and GPOs. Sad times we live in, or maybe I’m just old and frustrated with Microsoft.

Sadly, there are some configurations that we need to do as engineers or admins that require us to dive into the HKCU hive to make modifications.

Never fear, there is still a way to deploy registry keys to HKCU using Intune. You can package the script as a Win32 app or run it as a Proactive Remediation; I’ve covered both methods in this post: Deploy PowerShell Scripts in Intune

Create a new PowerShell script similar to the one below. In this example, it creates a DWORD value named Test under HKCU:\Software and sets it to 1.

# Create (or overwrite) the DWORD value Test = 1 under HKCU:\Software
New-ItemProperty -LiteralPath 'HKCU:\Software' -Name "Test" -Value 1 -PropertyType "DWord" -Force -ErrorAction SilentlyContinue

Simple enough, right? The important part comes when you create the Win32 app or the Proactive Remediation, whichever you choose: make sure the script runs in the user context, otherwise it will not write to the signed-in user’s hive.

Win32 App Config

For a Win32 app, change the Install behavior to “User” instead of “System”.

[Screenshot: deploy registry key intune win32 app]

Proactive Remediation Config

If you choose a Proactive Remediation deployment, make sure the option Run this script using the logged-on credentials is set to “Yes”.

[Screenshot: deploy registry key intune proactive remediation]
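The scripts I would build for the value above, added here as an example rather than taken from the original post: a detection script and a remediation script for Proactive Remediation, where the remediation script also serves as the Win32 app install command. It assumes the value Test under HKCU:\Software from the post and that both scripts are deployed in the user context.

```powershell
# Added example, not from the original post: the HKCU:\Software\Test = 1 value
# above as a detection/remediation pair. Save each section as its own .ps1;
# Remediate.ps1 can also be the Win32 app install command. Both must run in the
# user context (Install behavior = User, or logged-on credentials = Yes);
# under SYSTEM, HKCU: resolves to the SYSTEM account's own hive.

# ----- Detect.ps1 -----
$KeyPath   = 'HKCU:\Software'
$ValueName = 'Test'
$Expected  = 1

$actual = (Get-ItemProperty -LiteralPath $KeyPath -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
if ($actual -eq $Expected) {
    Write-Output "Compliant: $KeyPath\$ValueName = $actual for $env:USERNAME"
    exit 0   # 0 = compliant, remediation is skipped
}
Write-Output "Non-compliant: $KeyPath\$ValueName is '$actual', expected $Expected"
exit 1       # 1 = Intune runs Remediate.ps1

# ----- Remediate.ps1 -----
# The Intune Management Extension is a 32-bit process, so a bare powershell.exe
# install command starts 32-bit PowerShell and some HKCU\Software\Classes keys
# are redirected to WOW6432Node (the problem in the comments below). Relaunch
# under the 64-bit host through sysnative before touching the registry.
if ([Environment]::Is64BitOperatingSystem -and -not [Environment]::Is64BitProcess) {
    $ps64 = Join-Path $env:WINDIR 'SysNative\WindowsPowerShell\v1.0\powershell.exe'
    $p = Start-Process -FilePath $ps64 -Wait -PassThru -WindowStyle Hidden `
        -ArgumentList '-NoProfile', '-ExecutionPolicy', 'Bypass', '-File', "`"$PSCommandPath`""
    exit $p.ExitCode
}

try {
    New-ItemProperty -LiteralPath 'HKCU:\Software' -Name 'Test' -Value 1 `
        -PropertyType DWord -Force -ErrorAction Stop | Out-Null
    # Read the value back: -ErrorAction SilentlyContinue in the one-liner above
    # would hide a write to the wrong hive; here a mismatch fails the run instead.
    $check = (Get-ItemProperty -LiteralPath 'HKCU:\Software' -Name 'Test' -ErrorAction Stop).Test
    if ($check -ne 1) { throw "Read-back returned '$check' instead of 1" }
    Write-Output "Set HKCU:\Software\Test = 1 for $env:USERNAME"
    exit 0
}
catch {
    Write-Error "Failed to set HKCU:\Software\Test: $_"
    exit 1
}
```

The remediation exit code is what Intune reports, so a failed write shows up as a failed remediation instead of a silent success.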

Other Options

Another option is to have your script set the registry key for all new users who sign in. This will not affect users who already have profiles on the device, only new users.

To do this, we use PowerShell again to map the HKEY_USERS hive as a drive, and then create the key there.

# Map HKEY_USERS as a PSDrive so it can be addressed as HKU:\
New-PSDrive -PSProvider Registry -Name HKU -Root HKEY_USERS

# Write the same DWORD value into the .DEFAULT hive
New-ItemProperty -LiteralPath 'HKU:\.DEFAULT\Software' -Name "Test" -Value 1 -PropertyType "DWord" -Force -ErrorAction SilentlyContinue
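As an added example (not from the original post): HKEY_USERS\.DEFAULT is the hive the LocalSystem account and the logon screen use, so to seed every new profile the script below loads the Default profile template, C:\Users\Default\NTUSER.DAT, which Windows copies when it creates a profile, and writes the same value there. It assumes the script runs as SYSTEM, that reg.exe is available, and the mount name DefaultTemplate is an arbitrary choice.

```powershell
# Added example, not from the original post. Writes the same value into the
# Default profile template, C:\Users\Default\NTUSER.DAT, which Windows copies
# when it creates a NEW user profile. Must run as SYSTEM (Install behavior =
# System, or logged-on credentials = No); existing profiles are not changed.
$TemplateHive = Join-Path $env:SystemDrive 'Users\Default\NTUSER.DAT'
$MountName    = 'DefaultTemplate'                 # temporary key under HKEY_USERS

if (-not (Test-Path -LiteralPath $TemplateHive)) {
    Write-Error "Default profile hive not found at $TemplateHive"
    exit 1
}

# reg.exe load mounts the offline hive; a non-zero exit usually means it is
# still loaded from an earlier run that did not unload it.
& reg.exe load "HKU\$MountName" $TemplateHive | Out-Null
if ($LASTEXITCODE -ne 0) {
    Write-Error "reg load failed with exit code $LASTEXITCODE"
    exit 1
}

$createdDrive = $false
try {
    # Expose HKEY_USERS as HKU:\ (as the post does) so the mounted hive is reachable
    if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
        New-PSDrive -PSProvider Registry -Name HKU -Root HKEY_USERS | Out-Null
        $createdDrive = $true
    }
    $KeyPath = "HKU:\$MountName\Software"
    if (-not (Test-Path -LiteralPath $KeyPath)) { New-Item -Path $KeyPath -Force | Out-Null }
    New-ItemProperty -LiteralPath $KeyPath -Name 'Test' -Value 1 `
        -PropertyType DWord -Force -ErrorAction Stop | Out-Null
    Write-Output "Wrote $KeyPath\Test = 1 into the Default profile template"
}
finally {
    # Drop every handle to the hive before unloading, or reg unload fails with
    # "access denied" and the template stays mounted until reboot.
    if ($createdDrive) { Remove-PSDrive -Name HKU -ErrorAction SilentlyContinue }
    [GC]::Collect()
    [GC]::WaitForPendingFinalizers()
    & reg.exe unload "HKU\$MountName" | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning "reg unload failed with exit code $LASTEXITCODE" }
}
```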

Conclusion

Oh, the good old days of GPO are quickly going away, and Microsoft doesn’t seem to want to make our lives easy. No worries: we found a workaround, and now you know how to deploy registry keys to the current user’s registry hive using Intune.

Have Intune questions? Let me know in the comments.


12 thoughts on “Deploy HKCU Registry Keys Using Intune”

  1. I’m trying to use Intune to run a PS script to create a new key (New-Item instead of New-ItemProperty) in HKCU. The script runs fine from a command line but doesn’t do anything from Intune. There’s not much to set up in Intune. So I don’t know where I’m going wrong.

    Powershell.exe -ExecutionPolicy ByPass -File .\Win11_FE_menu_DISABLE.ps1

    [Win11_FE_menu_DISABLE.ps1]

    New-Item -Path "HKCU:\Software\Classes\CLSID" -Name "{86CA1AA0-34AA-4E8B-A509-50C905BAE2A2}"

    New-Item -Path "HKCU:\Software\Classes\CLSID\{86CA1AA0-34AA-4E8B-A509-50C905BAE2A2}" -Name InprocServer32

    Set-ItemProperty -Path "HKCU:\Software\Classes\CLSID\{86CA1AA0-34AA-4E8B-A509-50C905BAE2A2}\InprocServer32" -Name '(Default)' -Value '' -Force

    Reply
    • Hi Kevin, thanks for commenting. Assuming the code you put in the comment is the same as the code in your script, I think the extra ” after -Value in the last line is causing a problem. Do all of the keys get created and the value just doesn’t get set? Did you set it to run in the user context?

      Reply
  2. Those were two single quotes to set the value to nothing. I tried again from scratch and the following works with an asterisk:

    New-Item -Path "HKCU:\Software\Classes\CLSID" -Name "{86CA1AA0-34AA-4E8B-A509-50C905BAE2A2}" -Force -ea SilentlyContinue
    New-Item -Path "HKCU:\Software\Classes\CLSID\{86CA1AA0-34AA-4E8B-A509-50C905BAE2A2}" -Name "InprocServer32" -Force -ea SilentlyContinue
    Set-ItemProperty -LiteralPath "HKCU:\Software\Classes\CLSID\{86CA1AA0-34AA-4E8B-A509-50C905BAE2A2}\InprocServer32" -Name "(Default)" -Value '' -Force -ea SilentlyContinue

    The problem is it’s writing to WOW6432Node\CLSID.

    Reply
    • I found my solution to the writing to the registry in the wrong place. I need the following in the command field to make sure it writes to HKCU:\Software\

      %windir%\sysnative\WindowsPowerShell\v1.0\Powershell.exe

      Now I need advice on how to check that the program succeeded b/c the Detection rule can’t see, or sees the wrong place when I tell it to check “HKCU:\Software….”

      Reply
      • Glad you got it working. The PowerShell command change was probably due to where you wanted the registry key to go. Writing keys to HKCU:\Software can be tricky if PowerShell is running in 64-bit mode. There is an option in Intune when creating an app that lets you select if PowerShell runs as 64-bit or not. Altering this switch could also resolve your issue. Depending on your selection the key could go to HKCU:\Software\Wow6432Node instead of HKCU:\Software\ like you expect.

        Reply
  3. Hi,

    When applying ‘CURRENT_USER’ registry fixes via either App or Remediation, is it safe/ok to use device based group assignments, or best just to stick to user groups?

    Reply
  4. I found the answer. Detection of HKCU in an Intune app does work if you start it with what’s displayed in regedit – HKEY_CURRENT_USER\Software\

    Reply