Deploy HKCU Registry Keys Using Intune

January 15, 2023January 15, 2023 by Adam

Spread the love

Intune makes a lot of things really easy, but some things are just easier with GPO. Adding or changing registry keys for the current user in the HKEY_CURRENT_USER hive is one of the things that was far easier with GPO than it is in Intune. I’m really going to miss the days of OnPrem AD, OU’s, and GPO’s. Sad times we live in, or maybe I’m just old and frustrated with Microsoft.

Sadly, there are some configurations that we need to do as engineers or admins that require us to dive into the HKCU hive to make modifications.

Never fear, there is a way to deploy registry keys to HKCU using Intune though. You can package this as a Win32 app or you could use a Proactive Remediation. I’ve covered those methods in this post: Deploy PowerShell Scripts in Intune

You will want to create a new PowerShell script similar to the one below. In our example, we are creating a new value in HKCU:\Software called Test and setting the value equal to 1.

New-ItemProperty -LiteralPath 'HKCU:\Software' -Name "Test" -Value 1 -PropertyType "Dword" -Force -ea SilentlyContinue

Simple enough, right? The important part is during the Win32 app creation or Proactive Remediation, whichever you choose. We want to make sure that this runs in the user context, otherwise, it won’t work properly.

Win32 App Config

For a Win32 app, you must make sure to change the Install Behaviour to “User” instead of system.

deploy registry key intune win32 app

Proactive Remediation Config

If you choose a Proactive Remediation deployment for this, you want to make sure that the option to Run this script using the logged-on credentials is set to “Yes”.

See also Managed Desktop Icons and Shortcuts in Intune

deploy registry key intune proactive remediation

Other Options

Another option is to make your script load the registry key for all new users who sign in. This will not impact users who already have profiles on the device, only new users.

To do this, we use PowerShell again to enable access to the HKEY_USERS hive, and then you can create your key there.

New-PSDrive -PSProvider Registry -Name HKU -Root HKEY_USERS

New-ItemProperty -LiteralPath 'HKU:\.DEFAULT\Software' -Name "Test" -Value 1 -PropertyType "Dword" -Force -ea SilentlyContinue

Conclusion

Oh, the good old days of GPO are quickly going away and Microsoft doesn’t seem to want to make our lives easy. No worries, we found a workaround and now you know how to deploy registry keys using Intune to the current user registry hive.

Have Intune questions? Let me know in the comments.

I’ve been working in the IT field for nearly 15 years, specifically with desktop engineering. I have a degree in Computer Science as well as some industry certifications from Microsoft. Outside of work, I have 21 years of experience in various programming languages and enjoy making toy projects. I’m also an avid Linux user, currently using Manjaro as my main OS. I enjoy writing about my experiences in programming and with Linux as well.

Spread the love

12 thoughts on “Deploy HKCU Registry Keys Using Intune”

Kevin Hunter
March 10, 2023 at 5:21 pm
I’m trying to use InTune to run a PS script to create a new key (New-Item instead of New-ItemProperty) in HKCU. The script runs fine from a command line but doesn’t do anything from InTune. There’s not much to set up in InTune. So I don’t know where I’m going wrong.
Powershell.exe -ExecutionPolicy ByPass -File .\Win11_FE_menu_DISABLE.ps1
[Win11_FE_menu_DISABLE.ps1]
New-Item -Path “HKCU:\Software\Classes\CLSID” -Name “{86CA1AA0-34AA-4E8B-A509-50C905BAE2A2}”
New-Item -Path “HKCU:\Software\Classes\CLSID\{86CA1AA0-34AA-4E8B-A509-50C905BAE2A2}” -Name InprocServer32
Set-ItemProperty -Path “HKCU:\Software\Classes\CLSID\{86CA1AA0-34AA-4E8B-A509-50C905BAE2A2}\InprocServer32″ -Name ‘(Default)’ -Value ” -Force
Reply
- Adam
  March 10, 2023 at 8:11 pm
  Hi Kevin, thanks for commenting. Assuming the code you put in the comment is the same as the code in your script I think the extra ” after -Value in the last line is causing a problem. Do all of the keys get created and the value just doesn’t get set? Did you set it to run in the user context?
  Reply
  - Kevin Hunter
    March 16, 2023 at 12:20 pm
    Those wee two single quotes to set the value to nothing. I tried again from scratch and the following works with an asterisk :
    New-Item -Path “HKCU:\Software\Classes\CLSID” -Name “{86CA1AA0-34AA-4E8B-A509-50C905BAE2A2}” -Force -ea SilentlyContinue
    New-Item -Path “HKCU:\Software\Classes\CLSID\{86CA1AA0-34AA-4E8B-A509-50C905BAE2A2}” -Name “InprocServer32” -Force -ea SilentlyContinue
    Set-ItemProperty -LiteralPath “HKCU:\Software\Classes\CLSID\{86CA1AA0-34AA-4E8B-A509-50C905BAE2A2}\InprocServer32” -Name “(Default)” -Value ” -Force -ea SilentlyContinue
    The problem is it’s writing to WOW6432Node\CLSID.
    Reply
Kevin Hunter
March 16, 2023 at 12:21 pm
Those were two single quotes to set the value to nothing. I tried again from scratch and the following works with an asterisk :
New-Item -Path “HKCU:\Software\Classes\CLSID” -Name “{86CA1AA0-34AA-4E8B-A509-50C905BAE2A2}” -Force -ea SilentlyContinue
New-Item -Path “HKCU:\Software\Classes\CLSID\{86CA1AA0-34AA-4E8B-A509-50C905BAE2A2}” -Name “InprocServer32” -Force -ea SilentlyContinue
Set-ItemProperty -LiteralPath “HKCU:\Software\Classes\CLSID\{86CA1AA0-34AA-4E8B-A509-50C905BAE2A2}\InprocServer32” -Name “(Default)” -Value ” -Force -ea SilentlyContinue
The problem is it’s writing to WOW6432Node\CLSID.
Reply
- Kevin Hunter
  March 16, 2023 at 12:40 pm
  I found my solution to the writing to the registry in the wrong place. I need the following in the command field to make sure it writes to HKCU:\Software\
  %windir%\sysnative\WindowsPowerShell\v1.0\Powershell.exe
  Now I need advice on how to check that the program succeeded b/c the Detection rule can’t see, or sees the wrong place when I tell it to check “HKCU:\Software….”
  Reply
  - Adam
    March 17, 2023 at 10:05 am
    Glad you got it working. The powershell command change was probably due to where you wanted the registry key to go. Writing keys to HKCU:\Software can be tricky if PowerShell is running in 64bit mode. There is an option in Intune when creating an app that let’s you select if PowerShell runs as 64bit or not. Altering this switch could also resolve your issue. Depending on you selection the key could go to HKCU:\Software\Wow6432Node instead of HKCU:\Software\ like you expect.
    Reply
Trevor Buley
March 16, 2023 at 5:21 pm
Hi,
When applying ‘CURRENT_USER’ registry fixes via either App or Remediation, is it safe/ok to use device based group assignments, or best just to stick to user groups?
Reply
- Adam
  March 17, 2023 at 10:07 am
  I’ve used device based group assignments without any issue.
  Reply
Kevin Hunter
March 16, 2023 at 5:25 pm
I found the answer. Detection of HKCU in InTune app does work if you start it with what’s displayed in regedit – HKEY_CURRENT_USER\Software\
Reply
- Trevor Buley
  March 17, 2023 at 12:26 am
  Alas ‘HKEY_CURRENT_USER\’ did not work for me.
  The same script installs fine if directed to HKLM.
  Reply
  - Adam
    March 17, 2023 at 10:09 am
    I haven’t had any trouble with this. Do you mind sharing the contents of your script? Be sure to remove anything sensitive.
    Reply
Derek
June 15, 2023 at 3:37 pm
Doesn’t work I’m afraid.
Reply

Leave a Comment Cancel reply