When it comes to domain-joined clients, making registry setting changes was a breeze with tools like Group Policy Preferences. However, the landscape is different within Microsoft Intune. While Intune offers a Settings Catalog, Templates in a configuration profile, and the option to explore OMA-URIs for configuring settings, there are still situations where you’ll need to set registry keys directly.
In Intune, you can leverage PowerShell scripts that execute once per user or device, giving you the flexibility to work within user or system contexts. These scripts are delivered to the device via the Intune Management Extension (IME) and are executed as needed. When scripts run under the system context, users don’t have to be logged in for them to take effect. If you make updates to the script, it will run again. When set to run in user context and the user has local administrative privileges, the script will execute with administrative rights.
This approach is ideal for scenarios where you need to modify registry keys once. For more frequent executions, you can also explore Proactive Remediation, a part of Endpoint Analytics that allows you to schedule scripts to run as detect/remediate pairs.
Here’s a step-by-step guide to getting started with setting registry keys using a PowerShell script:
- Prepare a PowerShell script. Below is an example that sets the “RegisteredOwner” value under the Windows NT\CurrentVersion key in the registry:
  Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion" -Name RegisteredOwner -Value "email@example.com"
- Save the script.
- In the Intune portal, go to “Devices” > “Scripts” > “Platform Scripts” and add a new script (Windows 10 or later).
- Fill out the basics screen with a name and an optional description.
- On the “Script Settings” page, upload your PowerShell script.
- Configure the script using the following options:
  - “Run this script using the logged-on credentials”: Select “Yes” to run in user context or “No” for system context. This depends on where you want to set the registry keys: values under HKLM (the system hives) need system context, while values under HKCU need user context so the script runs as the logged-on user.
  - “Enforce script signature check”: No
  - “Run script in 64-bit PowerShell Host”: Yes
- Assign the script to users or devices as needed.
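As an added example (not the script from the original post), here is a fuller version of such a platform script: it creates the key if it is missing, only writes when the value differs, verifies the write, logs to the IME log folder so the result shows up next to the other Intune logs, and exits non-zero on failure so the script reports as failed in the portal. The key, value and data are the illustrative ones from above; the log file name is an assumption.

```powershell
# Added example, not the original post's script. Target key/value/data are illustrative.
$RegPath   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$ValueName = 'RegisteredOwner'
$ValueData = 'email@example.com'
$ValueType = 'String'   # REG_SZ; use 'DWord' for REG_DWORD values
# Log next to the IME logs (folder exists once the Intune Management Extension is installed).
$LogDir    = "$env:ProgramData\Microsoft\IntuneManagementExtension\Logs"
$LogFile   = Join-Path $LogDir 'SetRegistryValue.log'   # assumed file name

function Write-Log {
    param([string]$Message)
    if (-not (Test-Path -LiteralPath $LogDir)) { New-Item -ItemType Directory -Path $LogDir -Force | Out-Null }
    "$(Get-Date -Format 'yyyy-MM-dd HH:mm:ss') $Message" | Out-File -FilePath $LogFile -Append -Encoding utf8
}

function Set-RegistryValue {
    param([string]$Path, [string]$Name, $Data, [string]$Type)
    # A 32-bit PowerShell host silently redirects HKLM:\SOFTWARE writes to WOW6432Node,
    # which is why the "Run script in 64-bit PowerShell Host" option above matters.
    if (-not [Environment]::Is64BitProcess) {
        Write-Log 'WARNING: 32-bit host; HKLM\SOFTWARE writes may land under WOW6432Node.'
    }
    if (-not (Test-Path -LiteralPath $Path)) {
        New-Item -Path $Path -Force | Out-Null
        Write-Log "Created key $Path"
    }
    # Idempotent: skip the write (and the change to the key's timestamp) when already correct.
    $current = (Get-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction SilentlyContinue).$Name
    if ($current -eq $Data) {
        Write-Log "$Path\$Name already set to '$Data'; nothing to do."
        return $true
    }
    New-ItemProperty -LiteralPath $Path -Name $Name -Value $Data -PropertyType $Type -Force | Out-Null
    $after = (Get-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction SilentlyContinue).$Name
    $ok = ($after -eq $Data)
    Write-Log ("Set {0}\{1} = '{2}' (was '{3}'); verified={4}" -f $Path, $Name, $Data, $current, $ok)
    return $ok
}

try {
    if (Set-RegistryValue -Path $RegPath -Name $ValueName -Data $ValueData -Type $ValueType) { exit 0 }
    Write-Log 'Verification failed after write.'
    exit 1
} catch {
    Write-Log "ERROR: $($_.Exception.Message)"
    exit 1
}
```

The same Set-RegistryValue function can be reused for the Proactive Remediation pairing mentioned earlier: the detection script compares the current value and exits 1 when it differs, and the remediation script calls the function.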
Managing client registry keys within Intune is made simpler with this approach, giving you the flexibility to deploy changes with ease. Keep in mind that while the example provided here sets the ‘RegisteredOwner’ value, a CSP or even a Settings Catalog setting may already exist for what you need, so check for one before reaching for a script.