Change Registry value with Intune Remediations

In this post we will develop a script that changes a registry value and deploy it with Intune as a Remediations script package.

Scenario

Let’s say that we want to enable automatic updates to an application or perform any other action that requires the alteration of a registry value. Although many applications (such as Microsoft 365 apps) allow us to use settings catalog and predefined settings directly from Intune portal, there are other applications that require manual intervention (or addition) to registry objects in order to apply specific functionalities.

There are two ways to perform this kind of action:

  • Use a script deployed through Intune as a Win32 application
  • Use a Remediation script

The first approach does the job, but it requires more administrative work and isn’t flexible enough. The second approach is more flexible and lets us monitor the deployment, and any problems that arise, from the Intune portal.

Remediations Script

The deployment consists of two parts. The first is the detection script, which checks whether the value already has the desired data and reports the result through its exit code (0 means compliant, 1 means an issue was found); when it exits with 1, Intune runs the second part, the remediation script.

Detection Script

$date = Get-Date
$variableToReportToIntune = "$date"

# The variable below represents the path to the key
# Enter the desired key registry path here
$registryKeyLocation = "ENTER HERE REGISTRY KEY LOCATION"

# The variable below represents the value name
# Enter the desired value name here
$valueName = "ENTER HERE VALUE NAME"

try{
    # -ErrorAction Stop turns the provider's non-terminating errors into exceptions, so the catch blocks below actually run
    $valueData = (Get-ItemProperty -Path $registryKeyLocation -Name $valueName -ErrorAction Stop).$valueName
    $variableToReportToIntune = $variableToReportToIntune + " | The value is: $valueData"

    if ($valueData -ne "ENTER HERE THE DESIRED VALUE"){
        # remediate -> exit code 1 tells Intune to run the remediation script
        $variableToReportToIntune = $variableToReportToIntune + " | Value does not have the desired value. Going to remediation"
        Write-Host $variableToReportToIntune
        EXIT 1
    }
    else{
        # value is desired -> exit code 0 reports the device as compliant
        $variableToReportToIntune = $variableToReportToIntune + " | Value has a desired value. Exiting."
        Write-Host $variableToReportToIntune
        EXIT 0
    }
}
# If value does not exist
catch [System.Management.Automation.PSArgumentException]{
    $variableToReportToIntune = $variableToReportToIntune + " | Value does not exist."
    Write-Host $variableToReportToIntune
    # No exit code is set here, so the script ends with 0 and a missing value is reported as compliant.
    # Add EXIT 1 if the remediation script is expected to create the value.
}
# If Key does not exist
catch [System.Management.Automation.ItemNotFoundException]{
    $variableToReportToIntune = $variableToReportToIntune + " | Key does not exist."
    Write-Host $variableToReportToIntune
    # Same as above: add EXIT 1 if a missing key should trigger remediation.
}
# Other error
catch{
    $errorMessage = $_.Exception.Message
    Write-Error $errorMessage
}

Remediation Script

$date = Get-Date
$variableToReportToIntune = "$date"

# The variable below represents the path to the key
# Enter the desired key registry path here
$registryKeyLocation = "ENTER HERE REGISTRY KEY LOCATION"

# The variable below represents the value name
# Enter the desired value name here
$valueName = "ENTER HERE VALUE NAME"
$desiredValue = "ENTER HERE THE DESIRED VALUE"

try{
    # Without -ErrorAction Stop a failed write (for example a missing key) is a non-terminating error:
    # the catch block would never run and "Value set successfully" would be reported anyway
    Set-ItemProperty -Path $registryKeyLocation -Name $valueName -Value $desiredValue -ErrorAction Stop
    $variableToReportToIntune = $variableToReportToIntune + " | Value set successfully"
    Write-Host $variableToReportToIntune
}
catch{
    $errorMessage = $_.Exception.Message
    Write-Error $errorMessage
    # Non-zero exit code so Intune shows the remediation as failed instead of silently succeeded
    EXIT 1
}

The above two scripts are the foundation of a Remediation deployment that changes a registry value. Each deployment and use case may require changes to them.

Use Case

Let’s see a use case scenario for the above, to better understand how it works and how to deploy it. In this scenario we want to force Mozilla Firefox to auto update, so that we can be sure the latest version is installed on our endpoints. To do this we need to change a registry value (or add it, if it doesn’t exist). The registry key is HKLM:\Software\Policies\Mozilla\Firefox and the value name is AppAutoUpdate.

To change or create this value we will use the scripts above with one alteration: the detection script reports a missing value or key as an issue (as long as Firefox is installed), and the remediation script creates the value, or the key and the value, when they don’t exist.

Detection Script

$date = Get-Date
$variableToReportToIntune = "$date"

# The variable below represents the path to the key
# Enter the desired key registry path here
$registryKeyLocation = "HKLM:\Software\Policies\Mozilla\Firefox"

# The variable below represents the value name
# Enter the desired value name here
$valueName = "AppAutoUpdate"

try{
    $valueData = (Get-ItemProperty -Path $registryKeyLocation -Name $valueName -ErrorAction Stop).$valueName
    $variableToReportToIntune = $variableToReportToIntune + " | The value is: $valueData"

    if ($valueData -ne 1){
        # remediate -> must change to 1
        $variableToReportToIntune = $variableToReportToIntune + " | Value does not have the desired value. Going to remediation"
        Write-Host $variableToReportToIntune
        EXIT 1
    }
    else{
        # value is desired
        $variableToReportToIntune = $variableToReportToIntune + " | Value has a desired value. Exiting."
        Write-Host $variableToReportToIntune
        EXIT 0
    }
}
# If value does not exist
catch [System.Management.Automation.PSArgumentException]{
    $variableToReportToIntune = $variableToReportToIntune + " | Key exists, but value does not exist. Going to remediation"
    Write-Host $variableToReportToIntune
    EXIT 1
}
# If Key does not exist
catch [System.Management.Automation.ItemNotFoundException]{
    # Check if Firefox is installed. Only the native Uninstall hive is enumerated here;
    # a 32-bit Firefox on 64-bit Windows registers under HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall instead
    $installedSoftware = Get-ChildItem "HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall"
    foreach ($app in $installedSoftware){
        $name = $app.GetValue("DisplayName")
        # $null on the left-hand side is the recommended form for null checks in PowerShell
        if ($null -ne $name){
            if ($name.Contains("Mozilla Firefox")){
                $variableToReportToIntune = $variableToReportToIntune + " | Key does not exist, but application is installed. Going to remediation."
                Write-Host $variableToReportToIntune
                EXIT 1
            }
        }
    }
    # Firefox is not installed: nothing to remediate, the script ends with exit code 0
    $variableToReportToIntune = $variableToReportToIntune + " | Key does not exist and application is not installed."
    Write-Host $variableToReportToIntune
}
# Other error
catch{
    $errorMessage = $_.Exception.Message
    Write-Error $errorMessage
}

Remediation Script

$date = Get-Date
$variableToReportToIntune = "$date"

# The variable below represents the path to the key
# Enter the desired key registry path here
$registryKeyLocation = "HKLM:\Software\Policies\Mozilla\Firefox"

# The variable below represents the value name
# Enter the desired value name here
$valueName = "AppAutoUpdate"
$desiredValue = 1

try{
    # Key and value both exist: only the data has to change
    $valueData = (Get-ItemProperty -Path $registryKeyLocation -Name $valueName -ErrorAction Stop).$valueName
    $variableToReportToIntune = $variableToReportToIntune + " | The value is: $valueData"
    Set-ItemProperty -Path $registryKeyLocation -Name $valueName -Value $desiredValue -Force -ErrorAction Stop
    $variableToReportToIntune = $variableToReportToIntune + " | Value changed successfully."
    Write-Host $variableToReportToIntune
}
# If value does not exist
catch [System.Management.Automation.PSArgumentException]{
    # Key exists: create the value as a DWORD
    New-ItemProperty -Path $registryKeyLocation -Name $valueName -PropertyType DWord -Value $desiredValue -Force -ErrorAction Stop | Out-Null
    $variableToReportToIntune = $variableToReportToIntune + " | Value created successfully."
    Write-Host $variableToReportToIntune
}
# If Key does not exist
catch [System.Management.Automation.ItemNotFoundException]{
    # -Force also creates the missing parent keys (Mozilla, Firefox); the new key is piped to New-ItemProperty
    New-Item -Path $registryKeyLocation -Force -ErrorAction Stop |
        New-ItemProperty -Name $valueName -PropertyType DWord -Value $desiredValue -Force -ErrorAction Stop | Out-Null
    $variableToReportToIntune = $variableToReportToIntune + " | Key created successfully."
    Write-Host $variableToReportToIntune
}
# Other error
catch{
    $errorMessage = $_.Exception.Message
    Write-Error $errorMessage
    # Non-zero exit code so Intune shows the remediation as failed instead of silently succeeded
    EXIT 1
}
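Before uploading the pair, it is worth confirming that the detection logic takes the right branch for each of the states the scripts distinguish (missing key, missing value, wrong data, correct data). The following is an added example and not code from the original post: it wraps the detection logic in a function that returns the exit code the detection script would use, then exercises it against a throw-away key under HKCU so no policy key and no administrative rights are needed. The function name Test-RegistryValueCompliance and the HKCU:\Software\RemediationLab path are assumptions made for this example.

```powershell
# Added example (not from the original post): exercise the detection branches
# against a constructed test key under HKCU before deploying to Intune.
function Test-RegistryValueCompliance {
    param(
        [Parameter(Mandatory)] [string] $KeyPath,
        [Parameter(Mandatory)] [string] $ValueName,
        [Parameter(Mandatory)] $DesiredValue
    )
    # Mirrors the catch structure of the detection script:
    # ExitCode 0 = compliant, 1 = remediation needed
    try {
        $data = (Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction Stop).$ValueName
        if ($data -ne $DesiredValue) {
            return [pscustomobject]@{ ExitCode = 1; Reason = "value is '$data', desired '$DesiredValue'" }
        }
        return [pscustomobject]@{ ExitCode = 0; Reason = 'value already correct' }
    }
    catch [System.Management.Automation.PSArgumentException] {
        # Key exists, value does not
        return [pscustomobject]@{ ExitCode = 1; Reason = 'key exists but value is missing' }
    }
    catch [System.Management.Automation.ItemNotFoundException] {
        # Key itself does not exist
        return [pscustomobject]@{ ExitCode = 1; Reason = 'key is missing' }
    }
}

$labRoot = 'HKCU:\Software\RemediationLab'   # constructed test location, removed again at the end
$labKey  = "$labRoot\Firefox"
Remove-Item -Path $labRoot -Recurse -Force -ErrorAction SilentlyContinue

$checks = [ordered]@{}

# 1. Neither key nor value exists
$checks['missing key']   = Test-RegistryValueCompliance -KeyPath $labKey -ValueName 'AppAutoUpdate' -DesiredValue 1

# 2. Key exists, value missing (-Force creates the intermediate RemediationLab key too)
New-Item -Path $labKey -Force | Out-Null
$checks['missing value'] = Test-RegistryValueCompliance -KeyPath $labKey -ValueName 'AppAutoUpdate' -DesiredValue 1

# 3. Value exists with the wrong data
New-ItemProperty -Path $labKey -Name 'AppAutoUpdate' -PropertyType DWord -Value 0 -Force | Out-Null
$checks['wrong value']   = Test-RegistryValueCompliance -KeyPath $labKey -ValueName 'AppAutoUpdate' -DesiredValue 1

# 4. Value has the desired data
Set-ItemProperty -Path $labKey -Name 'AppAutoUpdate' -Value 1
$checks['correct value'] = Test-RegistryValueCompliance -KeyPath $labKey -ValueName 'AppAutoUpdate' -DesiredValue 1

foreach ($c in $checks.GetEnumerator()) {
    '{0,-14} exit code {1}  ({2})' -f $c.Key, $c.Value.ExitCode, $c.Value.Reason
}

# Clean up the constructed test key
Remove-Item -Path $labRoot -Recurse -Force
```

The first three checks report exit code 1 and the last reports 0, which is the behaviour Intune relies on when deciding whether to run the remediation script. The two exception types are distinct (ItemNotFoundException derives from SessionStateException, PSArgumentException from ArgumentException), so the order of the catch blocks does not matter. Note that this only validates the decision logic; writes to HKLM:\Software\Policies still require the remediation to run as SYSTEM.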

Now that we have the scripts, let’s create the Remediation deployment.

Head to Intune, open the Devices blade and choose Remediations.

Create a new Remediation script package and give a name and a description to it.


At the next step, paste in or browse to the detection and remediation scripts we created previously.

Assign the remediation script package to the desired device group and define the schedule interval.

Review the remediation and create it.

Once the script package has been deployed to an endpoint and has run, the message built up in $variableToReportToIntune appears as the output column in the Remediations blade.
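The same package can also be created without the portal, which keeps the two scripts in source control and makes the deployment repeatable across tenants. The following is an added example and not part of the original post or of Microsoft's documentation: it uploads the Firefox detection and remediation scripts with Invoke-MgGraphRequest from the Microsoft.Graph.Authentication module. The deviceHealthScripts resource lives on the Graph beta endpoint; the folder path, the file names and the package name are assumptions made for this example, and the group assignment and schedule are still done in the portal as described above.

```powershell
# Added example (not from the original post): create the Remediation package through
# Microsoft Graph (beta endpoint) instead of the portal.
Import-Module Microsoft.Graph.Authentication
Connect-MgGraph -Scopes 'DeviceManagementConfiguration.ReadWrite.All'

$scriptFolder = 'C:\Intune\FirefoxAutoUpdate'   # assumed location of the two .ps1 files
$detect    = Get-Content -Path (Join-Path $scriptFolder 'Detect-FirefoxAutoUpdate.ps1') -Raw
$remediate = Get-Content -Path (Join-Path $scriptFolder 'Remediate-FirefoxAutoUpdate.ps1') -Raw

# Graph expects both script bodies base64-encoded
$body = @{
    '@odata.type'            = '#microsoft.graph.deviceHealthScript'
    displayName              = 'Firefox - enforce AppAutoUpdate'   # assumed package name
    description              = 'Sets HKLM:\Software\Policies\Mozilla\Firefox\AppAutoUpdate to 1'
    publisher                = 'IT Operations'
    runAsAccount             = 'system'   # writes under HKLM need the SYSTEM account
    runAs32Bit               = $false     # 64-bit host, so detection reads the native Uninstall hive
    enforceSignatureCheck    = $false
    detectionScriptContent   = [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($detect))
    remediationScriptContent = [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($remediate))
    roleScopeTagIds          = @('0')     # default scope tag
}

$package = Invoke-MgGraphRequest -Method POST `
    -Uri 'https://graph.microsoft.com/beta/deviceManagement/deviceHealthScripts' `
    -Body ($body | ConvertTo-Json -Depth 5) -ContentType 'application/json'

"Created remediation package $($package.id). Assign it to a device group and set the schedule in the Remediations blade."
```

The runAs32Bit setting matters for the Firefox detection script: when it is left at the 32-bit default, a 64-bit Firefox installation is not found under the Uninstall hive the 32-bit host sees, and a device without the policy key would be reported as compliant.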
