Step-by-Step Guide to Pushing Registry Changes with Microsoft Intune
Microsoft Intune can push registry changes to the Windows devices it manages. This matters to IT admins who own device configuration, because many everyday tasks, such as setting up a VPN client, come down to a handful of registry keys. Importing a .reg file is a quick way to apply them, and many companies rely on this to keep remote access secure and consistent for all users. Importing .reg files has its pitfalls, though: the context the script runs in (system versus user) and the separate 32-bit and 64-bit registry views both decide where your keys actually land. Getting these right prevents silent misconfiguration and makes the result verifiable.
Key Takeaways
Intune offers three main methods: PowerShell (platform) scripts, Proactive Remediations, and Win32 apps. Pick the one that matches the task and how much control you need.
Run scripts in the right context and target the right registry view (32-bit or 64-bit). Getting either wrong puts your keys in the wrong place without any error.
Test scripts in a lab before production, and confirm results with Intune reports and device-side logs.
Proactive Remediations keep registry settings correct over time by detecting and fixing drift on a schedule.
Package Win32 apps properly and pair them with detection rules so Intune can verify that the registry changes applied.
Manipulating the Registry: Methods
Intune gives you several ways to change the registry on Windows devices. Each suits a different kind of job, so pick the one that fits the task, whether that is configuring a VPN client or enforcing a security setting.
PowerShell Scripts
PowerShell scripts are the quickest route. You write a script that adds, changes, or removes registry keys, upload it to Intune, and assign it to devices. The Intune Management Extension runs it once per device (or once per user, if it runs in user context) and retries it only if it fails. That makes it a good fit for one-time changes, such as turning off a pop-up. If the setting must survive a Windows update or a user changing it back, you need one of the methods below that re-checks the setting over time.
Proactive Remediations
Proactive Remediations keep registry settings correct over time. You upload a pair of scripts: a detection script that checks whether the setting is right, and a remediation script that fixes it when it is not. Intune runs the pair on a schedule, so settings such as VPN configuration stay correct without you checking each device. Intune finds and fixes the drift for you.
Win32 Apps
Win32 apps let you bundle registry changes with other files, such as batch scripts or .reg files. You package everything with the Win32 Content Prep Tool, Intune delivers the package to devices and runs your install script, and a detection rule tells Intune whether the change is present. If the key goes missing, Intune can reinstall the app. Win32 apps suit larger jobs, like installing a VPN client that needs many registry changes.
Choosing the Right Method
Pick a method based on what you want to do: a one-off change fits a PowerShell script, a setting that must stay correct fits a Proactive Remediation, and a bundle of files with an installer and a detection rule fits a Win32 app.
Tip: Using Win32 Apps or Proactive Remediations helps keep settings the same, which is important for VPN setups.
You can also set some registry-backed settings through OMA-URI custom policies, but only for settings that a configuration service provider exposes, so this does not cover every registry key. For most custom jobs, PowerShell scripts, Proactive Remediations, and Win32 apps give you the tools you need.
PowerShell Scripts
PowerShell scripts give you a flexible way to make registry changes on Windows devices managed by Intune. You can use these scripts to automate settings, fix problems, or prepare devices for new software. This section will guide you through the process, from script creation to deployment and troubleshooting.
Script Creation
Before you start manipulating the registry, you need to prepare your environment and script. Here are the steps you should follow:
Log in to the Microsoft Intune admin center with administrator credentials.
Go to Devices > Windows Devices > Scripts and Remediations > Platform Scripts > Add.
Give your script a clear name and description.
Upload your PowerShell script that will change the registry.
Leave "Run this script using the logged on credentials" set to No so the script runs as SYSTEM, which most HKLM changes require.
Set "Run script in 64 bit PowerShell Host" to Yes if you want to target the 64-bit registry view.
Assign the script to the right device groups in Microsoft Entra ID.
Review your settings and complete the deployment.
Tip: Always test your PowerShell scripts in a safe environment before you use them in production. This helps you catch mistakes and avoid problems on user devices.
When writing your script, use PowerShell's own registry commands (New-Item, Set-ItemProperty) or call reg.exe directly. Avoid VBScript wrappers; VBScript is deprecated and only adds a failure point. Keep your scripts in version control so you can track and review every change.
Importing .reg Files
Sometimes you want to import a .reg file instead of writing each registry change in PowerShell. You can do this by calling reg.exe from your script. For example:
reg.exe import "C:\Path\To\YourFile.reg" /reg:64
This command imports the .reg file into the 64-bit registry view. The .reg file must already be on the device when the script runs: bundle it in a Win32 app package, or have the script write it or download it first.
Note: If you do not specify /reg:64, a 32-bit process writes HKLM\SOFTWARE keys to HKLM\SOFTWARE\WOW6432Node instead. Always check where your keys landed.
If the import fails, check the file path and confirm that the account the script runs as can read the file. Also check the exit code of reg.exe ($LASTEXITCODE); a non-zero value means the import did not complete. reg.exe creates the keys listed in the .reg file, so a missing parent key is only a problem when your own Set-ItemProperty calls run before the key exists.
32-bit vs 64-bit Registry
64-bit Windows has two registry views, 32-bit and 64-bit, and a 32-bit process that writes to HKLM\SOFTWARE is silently redirected to HKLM\SOFTWARE\WOW6432Node. By default, Intune runs platform scripts in a 32-bit PowerShell host. To write to the 64-bit view (the real HKLM\SOFTWARE), you need to:
Set "Run script in 64 bit PowerShell Host" to Yes in the script settings in Intune.
Use the /reg:64 flag with reg.exe when importing .reg files.
Relaunch your script in a 64-bit process through %WINDIR%\Sysnative\WindowsPowerShell\v1.0\powershell.exe if you cannot change the host setting.
If you do none of these, your registry changes end up in HKLM\SOFTWARE\WOW6432Node, which is not where most system settings are read from.
Troubleshooting: If your registry keys appear in the wrong place, check your script settings and make sure you are targeting the correct registry view.
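The following platform script ties together the .reg import and the 32-bit versus 64-bit handling described above. It is an added example, not code from the original page or from Microsoft: it relaunches itself through the Sysnative path when Intune started it as a 32-bit process, writes a constructed .reg file, imports it with /reg:64, and then verifies that the value landed in the native view rather than under WOW6432Node. The key MyCompany\Settings and the value EnableFeature are placeholders.

```powershell
# Added example (not from the original page). Import a .reg file into the
# 64-bit registry view from an Intune platform script, even when the script
# was started in a 32-bit PowerShell host. Key/value names are placeholders.

# 1. If this is a 32-bit process on 64-bit Windows, relaunch through the
#    Sysnative alias, which bypasses file-system redirection to System32
#    and therefore starts the 64-bit powershell.exe.
if ([Environment]::Is64BitOperatingSystem -and -not [Environment]::Is64BitProcess) {
    $ps64 = "$env:WINDIR\Sysnative\WindowsPowerShell\v1.0\powershell.exe"
    & $ps64 -NoProfile -ExecutionPolicy Bypass -File $PSCommandPath
    exit $LASTEXITCODE
}

# 2. Stage the .reg file. The content is constructed for this example; in
#    production it would ship with a Win32 package or be downloaded here.
$regContent = @"
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\MyCompany\Settings]
"EnableFeature"=dword:00000001
"@
$regFile = Join-Path $env:TEMP 'mycompany-settings.reg'
# reg.exe reads ANSI or UTF-16LE; UTF-16LE (Unicode) is safe for any data.
Set-Content -Path $regFile -Value $regContent -Encoding Unicode

# 3. Import explicitly into the 64-bit view. Without /reg:64 a 32-bit
#    reg.exe would redirect HKLM\SOFTWARE to HKLM\SOFTWARE\WOW6432Node.
& "$env:WINDIR\System32\reg.exe" import $regFile /reg:64
$importExit = $LASTEXITCODE
Remove-Item $regFile -Force -ErrorAction SilentlyContinue
if ($importExit -ne 0) {
    Write-Output "FAIL: reg.exe import exited with $importExit"
    exit $importExit
}

# 4. Verify. We are guaranteed to be 64-bit here, so HKLM:\SOFTWARE is the
#    native view and WOW6432Node is the 32-bit view.
$native = Get-ItemProperty -Path 'HKLM:\SOFTWARE\MyCompany\Settings' `
                           -Name EnableFeature -ErrorAction SilentlyContinue
$wow    = Test-Path 'HKLM:\SOFTWARE\WOW6432Node\MyCompany\Settings'

if ($native.EnableFeature -eq 1 -and -not $wow) {
    # The first output line is what you will see in the Intune script report.
    Write-Output "OK: EnableFeature=1 in the 64-bit view"
    exit 0
}
Write-Output "FAIL: native value=$($native.EnableFeature), WOW6432Node present=$wow"
exit 1
```

Step 4 treats a WOW6432Node copy as a failure only because this example owns the key; if 32-bit software legitimately writes the same path, drop that check and test only the native view.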
System vs User Context
The context in which your script runs decides which hive it can reach. For device-wide settings (HKLM), run the script in system context. For per-user settings (HKCU), run it in user context by setting "Run this script using the logged on credentials" to Yes; Intune then runs the script once for each user who signs in.
A script in system context that writes to HKCU writes to the SYSTEM account's own hive, not the signed-in user's. You can work around this by resolving the signed-in user's SID and writing to HKEY_USERS\<SID> instead, but this is more advanced and only works while that user's hive is loaded (in practice, while the user is signed in).
Tip: For most device-wide settings, use system context. For user-specific settings, use user context or design your script to update the correct user hive.
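The workaround mentioned above, writing to HKEY_USERS\<SID> from a script that runs as SYSTEM, as an added example that is not part of the original page. It finds the interactively signed-in user, translates the account name to a SID, and writes a per-user value into that hive. The value ShowWelcome under Software\MyCompany\Settings is a placeholder; the ProfileList fallback is an assumption for accounts the local machine cannot translate directly.

```powershell
# Added example (not from the original page). Write an HKCU-style setting
# for the signed-in user from a script running as SYSTEM. Key and value
# names are placeholders.

# 1. Who is signed in interactively? Returns DOMAIN\user or AzureAD\user,
#    or $null on a device sitting at the lock screen with nobody signed in.
$userName = (Get-CimInstance -ClassName Win32_ComputerSystem).UserName
if (-not $userName) {
    Write-Output "No interactive user signed in; nothing to do"
    exit 0
}

# 2. Resolve the account to its SID. Translate() normally works for domain,
#    local and Entra ID accounts; as a fallback (assumption, not guaranteed
#    for every account type) match the profile folder name in ProfileList.
try {
    $sid = ([System.Security.Principal.NTAccount]$userName).Translate(
               [System.Security.Principal.SecurityIdentifier]).Value
} catch {
    $shortName = $userName.Split('\')[-1]
    $profile = Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList' |
        Where-Object { (Get-ItemProperty $_.PSPath).ProfileImagePath -like "*\$shortName" } |
        Select-Object -First 1
    if (-not $profile) { Write-Error "Cannot resolve SID for $userName"; exit 1 }
    $sid = $profile.PSChildName
}

# 3. While the user is signed in, their hive is mounted at HKEY_USERS\<SID>.
#    The Registry:: provider prefix reaches HKU without creating a PSDrive.
$userHive = "Registry::HKEY_USERS\$sid"
if (-not (Test-Path $userHive)) {
    Write-Error "Hive for $userName ($sid) is not loaded"
    exit 1
}

# 4. Write the per-user value exactly as the user's own HKCU would see it.
$keyPath = "$userHive\Software\MyCompany\Settings"
if (-not (Test-Path $keyPath)) { New-Item -Path $keyPath -Force | Out-Null }
Set-ItemProperty -Path $keyPath -Name 'ShowWelcome' -Value 0 -Type DWord

# 5. Read back so the Intune script output shows the real end state.
$check = Get-ItemProperty -Path $keyPath -Name 'ShowWelcome'
Write-Output "Set ShowWelcome=$($check.ShowWelcome) for $userName ($sid)"
exit 0
```

Because this only touches the currently signed-in user, run it in a Proactive Remediation rather than a one-shot platform script if you need every user of a shared device covered; the platform script's "once per device" semantics would otherwise stop after the first user.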
Deployment Steps
Follow these steps to deploy your PowerShell script with Intune:
Prepare and test your script in a lab environment.
Log in to the Intune admin center.
Add your script under Devices > Scripts and Remediations.
Choose the right context (system or user) and set "Run script in 64 bit PowerShell Host" to Yes if you target the 64-bit registry view.
Assign the script to the correct device groups.
Monitor deployment status in Intune reports.
Check the endpoint logs in C:\ProgramData\Microsoft\IntuneManagementExtension\Logs (IntuneManagementExtension.log and AgentExecutor.log) to verify that the script ran and the registry changes applied.
If your registry changes do not appear, check these common issues:
The script ran in the wrong context (32-bit vs 64-bit, system vs user).
The registry path did not exist, and the script did not create it.
The script lacked permissions.
The .reg file was missing or in the wrong location.
Security Note:
By following these steps, you can use PowerShell scripts in Intune to manage registry settings across your organization. This method gives you control and flexibility for many scenarios, from application deployment to ongoing compliance.
Proactive Remediations
Proactive Remediations in Intune keep devices in a known-good state. They check settings and fix them automatically, using two PowerShell scripts: one detects the problem, the other fixes it. This is the most reliable way to make sure registry settings stay right.
Detection Scripts
You start with a detection script. It checks whether a registry key or value exists and holds the data you expect. The exit code is the signal: 0 means compliant, 1 means Intune should run the remediation script. For example, a script can check a registry value that controls the Windows taskbar and exit 1 if the value is not what you want.
# Example: detect whether a registry value is set to 1
$regPath = "HKLM:\SOFTWARE\MyCompany\Settings"
$regName = "EnableFeature"
# -ErrorAction SilentlyContinue returns $null when the key or value is missing
$value = Get-ItemProperty -Path $regPath -Name $regName -ErrorAction SilentlyContinue
# Exit 1 = drift found (run remediation), exit 0 = compliant.
# The first line written to output is shown in the Intune report.
if ($value.$regName -ne 1) { Write-Output "$regName is '$($value.$regName)', expected 1"; exit 1 }
Write-Output "Compliant"; exit 0
Tip: The detection script should exit 1 only when something needs fixing and 0 otherwise. Do not let it make changes itself; that is the remediation script's job.
Remediation Scripts
The remediation script fixes what the detection script finds. It makes or updates the registry key or value to what you want. For example, if you need a setting to be on, the script writes the right value to the registry.
# Example: remediate by setting the registry value to 1
$regPath = "HKLM:\SOFTWARE\MyCompany\Settings"
# Create the key first; Set-ItemProperty fails if the path does not exist
if (-not (Test-Path $regPath)) { New-Item -Path $regPath -Force | Out-Null }
# Give the value an explicit type so it matches what the detection compares
Set-ItemProperty -Path $regPath -Name "EnableFeature" -Value 1 -Type DWord
You upload both scripts to Intune as one script package. Intune runs the detection script first and, only if it exits 1, runs the remediation script, then runs detection again to report the final state.
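The page's scripts check one value. The following added example (not code from the original page) generalizes the same detection/remediation pattern to a table of expected values, so one script pair enforces several settings and the remediation touches only what drifted. The key path, value names and data are placeholders; save the file twice, ending one copy with Invoke-Detection (Detect.ps1) and the other with Invoke-Remediation (Remediate.ps1), since Intune passes no parameters to remediation scripts.

```powershell
# Added example (not from the original page). Table-driven detection and
# remediation for several registry values. Paths and values are placeholders.

# Desired state: path -> value name -> { Value, Type }
$Desired = @{
    'HKLM:\SOFTWARE\MyCompany\Settings' = @{
        EnableFeature = @{ Value = 1;          Type = 'DWord'  }
        VpnProfile    = @{ Value = 'Corp-VPN'; Type = 'String' }
    }
}

function Get-Drift {
    # Emits one object per value that is missing or differs from $Desired.
    foreach ($path in $Desired.Keys) {
        foreach ($name in $Desired[$path].Keys) {
            $want = $Desired[$path][$name].Value
            $have = $null
            if (Test-Path $path) {
                $have = (Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue).$name
            }
            if ($have -ne $want) {
                [pscustomobject]@{ Path = $path; Name = $name; Have = $have; Want = $want }
            }
        }
    }
}

function Invoke-Detection {
    # Exit 0 = compliant, exit 1 = remediation needed.
    $drift = @(Get-Drift)
    if ($drift.Count -eq 0) { Write-Output "Compliant"; exit 0 }
    # First output line is surfaced in the Intune report, so make it specific.
    $summary = ($drift | ForEach-Object { "$($_.Path)\$($_.Name)=$($_.Have)" }) -join '; '
    Write-Output "Drift: $summary"
    exit 1
}

function Invoke-Remediation {
    foreach ($d in @(Get-Drift)) {
        if (-not (Test-Path $d.Path)) { New-Item -Path $d.Path -Force | Out-Null }
        $type = $Desired[$d.Path][$d.Name].Type
        Set-ItemProperty -Path $d.Path -Name $d.Name -Value $d.Want -Type $type
    }
    # Re-check so the remediation output reflects the real end state.
    if (@(Get-Drift).Count -eq 0) { Write-Output "Remediated"; exit 0 }
    Write-Output "Remediation incomplete"
    exit 1
}

# Detect.ps1 ends with the next line; Remediate.ps1 calls Invoke-Remediation instead.
Invoke-Detection
```

Keeping the $Desired table identical in both files is the one maintenance burden of this pattern; a mismatch makes remediation "succeed" while detection keeps reporting drift, which shows up in the report as a device that is remediated on every run.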
Assignment and Scheduling
You can give Proactive Remediations to all users, all devices, or certain groups. You can pick how often Intune checks and fixes things. You can run scripts once, every hour, or every day. Intune also runs scripts after a device restarts or a user signs in. This helps keep registry settings right without you checking each time.
Note: Proactive Remediations need
Proactive Remediations give you a way to continuously monitor and correct registry settings, which keeps your devices consistent and secure.
Win32 Apps
Win32 Apps in Intune give you a powerful way to deploy registry changes along with other files and scripts. This method works well when you need to bundle several files, like a .reg file and PowerShell scripts, and control how they run on each device.
Packaging Registry Changes
To start, you need to package your registry changes for deployment. Follow these steps:
Export the registry keys you want to change into a .reg file using Registry Editor.
Write a PowerShell script (for example, install.ps1) that imports the .reg file with the command reg import .\YourExportedFile.reg.
If you want to remove the registry keys later, create an uninstall script (like uninstall.ps1).
Place the .reg file and both scripts in the same folder.
Use the Microsoft Win32 Content Prep Tool to package these files into a .intunewin file.
In the Intune admin center, go to Apps > All Apps > Create, and select Windows app (Win32).
Upload your .intunewin package.
Fill in the app details and set the install command to run your PowerShell script using the 64-bit PowerShell path:
%SystemRoot%\Sysnative\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass -File .\install.ps1
Assign the app to your chosen device or user groups.
Review and create the app.
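An install script for the package described in the steps above, as an added example that is not from the original page. It departs from the two-file layout in one way: install and uninstall live in the same file, selected by an -Uninstall switch, so the uninstall command is the same line with -Uninstall appended. The script imports the .reg file that sits beside it, logs into the Intune Management Extension log folder so the lines show up next to the IME logs, and writes a version marker that the Win32 detection rule can check with a single string comparison. The names MyCompany, settings.reg, InstalledVersion and the log file name are placeholders.

```powershell
# Added example (not from the original page). install.ps1 for a Win32 app
# that applies a .reg file. Install:   powershell.exe ... -File .\install.ps1
#                          Uninstall: powershell.exe ... -File .\install.ps1 -Uninstall
# MyCompany, settings.reg, the marker value and the log name are placeholders.
param([switch]$Uninstall)

$ErrorActionPreference = 'Stop'
$LogFile   = 'C:\ProgramData\Microsoft\IntuneManagementExtension\Logs\MyCompany-Settings.log'
$RegFile   = Join-Path $PSScriptRoot 'settings.reg'
$MarkerKey = 'HKLM:\SOFTWARE\MyCompany\Settings'
$Version   = '1.2.0'   # bump this and the detection rule together

function Write-Log([string]$Message) {
    $line = "{0:yyyy-MM-dd HH:mm:ss} [{1}] {2}" -f (Get-Date), $PID, $Message
    Add-Content -Path $LogFile -Value $line
}

function Install-Settings {
    if (-not (Test-Path $RegFile)) { throw "Package is missing $RegFile" }
    # The install command must use the Sysnative path; refuse to run 32-bit
    # rather than silently writing under WOW6432Node.
    if ([Environment]::Is64BitOperatingSystem -and -not [Environment]::Is64BitProcess) {
        throw "Running as a 32-bit process; use the Sysnative PowerShell path in the install command"
    }
    Write-Log "Importing $RegFile"
    # Start-Process avoids PowerShell treating reg.exe stderr as a terminating error.
    $p = Start-Process -FilePath 'reg.exe' -ArgumentList "import `"$RegFile`" /reg:64" `
                       -Wait -PassThru -NoNewWindow
    if ($p.ExitCode -ne 0) { throw "reg.exe import returned $($p.ExitCode)" }
    # Marker value: the detection rule checks this one string instead of every key.
    if (-not (Test-Path $MarkerKey)) { New-Item -Path $MarkerKey -Force | Out-Null }
    Set-ItemProperty -Path $MarkerKey -Name 'InstalledVersion' -Value $Version -Type String
    Write-Log "Installed version $Version"
}

function Uninstall-Settings {
    if (Test-Path $MarkerKey) {
        Remove-Item -Path $MarkerKey -Recurse -Force
        Write-Log "Removed $MarkerKey"
    } else {
        Write-Log "$MarkerKey not present; nothing to remove"
    }
}

try {
    if ($Uninstall) { Uninstall-Settings } else { Install-Settings }
    Write-Log "Completed ($(if ($Uninstall) {'uninstall'} else {'install'}))"
    exit 0
} catch {
    Write-Log "ERROR: $_"
    exit 1
}
```

The matching detection rule is a registry rule on HKEY_LOCAL_MACHINE\SOFTWARE\MyCompany\Settings, value InstalledVersion, string comparison equals 1.2.0, with the 32-bit checkbox left clear; changing $Version without updating the rule makes Intune report the new package as not installed and reinstall it on every check-in.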
Tip:
Importing .reg Files in Win32 Apps
You can import .reg files by calling reg import from your PowerShell script. Keep the .reg file in the same folder as the script and reference it relative to $PSScriptRoot, because Intune extracts the package to a temporary folder whose path you do not control. For user-specific keys, set the install behavior to "User" and adjust your script to write to HKCU.
Detection Rules
Detection rules help Intune check if your registry changes worked. You can set rules to look for a specific registry key or value. For example:
Set the key path to the full registry location.
Enter the value name you want to check.
Choose the detection method: key exists, value exists, or compare a string, integer, or version.
Tick "Associated with a 32-bit app on 64-bit clients" only if your keys really live under WOW6432Node; otherwise Intune searches the 64-bit view.
Note: Good detection rules help Intune know if the app installed correctly or needs to run again.
Troubleshooting
If your registry changes do not apply, try these steps:
Check the Intune Management Extension logs in C:\ProgramData\Microsoft\IntuneManagementExtension\Logs with a tool like CMTrace. They show each step, from downloading the app to running your script, including the exit code.
Make sure the install behavior is System for HKLM changes and that the install command uses the Sysnative PowerShell path so the script runs as a 64-bit process.
Look for errors about permissions, missing files, or registry access.
Watch for common problems like 32-bit vs 64-bit registry confusion, network issues, or antivirus blocking your files.
Test your package on a test device before wide deployment.
If you see errors like
By following these steps, you can use Win32 Apps in Intune to manage registry settings across your devices with confidence.
Monitoring and Verification
Intune Reports
Intune has reports to help you monitor your registry changes. They show which devices received your scripts or apps and whether the install is pending, running, or finished. For Win32 apps, the detection rule decides whether the app counts as installed, so a failed detection after a successful install usually means the rule and the script disagree about the key. Status pages show overall progress and failures; compare these figures against the rollout targets you set.
Watch install status: waiting, running, or done
Use detection rules to check registry and MSI
Keep an eye on how installs are going
Look at helpdesk work and if users can get to what they need
Tip: Check Intune reports often so you can fix problems early and keep devices safe.
Endpoint Verification
You need to confirm that registry changes really happened on each device. Check the target registry paths to see whether the settings match what you intended. For policy-driven settings, also look in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\current\device to see whether your Intune policy is present. You can also pull a report from the device: go to Settings > Accounts > Access work or school, select the account, and view its info. Event Viewer logs under Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin show whether the policy applied or failed.
Look at registry keys in PolicyManager paths
Get a report from device settings
Compare with Intune portal reports
Note: Checking the device gives you proof that your registry changes worked.
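A device-side verification script that gathers the evidence described in this section in one run, as an added example that is not part of the original page. It reads the target value from both registry views (so a WOW6432Node mistake is obvious), lists recent errors and warnings from the MDM diagnostics event channel, and pulls matching lines from the Intune Management Extension logs. The default key, value, and log filter are placeholders; pass your own as parameters.

```powershell
# Added example (not from the original page). Collect registry, event log and
# IME log evidence for one Intune registry change. Defaults are placeholders.
param(
    [string]$SubKey   = 'SOFTWARE\MyCompany\Settings',
    [string]$Name     = 'EnableFeature',
    [string]$LogMatch = 'MyCompany',
    [int]$Hours       = 24
)

function Get-ValueInView([string]$Path, [string]$ValueName, [Microsoft.Win32.RegistryView]$View) {
    # OpenBaseKey with an explicit view works regardless of the bitness of
    # the PowerShell process running this script.
    $base = [Microsoft.Win32.RegistryKey]::OpenBaseKey(
                [Microsoft.Win32.RegistryHive]::LocalMachine, $View)
    $key = $base.OpenSubKey($Path)
    if ($key) { $key.GetValue($ValueName) } else { $null }
}

# 1. Registry: show both views side by side.
Write-Output "== HKLM\$SubKey : $Name =="
[pscustomobject]@{
    View64 = Get-ValueInView $SubKey $Name ([Microsoft.Win32.RegistryView]::Registry64)
    View32 = Get-ValueInView $SubKey $Name ([Microsoft.Win32.RegistryView]::Registry32)
} | Format-List

# 2. MDM diagnostics channel: errors (level 2) and warnings (level 3) since the cut-off.
Write-Output "== DeviceManagement-Enterprise-Diagnostics-Provider, last $Hours h =="
Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'
    Level     = 2, 3
    StartTime = (Get-Date).AddHours(-$Hours)
} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message |
    Format-Table -AutoSize -Wrap

# 3. IME logs: the last lines in each log that mention the script or app.
Write-Output "== IME log lines matching '$LogMatch' =="
$logDir = 'C:\ProgramData\Microsoft\IntuneManagementExtension\Logs'
Get-ChildItem -Path $logDir -Filter '*.log' -ErrorAction SilentlyContinue | ForEach-Object {
    Select-String -Path $_.FullName -Pattern $LogMatch -SimpleMatch |
        Select-Object -Last 20 |
        ForEach-Object { "{0}:{1}: {2}" -f $_.Filename, $_.LineNumber, $_.Line }
}
```

Run it from an elevated 64-bit PowerShell on the device; the event channel and the IME log folder are not readable by a standard user, so an access-denied here is expected rather than a sign that the deployment failed.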
Troubleshooting Issues
Sometimes registry changes do not apply as expected. First check the deployment status in Intune. If it reports a failure, read the logs on the device and look for errors about permissions, missing files, or registry access. Make sure the script ran in the intended context and registry view (32-bit or 64-bit). If you use detection rules, check that they point at exactly the keys your script writes.
Look at Intune Management Extension logs
Check for permission or path problems
Make sure script runs in the right context and registry view
Change detection rules if you need to
If you see the same problems, fix your steps and test again before sending to all devices.
You can push registry changes with Intune in a few ways:
Proactive Remediations check settings on a schedule and fix them when they drift.
Win32 apps let you ship scripts and files together and use detection rules to verify the registry keys.
Platform (PowerShell) scripts are good for simple changes that only need to happen once.
Test your scripts with a small group before using them everywhere. Use
FAQ
How do you make sure registry changes apply to the right registry view (32-bit or 64-bit)?
Use the /reg:64 flag with reg.exe for 64-bit changes. In Intune, set "Run script in 64 bit PowerShell Host" to Yes. After deployment, check that the key is under HKLM\SOFTWARE and not under HKLM\SOFTWARE\WOW6432Node.
What should you do if your registry script fails in Intune?
Check the script’s permissions and file paths. Make sure you run the script in the correct context. Review Intune logs for errors. Test your script on a lab device before wide deployment.
Can you deploy user-specific registry changes with Intune?
Yes, you can. Run your script in user context by enabling "Run this script using the logged-on credentials." For advanced changes, target the user’s SID in the registry.
How do you verify registry changes on a device?
Open Registry Editor and check the key or value you changed. Use Intune reports to see deployment status. You can also run a PowerShell command on the device to confirm the registry value:
Get-ItemProperty -Path "HKLM:\SOFTWARE\YourKey" -Name "YourValue"
What is the best way to troubleshoot registry deployment issues?
Tip: Start by checking Intune Management Extension logs. Look for permission errors or missing files. Make sure you use the right registry view and context. Test your scripts on a single device before deploying to all users.