Microsoft just released an update to Intune. The old GPO structure is back, but it is still missing settings… Sometimes you really just want to push a simple HKEY_CURRENT_USER setting.
Normally that is not a problem when you are NOT blocking PowerShell 🙂. The only thing you need to do is configure the script to run in the user context.
But in my opinion, not blocking PowerShell for non-admins is a no-go.
Most of the time, malware, cryptoware and privilege escalation use PowerShell. And a normal user does not need access to PowerShell (except for loading scripts 🙂).
So how can you make sure a user always gets the registry keys when the user logs in?
I know deploying a PowerShell script in Intune is very simple to do… but this is a little bit different. This PowerShell script needs to run as SYSTEM instead of as the current user, which is what you would normally do when you want to deploy an HKCU key.
# The .reg content that every user imports at logon
$content = @'
Windows Registry Editor Version 5.00

; HKEY_CURRENT_USER keys and values to import go here
'@
# Create the script folder under ProgramData if it does not exist yet
$path = Join-Path $env:ProgramData 'CustomScripts'
if (!(Test-Path $path)) {
    New-Item -Path $path -ItemType Directory -Force -Confirm:$false
}
# Write the .reg file as Unicode
Out-File -FilePath (Join-Path $path 'onedrive.reg') -Encoding unicode -Force -InputObject $content -Confirm:$false
# Create a shortcut in the All Users Startup folder that runs "reg.exe import" at every logon
$WshShell = New-Object -ComObject WScript.Shell
$Shortcut = $WshShell.CreateShortcut("$env:ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\config.lnk")
$Shortcut.TargetPath = 'c:\windows\System32\reg.exe'
$Shortcut.Arguments = 'import c:\programdata\CustomScripts\onedrive.reg'
$Shortcut.WorkingDirectory = 'c:\programdata\CustomScripts\'
$Shortcut.Save()
So as you can see, I just use reg.exe to import the .reg file and create a shortcut in the All Users Startup folder. You can also create an intunewin installer to make sure this is done when the device is deployed to Azure AD for the first time.
Please note: You can’t change/add/remove a registry key in the HKEY_CURRENT_USER\Software\Policies path. It will not work, because it would be very weird if you could change the policies that have been applied as a regular user!
Blocking PowerShell is very important, but it can put you in a difficult situation when you need to change some HKCU setting… luckily you can use reg.exe.
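Because every user who logs on imports the same .reg file through the same shortcut, it is worth confirming that only administrative principals can change either of them. The following audit is an added example, not part of the original script; the helper name Get-WritableAce and the list of trusted SIDs are assumptions, and it needs to run from an administrative context since PowerShell is blocked for regular users.

```powershell
# Added example: list non-admin principals that can modify or replace the logon files.
$targets = @(
    (Join-Path $env:ProgramData 'CustomScripts\onedrive.reg'),
    (Join-Path $env:ProgramData 'Microsoft\Windows\Start Menu\Programs\StartUp\config.lnk')
)
# Assumption: only SYSTEM, Administrators and TrustedInstaller should hold write access
$trustedSids = @(
    'S-1-5-18',
    'S-1-5-32-544',
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'
)
# GENERIC_WRITE (0x40000000) and GENERIC_ALL (0x10000000) can appear as raw bits in an ACE
$generic  = 0x40000000 -bor 0x10000000
# Rights that allow changing a file in place
$fileMask = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, WriteAttributes, WriteExtendedAttributes, Delete, ChangePermissions, TakeOwnership' -bor $generic
# Rights on the parent folder that allow deleting and replacing a file inside it
$dirMask  = [int][System.Security.AccessControl.FileSystemRights]'DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership' -bor $generic

function Get-WritableAce {
    param([string]$Path, [int]$Mask)
    if (-not (Test-Path -LiteralPath $Path)) {
        Write-Warning "Not found: $Path"
        return
    }
    # Ask for SIDs instead of account names so the check works on localized systems
    $rules = (Get-Acl -LiteralPath $Path).GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($rule in $rules) {
        $sid         = $rule.IdentityReference.Value
        $isAllow     = $rule.AccessControlType -eq 'Allow'
        # Inherit-only ACEs apply to child objects, not to the object being checked
        $inheritOnly = ([int]$rule.PropagationFlags -band [int][System.Security.AccessControl.PropagationFlags]::InheritOnly) -ne 0
        $grantsWrite = ([int]$rule.FileSystemRights -band $Mask) -ne 0
        if ($isAllow -and -not $inheritOnly -and $grantsWrite -and ($trustedSids -notcontains $sid)) {
            [pscustomobject]@{ Path = $Path; Sid = $sid; Rights = $rule.FileSystemRights; Inherited = $rule.IsInherited }
        }
    }
}

$findings = foreach ($file in $targets) {
    Get-WritableAce -Path $file -Mask $fileMask
    Get-WritableAce -Path (Split-Path -Path $file -Parent) -Mask $dirMask
}
if ($findings) {
    $findings | Sort-Object Path, Sid -Unique | Format-Table -AutoSize
} else {
    'No non-admin principal can modify or replace the .reg file or the shortcut.'
}
```

Any row in the output is an ACE to review before rolling the shortcut out to shared devices.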