Deploying HKCU registry changes while blocking PowerShell.


Microsoft just released an update to Intune. The old GPO structure is back, but it is still missing settings… Sometimes you really want to push a simple HKEY_CURRENT_USER setting.

Normally that is not a problem when you are NOT blocking PowerShell 🙂. The only thing you need to do is configure the script to run in the user context.

But in my opinion, not blocking PowerShell for non-admins is a no-go.

Because malware, cryptoware and privilege-escalation tooling use PowerShell most of the time. And a normal user does not need access to PowerShell (except for loading scripts 🙂).

So how can you make sure a user always gets the registry keys when they log in?

I know deploying a PowerShell script in Intune is very simple to do… but this is a little bit different. This is the PowerShell script, and it needs to run as SYSTEM instead of as the current user, which is what you would normally do when deploying an HKCU key.

——————————————————————————————————————–

# The .reg file that will be imported into each user's hive at logon
$content = @'
Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\OneDrive]
"Test"=dword:00000001
'@

# Write the .reg file to a machine-wide folder (the script runs as SYSTEM)
$path = $(Join-Path $env:ProgramData CustomScripts)
if (!(Test-Path $path))
{
    New-Item -Path $path -ItemType Directory -Force -Confirm:$false
}
# reg.exe expects a UTF-16 (Unicode) .reg file
Out-File -FilePath $(Join-Path $env:ProgramData CustomScripts\onedrive.reg) -Encoding unicode -Force -InputObject $content -Confirm:$false

# Shortcut in the All Users Startup folder, so reg.exe imports the file in every user's logon session
$WshShell = New-Object -comObject WScript.Shell
$Shortcut = $WshShell.CreateShortcut("$env:ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\config.lnk")
$Shortcut.TargetPath = '"c:\windows\System32\reg.exe"'
$Shortcut.Arguments = "import c:\programdata\CustomScripts\onedrive.reg"
$Shortcut.WorkingDirectory = '"c:\programdata\CustomScripts\"'
$Shortcut.Save()


So as you can see, I just use reg.exe to import the .reg file and create a shortcut in the All Users Startup folder. You can also package this as an .intunewin (Win32 app) installer to make sure it is done when the device is deployed to Azure AD for the first time.

Please note: you can't change, add or remove a registry key under the HKEY_CURRENT_USER\Software\Policies path this way. It will not work, because it would be very weird if a regular user could change the policies that have been applied to them!
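As an added example (not the post's own script), the same SYSTEM-context approach generalised: several HKCU values are rendered into one .reg file, keys under Software\Policies are rejected up front, the CustomScripts folder is locked so standard users can only read the file that gets imported into their hive, and the Startup shortcut runs reg.exe import at every logon. The key paths, value names and file names are assumptions, not values from the post.

```powershell
# Added example (not the post's script); key paths, value names and file names are placeholders.
function ConvertTo-RegFile {
    param([hashtable]$Keys)
    $lines = @('Windows Registry Editor Version 5.00')
    foreach ($key in $Keys.Keys) {
        # A user session cannot write under Software\Policies, so fail here instead of at logon
        if ($key -match '\\Software\\Policies\\') { throw "Refusing Policies key: $key" }
        $lines += '', "[$key]"
        foreach ($name in $Keys[$key].Keys) {
            $v = $Keys[$key][$name]
            if ($v -is [int]) {
                $lines += ('"{0}"=dword:{1:x8}' -f $name, $v)            # DWORD = 8 hex digits
            } else {
                $s = ([string]$v).Replace('\', '\\').Replace('"', '\"')   # .reg string escaping
                $lines += ('"{0}"="{1}"' -f $name, $s)
            }
        }
    }
    ($lines -join "`r`n") + "`r`n"
}

function New-InheritedRule($Identity, $Rights) {
    [System.Security.AccessControl.FileSystemAccessRule]::new(
        $Identity, $Rights, 'ContainerInherit,ObjectInherit', 'None', 'Allow')
}

$values = @{
    'HKEY_CURRENT_USER\Software\Microsoft\OneDrive' = @{ 'Test' = 1 }
    'HKEY_CURRENT_USER\Software\Contoso\Agent'      = @{ 'Mode' = 'managed' }
}
$dir = Join-Path $env:ProgramData 'CustomScripts'
New-Item -Path $dir -ItemType Directory -Force | Out-Null

# Replace the inherited ProgramData ACL: only SYSTEM and Administrators may change
# a file that is imported into every user's hive; Users get read/execute.
$acl = Get-Acl -Path $dir
$acl.SetAccessRuleProtection($true, $false)
$acl.AddAccessRule((New-InheritedRule 'NT AUTHORITY\SYSTEM' 'FullControl'))
$acl.AddAccessRule((New-InheritedRule 'BUILTIN\Administrators' 'FullControl'))
$acl.AddAccessRule((New-InheritedRule 'BUILTIN\Users' 'ReadAndExecute'))
Set-Acl -Path $dir -AclObject $acl

$reg = Join-Path $dir 'hkcu-settings.reg'
Set-Content -Path $reg -Value (ConvertTo-RegFile $values) -Encoding Unicode -NoNewline

$shell = New-Object -ComObject WScript.Shell
$lnk = $shell.CreateShortcut("$env:ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\hkcu-settings.lnk")
$lnk.TargetPath = "$env:SystemRoot\System32\reg.exe"
$lnk.Arguments = "import `"$reg`""
$lnk.WorkingDirectory = $dir
$lnk.Save()
```

After the next logon, `reg query HKCU\Software\Microsoft\OneDrive /v Test` from the user's session confirms the import ran.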

Conclusion:

Blocking PowerShell is very important, but it can put you in a difficult situation when you need to change an HKCU setting… luckily you can use reg.exe.

3 thoughts on "Deploying HKCU registry changes while blocking PowerShell."

  1. Pingback: Once upon a time in the automount of OneDrive team sites - Call4Cloud
  2. Hi
    I have tried to implement this using intunewin and System install behavior, but it fails to run.
    I have tested running the script on my Windows 10 lab PC and it does work.
    I am using the following command in the Win32 App config to run the ps1 file:
    powershell.exe -executionpolicy bypass -Windowstyle Hidden -file ".\Test.ps1.ps1"
    Can you please assist?

    1. Hi

      I have created an install.cmd inside the folder where the powershell script is located.

      install.cmd content:
      powershell.exe -executionpolicy bypass -command "& '.\Windows10_Onedrive.ps1'"

      The install.cmd is called upon in the install command inside intune
