The HKCU Registry bridge On the River PowerShell.

This blog will show you the 2 options you have when you need to deploy HKEY_CURRENT_USER registry changes that must be reapplied at each user login or each hour. When you are blocking PowerShell for your users, this can be difficult.

I will divide this blog into 4 parts

  1. Intro
  2. PowerShell Script
  3. ProActive Remediations
  4. Conclusion

1. Intro

Microsoft is continuously improving Intune, so you now have 2 options to configure some old-fashioned GPO settings: the Administrative Templates, or the preferred option, the Settings Catalog!

But in my opinion, both of them are still missing some settings… Sometimes you really want to push a simple HKEY_CURRENT_USER (HKCU) setting and you notice that the setting you wish to configure is not available in the Settings Catalog or the Administrative Templates.

As an example: you are using OneDrive, you have configured the settings to auto-mount team sites, and you want to speed things up a little bit.

Normally that is not a problem when you are NOT blocking PowerShell 🙂. The only thing you need to do is configure the script to run in the user context.

But in my opinion, not blocking PowerShell for the non-admins is a no-go. It's just my opinion, but if you want to read more about this….

If you have read the blog above you will know why I prefer to block PowerShell: most of the time, malware/cryptoware/privilege escalation uses PowerShell. And a normal user does not need access to PowerShell (except for loading scripts…).

So how can you make sure a user always gets the necessary registry keys? We also need to be aware that the TimerAutoMount key will be reset once OneDrive has successfully mounted the SharePoint sites. So we need a solution that changes this key at each logon or each hour.

I will show you the 2 options we have got:

2. PowerShell Script

I know deploying a PowerShell script in Intune is very simple to do… but this one is a little bit different. This PowerShell script needs to run as SYSTEM instead of in the current user context, which is what you would normally do when you want to deploy an HKCU key.

PowerShell Script:

# Build the .reg file content; the closing '@ must sit at the very start of its line
$content = @'
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\OneDrive]
"Test"=dword:00000001
'@

# Store the .reg file in a machine-wide location that every user can read
$path = Join-Path $env:ProgramData CustomScripts
if (!(Test-Path $path))
{
    New-Item -Path $path -ItemType Directory -Force -Confirm:$false | Out-Null
}
# .reg files are expected to be UTF-16 (unicode) encoded
Out-File -FilePath (Join-Path $path onedrive.reg) -Encoding unicode -Force -InputObject $content -Confirm:$false

# Shortcut in the all-users Startup folder: reg.exe then runs in the logging-on user's
# context, so the import lands in that user's own HKCU hive
$WshShell = New-Object -ComObject WScript.Shell
$Shortcut = $WshShell.CreateShortcut("$env:ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\config.lnk")
$Shortcut.TargetPath = "$env:windir\System32\reg.exe"
$Shortcut.Arguments = "import `"$path\onedrive.reg`""
$Shortcut.WorkingDirectory = $path
$Shortcut.Save()

As shown above, the script just makes use of reg.exe to import the .reg file, and creates a shortcut in the all-users Startup folder to make sure this .reg file is imported at every logon.

You can also wrap this in an .intunewin installer (Win32 app) to make sure it is done when the device is enrolled in Azure AD for the first time.

Please note: you can't change/add/remove a registry key under the HKEY_CURRENT_USER\Software\Policies path this way. It will not work, because a regular user has no write access there; it would be very weird if you could change the policies that have been applied to you as a regular user!

3. ProActive Remediations

In this option, I will use Proactive Remediations. If you want to see my other ideas with Proactive Remediations…

https://call4cloud.nl/category/proactive-remediations/

How are we going to read the TimerAutoMount key in the HKEY_CURRENT_USER hive of the logged-on user, let alone change it? Proactive Remediation scripts run in the SYSTEM context by default, so HKCU: would point at SYSTEM's own hive; we need to address the user's hive through HKEY_USERS and the user's SID instead.

Here is how!

Detection Script:

# Map HKEY_USERS as a drive; the script runs as SYSTEM, so HKCU: would be SYSTEM's own hive
New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
# Resolve the interactively logged-on user and translate the account name to its SID
$user = Get-WmiObject -Class Win32_ComputerSystem | Select-Object UserName
$sid = (New-Object System.Security.Principal.NTAccount($user.UserName)).Translate([System.Security.Principal.SecurityIdentifier]).Value
$key = "HKU:\$sid\Software\Microsoft\OneDrive\Accounts\Business1"
# Get-Item throws when the key does not exist yet; do not let that abort detection
$val = Get-Item -Path $key -ErrorAction SilentlyContinue
$Timer = if ($val) { $val.GetValue("TimerAutoMount") } else { $null }

##################################
# Launch Timer Detection         #
##################################

if ($Timer -ne 1)
{
    Write-Host "TimerAutoMount Needs to be changed!"
    Exit 1
}
else
{
    Write-Host "TimerAutoMount doesn't need to be changed"
    Exit 0
}

Remediation Script:

# Same SID lookup as in the detection script: address the user's hive via HKEY_USERS
New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
$user = Get-WmiObject -Class Win32_ComputerSystem | Select-Object UserName
$sid = (New-Object System.Security.Principal.NTAccount($user.UserName)).Translate([System.Security.Principal.SecurityIdentifier]).Value
$key = "HKU:\$sid\Software\Microsoft\OneDrive\Accounts\Business1"
# Create the key itself if OneDrive has not created it yet
if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
$reg = Get-ItemProperty -Path $key -Name TimerAutoMount -ErrorAction SilentlyContinue

##################################
# Launch timer detection         #
##################################

if (-not $reg)
{
    Write-Host "Registry key didn't exist, creating it now"
    New-ItemProperty -Path $key -Name "TimerAutoMount" -Value 1 -PropertyType "qword" | Out-Null
    # Exit 0 so Intune records the remediation as successful
    Exit 0
}
else
{
    Write-Host "Registry key changed to 1"
    Set-ItemProperty -Path $key -Name "TimerAutoMount" -Value 1 | Out-Null
    Exit 0
}

Go open the Proactive Remediations and take a look at the outcome!

And yes of course, it has been remediated!

Isn’t this cool? With this solution, you could change the user registry key each hour (when it’s not configured to 1).

Do you know what else is great? When you don’t want a policy to be targeted at the device (HKLM:\software\policies) maybe you could even change HKCU:\software\policies settings with this idea?
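The detection and remediation scripts above can be folded into one reusable function that also handles the cases they skip: no user logged on, a user hive that is not loaded, and a missing key. This is an added example, not code from the original post; the function name, its parameters and the skip behaviour are my assumptions.

```powershell
# Added example (not from the original post): run in the SYSTEM context, e.g. as a
# Proactive Remediation, and set a value in the logged-on user's hive via HKEY_USERS.
# Function name, parameters and the "skip when nobody is logged on" choice are assumptions.
function Set-LoggedOnUserRegistryValue {
    param(
        [Parameter(Mandatory)] [string] $SubKey,   # path below HKU:\<SID>
        [Parameter(Mandatory)] [string] $Name,
        [Parameter(Mandatory)] $Value,
        [ValidateSet('String','DWord','QWord')] [string] $Type = 'DWord'
    )
    # SYSTEM's own HKCU: is HKU\S-1-5-18, so never use HKCU: here; map HKEY_USERS instead
    if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
        New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
    }
    # Resolve the interactive user's SID; if nobody is logged on there is nothing to do
    $userName = (Get-CimInstance -ClassName Win32_ComputerSystem).UserName
    if (-not $userName) {
        Write-Host 'No interactive user logged on; skipping.'
        return 0
    }
    $sid = (New-Object System.Security.Principal.NTAccount($userName)).Translate(
               [System.Security.Principal.SecurityIdentifier]).Value
    # The user's hive must be loaded under HKEY_USERS, otherwise writes would fail
    if (-not (Test-Path "HKU:\$sid")) {
        Write-Host "Hive for $sid is not loaded; skipping."
        return 0
    }
    $key = "HKU:\$sid\$SubKey"
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    $current = (Get-ItemProperty -Path $key -Name $Name -ErrorAction SilentlyContinue).$Name
    if ($null -ne $current -and "$current" -eq "$Value") {
        Write-Host "$Name is already $Value under $key"
        return 0
    }
    # -Force overwrites an existing value and sets the registry type explicitly
    New-ItemProperty -Path $key -Name $Name -Value $Value -PropertyType $Type -Force | Out-Null
    Write-Host "$Name set to $Value ($Type) under $key"
    return 0
}

# Usage for the TimerAutoMount case from the post; Intune reads the process exit code
$exitCode = Set-LoggedOnUserRegistryValue -SubKey 'Software\Microsoft\OneDrive\Accounts\Business1' `
                -Name 'TimerAutoMount' -Value 1 -Type 'QWord'
exit $exitCode
```

Because the function returns 0 when no user is logged on or the hive is not loaded, the remediation does not get reported as failed on a device that is simply idle; the next scheduled run picks the change up once the user is back.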

Conclusion:

Blocking PowerShell is very important, but it can put you in a difficult situation when you need to change some HKCU setting… Deploy 1 of these 2 ideas and watch it pouring down to the devices!

Of course, you will know I prefer the Proactive Remediations…. they are great!

3 thoughts on “The HKCU Registry bridge On the River PowerShell.”

  1. Pingback: Once upon a time in the automount of OneDrive team sites - Call4Cloud
  2. Hi
    I have tried to implement this using intunewin and System install behavior, but it fails to run.
    I have tested running the script on my Windows 10 lab PC and it does work.
    I am using the following command in the Win32 App config to run the ps1 file:
    powershell.exe -executionpolicy bypass -Windowstyle Hidden -file ".\Test.ps1.ps1"
    Can you please assist?

    1. Hi

      I have created an install.cmd inside the folder where the powershell script is located.

      install.cmd content:
      powershell.exe -executionpolicy bypass -command "& '.\Windows10_Onedrive.ps1'"

      The install.cmd is called upon in the install command inside intune
