The only PowerShell script you need to manage registry on Windows devices using Microsoft Intune

Introduction

If you manage Windows devices with Microsoft Intune, this is the only registry script you’ll ever need.

You need to configure a registry setting that isn’t in Settings Catalog. Maybe it’s a binary value like Outlook font preferences with no CSP support. Maybe you need to delete leftover registry keys from a legacy app. And you need it applied to all user profiles on shared devices – not just one.

Remediations in Intune can help, but writing scripts that handle all these scenarios correctly takes time.

This PowerShell template handles the hard parts:

  • Runs as SYSTEM by design – manages both user and machine registry from one script, works in environments with strict AppLocker or WDAC policies, and avoids Constrained Language Mode restrictions
  • Reaches HKCU settings for all users by enumerating SIDs in HKU
  • Supports both traditional AD and Microsoft Entra ID joined devices
  • Handles all registry types – String, DWord, Binary, and MultiString
  • Three actions: Set, Delete, and DeleteKey

Single template for both detection and remediation. Modify the configuration section, save two copies, upload to Intune. Done.

How it works

The script runs as SYSTEM through Intune Remediations. This is intentional.

Running as SYSTEM means the script works in environments with AppLocker or WDAC policies that block user-context scripts. It also avoids Constrained Language Mode restrictions that limit advanced PowerShell functionality.

For HKLM settings, the script writes directly to the registry.

For HKCU settings, it’s more interesting. The script enumerates all user SIDs under HKU (the registry hive that contains every user’s HKCU). It filters for real user accounts – both traditional Active Directory SIDs (S-1-5-21-) and Microsoft Entra ID SIDs (S-1-12-1-). Then it applies your settings to each one.

This means a single script handles all users on shared devices – no need for user-context scripts.
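As an added illustration of the HKU enumeration described above (example code written for this article, not the script from the GitHub repository), assuming the variable names $runRemediation, $BasePath, $Name and $Value and a single DWord setting:

```powershell
# Added example (not the project's own script): enumerate loaded user hives
# under HKU, keep only real user SIDs (AD: S-1-5-21-..., Entra ID: S-1-12-1-...),
# and check or set one HKCU-relative value in each. Intended to run as SYSTEM.
# $runRemediation, $BasePath, $Name and $Value are assumed names for this example.
$runRemediation = $false                 # $false = detection, $true = remediation
$BasePath = 'SOFTWARE\MyCompany\MyApp'   # path relative to each user's HKCU
$Name     = 'ValueName'
$Value    = 1

# HKU is not a default PSDrive, so address it through the Registry provider.
# The regex also drops *_Classes hives and well-known SIDs such as S-1-5-18 (SYSTEM).
$userSids = Get-ChildItem -Path 'Registry::HKEY_USERS' |
    Where-Object { $_.PSChildName -match '^S-1-(5-21|12-1)-\d+-\d+-\d+-\d+$' } |
    Select-Object -ExpandProperty PSChildName

$nonCompliant = @()
foreach ($sid in $userSids) {
    $keyPath = "Registry::HKEY_USERS\$sid\$BasePath"
    $current = $null
    if (Test-Path -Path $keyPath) {
        $current = (Get-ItemProperty -Path $keyPath -Name $Name -ErrorAction SilentlyContinue).$Name
    }
    if ($current -eq $Value) {
        Write-Output "[REGISTRYMGMT] $sid : $Name already set to $Value"
        continue
    }
    $nonCompliant += $sid
    if ($runRemediation) {
        # Create the key if needed, then write (or overwrite) the value.
        if (-not (Test-Path -Path $keyPath)) { New-Item -Path $keyPath -Force | Out-Null }
        New-ItemProperty -Path $keyPath -Name $Name -Value $Value -PropertyType DWord -Force | Out-Null
        Write-Output "[REGISTRYMGMT] $sid : set $Name to $Value"
    }
}

# Exit code drives Intune: 1 from the detection copy triggers remediation, 0 means compliant.
if (-not $runRemediation -and $nonCompliant.Count -gt 0) {
    Write-Output "[REGISTRYMGMT] NON-COMPLIANT - $($nonCompliant.Count) user hive(s) differ"
    exit 1
}
Write-Output "[REGISTRYMGMT] COMPLIANT"
exit 0
```

Only user hives currently loaded under HKU are visible to this loop, so profiles of users who are signed out and whose NTUSER.DAT is not loaded are skipped until they sign in again.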

Getting started

Download the script from GitHub: https://github.com/imabdk/Intune-Registry-Management

Open Detect-Remediate-Registry-Template.ps1 and scroll to the configuration section. You’ll find two arrays:

  • $UserConfigs – for settings that go into each user’s HKCU
  • $MachineConfigs – for settings that go into HKLM

Each configuration group needs a Name, a Description, a BasePath (the registry path without the HKCU or HKLM prefix), and one or more Settings.

Here’s the structure:

@{
    Name        = "My Setting"
    Description = "What this setting does"
    BasePath    = "SOFTWARE\MyCompany\MyApp"
    Settings    = @(
        @{
            Name  = "ValueName"
            Type  = "DWord"
            Value = 1
        }
    )
}

Once you’ve added your settings, save two copies of the script:

  1. Detection script – set $runRemediation = $false
  2. Remediation script – set $runRemediation = $true

That’s it. Same script, same configuration.

Deploying to Intune

In the Microsoft Intune admin center, navigate to Devices > Scripts and remediations > Remediations.

Click Create and give your remediation a name. I use Registry-Management-HKCU-HKLM – clear and covers both scopes.

Upload your two scripts:

  • Detection script – the copy with $runRemediation = $false
  • Remediation script – the copy with $runRemediation = $true

Under Settings, configure:

  • Run this script using the logged-on credentials – No
  • Run script in 64-bit PowerShell – Yes

The first setting ensures the script runs as SYSTEM. The second ensures proper registry access on 64-bit Windows.

Assign to a group, set your schedule, and deploy.

In Monitor > Device status, you’ll see devices reporting With issues (non-compliant, needs remediation) or Without issues (compliant). After remediation runs, non-compliant devices should flip to compliant on the next detection cycle.

Verification

Once deployed, there are three ways to confirm everything worked.

In Intune

Navigate to your remediation and open Monitor > Device status. The Detection status column shows the last output from your script. Look for:

  • [REGISTRYMGMT] COMPLIANT - All settings are correct
  • [REGISTRYMGMT] SUCCESS - All settings remediated successfully

If something failed, you’ll see [REGISTRYMGMT] FAILED or [REGISTRYMGMT] NON-COMPLIANT with details about which settings didn’t match.

On the device – log file

Remediations log to HealthScripts.log. Open it in CMTrace or your favorite log viewer and search for [REGISTRYMGMT] to see the script output.

On the device – registry

Open Registry Editor and navigate to your configured paths. For HKCU settings, check under HKEY_CURRENT_USER. For HKLM settings, check under HKEY_LOCAL_MACHINE.

If you used the sample configuration from the script, look for HKEY_CURRENT_USER\SOFTWARE\imab.dk and HKEY_LOCAL_MACHINE\SOFTWARE\imab.dk. You should see the values you configured.

ENJOY 🙂
