Intune offers multiple methods for setting registry keys but this article will focus on the simplest method - using Startup Scripts.

Options Overview

There are 3 ways to set registry keys with Intune. Briefly here are some reasons why you might consider one method over another.

1. Proactive Remediations
   Remediation scripts provide a way to periodically check for compliance, which is especially useful when users have administrative privileges and may alter registry keys you've configured.
   
   However, using these scripts requires E3 or E5 licensing, which can be prohibitively expensive for many businesses.
2. Win32 Apps
   You can bundle PowerShell scripts that set registry keys into Win32 apps for deployment across devices. Additionally, custom detection rules can be written to verify the successful 'installation' of an app.
   
   This capability can theoretically be repurposed to monitor registry keys for changes. If a change is detected, Intune can trigger an app 'reinstall' to reset the registry keys, simulating a remediation script.
   
   I may write a blog post on this in the future.
3. Startup Scripts
   Finally there are simple Startup scripts.
   
   In contrast to Win32 Apps/Remediation scripts, startup scripts will only run once per device/user for a given version of a script and doesn't have any detection/monitoring capabilities.
   
   This can mean that registry keys you've set can drift over time if users are tampering with settings. But, it is also by far the easiest way to roll out some keys to your device fleet.

Setting Registry Keys with Startup Scripts

To set HKLM and HKCU registry keys in Intune, we use an approach similar to Group Policy (GPO). HKLM policies need to run in the computer's context, while HKCU keys must run in the context of the logged-in user.

To achieve this, we use three key components: a platform script configuration for HKLM, a platform script configuration for HKCU, and finally, the script itself.

HKLM Registry Keys

To create a new startup script browse here and click Windows 10 and later.

The script settings toggles need to set as listed below to run in the context of SYSTEM and needs to be assigned to devices.

HKCU Registry Keys

For HKCU changes, the script needs to be run in the context of the logged in user.

The Script

Finally, we have the script itself. Here’s how it works, first it defines two functions:

1. Logging Function: This function writes logs to a file, creating the file if it doesn’t already exist. This helps maintain a record of script actions but is mainly useful for you to debug things.
2. Registry Key Function: This function checks if the specified registry path and key exist. If they don’t, it creates or updates them as needed.

If either function encounters an error, the script exits with a code of 1, which enables Intune to accurately report a failed deployment.

Lastly, the script specifies the location of the log file and the registry settings to configure.

To use the script, download it and follow these guidelines:

1. Update the Registry Key Section: Modify the script's registry key section to include the keys you want to set keeping in mind to keep HKLM and HKCU changes in separate scripts.
   
   The sample registry keys in there disable features like LLMNR, and WPAD which I've previously written about.
2. Log Location: The log location needs to be set to a location that the user can write to, as permissions may restrict access otherwise (keep this in mind for HKCU startup scripts).
3. PowerShell Dictionary Syntax: For each registry key you want to add in $registrySettings, remember that the last entry should not have a trailing comma.
4. Testing the Script: To test, run the script as an administrator for HKLM changes and as a regular user for HKCU changes. Review the log file to confirm the applied registry updates.