How to Deploy a Registry Key using Proactive Remediation

Deploy registry keys with Proactive Remediation

Today I am going to explain a REALLY simple way to deploy a registry key with Proactive Remediation. Endpoint Manager has come a long way since its early Intune days, but there are still some things that you can’t do like you can in Active Directory Group Policy. For example, you may have a custom registry key which contains the address of an on-premises license server for a particular application. Active Directory Group Policy allows you to push these keys into the local device registry, but as of this writing, Microsoft Endpoint Manager (MEM) does not.

DISCLAIMER

Please understand that the content herein is for informational purposes only. This existence and contents shall not create an obligation, liability or suggest a consultancy relationship. In further, such shall be considered as is without any express or implied warranties including, but not limited to express and implied warranties of merchantability, fitness for a particular purpose and non-infringement. There is no commitment about the content within the services that the specific functions of the services or its reliability, applicability or ability to meet your needs, whether unique or standard. Please be sure to test this process fully before deploying in ANY production capacity, and ensure you understand that you are doing so at your own risk.

Table of Contents

What are Proactive Remediations?
Prerequisites
Creating a Good Script Package
How to Deploy your Script Package
Conclusion

What are Proactive Remediations?

The engineers over at Microsoft acknowledged pretty early on that it would take some time to get a cloud solution to function as robustly as the on-premises combination of Active Directory and Configuration Manager. With decades of development behind those solutions, there is a reason they became the industry standard despite large-scale competitors. With that in mind, they created a tool that gives creative administrators the ability to create and deploy their own custom policies from the cloud, without having to jump through several hoops or reinvent the wheel. This is where Proactive Remediations come into the picture.

In its basic form, a proactive remediation is a simple tool that uses PowerShell scripting to detect a setting and remediate it if it is missing. However, MEM gurus and system administrators alike have used the simplicity of proactive remediations to create some powerful tools. Each proactive remediation requires a detection script before it can be deployed. The remediation script is optional, in case you want to use the package for reporting only rather than for remediation.

Today we are going to focus on deploying a registry key with Proactive Remediation. This method will likely be helpful long-term, as it may be a while before custom registry keys are enabled via MEM policy. First, there are a few basic PowerShell techniques we will use and one FANTASTIC tool that will make this process much easier. Some PowerShell scripting experience is recommended, but I will try to create a basic template you can use even if you have no PowerShell experience at all.

Prerequisites

There are a few things you must have for this to work. Chances are if you are here, you probably already have these met, but let’s go over them just to be sure.

  • Devices Enrolled in Endpoint Analytics
    • Proactive Remediations is included as part of the Endpoint Analytics package of MEM, so this must be configured for at least the minimal level of reporting to function correctly.
  • Devices must be Azure AD-Joined or Hybrid Joined
    • This makes sense right? If MEM isn’t managing the device, it can’t deploy policies or scripts.
  • Licensing Requirements
    • This is a Microsoft product, so there is a licensing requirement. This attestation will come up the first time you turn this on, so you have to make sure you can meet the license requirement for it to work. Otherwise, chances are Microsoft will charge you for it later.
  • Permissions or Role Requirements
    • To enable and deploy these proactive remediations, you must be a Global Administrator or Intune Service Administrator.

Those are the basic prerequisites. If you are curious about this and what other restrictions are in place, you can read more about it on Microsoft’s page here.

Creating a Good Script Package

With every Proactive Remediation you create, you need to start with a detection script. Every working detection script should have a minimum of three things:

  1. A Try-Catch Statement (to handle errors)
    • This helps with troubleshooting problematic code. Try-Catch lets you decide what level of error output you want sent to the console.
  2. An If-Else Statement (to test for settings)
    • If-Else ensures that the script package detects the setting in question and determines whether remediation is necessary.
  3. An Exit Statement
    • While exit statements aren’t always required in PowerShell, Proactive Remediations uses exit codes to define the behavior of the script package. Exit codes are required to ensure an accurate transition to the remediation step when necessary.

Having all three of these things with each detection script will give you the best chance of using this tool successfully. I won’t go into the specifics of the Try-Catch here, as many more people have written better write-ups on the subject than I ever could. HERE is an excellent example. Read that if you need more information about the Try-Catch.

For the If-Else statement, we turn to one of my favorite finds on the Internet. I’m not sure who Roger Zander is, but I greatly appreciate this Registry-to-PowerShell conversion tool. It takes any exported registry key and outputs both a detection script (Check Script) and a remediation script. This is a huge time saver for anyone who has to create a ton of these policies. It is also an excellent tool for anyone who isn’t proficient with PowerShell or is just getting started.

Exit codes are pretty straightforward. Proactive Remediations requires the use of “Exit 1” as an indication that the script package needs to go to the Remediation step. We are now ready to create our first script to apply a registry key with a Proactive Remediation.

Basic Starting Script

Now that we understand our three main elements, this is what our basic starting detection script will look like:

Basic Starting Proactive Remediations Script
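As an added illustration of the three elements (this is not the author’s PR-Detect-Template.ps1), here is a detection script with a Try-Catch, an If-Else test and explicit exit codes. The key path, value name and expected data are constructed placeholders; in practice you replace the If-Else with the output of the Reg-to-Posh converter.

```powershell
# Added example detection script (not the author's template).
# Placeholder values: swap in the key/value from your exported .reg file.
$RegPath       = 'HKLM:\SOFTWARE\Contoso\LicenseClient'   # placeholder key
$ValueName     = 'LicenseServer'                           # placeholder value name
$ExpectedValue = 'license01.contoso.local:27000'           # placeholder data

try {
    # -ErrorAction Stop turns a missing key or value into a terminating
    # error, so it lands in the catch block instead of a silent $null.
    $current = (Get-ItemProperty -Path $RegPath -Name $ValueName -ErrorAction Stop).$ValueName

    if ($current -eq $ExpectedValue) {
        # Exit 0 = compliant. Proactive Remediations reports "Without issues"
        # and skips the remediation script. The first line of output is
        # what shows up in the report, so keep it short and descriptive.
        Write-Output "Compliant: $ValueName = '$current'"
        exit 0
    }
    else {
        # Exit 1 = issue found. This is the code that triggers remediation.
        Write-Output "Non-compliant: $ValueName is '$current', expected '$ExpectedValue'"
        exit 1
    }
}
catch {
    # Missing key/value or any other read error: report it and hand off to
    # remediation so the key can be created rather than left as "failed".
    Write-Output "Detection error: $($_.Exception.Message)"
    exit 1
}
```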

You can find a copy of these script templates here if you want.

One main thing to note is that when you use the Reg-to-Posh Converter, you will NOT need the IF statement in the template. It is there as a starting point so you know where to put the output you get from the tool. The template also works as a solid starting point for any other basic Proactive Remediation script, whether it involves a registry key or not.

Let’s Try a Quick Example

Detection Script

Let’s say for example that you want to make sure the registry key for OneDrive is configured to run at startup. First, we want to make sure it is set to run at startup in the application itself. Next, we would want to find that RegKey and export it from the registry. Once you have it exported, open it in a text editor like VS Code, and copy the text.

Registry Key in VS Code

Then you want to CAREFULLY remove any lines that you don’t want to modify. (In general, it is best to deploy registry changes only to the keys you actually want to change. This helps avoid unintended consequences.) Be sure to leave the [location] of the key you want to modify as well as its parameters. Once you have it pared down, copy the entire text and go to the Reg-to-Posh Converter. Paste the text into the top white area on the page, and hit the “Get Check Script” option.

Registry to PowerShell – Makes Life Easy

Copy and paste the IF-Else portion of this text into the PR-Detect-Template.ps1 file in the appropriate location, and resave it with a new name. (We already have our own Try-Catch setup.) I called mine Detect-OneDriveAtStartup.ps1. I prefer names that are pretty obvious as to what they are.

Now there is one last step I usually do. The output of “Get Check Script” uses a “return $false” to indicate that the setting is missing. This doesn’t work as well in Proactive Remediations, so I usually do a CTRL + F to find all those instances and replace them with the “Exit 1” we talked about earlier.

Detect-OneDriveAtStartup.ps1

Remediation Script

Now go back to the Reg-to-Posh converter and hit the “Get Remediation Script” button. This changes the script to one that will make the registry changes you want. The conversion tool does not use a Try-Catch here, so you can copy the entire text and paste it into the PR-Rem-Template.ps1 file. Resave that one with a new name as well. It should look like this when you are done.

Remediate-OneDriveAtStartup.ps1
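For comparison, here is an added remediation script for the OneDrive-at-startup example, written from scratch rather than taken from the converter or the author’s Remediate-OneDriveAtStartup.ps1. It assumes the standard per-user autostart entry (the OneDrive value under the HKCU Run key) and builds the executable path from $env:LOCALAPPDATA for a per-user OneDrive install; adjust both to match what you exported.

```powershell
# Added example remediation script (not the author's or the converter's).
# Assumed: per-user OneDrive install, standard Run-key autostart entry.
$RegPath   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$ValueName = 'OneDrive'
$Expected  = "`"$env:LOCALAPPDATA\Microsoft\OneDrive\OneDrive.exe`" /background"

# This is an HKCU key, so the script package must be set to run with the
# logged-on user's credentials. Under the default SYSTEM context the write
# lands in SYSTEM's own hive and the user never sees the change.
try {
    if (-not (Test-Path -Path $RegPath)) {
        # Create the key (and any missing parents) before writing the value.
        New-Item -Path $RegPath -Force -ErrorAction Stop | Out-Null
    }

    # Idempotency check: a remediation that runs daily should not rewrite
    # a value that is already correct.
    $current = (Get-ItemProperty -Path $RegPath -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
    if ($current -eq $Expected) {
        Write-Output "Already set, nothing to do"
        exit 0
    }

    # -Force overwrites an existing value; -PropertyType String writes REG_SZ,
    # matching the type of the exported Run entry.
    New-ItemProperty -Path $RegPath -Name $ValueName -Value $Expected `
        -PropertyType String -Force -ErrorAction Stop | Out-Null

    # Read back so the report reflects what is actually in the registry.
    $verify = (Get-ItemProperty -Path $RegPath -Name $ValueName -ErrorAction Stop).$ValueName
    if ($verify -eq $Expected) {
        Write-Output "Remediated: $ValueName set"
        exit 0      # exit 0 = remediation succeeded
    }
    else {
        Write-Output "Write did not persist"
        exit 1      # non-zero = remediation failed, shown as such in the report
    }
}
catch {
    Write-Output "Remediation error: $($_.Exception.Message)"
    exit 1
}
```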

How to Deploy your Script Package

Now that we have our script package, it is time to deploy these scripts to our test group.

  1. Sign into Microsoft Endpoint Manager, and navigate to the Reports section.
     MEM Console Reports
  2. From here, click on Proactive Remediations and create a new Script Package.
     Proactive Remediations Page
  3. Give your script package a name and description, then hit Next.
     Basics Page of Script Package
  4. On the Settings page, upload the Detection and Remediation scripts we created. If your environment requires script signing, be sure to do that before you upload them. Then set the sliders at the bottom to the options that suit your environment. I always choose to run in 64-bit PowerShell for performance reasons, but the defaults are fine for the others.
     PR Settings Configured
  5. Hit Next and adjust the scope to meet your needs. Hit Next again and choose your test group to deploy to. Add a filter if necessary, and then adjust the time frame: click on Daily to change the schedule. For something like a registry key, you may only want to run this once a day, as the device likely needs a reboot to apply it anyway.
     Deployment Assignments
  6. Finally, hit Next to review your settings, then Create when you are finished.
     Deployed and ready to go

Conclusion

That is it! We have deployed a registry key to our devices using a Proactive Remediation script package. Monitor it over the next day or so to see if you get any errors or if it works correctly. This is my favorite method for deploying registry keys. Unlike the built-in PowerShell scripts, Proactive Remediations run on a schedule. It’s perfect for applying settings that aren’t in a built-in policy yet, or for moving on-premises group policies to the cloud. Remember to review these regularly, and to correct any errors you see. I hope this was helpful to you and that you can find ways to make this useful in your environment.

Hit me up on Twitter @SeeSmittyIT to let me know what you thought of this post. Thanks for reading!

Smitty

Curtis Smith works in IT with a primary focus on Mobile Device Management, M365 Apps, and Azure AD. He has certifications from CompTIA and Microsoft, and writes as a hobby.
