HKCU Registry Keys and Intune

So I have been tasked with hiding certain control panel icons. I have modified the Deploy-Application.ps1 file to do everything I want.

In the Install steps it does this

$RegSettings = {
    Set-RegistryKey -Key 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowCPL' -Name 'Security and Maintenance' -Value 'Security and Maintenance'
    Set-RegistryKey -Key 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer' -Name 'DisallowCPL' -Value 1 -Type 'DWord'
}

# Invoke the registry settings for all users
Invoke-HKCURegistrySettingsForAllUsers -RegistrySettings $RegSettings

In the Uninstall steps it does this

$RemoveRegSettings = {
    Remove-RegistryKey -Key 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer' -Recurse
}

# Invoke the registry settings for all users
Invoke-HKCURegistrySettingsForAllUsers -RegistrySettings $RemoveRegSettings

This is my detection rule for the application

$Path = "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer"

Try {
    # Check if the registry key exists
    $RegistryKey = Get-Item -Path $Path -ErrorAction Stop
    If ($RegistryKey) {
        Write-Output "Detected"
        Exit 0
    } 
    Exit 1
} 
Catch {
    Exit 1
}

When I run the Deploy-Application.exe from the command line on my machine, the relevant registry keys are created, and they are removed with the uninstall switch.

When I package this up into an intunewin file for Intune, the application runs successfully and the detection script exits with code 0.

But the keys are not created.

I don't know why this is the case. I'm using the same installation command on my own machine, but the keys are not created on my Intune device.

Anyone have any ideas?

Thanks

The first thing that springs to mind is: how are you targeting the application deployment in Intune, User or System?
If you are not specifically choosing user, it will default to System…
As such, as you are applying those registry keys to HKCU, this will likely be applied to the System account, not the logged-on user.
I guess you could check the registry to see if those keys are set below the System account to confirm my theory.


Well I was doing it in system context.

To my understanding, choosing user context means it won't run as administrator? Correct me if I'm wrong here.

Running the application with user rights means the registry keys won't get created.

Apologies, I didn’t read your post thoroughly enough :grin:
It looks like you are doing the correct thing to apply these settings to all Users registry settings.
However, I wonder if the order of the registry key creation here might be the issue. I think the 2nd Set-Registry line should be first, as the 1st Set-Registry line is trying to add a key below the DisallowCPL key that may not exist (until the 2nd line has been run).

So I think you could try this:

$RegSettings = {
    Set-RegistryKey -Key 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer' -Name 'DisallowCPL' -Value 1 -Type 'DWord'
    Set-RegistryKey -Key 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowCPL' -Name 'Security and Maintenance' -Value 'Security and Maintenance'
}

Just an idea :person_shrugging:

I ended up doing this with remediation instead, which has worked. Would be good to know though, regardless.

I'll keep testing stuff. Thanks

[scriptblock]$HKCURegistrySettings = {
    # -SID redirects each HKCU path to the hive of the user profile currently being processed
    Set-RegistryKey -Key "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowCPL" -Name "Security and Maintenance" -Value "Security and Maintenance" -Type String -SID $UserProfile.SID -ContinueOnError $false
    # Enable the DisallowCPL policy itself (DWord 1, as in the original install step)
    Set-RegistryKey -Key "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" -Name "DisallowCPL" -Value 1 -Type DWord -SID $UserProfile.SID -ContinueOnError $false
}
Invoke-HKCURegistrySettingsForAllUsers -RegistrySettings $HKCURegistrySettings

As above - you were missing the -SID $UserProfile.SID bit there!

BTW your detection rule is looking at HKCU for the system account, so the original version would not work for new users logging on. A remediation script in pure user context sounds like the better approach.
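
The detection problem raised in the last reply, as an added example that is not part of the thread or of PSAppDeployToolkit: a detection script for a System-context deployment that inspects the loaded user hives under HKEY_USERS rather than HKCU. It assumes only currently loaded hives need checking (normally the logged-on users), so profiles that are not loaded and users who log on later are not covered.

```powershell
# Added example: Intune detection script intended to run in SYSTEM context.
# In that context HKCU is the SYSTEM account's own hive, so the per-user
# policy values are checked under HKEY_USERS\<SID> instead.

$SubKey    = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$ValueName = 'Security and Maintenance'

# Real user SIDs: S-1-5-21-* (local/AD accounts) and S-1-12-1-* (Entra ID accounts).
# The anchored pattern skips *_Classes hives and built-in accounts (.DEFAULT, S-1-5-18, ...).
$UserHives = Get-ChildItem -Path 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -match '^S-1-(5-21|12-1)-[\d-]+$' }

if (-not $UserHives) {
    # Assumption: with no user hive loaded there is nothing to verify, so report "not detected".
    exit 1
}

# Collect the SIDs whose hive lacks either the policy switch or the hidden-item entry.
$Missing = foreach ($Hive in $UserHives) {
    $Policy = "Registry::HKEY_USERS\$($Hive.PSChildName)\$SubKey"

    # DWord 'DisallowCPL' = 1 turns the policy on.
    $Flag = (Get-ItemProperty -Path $Policy -Name 'DisallowCPL' -ErrorAction SilentlyContinue).DisallowCPL

    # String value under the DisallowCPL subkey names the Control Panel item to hide.
    $Entry = (Get-ItemProperty -Path "$Policy\DisallowCPL" -Name $ValueName -ErrorAction SilentlyContinue).$ValueName

    if ($Flag -ne 1 -or $Entry -ne $ValueName) { $Hive.PSChildName }
}

if ($Missing) {
    # At least one loaded user hive is missing the settings.
    exit 1
}

# Intune treats exit code 0 plus output on STDOUT as "detected".
Write-Output 'Detected'
exit 0
```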