Anavem
EnglishFrancais
Anavem
Languagefr
How to Manage Registry Keys with Microsoft Intune for GPO Migration

How to Manage Registry Keys with Microsoft Intune for GPO Migration

Learn to set, monitor, and manage Windows Registry keys using Microsoft Intune through PowerShell scripts, Proactive Remediations, and Win32 applications when transitioning from Group Policy Objects.

March 21, 2026 15 min
mediumintune 8 steps 15 min

Why Migrate Registry Management from Group Policy to Microsoft Intune?

As organizations transition from on-premises Active Directory to cloud-first management with Microsoft Intune, one of the most critical challenges is migrating Group Policy Object (GPO) configurations that rely heavily on Windows Registry modifications. Unlike GPOs that provide direct registry editing capabilities, Intune requires different approaches to achieve the same registry management outcomes.

What Methods Does Microsoft Intune Provide for Registry Key Management?

Microsoft Intune offers three primary methods for managing Windows Registry keys: Proactive Remediations (the preferred method for ongoing enforcement), PowerShell platform scripts (for one-time or scheduled execution), and Win32 applications (for install-time registry configuration). Each method serves different use cases and has specific advantages depending on your requirements.

How Do Proactive Remediations Compare to Traditional Group Policy Registry Settings?

Proactive Remediations provide continuous monitoring and enforcement of registry configurations, similar to how GPOs refresh policy settings. However, unlike GPOs that can directly edit any registry location through Administrative Templates, Intune's approach requires PowerShell scripting and careful consideration of execution context (System vs User) to access different registry hives like HKLM and HKCU.

This tutorial will guide you through implementing each method, from creating detection and remediation scripts to deploying Win32 applications with registry configurations. You'll learn to handle both HKLM and HKCU registry modifications, troubleshoot common issues, and establish monitoring procedures to ensure your registry configurations remain compliant across your managed device fleet.

Implementation Guide

Full Procedure

01

Access Microsoft Intune Admin Center and Verify Permissions

Start by signing into the Microsoft Intune admin center to verify your access and permissions. This is your central hub for all registry management operations.

# Open your web browser and navigate to:
https://intune.microsoft.com

Sign in with your Global Admin or Intune Admin credentials. Once logged in, navigate to Devices > Scripts and remediations to confirm you have access to the scripting features.

Pro tip: Bookmark the Intune admin center URL and consider using a dedicated browser profile for administrative tasks to avoid session conflicts.

Verification: You should see the "Scripts and remediations" option under the Devices menu. If it's missing, verify your licensing includes Intune Suite add-on or equivalent for advanced scripting features.

02

Create Detection Script for Registry Key Existence

Before creating or modifying registry keys, you need a detection script that checks if the desired registry configuration exists. This script determines whether remediation is needed.

Create a new PowerShell file named detect-registry.ps1 with the following content:

# Detection script for Adobe Acrobat DC registry settings
# This checks if the required registry path and values exist

try {
    # Check if the registry path exists
    $registryPath = "HKLM:\SOFTWARE\Policies\Adobe\Adobe Acrobat\DC\FeatureLockDown\cIPM"
    
    if (Test-Path $registryPath) {
        # Check if specific registry values exist with correct settings
        $value1 = Get-ItemProperty -Path $registryPath -Name "bDontShowMsgWhenViewingDoc" -ErrorAction SilentlyContinue
        $value2 = Get-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Adobe\Adobe Acrobat\DC\FeatureLockDown" -Name "bIsSCReducedModeEnforcedEx" -ErrorAction SilentlyContinue
        
        if ($value1.bDontShowMsgWhenViewingDoc -eq 0 -and $value2.bIsSCReducedModeEnforcedEx -eq 1) {
            Write-Output "Registry configuration is compliant"
            exit 0  # Compliant - no remediation needed
        }
    }
    
    Write-Output "Registry configuration needs remediation"
    exit 1  # Non-compliant - remediation required
}
catch {
    Write-Output "Error checking registry: $($_.Exception.Message)"
    exit 1  # Error - trigger remediation
}
Warning: Always test your detection scripts locally first. Incorrect exit codes (0 for compliant, 1 for non-compliant) will cause unexpected behavior in Intune.

Verification: Test the script locally by running powershell.exe -ExecutionPolicy Bypass -File detect-registry.ps1 and checking the exit code with echo $LASTEXITCODE.

03

Create Remediation Script for Registry Key Management

The remediation script creates or modifies registry keys when the detection script finds non-compliance. This script runs with elevated privileges to make the necessary changes.

Create remediate-registry.ps1 with the following content:

# Remediation script for Adobe Acrobat DC registry settings
# This creates the required registry keys and values

try {
    # Create the registry path if it doesn't exist
    $registryPath = "HKLM:\SOFTWARE\Policies\Adobe\Adobe Acrobat\DC\FeatureLockDown\cIPM"
    
    if (-not (Test-Path $registryPath)) {
        New-Item -Path $registryPath -Force | Out-Null
        Write-Output "Created registry path: $registryPath"
    }
    
    # Set the registry values
    New-ItemProperty -LiteralPath $registryPath -Name "bDontShowMsgWhenViewingDoc" -Value 0 -PropertyType DWord -Force | Out-Null
    Write-Output "Set bDontShowMsgWhenViewingDoc = 0"
    
    New-ItemProperty -LiteralPath "HKLM:\SOFTWARE\Policies\Adobe\Adobe Acrobat\DC\FeatureLockDown" -Name "bIsSCReducedModeEnforcedEx" -Value 1 -PropertyType DWord -Force | Out-Null
    Write-Output "Set bIsSCReducedModeEnforcedEx = 1"
    
    Write-Output "Registry remediation completed successfully"
    exit 0  # Success
}
catch {
    Write-Output "Error during remediation: $($_.Exception.Message)"
    exit 1  # Failure
}

For HKCU registry keys, modify the script to use HKCU:\ paths instead:

# Example for HKCU registry modification
$registryPath = "HKCU:\SOFTWARE\MyCompany\Settings"
New-Item -Path $registryPath -Force | Out-Null
New-ItemProperty -LiteralPath $registryPath -Name "UserPreference" -Value "Enabled" -PropertyType String -Force | Out-Null

Verification: Test the remediation script locally and verify the registry keys are created using regedit or Get-ItemProperty commands.

04

Deploy Registry Management via Proactive Remediations

Proactive Remediations is the recommended method for ongoing registry key management. This creates a monitoring and enforcement mechanism that runs on a schedule.

In the Intune admin center, navigate to Devices > Scripts and remediations > Platform scripts and click Create, then select Windows 10 and later.

Configure the following settings:

  • Name: "Adobe Acrobat DC Registry Configuration"
  • Description: "Manages Adobe Acrobat DC security settings via registry keys"

In the Script settings section:

  • Detection script file: Upload your detect-registry.ps1
  • Remediation script file: Upload your remediate-registry.ps1
  • Run this script using the logged on credentials: No (for HKLM keys)
  • Enforce script signature check: No
  • Run script in 64-bit PowerShell Host: Yes
Pro tip: For HKCU registry keys, set "Run this script using the logged on credentials" to Yes. This ensures the script runs in the user context and can access user-specific registry hives.

Configure the schedule:

  • Run frequency: Daily
  • Start time: 02:00 AM (outside business hours)

Verification: After creating the remediation, check the "Overview" tab to see deployment status and any initial results from targeted devices.

05

Assign Registry Management to Device Groups

Target your registry management to specific device groups to control which machines receive the configuration. This allows for phased rollouts and testing.

In your Proactive Remediation configuration, click on the Assignments tab. Configure the following:

Include groups:

  • Click Add group
  • Search for and select your target device group (e.g., "IT-Managed Workstations")
  • Set Assignment type to "Required"

Exclude groups: Add any groups that should be excluded from this policy (e.g., "Test Devices" during production deployment).

# PowerShell command to verify group membership (run on target device)
Get-WmiObject -Class Win32_ComputerSystem | Select-Object Name, Domain

# Check if device is Azure AD joined
dsregcmd /status | findstr "AzureAdJoined"

Click Review + create to finalize the assignment.

Warning: Always test registry changes on a small pilot group first. Registry modifications can affect application functionality and system stability.

Verification: Monitor the deployment in Devices > Scripts and remediations > Platform scripts. Select your script and review the "Device status" tab to see which devices have successfully applied the configuration.

06

Create Win32 Application for Install-Time Registry Configuration

For registry keys that need to be set during application installation, use the Win32 application method. This is ideal for software-specific registry settings.

First, download the Microsoft Win32 Content Prep Tool v1.11.4 from:

https://github.com/Microsoft/Microsoft-Win32-Content-Prep-Tool/releases

Create a folder structure for your Win32 app:

mkdir C:\IntuneApps\RegistryConfig
cd C:\IntuneApps\RegistryConfig

Create an install.ps1 script:

# install.ps1 - Registry configuration during app deployment
Start-Transcript -Path "C:\Windows\Temp\RegistryConfig-Install.log"

try {
    # Create application-specific registry keys
    $appRegPath = "HKLM:\SOFTWARE\MyCompany\ApplicationSettings"
    New-Item -Path $appRegPath -Force | Out-Null
    
    # Set configuration values
    New-ItemProperty -Path $appRegPath -Name "ConfigVersion" -Value "2.1" -PropertyType String -Force
    New-ItemProperty -Path $appRegPath -Name "AutoUpdate" -Value 1 -PropertyType DWord -Force
    New-ItemProperty -Path $appRegPath -Name "TelemetryEnabled" -Value 0 -PropertyType DWord -Force
    
    Write-Output "Registry configuration completed successfully"
    exit 0
}
catch {
    Write-Error "Failed to configure registry: $($_.Exception.Message)"
    exit 1
}
finally {
    Stop-Transcript
}

Create the .intunewin package:

IntuneWinAppUtil.exe -c "C:\IntuneApps\RegistryConfig" -s "install.ps1" -o "C:\IntuneApps\Output"

Verification: Check that the .intunewin file was created successfully in the output directory before proceeding to upload it to Intune.

07

Deploy Win32 Application with Registry Configuration

Upload and configure your Win32 application in Intune to deploy registry settings alongside application installations.

In Intune admin center, navigate to Apps > Windows > Add and select Windows app (Win32).

Configure the app package information:

  • Select app package file: Upload your .intunewin file
  • Name: "Registry Configuration Package"
  • Description: "Configures application-specific registry settings"
  • Publisher: Your organization name

Set the program configuration:

  • Install command: powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -File install.ps1
  • Uninstall command: powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -Command "Remove-Item 'HKLM:\SOFTWARE\MyCompany\ApplicationSettings' -Recurse -Force"
  • Install behavior: System
  • Device restart behavior: No specific action

Configure detection rules:

  • Rules format: Manually configure detection rules
  • Rule type: Registry
  • Key path: HKLM\SOFTWARE\MyCompany\ApplicationSettings
  • Value name: ConfigVersion
  • Detection method: String comparison
  • Operator: Equals
  • Value: 2.1

Verification: After deployment, check the "Device install status" to confirm successful installation and registry configuration on target devices.

08

Monitor Registry Configuration Compliance and Troubleshoot Issues

Establish monitoring and troubleshooting procedures to ensure your registry configurations are working correctly across your device fleet.

Monitor Proactive Remediations:

  1. Navigate to Devices > Scripts and remediations > Platform scripts
  2. Select your registry configuration script
  3. Review the Device status tab for compliance information

Create a custom compliance policy for additional monitoring:

# Custom compliance detection script
$registryPath = "HKLM:\SOFTWARE\Policies\Adobe\Adobe Acrobat\DC\FeatureLockDown\cIPM"
$complianceData = @{
    "RegistryPathExists" = (Test-Path $registryPath)
    "ConfigurationApplied" = $false
}

if ($complianceData.RegistryPathExists) {
    $value = Get-ItemProperty -Path $registryPath -Name "bDontShowMsgWhenViewingDoc" -ErrorAction SilentlyContinue
    $complianceData.ConfigurationApplied = ($value.bDontShowMsgWhenViewingDoc -eq 0)
}

# Output compliance data in JSON format
$complianceData | ConvertTo-Json

Common troubleshooting steps:

  • Script execution errors: Check device logs in C:\Windows\Temp for PowerShell transcripts
  • Permission issues: Verify script execution context (System vs User) matches registry hive requirements
  • Detection failures: Test detection scripts locally with powershell.exe -ExecutionPolicy Bypass -File detect-registry.ps1
Pro tip: Enable PowerShell script logging via Group Policy or Intune to capture detailed execution information for troubleshooting complex registry issues.

Verification: Run the following command on a managed device to verify registry settings:

Get-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Adobe\Adobe Acrobat\DC\FeatureLockDown\cIPM" | Format-List

Frequently Asked Questions

Can Microsoft Intune directly edit Windows Registry keys like Group Policy Objects?+
No, Microsoft Intune cannot directly edit arbitrary Windows Registry keys like GPOs. The Registry CSP is deprecated, and Intune relies on PowerShell scripts through Proactive Remediations, Platform Scripts, or Win32 applications to modify registry settings. This requires creating detection and remediation scripts rather than using direct administrative templates.
What's the difference between HKLM and HKCU registry access in Intune scripts?+
HKLM (Local Machine) registry keys require scripts to run in System context and affect all users on the device. HKCU (Current User) registry keys require scripts to run in User context and only affect the logged-in user. You must configure the execution context correctly in Intune - System context for HKLM modifications and User context for HKCU modifications.
How do I troubleshoot failed registry modifications in Microsoft Intune?+
Check the device status in Intune admin center under Scripts and remediations for error messages. Review PowerShell execution logs in C:\Windows\Temp on target devices. Verify script exit codes (0 for success, 1 for failure) and test scripts locally with PowerShell -ExecutionPolicy Bypass. Common issues include incorrect execution context, permission problems, and malformed registry paths.
Which method should I use for ongoing registry enforcement in Intune?+
Use Proactive Remediations for ongoing registry enforcement as it provides continuous monitoring and automatic remediation on a schedule. Platform Scripts are better for one-time configurations, while Win32 applications work best for registry settings that need to be applied during software installation. Proactive Remediations most closely replicate GPO behavior with periodic refresh and enforcement.
Do I need special licensing for registry management features in Microsoft Intune?+
Yes, Proactive Remediations require Microsoft Intune Plan 1 or higher, plus the Intune Suite add-on for advanced scripting capabilities. Basic Platform Scripts are included with standard Intune licensing. Win32 application deployment is included with Intune Plan 1. Ensure your licensing supports the registry management method you plan to implement.
Tags
#intune#registry#powershell

Further Intelligence

Deepen your knowledge with related resources

How to Get Windows 11 26H1: What It Is, Who It's For, and How to Install It
tutorial
Windows

How to Get Windows 11 26H1: What It Is, Who It's For, and How to Install It

Deep Dive
How to Upgrade to Windows Server 2025 Using Windows Update Without Data Loss
tutorial
Windows

How to Upgrade to Windows Server 2025 Using Windows Update Without Data Loss

Deep Dive
How to Remove Applications Using Microsoft Intune Admin Center
tutorial
Cloud Computing

How to Remove Applications Using Microsoft Intune Admin Center

Deep Dive

Discussion

Share your thoughts and insights

Sign in to join the discussion

Sign inCreate account