Deploy Registry Fix using Intune Win32 App

Let’s learn how to Deploy Registry Fix using Intune Win32 app. I have already posted a fix for the new remote Code Execution Vulnerability in the MSHTML component using SCCM. It’s time to fix the CVE-2021-40444 issue using Intune registry fix method.

Microsoft provided a registry file to fix this vulnerability with the office application. There are other methods also to fix the vulnerability, like group policy. You can use the best option suited for your organization. But in this post, I’m going to cover Intune method for Azure AD joined Windows 10 PCs.

IntuneWin app installation is handled by a new agent called Intune Management Extension. This client agent is created by Intune team only for IntuneWin application deployments. You can also use a remediation script to deploy registry fixes using Intune. I will cover that later in a different post. I think Intune remediation script method is much better if you have appropriate licenses.

Create IntuneWin Package to Deploy Registry Fix

You need to create two files to deploy registry fix using Intune. The first file is the registry file itself. You will need to paste the following registry information to a notepad and same it as ActiveXFix.reg file.

Patch My PC
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]
"1001"=dword:00000003
"1004"=dword:00000003

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1]
"1001"=dword:00000003
"1004"=dword:00000003

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2]
"1001"=dword:00000003
"1004"=dword:00000003

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1001"=dword:00000003
"1004"=dword:00000003

Now, it’s time to create a batch file to execute this registry fix on the Windows 10 Azure AD joined devices. It’s just a simple batch file to execute the ActiveXFix.reg file. You can paste the following batch file and save it as ActiveXFix.cmd.

MD C:\Windows\Temp\ActiveXFix
Copy "%~dp0*.reg" C:\Windows\Temp\ActiveXFix /Y
PUSHD C:\Windows\Temp\ActiveXFix
regedit.exe /s ActiveXfix.reg
@echo 1.0>C:\Windows\Temp\ActiveXFix\Ver1.0.txt
Del C:\Windows\Temp\ActiveXFix\*.reg

Download the IntuneWinAppUtil.exe to covert the files created above into the IntuneWin package. This helps to deploy the registry fix to Windows 10 or 11 Azure AD joined PCs using Intune. Before proceeding further, create a folder structure to store the source files and package files.

  • Create a Folder called Intune Source\ActiveX Reg Fix\Source.
  • Create a folder called Intune Source\ActiveX Reg Fix\Package.
  • Paste ActiveXFix.reg and ActiveXFix.cmd files into the above folder.
Deploy Registry Fix using Intune Win32 App 1
Deploy Registry Fix using Intune

Now you need to create an IntuneWin package using the tool called IntuneWinAppUtil.exe. You need to paste the tool into the “Intune Source” folder that you created above.

1E Nomad
  • Run the IntuneWinAppUtil.exe tool from Command prompt
  • Enter SOURCE path where you have stored the .reg and .cmd files.
    • Please specify the source folder: C:\Users\digit\OneDrive\Work\Intune Source\ActiveX Reg Fix\Source
    • Please specify the setup file: ActiveXFix.cmd
    • Please specify the output folder: C:\Users\digit\OneDrive\Work\Intune Source\ActiveX Reg Fix\Package
    • Do you want to specify catalog folder (Y/N)?n

Now you have created the IntuneWin package ActiveXFix.intunewin.intunewin” and it’s ready to deploy registry fix using Intune application deployment method.

Deploy Registry Fix using Intune Win32 App
Deploy Registry Fix using Intune Win32 App

Create Intune Win32 app for Registry Fix

You can now head to the MEM admin center portal to create Intune Win32 application to deploy the registry fix. It would help if you kept the ActiveXFix.cmd file information handy while creating the application.

  • Login to endpoint.microsoft.com portal.
  • Navigate to All Apps > Windows -> Click on +Add button to create Win32 app.
Create Intune Win32 app for Registry Fix
Create Intune Win32 app for Registry Fix

You now need to select the app type that you want to deploy. Select the Intune app type called Windows app (Win32) and then click on the Select button to start the app creation process.

Deploy Registry Fix using Intune Win32 App 2
Deploy Registry Fix using Intune Win32 App 8
  • You can now upload the file that you created in the above section IntuneWin package ActiveXFix.intunewin.intunewin” from the select app package file hyperlink.
  • You can click on OK button to continue.
Deploy Registry Fix using Intune Win32 App 3
Deploy Registry Fix using Intune Win32 App 9

You can now enter the name of the application and other details from the Application information page. Proceed to the Program page to enter the install command and uninstall command details.

  • Install Command = ActiveXFix.cmd
  • Uninstall Command = ActiveXFix.cmd
  • Click on the NEXT button to continue.

NOTE! – The uninstall command is just a fake command just for my lab testing. But the recommendation is to go with the proper uninstall command. This is just an example of deploying a registry fix using Intune. Only for testing purposes.

Create Intune Win32 app for Registry Fix
Create Intune Win32 app for Registry Fix

You can now select the requirement page OS architecture and minimum OS from this page and click on the next button to continue.

  • Operating System Architecture = 64-bit
  • Minimum Operating System – Windows 10 1909

You can also go over the Detection Rules page and select Configure app specific rules used to detect the app’s presence. Select the option Manually configure detection rules to continue building detection logic for this application deployment.

Now you need to fill the Detection rule for this application:

  • Rule Type -> File
  • Path -> C:\Windows\Temp\ActiveXFix
  • File or folder – Ver1.0.txt
  • Detection Method -> File or Folder exists
  • Associated with a 32-bit app on 64-bit clients -> NO
  • Click OK and NEXT to continue.
Create Intune Win32 app for Registry Fix
Create Intune Win32 app for Registry Fix

You can go over the dependencies and supersedence, scope tags pages to continue. Those pages are not mandatory for this registry to fix Intune win32 application. On the assignment page, you need to assign this application to any Azure AD device group.

Author

About Author -> Anoop is Microsoft’s Most Valuable Professional Award winner from 2015 on the technologies! He is a Solution Architect on enterprise device management solutions with more than 20 years of experience (calculation done in 2021) in IT. He is Blogger, Speaker, and Local User Group Community leader. His main focus is on Device Management technologies like Configuration Manager, Windows 365 Cloud PC, Intune, Azure Virtual Desktop, Windows 10, and Windows 11.

2 thoughts on “Deploy Registry Fix using Intune Win32 App”

  1. In your CMD file you ran: regedit.exe /s ActiveX.reg
    I had to change that to the name of the reg file created: ActiveXFix.reg
    This worked for me after updating: regedit.exe /s ActiveXFix.reg

    Reply

Leave a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.