Deploy Registry Fix using Intune Win32 App

Let’s learn how to deploy a registry fix using an Intune Win32 app. I have already posted a fix for the MSHTML remote code execution vulnerability (CVE-2021-40444) using SCCM. It’s time to apply the same CVE-2021-40444 fix with the Intune registry fix method.

Microsoft’s advisory for CVE-2021-40444 provides a registry workaround that disables the download of signed and unsigned ActiveX controls in Internet Explorer for all security zones; Office documents render the malicious content through the same MSHTML engine, so this blocks the exploit chain. The workaround is a mitigation, not a replacement for the security update Microsoft later released for this CVE, so keep patching. There are other ways to apply the same setting, such as Group Policy. Use the option best suited to your organization; in this post, I cover the Intune method for Azure AD joined Windows 10 PCs.

IntuneWin app installation is handled by a client agent called the Intune Management Extension (IME). Intune installs this agent automatically when a Win32 app or PowerShell script is assigned to a device; it runs as a 32-bit service in the SYSTEM context and also executes PowerShell scripts and Proactive Remediations, so it is not limited to IntuneWin deployments. You can also use a remediation script to deploy registry fixes with Intune. I will cover that later in a different post. I think the Intune remediation script method is better if you have the appropriate licenses.

Create IntuneWin Package to Deploy Registry Fix

You need to create two files to deploy a registry fix using Intune. The first file is the registry file itself. Paste the following registry content into Notepad and save it as ActiveXFix.reg. Values 1001 and 1004 control the download of signed and unsigned ActiveX controls respectively, and 3 means Disable; zones 0 to 3 are Local Machine, Local Intranet, Trusted Sites and Internet.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]
"1001"=dword:00000003
"1004"=dword:00000003

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1]
"1001"=dword:00000003
"1004"=dword:00000003

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2]
"1001"=dword:00000003
"1004"=dword:00000003

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1001"=dword:00000003
"1004"=dword:00000003

Now, it’s time to create a batch file to apply this registry fix on the Windows 10 Azure AD joined devices. It is a simple batch file that imports the ActiveXFix.reg file. One detail matters: the Intune Management Extension is a 32-bit process, so a plain regedit.exe call from the install command is the 32-bit regedit, and keys under HKLM\SOFTWARE that are not on the WOW64 shared list get redirected to WOW6432Node. HKLM\SOFTWARE\Policies is on the shared list, so this particular fix lands correctly either way, but importing with reg.exe and the /reg:64 switch makes the 64-bit view explicit and keeps the same batch file working for other keys. Paste the following and save it as ActiveXFix.cmd.

MD C:\Windows\Temp\ActiveXFix
Copy "%~dp0*.reg" C:\Windows\Temp\ActiveXFix /Y
PUSHD C:\Windows\Temp\ActiveXFix
REM Import into the 64-bit registry view explicitly (IME is 32-bit, so a plain
REM regedit.exe call can be redirected to WOW6432Node for non-shared keys).
reg.exe import ActiveXFix.reg /reg:64
IF ERRORLEVEL 1 (POPD & EXIT /B 1)
@echo 1.0>C:\Windows\Temp\ActiveXFix\Ver1.0.txt
Del C:\Windows\Temp\ActiveXFix\*.reg
POPD
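The same four-zone change written as a PowerShell script, as an added example that is not part of the original post or Microsoft’s advisory: it opens the 64-bit registry view explicitly, so it behaves identically whether the Intune Management Extension launches it from a 32-bit or 64-bit PowerShell host, and it verifies the result before returning. The function names Set-ActiveXZoneFix and Test-ActiveXZoneFix are this example’s own; the Test- function can also be pasted into a custom detection script for the Win32 app, which is a sturdier detection than a marker file under C:\Windows\Temp.

```powershell
# Added example (not the post's code). Applies and verifies the CVE-2021-40444
# ActiveX workaround from the .reg file above using the 64-bit registry view.
# Run as SYSTEM (Intune install behavior = System); HKLM needs elevation.

$ZoneRoot = 'SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$Zones    = 0..3                          # Local Machine, Intranet, Trusted, Internet
$Values   = @{ '1001' = 3; '1004' = 3 }   # signed / unsigned ActiveX download: 3 = Disable

function Open-Zones64 {
    # Opens the Zones policy key in the 64-bit view regardless of host bitness.
    param([bool]$Writable)
    $base = [Microsoft.Win32.RegistryKey]::OpenBaseKey(
        [Microsoft.Win32.RegistryHive]::LocalMachine,
        [Microsoft.Win32.RegistryView]::Registry64)
    if ($Writable) { return $base.CreateSubKey($ZoneRoot) }
    return $base.OpenSubKey($ZoneRoot, $false)
}

function Set-ActiveXZoneFix {
    # Writes 1001=3 and 1004=3 as REG_DWORD under each of zones 0..3.
    $root = Open-Zones64 -Writable $true
    try {
        foreach ($z in $Zones) {
            $key = $root.CreateSubKey("$z")
            try {
                foreach ($name in $Values.Keys) {
                    $key.SetValue($name, [int]$Values[$name],
                                  [Microsoft.Win32.RegistryValueKind]::DWord)
                }
            } finally { $key.Dispose() }
        }
    } finally { $root.Dispose() }
}

function Test-ActiveXZoneFix {
    # Returns $true only if every zone carries both values set to 3.
    $root = Open-Zones64 -Writable $false
    if (-not $root) { return $false }
    try {
        foreach ($z in $Zones) {
            $key = $root.OpenSubKey("$z", $false)
            if (-not $key) { return $false }
            try {
                foreach ($name in $Values.Keys) {
                    if ($key.GetValue($name, $null) -ne $Values[$name]) { return $false }
                }
            } finally { $key.Dispose() }
        }
        return $true
    } finally { $root.Dispose() }
}

# Install entry point: apply, then verify; a non-zero exit makes Intune report failure.
Set-ActiveXZoneFix
if (Test-ActiveXZoneFix) { Write-Output 'ActiveX download disabled in zones 0-3'; exit 0 }
Write-Output 'Verification failed'; exit 1
```

As an install command use `powershell.exe -NoProfile -ExecutionPolicy Bypass -File ActiveXFix.ps1`. For a custom detection script, keep only Open-Zones64 and Test-ActiveXZoneFix and end with `if (Test-ActiveXZoneFix) { Write-Output 'Detected'; exit 0 } else { exit 1 }`; Intune treats the app as detected only when the script exits 0 and writes something to STDOUT.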

Download IntuneWinAppUtil.exe (the Microsoft Win32 Content Prep Tool) to convert the files created above into an IntuneWin package. This is what lets you deploy the registry fix to Windows 10 or 11 Azure AD joined PCs using Intune. Before proceeding further, create a folder structure to store the source files and the package files.

  • Create a folder called Intune Source\ActiveX Reg Fix\Source.
  • Create a folder called Intune Source\ActiveX Reg Fix\Package.
  • Paste the ActiveXFix.reg and ActiveXFix.cmd files into the Source folder.

Now you need to create an IntuneWin package using the tool called IntuneWinAppUtil.exe. You need to paste the tool into the “Intune Source” folder that you created above.

  • Run the IntuneWinAppUtil.exe tool from a Command Prompt.
  • Enter the SOURCE path where you stored the .reg and .cmd files, then answer the remaining prompts:
    • Please specify the source folder: C:\Users\digit\OneDrive\Work\Intune Source\ActiveX Reg Fix\Source
    • Please specify the setup file: ActiveXFix.cmd
    • Please specify the output folder: C:\Users\digit\OneDrive\Work\Intune Source\ActiveX Reg Fix\Package
    • Do you want to specify catalog folder (Y/N)?n

Now you have created the IntuneWin package ActiveXFix.intunewin (the tool names the output after the setup file), and it’s ready to deploy the registry fix using the Intune application deployment method.
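The packaging step above can also be run without the interactive prompts, which is handy when you rebuild the package after changing the .reg file. The following PowerShell is an added example, not part of the original post or the Win32 Content Prep Tool’s own documentation; the folder paths are assumptions and should be changed to the folders you created.

```powershell
# Added example (not the post's code): non-interactive packaging with
# IntuneWinAppUtil.exe and a SHA256 record of the output for change control.
# Paths are assumptions; point them at the folders created in the post.
$Root   = 'C:\Intune Source\ActiveX Reg Fix'
$Tool   = Join-Path $Root 'IntuneWinAppUtil.exe'
$Source = Join-Path $Root 'Source'
$Out    = Join-Path $Root 'Package'

# Refuse to package if either of the two files the post creates is missing.
foreach ($f in 'ActiveXFix.reg', 'ActiveXFix.cmd') {
    if (-not (Test-Path (Join-Path $Source $f))) { throw "Missing $f in $Source" }
}

# -c source folder, -s setup file, -o output folder, -q quiet (no prompts).
& $Tool -c $Source -s 'ActiveXFix.cmd' -o $Out -q
if ($LASTEXITCODE -ne 0) { throw "IntuneWinAppUtil failed with exit code $LASTEXITCODE" }

# The output is named after the setup file: ActiveXFix.intunewin.
$Package = Join-Path $Out 'ActiveXFix.intunewin'
if (-not (Test-Path $Package)) { throw "Expected package not found: $Package" }
Get-FileHash -Path $Package -Algorithm SHA256 | Format-List Path, Hash
```

Keep the hash with your change record; when you later upload a rebuilt package you can confirm which version reached the tenant.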


Create Intune Win32 app for Registry Fix

You can now head to the MEM admin center portal to create the Intune Win32 application that deploys the registry fix. Keep the ActiveXFix.cmd file name and the detection file path handy while creating the application.

  • Login to endpoint.microsoft.com portal.
  • Navigate to All Apps > Windows -> Click on +Add button to create Win32 app.

You now need to select the app type that you want to deploy. Select the Intune app type called Windows app (Win32) and then click on the Select button to start the app creation process.


You can now upload the IntuneWin package ActiveXFix.intunewin that you created in the section above via the Select app package file link.

You can click on OK button to continue.


You can now enter the name of the application and other details on the App information page. Proceed to the Program page to enter the install and uninstall command details.

  • Install Command = ActiveXFix.cmd
  • Uninstall Command = ActiveXFix.cmd
  • Install behavior = System (the fix writes to HKLM, which needs elevation; the logged-on user does not have to be an administrator)
  • Click on the NEXT button to continue.

NOTE! – The uninstall command above is a placeholder I used for lab testing, and it simply re-applies the fix. For production, supply a real uninstall: for example a second .reg file that removes the two values under each zone key (a line such as "1001"=- deletes a value in .reg syntax), imported by a separate batch file that also deletes the Ver1.0.txt detection file.


On the Requirements page, select the OS architecture and the minimum OS, then click the Next button to continue.

  • Operating System Architecture = 64-bit
  • Minimum Operating System – Windows 10 1909

Next, on the Detection rules page, set Rules format to Manually configure detection rules to build the detection logic for this application deployment.

Now you need to fill in the detection rule for this application:

  • Rule Type -> File
  • Path -> C:\Windows\Temp\ActiveXFix
  • File or folder -> Ver1.0.txt
  • Detection Method -> File or folder exists
  • Associated with a 32-bit app on 64-bit clients -> No
  • Click OK and NEXT to continue.

Two caveats on this rule. First, it detects the marker file, not the registry values, so a device reports as installed even if the import failed. Second, C:\Windows\Temp is a cleanup target, and if the marker file is removed later the app is re-detected as missing and reinstalled. A Registry rule is a better fit for a registry fix: Rule type Registry, Key path HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3, Value name 1004, Detection method Integer comparison, Operator Equals, Value 3, with Associated with a 32-bit app on 64-bit clients set to No so Intune reads the 64-bit view.

You can move on through the Dependencies, Supersedence and Scope tags pages; none of them is mandatory for this registry fix Win32 application. On the Assignments page, assign the application as Required to an Azure AD device group.

You can look into Intune Management Extension Deep Dive – Win32 App Deployment Troubleshooting Help Guide to get more details on how to troubleshoot if the registry fix via Win32 App deployment is not working for you.


29 thoughts on “Deploy Registry Fix using Intune Win32 App”

  1. In your CMD file you ran: regedit.exe /s ActiveX.reg
    I had to change that to the name of the reg file created: ActiveXFix.reg
    This worked for me after updating: regedit.exe /s ActiveXFix.reg

    Reply
  2. Hey, this is a great Registry Fix using Intune, Thanks!

    I thought as Microsoft don’t make it easy to set a default font for all users in the Outlook desktop app, I could export the correct font from my device and use this method to roll out the registry font settings to the rest of my organisation. I used the [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\MailSettings] registry keys, deployed the changes and got the message to say it was successful but the default font hasn’t changed on the devices. Do you know why it hasn’t worked? Thanks Jason

    Reply
  3. Ah yes that does make sense, thanks for explaining. I did try to use HKLM but there are no Outlook default mail settings in there. I have been looking at PS scripts to achieve this but so far without success, do you know of any articles that would help me achieve this?

    Reply
  4. Hello Anoop

    I have tried your method and I am struggling with getting the batch file to run as local administrator through Intune.

    The logged-in user on the devices does not have admin privilege. Is there any way I can modify/add something to the Intune install command to run the file as admin?

    Install behaviour is also already set to system context.

    thanks

    Reply
  5. Hello “anoopcnair”
    Thank you for this very well constructed article.
    I have a question regarding adding powershell script instead of registry keys. Is it possible to use the same method?
    If so, how can the “cmd” Script be built?

    If my PowerShell script is called “SupTeamsFam.ps1”, would the “cmd” look like this, especially the line Copy “%~dp0*.ps1”?

    MD C:\Windows\Temp\SupTeamsFam
    Copy "%~dp0*.ps1" C:\Windows\Temp\SupTeamsFam /Y
    PUSHD C:\Windows\Temp\SupTeamsFam
    POWERSHELL.EXE -NoProfile -ExecutionPolicy Bypass -File SupTeamsFam.ps1
    @echo 1.0>C:\Windows\Temp\SupTeamsFam\Ver1.0.txt
    Del C:\Windows\Temp\SupTeamsFam\*.ps1

    Thank you again for your help.
    Gaetan

    Reply
  6. I’m a little confused why you would go through the trouble of creating a Win32 app to deploy a registry setting. Seems to me like this can be accomplished in a one-liner with PowerShell (or a four-liner with four registry keys).

    Reply
  7. Thanks Anoop – this worked for me as I need to deploy a setting in HKCU hive, however my one issue is that it flashes a cmd prompt box when it runs – is there any way to hide this so the users don’t see it? I have a global deployment to do and want to avoid SD calls… I have tried Proactive Remediation for HKCU and also Scripts via Intune, both give very low compliance numbers.

    Reply
  8. Has anybody figured out how to deploy a win32app that creates a reg Key and creates a custom value, seems like this doesn’t work because it needs elevated permissions and nothing happens

    Reply
  9. Hello Anoop. I am still getting a hang of device management, but i have this task I am looking for help with. I need to push this registry setting in Intune. How can I achieve that?

    1) $registryPath = "HKEY_CURRENT_USER\SOFTWARE\Classes\Software\Microsoft\Windows\CurrentVersion\Deployment"
    $Name = "OnlineAppQuotaInKB"
    $value = "1048576"

    2) Path: HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection
    Name: AllowSampleCollection
    Type: DWORD
    Hexadecimal value :
    Value = 0 – block sample collection
    Value = 1 – allow sample collection

    I am looking to set value to 1 for all devices in my environment, using Intune.

    Many thanks

    Reply
  10. The guide doesn’t seem to work anymore.

    Prior to uploading, the .cmd works and creates the registry settings.

    After uploading and deployment, the c:\windows\temp folder gets created (so the detection rule shows as successful) but the registry keys are not created.

    I tried in 2 different tenancies because I thought I must be doing something wrong.

    Reply
  11. Thanks for the article. Just be wary that Storage Sense may delete the detection file in C:\Windows\Temp which will trigger on-going re-installs of the win32 app.

    Reply
  12. In reply to Jeremy Finney’s issue, using the batch file provided in the instructions above, the reg is imported and added under WOW6432Node node. Win32 app install scripts are executed in 32-bit context and for that reason the registry key is added under WOW6432Node.

    To import the registry key under the 64-bit registry hive on an x64 OS, use the “reg import” command with the /reg:64 switch, e.g.

    reg.exe import TeamsCheck.reg /reg:64

    Skender

    Reply
    I have the same problem as one other user writing to the registry. The cmd script writes just fine to the registry with the command regedit.exe /s and the reg file, or reg import and the reg file. But when I place this in MEM, it doesn’t create those registry keys. I’m writing to HKEY_CLASSES_ROOT\CLSID by adding a new key and subkeys. The same .reg file writes to the same reg hive but to the \.pdf hive, and that succeeds and that value is there. But not the new key under the \CLSID hive. Is there something specific to consider when writing to that part?

    Those asking to write setting under the current user, I have used Active setup for those. So you actually write to Local machine part but Microsoft Active setup handles the rest.

    Reply
  14. This article isn’t 100% accurate. My registry settings file would get downloaded with the win32 package but would not update the registry using the method outlined in this article. I had to use reg import /reg:64 to get the settings to import.

    reg import C:\someLocation\someRegKey.reg /reg:64

    Reply
  15. Hi Anoop,

    Can below registry be updated/implemented via Intune?

    Set the following registry value:
    HKLM\SOFTWARE\Policies\Adobe\Acrobat Reader\DC\FeatureLockDown\bDisableJavaScript
    To the following REG_DWORD value: 1

    I have this security recommendations for this.

    Reply
  16. Hi All,

    I have followed this guide but sadly a folder is being created in the temp folder that had ver.1.0 and the file contain 1.0. No regkeys created.

    BTW I’m trying to deploy FSlogix configs. any advise? Thanks

    Reply
    I tried this via Intune and it says it’s installed but it hasn’t changed the registry. I tried the script locally as an admin and that worked. Any ideas?

    Reply
  18. @Anoopcnair,

    This is very well constructed method of pushing registry keys through Intune.

    I am not an expert in this, and just started to use Intune only a year ago.

    However, I am trying to repro the same steps of pushing the registry keys for enabling Auto updates for Adobe Acrobat Reader but for some reason it does not work could you please let me know if you have done this in the past and is this going to work?

    Below are the steps I did follow.

    Note: for packaging I do use IntuneWinAppUtil.exe

    Registry file

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Adobe\Adobe ARM\Legacy\Acrobat\{AC76BA86-1033-FF00-7760-BC15014EA700}]
    "Check"=dword:00000001
    "Mode"=dword:00000003

    [HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Policies\Adobe\Adobe Acrobat\DC\FeatureLockDown]
    "bUpdater"=dword:00000001

    [HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Policies\Adobe\Adobe Reader\DC\FeatureLockDown]
    "bUpdater"=dword:00000001

    The Command file.

    md c:\windows\temp\aau
    copy "%~dp0*.reg" c:\windows\temp\aau /y
    pushd c:\windows\temp\aau
    regedit.exe /s adobeau.reg
    @echo 1.0>c:\windows\temp\aau\ver1.0.txt
    del c:\windows\temp\aau\*.reg

    I need to understand how the batch file (cmd) file in my case works as all my files are in OneDrive and how will the registry key values copy/upload to Intune Blob Store when creating a Win32App package.

    Reply
