Let’s learn how to deploy a registry fix using an Intune Win32 app. I have already posted a fix for the new remote code execution vulnerability in the MSHTML component using SCCM. It’s time to fix the CVE-2021-40444 issue using the Intune registry fix method.
Microsoft provided a registry file to fix this vulnerability with the Office application. There are other methods to fix the vulnerability as well, such as Group Policy. Use the option best suited for your organization. In this post, I’m going to cover the Intune method for Azure AD joined Windows 10 PCs.
IntuneWin app installation is handled by a new agent called the Intune Management Extension. This client agent was created by the Intune team specifically for IntuneWin application deployments. You can also use a remediation script to deploy registry fixes using Intune; I will cover that in a different post. I think the Intune remediation script method is much better if you have the appropriate licenses.
Create IntuneWin Package to Deploy Registry Fix
You need to create two files to deploy the registry fix using Intune. The first file is the registry file itself. Paste the following registry information into Notepad and save it as ActiveXFix.reg.
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]
"1001"=dword:00000003
"1004"=dword:00000003
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1]
"1001"=dword:00000003
"1004"=dword:00000003
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2]
"1001"=dword:00000003
"1004"=dword:00000003
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1001"=dword:00000003
"1004"=dword:00000003
Now it’s time to create a batch file that applies this registry fix on the Azure AD joined Windows 10 devices. It’s just a simple batch file that imports the ActiveXFix.reg file. Paste the following lines into Notepad and save the file as ActiveXFix.cmd.
MD C:\Windows\Temp\ActiveXFix
Copy "%~dp0*.reg" C:\Windows\Temp\ActiveXFix /Y
PUSHD C:\Windows\Temp\ActiveXFix
regedit.exe /s ActiveXfix.reg
@echo 1.0>C:\Windows\Temp\ActiveXFix\Ver1.0.txt
Del C:\Windows\Temp\ActiveXFix\*.reg
Download IntuneWinAppUtil.exe to convert the files created above into an IntuneWin package. This package is what deploys the registry fix to Windows 10 or 11 Azure AD joined PCs using Intune. Before proceeding further, create a folder structure to store the source files and the package files.
- Create a folder called Intune Source\ActiveX Reg Fix\Source.
- Create a folder called Intune Source\ActiveX Reg Fix\Package.
- Paste the ActiveXFix.reg and ActiveXFix.cmd files into the Source folder.
Now you need to create the IntuneWin package using the IntuneWinAppUtil.exe tool. Copy the tool into the “Intune Source” folder that you created above.
- Run IntuneWinAppUtil.exe from a Command Prompt.
- Enter the SOURCE path where you stored the .reg and .cmd files when prompted, then answer the remaining prompts as shown:
- Please specify the source folder: C:\Users\digit\OneDrive\Work\Intune Source\ActiveX Reg Fix\Source
- Please specify the setup file: ActiveXFix.cmd
- Please specify the output folder: C:\Users\digit\OneDrive\Work\Intune Source\ActiveX Reg Fix\Package
- Do you want to specify catalog folder (Y/N)? N
Now you have created the IntuneWin package “ActiveXFix.intunewin”, and it’s ready to deploy the registry fix using the Intune application deployment method.
Create Intune Win32 app for Registry Fix
You can now head to the MEM admin center portal to create the Intune Win32 application that deploys the registry fix. It helps to keep the ActiveXFix.cmd file details handy while creating the application.
- Log in to the endpoint.microsoft.com portal.
- Navigate to All Apps > Windows and click the +Add button to create a Win32 app.
You now need to select the app type that you want to deploy. Select the Intune app type called Windows app (Win32) and then click on the Select button to start the app creation process.
You can now upload the IntuneWin package “ActiveXFix.intunewin” that you created in the section above using the Select app package file link.
You can click on OK button to continue.
You can now enter the name of the application and other details from the Application information page. Proceed to the Program page to enter the install command and uninstall command details.
- Install Command = ActiveXFix.cmd
- Uninstall Command = ActiveXFix.cmd
- Click on the NEXT button to continue.
NOTE! – The uninstall command above simply reruns the install script; it is a placeholder used only for my lab testing. The recommendation is to use a proper uninstall command. This is just an example of deploying a registry fix using Intune, for testing purposes only.
On the Requirements page, select the operating system architecture and the minimum operating system, then click the Next button to continue.
- Operating System Architecture = 64-bit
- Minimum Operating System = Windows 10 1909
On the Detection rules page, under Rules format, select Manually configure detection rules (described in the portal as configuring app-specific rules used to detect the app’s presence) to build the detection logic for this application deployment.
Now fill in the detection rule for this application:
- Rule Type = File
- Path = C:\Windows\Temp\ActiveXFix
- File or folder = Ver1.0.txt
- Detection Method = File or folder exists
- Associated with a 32-bit app on 64-bit clients = No
- Click OK and then NEXT to continue.
You can skip through the Dependencies, Supersedence, and Scope tags pages; they are not mandatory for this registry fix Win32 application. On the Assignments page, assign the application to an Azure AD device group.
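The file-based rule above only proves that the batch file ran, not that the registry values landed. As an added example that is not part of the original post, the following PowerShell custom detection script (usable with the “Use a custom detection script” rules format instead of the file rule) checks the eight values that ActiveXFix.reg sets, reading the 64-bit registry view explicitly so a 32-bit host process is never redirected to WOW6432Node. Intune treats exit code 0 with text on STDOUT as “detected”; anything else is “not detected”.

```powershell
# Added example, not from the original post: verify the CVE-2021-40444 workaround
# values written by ActiveXFix.reg rather than relying on the Ver1.0.txt marker file.
$basePath = 'SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$zones    = 0..3            # 0 = Local Machine, 1 = Local Intranet, 2 = Trusted Sites, 3 = Internet
$values   = '1001', '1004'  # 1001 = download signed ActiveX controls, 1004 = download unsigned
$expected = 3               # 3 = Disable

# Open the 64-bit view of HKLM explicitly. When the installer ran from a 32-bit
# process the keys can end up under WOW6432Node, so check the view Internet Explorer
# and Office actually read.
$hklm = [Microsoft.Win32.RegistryKey]::OpenBaseKey(
    [Microsoft.Win32.RegistryHive]::LocalMachine,
    [Microsoft.Win32.RegistryView]::Registry64)

$missing = @()
foreach ($zone in $zones) {
    $key = $hklm.OpenSubKey("$basePath\$zone")
    foreach ($name in $values) {
        # GetValue returns $null when the key or value is absent; $null -ne 3 is $true.
        $actual = if ($key) { $key.GetValue($name, $null) } else { $null }
        if ($actual -ne $expected) {
            $missing += "Zones\$zone\$name=$actual"
        }
    }
    if ($key) { $key.Close() }
}
$hklm.Close()

if ($missing.Count -eq 0) {
    # Detected: non-empty STDOUT and exit 0.
    Write-Output 'CVE-2021-40444 ActiveX mitigation present in zones 0-3'
    exit 0
}

# Not detected: keep STDOUT empty, report the gaps on STDERR for the IME log, exit 1.
Write-Error ('Mitigation missing or wrong: ' + ($missing -join ', '))
exit 1
```

Because the script reports which zone/value pairs are wrong, a failed detection in the Intune Management Extension log tells you whether the import was redirected, partially applied, or never ran.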
You can look into Intune Management Extension Deep Dive – Win32 App Deployment Troubleshooting Help Guide to get more details on how to troubleshoot if the registry fix via Win32 App deployment is not working for you.
Excellent guide… worked first time. Thanks!
This creates a .reg file, but I don't see where it gets implemented.
I see the CMD file getting loaded but not the REG.
In your CMD file you ran: regedit.exe /s ActiveX.reg
I had to change that to the name of the reg file created: ActiveXFix.reg
This worked for me after updating: regedit.exe /s ActiveXFix.reg
Hey, this is a great Registry Fix using Intune, Thanks!
I thought as Microsoft don’t make it easy to set a default font for all users in the Outlook desktop app, I could export the correct font from my device and use this method to roll out the registry font settings to the rest of my organisation. I used the [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\MailSettings] registry keys, deployed the changes and got the message to say it was successful but the default font hasn’t changed on the devices. Do you know why it hasn’t worked? Thanks Jason
I think this could be because of HKCU instead of HKLM. All these WIN32 apps run from system context and that might create some weird issues … there could be some PS script that can help you here to run from the user context …
Thanks Anoop, do you know what PS script I would need to run to make this work?
I’m not good at PS script so no clue about this. But I have seen folks using PS https://superuser.com/questions/1455093/how-to-run-powershell-script-as-current-user-from-elevated-context
I’m not sure though whether this will fix the issue… sorry…
Ah yes that does make sense, thanks for explaining. I did try to use HKLM but there are no Outlook default mail settings in there. I have been looking at PS scripts to achieve this but so far without success, do you know of any articles that would help me achieve this?
Hello Anoop
I have tried your method and I am struggling with getting the batch file to run as local administrator through Intune.
The logged-in user on the devices does not have admin privileges. Is there any way I can modify/add something to the Intune install command to run the file as admin?
Install behaviour is also already set to system context.
thanks
Hello “anoopcnair”
Thank you for this very well constructed article.
I have a question regarding adding powershell script instead of registry keys. Is it possible to use the same method?
If so, how can the “cmd” Script be built?
If my PowerShell script is called “SupTeamsFam.ps1”, would the “cmd” look like this, especially the line Copy "%~dp0*.ps1"?
MD C:\Windows\Temp\SupTeamsFam
Copy "%~dp0*.ps1" C:\Windows\Temp\SupTeamsFam /Y
PUSHD C:\Windows\Temp\SupTeamsFam
POWERSHELL.EXE -ExecutionPolicy Bypass -File SupTeamsFam.ps1
@echo 1.0>C:\Windows\Temp\SupTeamsFam\Ver1.0.txt
Del C:\Windows\Temp\SupTeamsFam\*.ps1
Thank you again for your help.
Gaetan
I’m a little confused why you would go through the trouble of creating a Win32 app to deploy a registry setting. Seems to me like this can be accomplished in a one-liner with PowerShell (or a four-liner with four registry keys).
Did you know the pain with normal PowerShell script deployment 🙂 Or do you already use proactive remediation? Do you have an additional license to use it?
https://www.anoopcnair.com/intune-proactive-remediation-scripts-powershell/
Thanks Anoop – this worked for me as I need to deploy a setting in HKCU hive, however my one issue is that it flashes a cmd prompt box when it runs – is there any way to hide this so the users don’t see it? I have a global deployment to do and want to avoid SD calls… I have tried Proactive Remediation for HKCU and also Scripts via Intune, both give very low compliance numbers.
/s should that normally
You can try any of the following as well.
reg import example.reg
reg /q example.reg
Has anybody figured out how to deploy a win32app that creates a reg Key and creates a custom value, seems like this doesn’t work because it needs elevated permissions and nothing happens
Hello Anoop. I am still getting a hang of device management, but i have this task I am looking for help with. I need to push this registry setting in Intune. How can I achieve that?
1) $registryPath = "HKEY_CURRENT_USER\SOFTWARE\Classes\Software\Microsoft\Windows\CurrentVersion\Deployment"
$Name = "OnlineAppQuotaInKB"
$value = "1048576"
2) Path: HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection
Name: AllowSampleCollection
Type: DWORD
Hexadecimal value :
Value = 0 – block sample collection
Value = 1 – allow sample collection
I am looking to set value to 1 for all devices in my environment, using Intune.
Many thanks
thanks for the install script! any chance to get the uninstall cmd as well?
The guide doesn’t seem to work anymore.
Prior to uploading, the .cmd works and creates the registry settings.
After uploading and deployment, the c:\windows\temp folder gets created (so the detection rule shows as successful) but the registry keys are not created.
I tried in 2 different tenancies because I thought I must be doing something wrong.
Well, you need to check the Intune logs as mentioned in the blog post and let us know what errors you see there.
Thanks for the article. Just be wary that Storage Sense may delete the detection file in C:\Windows\Temp which will trigger on-going re-installs of the win32 app.
In reply to Jeremy Finney’s issue, using the batch file provided in the instructions above, the reg is imported and added under WOW6432Node node. Win32 app install scripts are executed in 32-bit context and for that reason the registry key is added under WOW6432Node.
To import the registry key under the 64-bit registry hive on an x64 OS, use the “reg import” command with the /reg:64 switch, e.g.
reg.exe import TeamsCheck.reg /reg:64
Skender
I have the same problem as one other user writing to the registry. The cmd script writes just fine to the registry with the command regedit.exe /s and the reg file, or reg import and the reg file. But when I place this in MEM, it doesn’t create those registry keys. I’m writing to HKEY_CLASSES_ROOT\CLSID by adding a new key and subkeys. The same .reg file writes to the same reg hive but to the \.pdf hive, and that succeeds and that value is there. But not the new key under the \CLSID hive. Is there something specific to consider when writing to that part?
Those asking to write setting under the current user, I have used Active setup for those. So you actually write to Local machine part but Microsoft Active setup handles the rest.
This article isn’t 100% accurate. My registry settings file would get downloaded with the win32 package but would not update the registry using the method outlined in this article. I had to use reg import /reg:64 to get the settings to import.
reg import C:\someLocation\someRegKey.reg /reg:64
Hi Anoop,
Can below registry be updated/implemented via Intune?
Set the following registry value:
HKLM\SOFTWARE\Policies\Adobe\Acrobat Reader\DC\FeatureLockDown\bDisableJavaScript
To the following REG_DWORD value: 1
I have this security recommendations for this.
Hi Vinod,
Yes! It can be applied with PowerShell Script/Win32 App method Via Intune. You can also use Proactive remediation for the same.
Hi All,
I have followed this guide, but sadly a folder is being created in the temp folder that has ver1.0 and the file contains 1.0. No reg keys are created.
BTW, I’m trying to deploy FSLogix configs. Any advice? Thanks
I tried this via Intune and it says it's installed, but it hasn't changed the registry. I tried the script locally as an admin and that worked. Any ideas?
@Anoopcnair,
This is very well constructed method of pushing registry keys through Intune.
I am not an expert in this, and just started to use Intune only a year ago.
However, I am trying to reproduce the same steps to push the registry keys for enabling auto updates for Adobe Acrobat Reader, but for some reason it does not work. Could you please let me know if you have done this in the past and whether this is going to work?
Below are the steps I did follow.
Note: for packaging I do use IntuneWinAppUtil.exe
Registry file
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Adobe\Adobe ARM\Legacy\Acrobat\{AC76BA86-1033-FF00-7760-BC15014EA700}]
"Check"=dword:00000001
"Mode"=dword:00000003
[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Policies\Adobe\Adobe Acrobat\DC\FeatureLockDown]
"bUpdater"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Policies\Adobe\Adobe Reader\DC\FeaturedLockDown]
"bUpdater"=dword:00000001
The Command file.
md c:\windows\temp\aau
copy "%~dp0*.reg" c:\windows\temp\aau /y
pushd c:\windows\temp\aau
regedit.exe /s adobeau.reg
@echo 1.0>c:\windows\temp\aau\ver1.0.txt
del c:\windows\temp\aau\*.reg
I need to understand how the batch (cmd) file works in my case, as all my files are in OneDrive, and how the registry key values get copied/uploaded to the Intune blob store when creating a Win32 app package.
Why wasn’t the Registry rule type used for detection?
Thank you. Good tutorial.