Let’s learn how to Deploy Registry Fix using Intune Win32 app. I have already posted a fix for the new remote Code Execution Vulnerability in the MSHTML component using SCCM. It’s time to fix the CVE-2021-40444 issue using Intune registry fix method.
Microsoft provided a registry file to fix this vulnerability with the office application. There are other methods also to fix the vulnerability, like group policy. You can use the best option suited for your organization. But in this post, I’m going to cover Intune method for Azure AD joined Windows 10 PCs.
IntuneWin app installation is handled by a new agent called Intune Management Extension. This client agent is created by Intune team only for IntuneWin application deployments. You can also use a remediation script to deploy registry fixes using Intune. I will cover that later in a different post. I think Intune remediation script method is much better if you have appropriate licenses.
Create IntuneWin Package to Deploy Registry Fix
You need to create two files to deploy registry fix using Intune. The first file is the registry file itself. You will need to paste the following registry information to a notepad and save it as ActiveXFix.reg file.
Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0] "1001"=dword:00000003 "1004"=dword:00000003 [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1] "1001"=dword:00000003 "1004"=dword:00000003 [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2] "1001"=dword:00000003 "1004"=dword:00000003 [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3] "1001"=dword:00000003 "1004"=dword:00000003
Now, it’s time to create a batch file to execute this registry fix on the Windows 10 Azure AD joined devices. It’s just a simple batch file to execute the ActiveXFix.reg file. You can paste the following batch file and save it as ActiveXFix.cmd.
MD C:\Windows\Temp\ActiveXFix Copy "%~dp0*.reg" C:\Windows\Temp\ActiveXFix /Y PUSHD C:\Windows\Temp\ActiveXFix regedit.exe /s ActiveXfix.reg @echo 1.0>C:\Windows\Temp\ActiveXFix\Ver1.0.txt Del C:\Windows\Temp\ActiveXFix\*.reg
Download the IntuneWinAppUtil.exe to covert the files created above into the IntuneWin package. This helps to deploy the registry fix to Windows 10 or 11 Azure AD joined PCs using Intune. Before proceeding further, create a folder structure to store the source files and package files.
- Create a Folder called Intune Source\ActiveX Reg Fix\Source.
- Create a folder called Intune Source\ActiveX Reg Fix\Package.
- Paste ActiveXFix.reg and ActiveXFix.cmd files into the above folder.
Now you need to create an IntuneWin package using the tool called IntuneWinAppUtil.exe. You need to paste the tool into the “Intune Source” folder that you created above.
- Run the IntuneWinAppUtil.exe tool from Command prompt
- Enter SOURCE path where you have stored the .reg and .cmd files.
- Please specify the source folder: C:\Users\digit\OneDrive\Work\Intune Source\ActiveX Reg Fix\Source
- Please specify the setup file: ActiveXFix.cmd
- Please specify the output folder: C:\Users\digit\OneDrive\Work\Intune Source\ActiveX Reg Fix\Package
- Do you want to specify catalog folder (Y/N)?n
Now you have created the IntuneWin package “ActiveXFix.intunewin.intunewin” and it’s ready to deploy registry fix using Intune application deployment method.
Create Intune Win32 app for Registry Fix
You can now head to the MEM admin center portal to create Intune Win32 application to deploy the registry fix. It would help if you kept the ActiveXFix.cmd file information handy while creating the application.
- Login to endpoint.microsoft.com portal.
- Navigate to All Apps > Windows -> Click on +Add button to create Win32 app.
You now need to select the app type that you want to deploy. Select the Intune app type called Windows app (Win32) and then click on the Select button to start the app creation process.
You can now upload the file that you created in the above section IntuneWin package “ActiveXFix.intunewin” from the select app package file hyperlink.
You can click on OK button to continue.
You can now enter the name of the application and other details from the Application information page. Proceed to the Program page to enter the install command and uninstall command details.
- Install Command = ActiveXFix.cmd
- Uninstall Command = ActiveXFix.cmd
- Click on the NEXT button to continue.
NOTE! – The uninstall command is just a fake command just for my lab testing. But the recommendation is to go with the proper uninstall command. This is just an example of deploying a registry fix using Intune. Only for testing purposes.
You can now select the requirement page OS architecture and minimum OS from this page and click on the next button to continue.
- Operating System Architecture = 64-bit
- Minimum Operating System – Windows 10 1909
You can also go over the Detection Rules page and select Configure app specific rules used to detect the app’s presence. Select the option Manually configure detection rules to continue building detection logic for this application deployment.
Now you need to fill the Detection rule for this application:
- Rule Type -> File
- Path -> C:\Windows\Temp\ActiveXFix
- File or folder – Ver1.0.txt
- Detection Method -> File or Folder exists
- Associated with a 32-bit app on 64-bit clients -> NO
- Click OK and NEXT to continue.
You can go over the dependencies and supersedence, scope tags pages to continue. Those pages are not mandatory for this registry to fix Intune win32 application. On the assignment page, you need to assign this application to any Azure AD device group.
You can look into Intune Management Extension Deep Dive – Win32 App Deployment Troubleshooting Help Guide to get more details on how to troubleshoot if the registry fix via Win32 App deployment is not working for you.
Anoop is Microsoft MVP! He is a Solution Architect on enterprise client management with more than 20 years of experience (calculation done in 2021) in IT. He is Blogger, Speaker, and Local User Group HTMD Community leader. His main focus is on Device Management technologies like SCCM 2012, Current Branch, Intune. He writes about technologies like ConfigMgr, Windows 11, Windows 10, Azure AD, Microsoft Intune, Windows 365, AVD, etc.…