Arbitrary Policy and general Registry keys via Intune policy

Rackliffe, Justin 0 Reputation points
2024-07-09T14:38:33.05+00:00

So I'm trying to wean folks off using GPO for all problems, and a big use case has been setting registry keys in SOFTWARE\Policies and elsewhere. Importing a GPO feels heavy to me, but I didn't know if there was a way to create a runbook approach for past and future cases.

  • Policy CSP can affect the Policies subkey, but it seems very situational. The URI seems to assume very specific handling, rather than "to edit HKLM\SW\Policies\Key\Value, use the URI ./Vendor/MSFT/Policies/Key/Value and craft your Value following this pattern".
  • Registry CSP seems to have been deprecated, but is there an alternative for arbitrary key/value pairs?
  • Data types in Custom settings don't have a clean mapping to registry data types.
    • "" in a String value seems to be able to trigger different registry results that can handle an array, but how to produce a single REG_MULTI_SZ vs. a key with N REG_SZ values is missing.
    • What does datetime get stored as in the registry, if that type were used?

There are tools like Remediations, GPO Import, and maybe the WMI Bridge that might work, but is there a way to deterministically look at a registry value in HKLM or HKCU and craft an Intune Custom Setting from it? That feels like the lightest and most reliable option from an operations perspective, so I'm trying to see if I am missing something obvious.

1 answer

  1. Crystal-MSFT 51,726 Reputation points Microsoft Vendor
    2024-07-10T02:50:59.41+00:00

    @Rackliffe, Justin, thanks for posting in Q&A. Intune policy uses an OMA-URI to set or change a device setting. When it reaches the client, the CSP reads it and configures the Windows platform accordingly. Typically, it does this by adding, reading, or changing registry values. The OMA-URI itself is provided by Windows; Intune just uses it.

    https://learn.microsoft.com/en-us/troubleshoot/mem/intune/device-configuration/deploy-oma-uris-to-target-csp-via-intune

    Based on my research, a CSP is the interface between configuration settings that are specified in a provisioning document and configuration settings that are on the device. CSPs are similar to Group Policy client-side extensions in that they provide an interface to read, set, modify, or delete configuration settings for a given feature. Typically, these settings map to registry keys, files, or permissions. Some of these settings are configurable, and some are read-only. CSPs and GPOs have very different implementations. Some CSPs do leverage the registry to store their configuration data, e.g., the Policy CSP uses the PolicyManager registry key, and some ultimately also change the registry values associated with the equivalent Group Policy settings. Different CSPs have different implementations. There is no public or comprehensive documentation describing the details of the mapping. For my part, I research by searching the registry for a key value from the OMA-URI I configured to find out which registry key that OMA-URI maps to. You can also contact Windows support to see if they can provide the mapping for you.

    https://learn.microsoft.com/en-us/windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers

    For the data type, it is not a direct mapping. While OMA-URIs bridge the gap between Intune and the registry, handling custom settings often involves nuanced conversions. For datetime, it may be stored as a string or binary value. This depends on the registry key it changes and its underlying design.

    Hope the above information can help.

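The answer's approach of working out the OMA-URI-to-registry mapping empirically, plus the question's point about list values, as an added PowerShell example (not code from the original post or from Microsoft). It assumes an elevated PowerShell session on an Intune-enrolled Windows 10/11 client. The PolicyManager key layout (`current\device\<Area>` with `<Policy>` and `<Policy>_ProviderSet` values) is what is observed on such clients rather than a documented contract, the user-scope layout under `current\<UserSID>` is an assumption, and `Update/DeferQualityUpdatesPeriodInDays` is used only as an illustrative Policy CSP node:

```powershell
# Added example, not code from the original post or from Microsoft.
# Helpers for doing what the answer describes by hand: find where an Intune
# OMA-URI actually lands in the registry by (a) reading the Policy CSP's own
# bookkeeping key and (b) diffing the Policies hives across a sync.
# Assumptions: elevated PowerShell on an Intune-enrolled Windows 10/11 client;
# the key layout below is what is seen on such clients, not a documented contract.

# (a) The Policy CSP records each Config value it has applied under
#     HKLM\SOFTWARE\Microsoft\PolicyManager\current\device\<Area>, with the
#     policy name as the value name. Device scope only here; user-scope
#     policies sit under current\<UserSID> instead (assumption).
function Get-PolicyManagerValue {
    param([Parameter(Mandatory)][string]$OmaUri)

    if ($OmaUri -notmatch '^\./Device/Vendor/MSFT/Policy/Config/([^/]+)/([^/]+)$') {
        throw "Not a device-scope Policy CSP Config URI: $OmaUri"
    }
    $area, $policy = $Matches[1], $Matches[2]
    $key = "HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\$area"
    if (-not (Test-Path -Path $key)) { return $null }

    $item = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    [pscustomobject]@{
        OmaUri  = $OmaUri
        Key     = $key
        Value   = $item.$policy
        # <Policy>_ProviderSet is the flag seen beside each value that a provider (MDM) set
        Applied = [bool]$item."${policy}_ProviderSet"
    }
}

# (b) Snapshot every value under the roots where CSPs usually write, so two
#     snapshots taken around an Intune sync show exactly which key changed.
function Get-RegistrySnapshot {
    param(
        [string[]]$Roots = @(
            'HKLM:\SOFTWARE\Policies',
            'HKLM:\SOFTWARE\Microsoft\PolicyManager\current',
            'HKCU:\SOFTWARE\Policies'
        )
    )
    $snapshot = @{}
    foreach ($root in $Roots) {
        if (-not (Test-Path -Path $root)) { continue }
        $keys = @(Get-Item -Path $root) + @(Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue)
        foreach ($k in $keys) {
            foreach ($name in $k.GetValueNames()) {
                $kind = $k.GetValueKind($name)   # String, DWord, MultiString, Binary, ...
                $data = $k.GetValue($name, $null, 'DoNotExpandEnvironmentNames')
                if ($data -is [array]) { $data = ($data -join '|') }   # MULTI_SZ / BINARY to one string
                $snapshot["$($k.Name)\$name"] = "${kind}:${data}"
            }
        }
    }
    return $snapshot
}

function Compare-RegistrySnapshot {
    param([Parameter(Mandatory)][hashtable]$Before, [Parameter(Mandatory)][hashtable]$After)
    foreach ($path in ($After.Keys | Sort-Object)) {
        if (-not $Before.ContainsKey($path)) {
            [pscustomobject]@{ Change = 'Added';   Path = $path; Now = $After[$path]; Was = $null }
        } elseif ($Before[$path] -ne $After[$path]) {
            [pscustomobject]@{ Change = 'Changed'; Path = $path; Now = $After[$path]; Was = $Before[$path] }
        }
    }
    foreach ($path in ($Before.Keys | Sort-Object)) {
        if (-not $After.ContainsKey($path)) {
            [pscustomobject]@{ Change = 'Removed'; Path = $path; Now = $null; Was = $Before[$path] }
        }
    }
}

# (c) List-valued Policy CSP settings are sent as one string whose elements are
#     separated by U+F000 (the "" the question mentions); this builds that
#     string for an Intune custom setting's String value.
function ConvertTo-PolicyCspList {
    param([Parameter(Mandatory)][string[]]$Items)
    return ($Items -join [char]0xF000)
}

# Usage: snapshot, trigger a sync (Settings > Accounts > Access work or school
# > Info > Sync), snapshot again, and diff the two.
$before = Get-RegistrySnapshot
Read-Host 'Run an Intune sync now, then press Enter'
$after = Get-RegistrySnapshot
Compare-RegistrySnapshot -Before $before -After $after | Format-Table -AutoSize

# Illustrative real Policy CSP node; substitute the URI you deployed.
Get-PolicyManagerValue -OmaUri './Device/Vendor/MSFT/Policy/Config/Update/DeferQualityUpdatesPeriodInDays'
```

The diff output answers the question's "look at a registry value and craft a setting" in reverse: deploy the candidate OMA-URI to one test device, and the `Added`/`Changed` rows show whether it wrote under `SOFTWARE\Policies` (a GPO-equivalent mapping), only under `PolicyManager\current` (CSP bookkeeping with no Policies-key side effect), or both. The `Kind` captured in each snapshot entry also shows what registry type the CSP actually produced, which is the only reliable way to settle the REG_MULTI_SZ-vs-REG_SZ and datetime questions for a given node.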

