Did you configure the script to run in the 64-bit PowerShell Host?
Using Intune powershell scripts fail to add registry values when they should not.
I have a very simple PowerShell script that I set up to add a registry value for a Chrome management token.
Script:
Set-ItemProperty -Path Registry::"HKLM\SOFTWARE\Policies\Google\Chrome" -Name "CloudManagementEnrollmentToken" -Value "********-****-****-****-************" -Force
When I run this script manually on system it works fine.
When Intune runs this on a system without the key already present it generates the following error telling me the path is not there instead of creating the entry:
"error from script =Set-ItemProperty : Cannot find path 'HKLM\SOFTWARE\Policies\Google\Chrome' because it does not exist.
At C:\Program Files (x86)\Microsoft Intune Management Extension\Policies\Scripts\00000000-0000-0000-0000-000000000000_c4c07194-db96-4dfa-aa15-1c705a740608.ps1:2 char:1
+ Set-ItemProperty -Path Registry::"HKLM\SOFTWARE\Policies\Google\Chrom ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (HKLM\SOFTWARE\Policies\Google\Chrome:String) [Set-ItemProperty], ItemNotFoundException
+ FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.SetItemPropertyCommand"
However, on a system that already has this key in place, Intune successfully runs the script:
"cmd line for running powershell is -executionPolicy bypass -file "C:\Program Files (x86)\Microsoft Intune Management Extension\Policies\Scripts\00000000-0000-0000-0000-000000000000_c4c07194-db96-4dfa-aa15-1c705a740608.ps1"
Powershell script is successfully executed."
I have even tried the following scripts to force it to check for the presence and then create the value if it is not present, but they fail when running them manually so I have not attempted to deploy with them.
2nd Script:
$registryPath = "HKLM\SOFTWARE\Policies\Google\Chrome\"
$Name = "CloudManagementEnrollmentToken"
$value = "********-****-****-****-************"
IF(!(Test-Path $registryPath))
{
    New-Item -Path $registryPath -Force | Out-Null
    New-ItemProperty -Path $registryPath -Name $name -Value $value -PropertyType SZ -Force | Out-Null
} ELSE {
    New-ItemProperty -Path $registryPath -Name $name -Value $value -PropertyType SZ -Force | Out-Null
}
3rd Script:
$reg = Get-Itemproperty -Path "HKLM\SOFTWARE\Policies\Google\Chrome" -Name CloudManagementEnrollmentToken
if(-not($reg)){
New-Itemproperty -path "HKLM\SOFTWARE\Policies\Google\Chrome" -name "CloudManagementEnrollmentToken" -value "********-****-****-****-************" -PropertyType "SZ"
} else
{
Set-ItemProperty -path "HKLM\SOFTWARE\Policies\Google\Chrome" -name "CloudManagementEnrollmentToken" -value "********-****-****-****-************e" -PropertyType "SZ"
I am sure my 2nd and 3rd script attempts are just written poorly, but I don't understand why the first script does not work when deploying via Intune.
Any tips or suggestions would be appreciated.
6 answers
-
Jason Sandys 31,406 Reputation points Microsoft Employee Moderator
2021-04-18T02:40:59.943+00:00 -
Dan Flynn 16 Reputation points
2023-02-13T23:09:12.2233333+00:00 Our experience matches what everyone else is doing. We are using a PowerShell script that ingests a JSON list of registry changes using (reg add/reg delete). It works fine in our MDT environment but fails when migrated to Intune. This is an issue with the Intune agent executing in a 32-bit context, so the HKLM\SOFTWARE\ keys are really being set in HKLM\SOFTWARE\WOW6432Node.
We had success executing PowerShell by using "%SystemRoot%\sysnative\WindowsPowerShell\v1.0\powershell.exe -executionpolicy bypass -file registry.ps1".
This forces the use of 64-bit PowerShell.
-
Crystal-MSFT 53,981 Reputation points Microsoft External Staff
2021-04-19T07:21:23.853+00:00 @Scott Thanks for posting in our Q&A. From your description, I noticed that the first script you provided failed to deploy with Intune. If there is any misunderstanding, please feel free to let us know.
For this issue, I have done some tests. First, I ran this script on my test PC, and it generated the same error.
When I created the key 'HKLM\SOFTWARE\Policies\Google\Chrome' manually in Registry Editor and ran the script again, it worked fine.
In this situation, I also tried deploying this PowerShell script with Intune, and it worked as well.
Could you double-check on one affected device whether the registry key 'HKLM\SOFTWARE\Policies\Google\Chrome' exists, and then run the script manually on this affected device to see if it gets any error?
If it gets the error, I think our issue may be that devices with the above registry key deploy successfully, but the devices without it fail with the error.
Hope the above information can help.
-
Bas de Ridder 1 Reputation point
2021-12-10T15:39:45.757+00:00 Same issue here and on a few other scripts.
Now the script runs if you launch PowerShell as administrator; the problem is the users we are pushing out to are not admin. I would expect the script to run as system, but this does not seem to be the case. (We are not running it as current user, and tried pushing to both a user and a machine group.)
-
GonWild 426 Reputation points
2022-07-06T09:33:19.183+00:00 I had a similar problem
This setting fails via Intune powershell scripts:
Set-ItemProperty -Path "HKLM:\SOFTWARE\Dell\UpdateService\Clients\CommandUpdate\Preferences\CFG" -Name "ShowSetupPopup" -Value 0 -Type Dword
From AgentExecutor.log: Set-ItemProperty : Cannot find path "HKLM:\SOFTWARE\Dell\UpdateService\Clients\CommandUpdate\Preferences\CFG" because it does not exist.
Running the line manually (as local admin) works.
Checking 'YES' for "Run script in 64 bit PowerShell Host" when deploying it through Intune, this cmdlet works.
(thanks to @Jason Sandys)
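
An added example, not part of any answer in this thread: a script that handles both failure modes discussed above, relaunching itself in 64-bit PowerShell through the sysnative path when started by a 32-bit host, and creating the key before writing the value, since Set-ItemProperty does not create a missing key. The token value is a placeholder and the output message is an assumption.

```powershell
# Added example, not the original poster's script. Replace the placeholder token.
$KeyPath = 'HKLM:\SOFTWARE\Policies\Google\Chrome'   # HKLM: drive, not a bare "HKLM\..."
$Name    = 'CloudManagementEnrollmentToken'
$Value   = '<enrollment-token-placeholder>'

# A 32-bit process on 64-bit Windows works against the WOW64 registry view.
# The sysnative alias is only visible to 32-bit processes and points at the
# real System32, so it starts the 64-bit powershell.exe.
if ([Environment]::Is64BitOperatingSystem -and -not [Environment]::Is64BitProcess) {
    $ps64 = Join-Path $env:SystemRoot 'sysnative\WindowsPowerShell\v1.0\powershell.exe'
    if (Test-Path -LiteralPath $ps64) {
        & $ps64 -NoProfile -ExecutionPolicy Bypass -File $PSCommandPath
        exit $LASTEXITCODE   # hand the 64-bit run's result back to the caller
    }
}

try {
    # Create the key (and any missing parents) only when it is absent.
    if (-not (Test-Path -LiteralPath $KeyPath)) {
        New-Item -Path $KeyPath -Force -ErrorAction Stop | Out-Null
    }

    # -Force creates the value or overwrites an existing one; the registry
    # type REG_SZ is spelled "String" for -PropertyType.
    New-ItemProperty -LiteralPath $KeyPath -Name $Name -Value $Value `
        -PropertyType String -Force -ErrorAction Stop | Out-Null

    # Read the value back so a silent write to the wrong view is caught here.
    $actual = (Get-ItemProperty -LiteralPath $KeyPath -Name $Name -ErrorAction Stop).$Name
    if ($actual -ne $Value) { throw "Read-back mismatch for $Name" }

    Write-Output "Set $Name under $KeyPath (64-bit process: $([Environment]::Is64BitProcess))"
    exit 0
}
catch {
    Write-Error $_
    exit 1   # non-zero exit code so the failure is visible to the caller
}
```

With "Run script in 64 bit PowerShell Host" set to Yes the relaunch branch is skipped, and the key-creation step still covers devices where the Chrome policy key does not exist yet.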