
Registry policy error for HKLM\software\Microsoft key

Open Eirinn75 opened this issue 11 months ago • 3 comments

Hello, I was trying to test the reg policy feature in my environment by implementing the reg policy pictured in the screenshot. When I press save I get the error "The registry key is not supported" - Blocked by root key: Software\Microsoft

I've also tried to move part of the key path to the registry value "Key" field (7th field from the top) in different ways, like keeping only "Software" in the "Reg key" field and the rest in "Key". This doesn't trigger the error, but in any case the config profile, assigned to a device group, fails and returns 0x87D1FDE8 (remediation failed).


Eirinn75 avatar Jan 09 '25 07:01 Eirinn75

Hello,

I've seen it end up in remediation failed state. It still normally adds the reg value. I haven't looked at this in a few years so not sure if Microsoft has changed anything about it. One thing that caused this was that it didn't download the ADMX file after it applied the policy, which prevented it from verifying that the setting was set.

The initial blocked issue is a Windows restriction. Windows does not allow setting values to some registry paths. I thought it was Intune but a guy from Microsoft explained that it is actually a Windows restriction.

Cheers!

Micke-K avatar Jan 09 '25 11:01 Micke-K

Hi, unfortunately the value is not passed.

For reference, these are the two rows in the OMA-URI settings:

Reg ADMX ingestion: OMA-URI ./Device/Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/IntuneManagementReg/Policy/RegPolicy_b5bc0edc-3110-43c0-98b4-a643640160ac

String Value:

<policyDefinitions revision="1.0" schemaVersion="1.0">
  <categories>
    <category name="RegImport_b5bc0edc-3110-43c0-98b4-a643640160ac" />
  </categories>
  <policies>
    <policy name="ValueAllowed" class="Machine" displayName="$(string.ValueAllowed)" explainText="" presentation="$(presentation.ValueAllowed)" key="SOFTWARE\Microsoft\Windows\CurrentVersion" valueName="">
      <parentCategory ref="RegImport_b5bc0edc-3110-43c0-98b4-a643640160ac" />
      <supportedOn ref="windows:SUPPORTED_Windows7" />
      <elements>
        <text valueName="Value" id="Value_Id" key="CapabilityAccessManager\ConsentStore\location" />
      </elements>
    </policy>
  </policies>
</policyDefinitions>

While for the policy itself:

Name: Set ValueAllowed

OMA-URI: ./Device/Vendor/MSFT/Policy/Config/IntuneManagementReg~Policy~RegImport_b5bc0edc-3110-43c0-98b4-a643640160ac/ValueAllowed

String Value:

<enabled />

<data id="Value_Id" value="Allow"/>

eirinn1975 avatar Jan 10 '25 05:01 eirinn1975

For info: the issue might not be related to the tool itself. According to documentation that particular registry key cannot be altered this way: https://learn.microsoft.com/en-us/windows/client-management/win32-and-centennial-app-policy-configuration

eirinn1975 avatar Jan 10 '25 07:01 eirinn1975

Closing this as it is a Microsoft limitation to create OMA-URI policies to some registry paths

Micke-K avatar Sep 14 '25 01:09 Micke-K
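
A pre-check for the restriction discussed in this thread, as an added example (not code from IntuneManagement or from any poster): it parses an ADMX document and reports every `key` attribute that falls under a blocked root, both as written and joined to the policy-level key. `BLOCKED_ROOTS` holds only the root named in the error message above; the function names, the joined-path check and the trimmed sample are assumptions of this example.

```python
import xml.etree.ElementTree as ET

# Root reported as blocked in the thread's error message. The Microsoft page
# linked in the thread lists further roots and exceptions; pass them in.
BLOCKED_ROOTS = (r"Software\Microsoft",)

# Constructed sample, trimmed from the ADMX posted in the thread.
SAMPLE_ADMX = r"""<policyDefinitions revision="1.0" schemaVersion="1.0">
  <policies>
    <policy name="ValueAllowed" class="Machine" key="SOFTWARE\Microsoft\Windows\CurrentVersion" valueName="">
      <elements>
        <text valueName="Value" id="Value_Id" key="CapabilityAccessManager\ConsentStore\location" />
      </elements>
    </policy>
  </policies>
</policyDefinitions>"""


def _segments(path):
    # Registry paths are case-insensitive; compare whole segments only.
    return [p.lower() for p in path.replace("/", "\\").split("\\") if p]


def blocked_root(path, blocked=BLOCKED_ROOTS, exceptions=()):
    """Return the blocked root covering `path`, or None if it is allowed."""
    parts = _segments(path)
    under = lambda root: parts[:len(_segments(root))] == _segments(root)
    if any(under(e) for e in exceptions):
        return None
    return next((b for b in blocked if under(b)), None)


def audit_admx(xml_text, blocked=BLOCKED_ROOTS, exceptions=()):
    """Return (policy name, candidate path, blocked root) for every hit."""
    findings = []
    for pol in ET.fromstring(xml_text).iter():
        if pol.tag.rsplit("}", 1)[-1] != "policy":  # tolerate a namespace
            continue
        base = pol.get("key", "")
        candidates = {base}
        for el in pol.iter():
            if el is not pol and el.get("key"):
                # Assumption: test the element key alone and joined to the
                # policy key, since the thread tried splitting the path.
                candidates.update({el.get("key"), base + "\\" + el.get("key")})
        for path in sorted(candidates):
            root = blocked_root(path, blocked, exceptions)
            if root:
                findings.append((pol.get("name"), path, root))
    return findings
```

Splitting the path so that only "Software" sits in the policy key still yields a finding, because the joined path lands under the same blocked root.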