Automatically populate a devices group based on a registry key on your Intune devices
In this post I will show you a way to populate a device group based on a registry key found on your Intune devices.
Context
You need to add devices that have a specific registry key to a specific Entra ID group.
The solution
The solution consists of two parts:
- One Intune remediation script
- One Azure Automation runbook
The Intune remediation script
The remediation script checks whether a registry value exists and has the expected content.
If it does, the script writes a specific status output and returns exit code 0, as below:
write-output "Status OK"
EXIT 0
This writes Status OK in the Pre-remediation detection output column of the remediation script results.
In the following example, we check the string value UEFICA2023Status under the registry key below:
HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing
If UEFICA2023Status = "Updated", the script writes the output "Status OK".
See below the detection script used for this example:
The Azure Automation runbook
The runbook reads the results of the remediation script.
It gets the devices for which the column preRemediationDetectionScriptOutput has the value "Status OK".
Then it adds those devices to the target Entra ID group.
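The runbook logic described above, written as an added example that is not the post's own Runbook.ps1. It assumes the Microsoft Graph PowerShell SDK v2 modules listed later in the post (Microsoft.Graph.Authentication and Microsoft.Graph.Groups), that the automation account's managed identity holds Graph application permissions to read remediation results and device objects in addition to being a group owner (assumed: DeviceManagementConfiguration.Read.All and Device.Read.All), and uses placeholder GUIDs for the two IDs.

```powershell
# Added example, not the post's Runbook.ps1.
# Assumptions: Graph PowerShell SDK v2; the system-assigned managed identity has
# DeviceManagementConfiguration.Read.All and Device.Read.All (assumed permission
# names) and is an owner of the target group. GUIDs below are placeholders.
param(
    [string]$Target_Group_ID       = '00000000-0000-0000-0000-000000000000',  # placeholder
    [string]$Remediation_Script_ID = '00000000-0000-0000-0000-000000000000',  # placeholder
    [string]$Expected_Output       = 'Status OK'
)

# Authenticate with the automation account's managed identity.
Connect-MgGraph -Identity -NoWelcome

# 1. Page through the run states of the remediation script. $expand=managedDevice
#    returns the Intune device record, which carries the Entra device id.
$uri = "https://graph.microsoft.com/beta/deviceManagement/deviceHealthScripts/$Remediation_Script_ID/deviceRunStates?`$expand=managedDevice"
$matching = @()
do {
    $page = Invoke-MgGraphRequest -Method GET -Uri $uri
    $matching += $page.value | Where-Object {
        ([string]$_.preRemediationDetectionScriptOutput).Trim() -eq $Expected_Output
    }
    $uri = $page.'@odata.nextLink'
} while ($uri)
Write-Output "Devices reporting '$Expected_Output': $($matching.Count)"

# 2. Read current members once, so a scheduled run does not re-add devices.
$current = @{}
Get-MgGroupMember -GroupId $Target_Group_ID -All | ForEach-Object { $current[$_.Id] = $true }

# 3. Resolve each Intune device to its Entra directory object and add it to the group.
foreach ($state in $matching) {
    $aadDeviceId = $state.managedDevice.azureADDeviceId
    $name        = $state.managedDevice.deviceName
    if (-not $aadDeviceId) { Write-Warning "$name has no Entra device id, skipping"; continue }

    # The Entra device object id differs from azureADDeviceId; look it up via deviceId.
    $lookup   = Invoke-MgGraphRequest -Method GET `
        -Uri "https://graph.microsoft.com/v1.0/devices?`$filter=deviceId eq '$aadDeviceId'&`$select=id"
    $objectId = @($lookup.value)[0].id
    if (-not $objectId) { Write-Warning "$name not found in Entra ID, skipping"; continue }

    if ($current.ContainsKey($objectId)) { Write-Output "$name is already a member"; continue }
    New-MgGroupMember -GroupId $Target_Group_ID -DirectoryObjectId $objectId
    Write-Output "Added $name to the group"
}
```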
Get the scripts
Click on the below GitHub picture to get the sources.
You will find:
- Detection.ps1
- Runbook.ps1
Creating the Remediation script
1. Go to Devices
2. Go to Remediations
3. Click on Create script package
4. Type a name
5. Click on Next
6. Browse to Detection.ps1
7. Click on Next
8. Select the group
9. Choose your schedule
10. Click on Apply
11. Click on Next
12. Click on Create
Creating automation account
Purpose: here we create the automation account that will run the runbook script.
1. Go to Azure
2. Go to Automation accounts
3. Click on Create
4. Type a name
5. Choose a Subscription, resource group and region
6. Go to the Advanced tab
7. Select System assigned
8. Click on Create
Adding group owner
Purpose: we want to add members to a target group, so we need rights on this group.
For that, we add the automation account's managed identity as a group owner.
We will proceed as below:
1. Open the Intune portal
2. Go to Groups
3. Go to your group
4. Go to Owner
5. Search your managed identity
6. Select it
Adding module
Purpose: here we add the modules needed to authenticate to Graph and send mail.
Use this part only if you want to send info by mail.
1. Go to your automation account
2. Click on Modules gallery
3. Import the following modules:
- Microsoft.Graph.Authentication
- Microsoft.Graph.Groups
Editing the script
Purpose: here we modify the runbook script to adapt it to our needs regarding the mail notification.
We will proceed as below:
1. Edit the Runbook.ps1 script
2. Modify variables $Target_Group_ID and $Remediation_Script_ID
Creating the Runbook
Purpose: here we create the runbook that runs the KQL query remotely.
1. Click on Create a runbook
2. Type a name
3. In Runbook type, select PowerShell
4. Click on Create
5. Paste the content of Runbook.ps1
6. Click on Save
7. Click on Publish
8. Schedule the runbook as you want