
TAMU Device Registry Tags Deployment for Non-Intune and Intune-Managed Windows Devices


Purpose

This SOP outlines the procedure for deploying TAMU-specific registry tags to Windows devices. These tags support asset management and compliance tracking across both Intune-managed and non-Intune-managed endpoints.


Scope

This SOP applies to:

  • Non-Intune-managed Windows devices: Devices manually maintained or managed outside of Microsoft Intune.
  • Intune-managed Windows devices: Devices enrolled in Intune and eligible for Win32 app deployment.

Intent

Ensure consistent application of registry tags that include systemorg and unitcode for every managed endpoint. These values must be customized per distributed IT unit.


Essential Core Knowledge

  • Access to \\auth.tamu.edu\TAMU\ConfigMGR\SourceContent\SoftwareDistribution\TAMU\TAMU Custom\Set-TAMUDeviceRegistryTags.
  • Understanding of PowerShell execution policies.
  • Familiarity with creating Win32 apps in Microsoft Intune.
  • Ability to modify and test detection logic in PowerShell scripts.



Procedure and Guidelines

Part 1: Non-Intune Devices

  1. Access Shared Folder:

    • Navigate to \\auth.tamu.edu\TAMU\ConfigMGR\SourceContent\SoftwareDistribution\TAMU\TAMU Custom\Set-TAMUDeviceRegistryTags.
  2. Copy PowerShell Scripts:

    • Set-RegistryTags.ps1
    • Detect-RegistryTags.ps1
    • Uninstall-RegistryTags.ps1
  3. Customize Detection Script:

    • Open Detect-RegistryTags.ps1.
    • Replace placeholder values with your unit-specific systemorg and unitcode.
      $expectedSystemOrg = "YourCampusCode"   # e.g., TAMU or TAMUG
      $expectedUnitCode = "YourUnitFAMISCode" # FAMIS code for your IT team
    • Optional future enhancement: add a deptcode registry key for the distributed unit's department FAMIS code.
  4. Deploy Script via Scheduled Task or GPO:

    • Use SCCM, Task Scheduler, GPO Startup Script, or other MDM to run Set-RegistryTags.ps1 as SYSTEM.
    • Confirm registry keys are created under:
      HKLM:\SOFTWARE\TAMU\DeviceTags
  5. Validate:

    • Run Detect-RegistryTags.ps1 manually.
    • Exit code 0 confirms correct tagging; exit code 1 indicates mismatch or absence.

Part 2: Intune-Managed Devices

  1. Retrieve the Pre-Packaged .intunewin File:

    • From \\auth.tamu.edu\TAMU\ConfigMGR\SourceContent\SoftwareDistribution\TAMU\TAMU Custom\Set-TAMUDeviceRegistryTags, obtain the Set-RegistryTags.intunewin package.
  2. Create the Win32 App in Intune:

    • In the Intune Admin Center, go to Apps > Windows > Add.
    • Select App type: Windows app (Win32).
    • Upload the Set-RegistryTags.intunewin file.
  3. Configure App Info and Requirements:

    • Provide a clear name and description.
    • Example:
      • Name: TAMU-CLBA - Device Group Registration
      • Description: TAMU-CLBA - Device Group Registration
    • Set minimum OS (e.g., Windows 10 1607).
  4. Specify Install and Uninstall Commands:

    • Paste the following Install Command:
      %windir%\sysnative\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass -File .\Set-RegistryTags.ps1 -SystemOrg TAMU -UnitCode CLBA
    • Paste the following Uninstall Command:
      %windir%\sysnative\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass -File .\Uninstall-RegistryTags.ps1 -SystemOrg TAMU -UnitCode CLBA
    • Important: Replace TAMU and CLBA with your own SystemOrg (e.g., TAMUG) and UnitCode, which should match your Distributed Unit’s IT FAMIS code.
  5. Customize and Upload the Detection Script:

    • Edit Detect-RegistryTags.ps1 with appropriate systemorg and unitcode.
      $expectedSystemOrg = "TAMU"
      $expectedUnitCode = "CLBA"
    • Save and upload this modified script in the Detection Rules section as a custom PowerShell detection script.
    • Reminder: Replace TAMU and CLBA in the detection script to reflect your own organization and unit’s FAMIS code.
  6. Scope Group Assignment:

    • Assign the application to a Policy Scope Group (PSG) that follows the TAMU scope group naming conventions outlined here: Scope Group Naming Guide.

    • This ensures correct device or user targeting and prevents unintended deployment to shared devices.

    • Use Intune > Monitor > App install status to validate installation success.
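A sketch of the detection logic that Parts 1 and 2 rely on, added here as an example; it is not the contents of the shared Detect-RegistryTags.ps1. The value names SystemOrg and UnitCode and the Test-DeviceTags helper are assumptions. On success it also writes a line to STDOUT, because Intune treats a custom detection script as "detected" only when it exits 0 and produces STDOUT output.

```powershell
# Added example: NOT the contents of the shared Detect-RegistryTags.ps1.
# Assumption: tags are string values named 'SystemOrg' and 'UnitCode'.
$expectedSystemOrg = "TAMU"   # replace with your campus code
$expectedUnitCode  = "CLBA"   # replace with your unit's IT FAMIS code

function Test-DeviceTags {   # hypothetical helper; emits one string per problem
    param(
        [hashtable]$Expected,
        [string]$Path = 'HKLM:\SOFTWARE\TAMU\DeviceTags'
    )
    if (-not (Test-Path -LiteralPath $Path)) {
        "key missing: $Path"
        return
    }
    $props = Get-ItemProperty -LiteralPath $Path
    foreach ($name in $Expected.Keys) {
        $prop = $props.PSObject.Properties[$name]
        if ($null -eq $prop) {
            "value missing: $name"
        }
        elseif ("$($prop.Value)".Trim() -ne $Expected[$name]) {
            # -ne ignores case; a stale tag from another unit still fails here
            "mismatch: $name is '$($prop.Value)', expected '$($Expected[$name])'"
        }
    }
}

# A 32-bit process on 64-bit Windows is redirected to WOW6432Node and would
# not see tags written by the 64-bit (sysnative) install command.
if ([Environment]::Is64BitOperatingSystem -and -not [Environment]::Is64BitProcess) {
    Write-Warning "32-bit PowerShell: HKLM:\SOFTWARE is redirected; run as 64-bit."
    exit 1
}

$problems = @(Test-DeviceTags -Expected @{
    SystemOrg = $expectedSystemOrg
    UnitCode  = $expectedUnitCode
})
if ($problems.Count -eq 0) {
    # Intune reports "detected" only for exit code 0 plus text on STDOUT.
    Write-Output "DeviceTags OK: $expectedSystemOrg / $expectedUnitCode"
    exit 0
}
$problems | ForEach-Object { Write-Warning $_ }
exit 1
```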


Additional Notes and References


  • College of Veterinary Medicine updates Detect-RegistryTags.ps1 with:
    $expectedSystemOrg = "TAMU"
    $expectedUnitCode = "CLVM"
  • GPO-based deployment used by IT units managing systems.
  • Intune app using:
    %windir%\sysnative\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass -File .\Set-RegistryTags.ps1 -SystemOrg TAMU -UnitCode CLVM