As an administrator, there are any number of reasons why you might need to push Windows registry keys to users’ devices. For example, I know of at least one organization that uses registry keys to prevent the installation of blacklisted applications. A more common use is enforcing a browser’s security settings through the registry.
One somewhat common method of adding Windows registry keys to an end user device is to create a .REG file. A .REG file is essentially just a file containing one or more registry entries. Opening such a file on a Windows computer causes those registry settings to be ingested and applied. While this technique does indeed work, using .REG files isn’t usually the best option for applying registry settings to end user devices.
One of the biggest problems with using .REG files is the lack of transparency into the file’s purpose. It’s true that a .REG file is really just a text file that has been given a .REG extension. That means that you can open a .REG file using Notepad or any other text editor, and see exactly what registry settings exist within the file. You can see an example of this in Figure 1.
Figure 1: .REG files are really just text files and can be opened in Notepad.
Even so, some settings within the registry can be a bit cryptic. Unless you were the one who created a particular .REG file, it can be difficult to determine what the file’s true purpose is (although there are ways to find out). This is an important consideration since a malicious or poorly constructed .REG file has the potential to do significant damage.
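One way to see what a .REG file will do before importing it, shown here as an added example that is not part of the original article: a small Python parser that lists every key and value operation in the file and decodes dword and hex-encoded string data into readable form. The sample content, the ExampleVendor key names and the function names are constructed for illustration.

```python
import re

# Constructed sample, not from the article. Real .REG files are usually UTF-16 (open with encoding="utf-16").
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\ExampleVendor\Browser]
"HomePage"="https://intranet.example/"
"BlockPopups"=dword:00000001
"CachePath"=hex(2):25,00,54,00,45,00,4d,00,50,00,25,00,\
  00,00
"OldSetting"=-

[-HKEY_CURRENT_USER\Software\ExampleVendor\Legacy]
'''

HEX_TYPES = {"": "REG_BINARY", "1": "REG_SZ", "2": "REG_EXPAND_SZ", "7": "REG_MULTI_SZ"}
VALUE_RE = re.compile(r'(@|"(?:[^"\\]|\\.)*")\s*=\s*(.*)')

def decode(raw):
    """Turn the text right of '=' into (registry type, readable data)."""
    if raw == "-":
        return "DELETE", None
    if raw.startswith('"'):
        return "REG_SZ", re.sub(r"\\(.)", r"\1", raw[1:-1])
    if raw.lower().startswith("dword:"):
        return "REG_DWORD", int(raw[6:], 16)
    m = re.fullmatch(r"hex(?:\((\w+)\))?:(.*)", raw, re.I)
    if not m:
        return "UNKNOWN", raw
    kind = (m.group(1) or "").lower()
    data = bytes(int(b, 16) for b in m.group(2).split(",") if b.strip())
    if kind in ("1", "2", "7"):  # string types are stored as UTF-16LE bytes
        text = data.decode("utf-16-le", "replace").rstrip("\0")
        return HEX_TYPES[kind], text.split("\0") if kind == "7" else text
    return HEX_TYPES.get(kind, f"hex({kind})"), data.hex()

def parse_reg(text):
    """List every operation the file performs as (action, key, name, type, data)."""
    text = re.sub(r"\\\r?\n[ \t]*", "", text)  # join hex continuation lines
    ops, key = [], None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]  # a leading '-' means the whole key is deleted
            ops.append(("delete_key" if key.startswith("-") else "set_key", key.lstrip("-"), None, None, None))
        elif key and not key.startswith("-") and (m := VALUE_RE.match(line)):
            name = "(Default)" if m.group(1) == "@" else re.sub(r"\\(.)", r"\1", m.group(1)[1:-1])
            kind, data = decode(m.group(2))
            ops.append(("delete_value" if kind == "DELETE" else "set_value", key, name, kind, data))
    return ops
```

Printing the result of `parse_reg(SAMPLE)` one tuple per line gives a reviewable summary; deletions and values under unfamiliar keys are the entries to question before the file is imported anywhere.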
Another issue with using .REG files is that they tend to be best suited for one-off situations. For example, an administrator might use a .REG file to add a collection of registry settings to a non-domain joined PC.
A better option for pushing Windows registry keys to end user devices is to do so via Group Policy. Obviously, this technique is only suitable for use on systems that are domain joined.
Pushing Windows Registry Keys Via Group Policy
To get started, the first thing that you will need to do is to make sure that you have the appropriate tools installed. If you are working from a Windows 10 PC, you will need to install the Remote Server Administration Tools. If you are working directly from the server console on a domain controller, then everything that you need is already installed. In any case, go ahead and open the Group Policy Management console.
Once the console opens, navigate through the console tree to Group Policy Management | Forest
Right-click on the Default Domain Policy and choose the Edit command from the shortcut menu.
At this point, Windows will open the group policy for editing. Before you configure Group Policy to push a registry setting, however, you need to stop and consider whether the registry setting should be applied at the user level, the computer level or both.
If you need to apply a registry setting to the users the group policy applies to, navigate through the Group Policy Management Editor to User Configuration \ Preferences \ Windows Settings \ Registry. Now, right-click on the Registry container and choose New | Registry Item from the shortcut menu, as shown in Figure 3. When you do, Windows will display a dialog box that allows you to provide the details for your intended registry modification.
Figure 3: This is where user-level registry settings can be added to Group Policy.
The process for creating computer-level registry settings is nearly identical. For this, you will need to navigate through the console tree to Computer Configuration \ Preferences \ Windows Settings \ Registry. Once again, right-click on the Registry container, and select the New | Registry Item command from the shortcut menu, as shown in Figure 4.
Figure 4: This is where computer-level registry settings can be added to Group Policy.
Finally, enter the details for the registry item that you wish to apply to the Windows computers on your network.