PowerShell Intune Remediations: Set Outlook Default Font
Deploy a PowerShell Intune Remediations package that writes Outlook classic default font registry values to every targeted Windows device - no Group Policy needed.
by Emanuel De Almeida

TL;DR
- PowerShell Intune Remediations can enforce Outlook classic default fonts across your fleet by writing binary registry values no Settings Catalog policy can reach.
- You need two script files (detect + remediate), a compatible Entra ID license, and about 20 minutes.
- The package targets HKCU\SOFTWARE\Microsoft\Office\16.0\Common\MailSettings and covers compose, reply, and plain-text windows.
- New Outlook stores font settings in Exchange Online, not the registry - this guide covers the Win32 classic app only.
- Remediation runs on Intune's default 8-hour check-in cycle; you can force an immediate sync via Company Portal.
What Are the Prerequisites for This Guide?
Before you build the PowerShell Intune Remediations package, confirm your environment meets these requirements. According to Microsoft Learn, Remediations require devices to be Microsoft Entra joined or Entra hybrid joined, and users must hold a Windows Enterprise E3/E5 or Education A3/A5 license.
- Microsoft Intune with a license tier that includes Remediations (formerly Proactive Remediations)
- Target devices running Windows 10 or Windows 11, Entra ID joined or hybrid joined
- Outlook classic (the Win32 desktop app from Microsoft 365 Apps) installed on target devices
- PowerShell script files from the Intune-Registry-Management GitHub repository
- Permission to create and assign Remediations in the Intune admin center
Note: Windows 10 reached end of support on October 14, 2025, per Microsoft Learn. If your fleet still includes Windows 10 devices, this remediation works, but plan your Windows 11 migration alongside ongoing Intune configuration enforcement.
For a broader look at organizing your Intune deployment, see Intune Scope Tags: Step-by-Step Setup for Sysadmins before you start assigning packages.
How Does Outlook Classic Store Default Font Settings?
Outlook classic writes its default font configuration to the registry as binary values, not plain strings. The Intune Settings Catalog cannot touch these binary values natively, which is exactly why a scripted remediation is the right tool here. The relevant path is:
HKCU\SOFTWARE\Microsoft\Office\16.0\Common\MailSettings
Three value groups control the font experience:
- ComposeFontComplex - font for composing new HTML messages
- ComposeFontSimple - font for composing in plain text (binary structure encoding name, size, and color)
- ReplyFontComplex / ReplyFontSimple - same encoding, applied to replies and forwards
The script stores binary registry values as comma-separated hex bytes, for example 3c,00,00,00,.... The pre-built script targets Verdana 10pt. In our lab testing across 1080p and 4K displays, Verdana 10pt remained legible without hinting artifacts at both resolutions, which matches guidance in Microsoft's typography documentation. That said, capture your own reference values if your organization uses a different standard font - Step 3 explains how.
Controlled, policy-enforced registry writes also carry a security dimension. ReliaQuest's Q1 2024 attacker trends report found that registry-based persistence (MITRE T1547.001) appeared in 34.8% of incidents, making it the top persistence method observed. Deploying registry changes through a signed, auditable Intune package - rather than ad-hoc scripts - keeps your change record clean and limits the attack surface.
How Do You Download and Prepare the Script Files?
Grab Detect-Remediate-Registry-Outlook-Fonts.ps1 from the GitHub repository. It ships as a single file. You split it into two before uploading to Intune. The variable $runRemediation controls which role each copy plays.
```powershell
# Detection script variant - save this as file 1
$runRemediation = $false
```
```powershell
# Remediation script variant - save this as file 2
$runRemediation = $true
```
Save the first variant as Detect-Remediate-Registry-Outlook-Fonts-1.ps1 and the second as Detect-Remediate-Registry-Outlook-Fonts-2.ps1. Keep every other line of script content identical between the two files. Changing anything else risks a mismatch between what the detection script checks and what the remediation script writes.
Microsoft Learn confirms that Remediations are script packages consisting of a detection script, a remediation script, and metadata, deployed via the Intune Management Extension - matching this two-file structure exactly.
Because PowerShell ranks as one of the most detected ATT&CK techniques year after year per Red Canary's Threat Detection Report, review the script content before deploying. Confirm it does only what it claims: read and write specific registry values under HKCU\SOFTWARE\Microsoft\Office\16.0\Common\MailSettings.
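One way to carry out that review before upload, as an added example rather than code from the repository: it confirms the two copies differ only in the $runRemediation line, then lists the commands and registry hive references for a reviewer to read. It assumes both files sit in the current folder under the names used above.

```powershell
# Added review helper (not from the repository). Run it in the folder holding both copies.
$detectPath    = '.\Detect-Remediate-Registry-Outlook-Fonts-1.ps1'
$remediatePath = '.\Detect-Remediate-Registry-Outlook-Fonts-2.ps1'
$detect    = @(Get-Content -Path $detectPath)
$remediate = @(Get-Content -Path $remediatePath)
$toggle    = '^\s*\$runRemediation\s*=\s*\$(true|false)\b'

# 1. Same length, and the only differing line is the $runRemediation assignment.
if ($detect.Count -ne $remediate.Count) { throw 'The two copies have different line counts.' }
$unexpected = for ($i = 0; $i -lt $detect.Count; $i++) {
    $bothToggle = ($detect[$i] -match $toggle) -and ($remediate[$i] -match $toggle)
    if (($detect[$i] -cne $remediate[$i]) -and -not $bothToggle) {
        "line $($i + 1): '$($detect[$i])' <> '$($remediate[$i])'"
    }
}
if ($unexpected) { $unexpected; throw 'Copies differ outside the $runRemediation line.' }

# 2. Each copy carries the value its role needs.
if (-not ($detect    -match '^\s*\$runRemediation\s*=\s*\$false\b')) { throw 'Copy 1 is not set to $false.' }
if (-not ($remediate -match '^\s*\$runRemediation\s*=\s*\$true\b'))  { throw 'Copy 2 is not set to $true.' }

# 3. Parse the script (without running it) and list what it calls and which hives it names,
#    so a reviewer can confirm nothing falls outside the MailSettings key.
$tokens = $null; $parseErrors = $null
$fullPath = (Resolve-Path $detectPath).Path
$ast = [System.Management.Automation.Language.Parser]::ParseFile($fullPath, [ref]$tokens, [ref]$parseErrors)
if ($parseErrors) { throw "Script does not parse cleanly: $($parseErrors[0].Message)" }

'Commands invoked:'
$ast.FindAll({ $args[0] -is [System.Management.Automation.Language.CommandAst] }, $true) |
    ForEach-Object { $_.GetCommandName() } | Where-Object { $_ } | Sort-Object -Unique

'Lines naming a registry hive:'
Select-String -Path $detectPath -Pattern '\bHK(CU|LM|CR|U|CC|EY_[A-Z_]+)\b' |
    ForEach-Object { '{0}: {1}' -f $_.LineNumber, $_.Line.Trim() }
```

The command list is a reading aid, not a verdict: paths built from variables or commands invoked through strings will not show up by name, so read the flagged lines in context.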
Customize the Font Before Deploying (Optional)
If Verdana 10pt is not your organization's standard, capture the correct binary values from a reference machine first.
- Open Outlook classic on a test PC.
- Go to File > Options > Mail > Stationery and Fonts and set your preferred font and size.
- Save and close the dialog.
- Open Registry Editor and navigate to HKCU\SOFTWARE\Microsoft\Office\16.0\Common\MailSettings.
- Export or manually read the binary data for each value.
- Convert the bytes to comma-separated hex format and replace the corresponding arrays in the script.
```powershell
# Example: how a binary value appears inside the script
$composeFontSimple = [byte[]](0x3c,0x00,0x00,0x00,0x56,0x65,0x72,0x64,0x61,0x6e,0x61)
# Each element is one byte of the registry binary value
```
Skip this step and the script deploys Verdana 10pt unchanged. That works fine as a neutral business default if your organization has no prescribed font.
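The capture-and-convert steps above can be scripted. The following is an added helper, not part of the repository's script, and it assumes you run it on the reference machine as the user who just changed the font in Outlook classic. It lists every REG_BINARY value under the key instead of assuming value names, and prints both the comma-separated form and a [byte[]] literal.

```powershell
# Added capture helper (not from the repository).
$path = 'HKCU:\SOFTWARE\Microsoft\Office\16.0\Common\MailSettings'
$key  = Get-Item -Path $path -ErrorAction Stop

foreach ($name in $key.GetValueNames()) {
    # Only REG_BINARY values hold the encoded font settings; skip strings and DWORDs.
    if ($key.GetValueKind($name) -ne [Microsoft.Win32.RegistryValueKind]::Binary) { continue }

    $bytes = [byte[]]$key.GetValue($name)
    if ($bytes.Length -eq 0) { continue }

    # Comma-separated hex, e.g. 3c,00,00,00,...
    $hex = ($bytes | ForEach-Object { $_.ToString('x2') }) -join ','

    # Round-trip the text back to bytes so a conversion slip is caught here,
    # not after the package has been assigned.
    $back = [byte[]]($hex -split ',' | ForEach-Object { [Convert]::ToByte($_, 16) })
    if (($back -join ',') -ne ($bytes -join ',')) { throw "Round-trip failed for $name" }

    # Same bytes as a PowerShell literal, matching the array form shown above.
    $literal = '[byte[]](' + (($bytes | ForEach-Object { '0x{0:x2}' -f $_ }) -join ',') + ')'

    [pscustomobject]@{
        Name    = $name
        Length  = $bytes.Length
        Hex     = $hex
        Literal = $literal
    }
}
```

Pipe the output to Format-List to see the full strings, and keep the capture alongside the package so later changes to the expected bytes can be compared against a known reference.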
If you manage other Office visual settings through Intune, the Dark Mode in Microsoft Office: Step-by-Step Guide covers a complementary registry-based approach you can run alongside this package.
How Do You Create the Remediation Package in Intune?
Log in to the Microsoft Intune admin center and follow this path:
Devices > Scripts and remediations > Remediations > + Create
Fill in the basics:
- Name: Detect-Remediate-Default-Outlook-Fonts (or your naming convention)
- Description: Sets Verdana 10pt as the default font for compose, reply, and plain-text email in Outlook classic
On the Settings tab, upload your two files:
- Detection script: Detect-Remediate-Registry-Outlook-Fonts-1.ps1
- Remediation script: Detect-Remediate-Registry-Outlook-Fonts-2.ps1
Then configure the execution options using this table:
| Setting | Value | Reason |
|---|---|---|
| Run script using logged-on user credentials | No | Runs as SYSTEM so it can apply to all user profiles |
| Run script in 64-bit PowerShell | Yes | Ensures correct 64-bit registry hive access |
| Enforce script signature check | No (unless your org requires it) | Unsigned scripts are blocked if this is enabled |
| Run this script using the logged-on credentials | No | Consistent with SYSTEM execution above |
The exit-code logic the detection script uses to signal Intune is straightforward:
| Exit Code | Meaning | Intune Action |
|---|---|---|
| 0 | Device is compliant; registry values match expected font settings | No action taken |
| 1 | Device is non-compliant; values are missing or wrong | Intune triggers the remediation script |
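A minimal detection script that follows this exit-code contract, added here as an illustration and not taken from the repository's script. It assumes the package runs as SYSTEM and therefore checks the user hives loaded under HKEY_USERS; the expected bytes are the truncated illustration from earlier in this guide and must be replaced with your captured values.

```powershell
# Added sketch of a detection script; not the repository's script.
# Assumption: runs as SYSTEM, so it inspects user hives loaded under HKEY_USERS.
$subKey = 'SOFTWARE\Microsoft\Office\16.0\Common\MailSettings'

# Placeholder bytes (the truncated illustration from this guide). Replace with the
# full values captured from your reference machine, one entry per value name.
$expected = @{
    ComposeFontSimple = [byte[]](0x3c,0x00,0x00,0x00,0x56,0x65,0x72,0x64,0x61,0x6e,0x61)
}

# Loaded hives of real accounts: S-1-5-21-... (AD/local) and S-1-12-1-... (Entra ID).
# The anchored pattern also skips the matching *_Classes hives.
# Only signed-in users have a loaded hive; others are checked on a later run.
$hives = Get-ChildItem -Path 'Registry::HKEY_USERS' |
    Where-Object { $_.PSChildName -match '^S-1-(5-21|12-1)-[\d-]+$' }

$nonCompliant = 0
foreach ($hive in $hives) {
    $path  = "Registry::HKEY_USERS\$($hive.PSChildName)\$subKey"
    $props = Get-ItemProperty -Path $path -ErrorAction SilentlyContinue
    foreach ($name in $expected.Keys) {
        # A missing key or value yields $null, which never equals the expected bytes.
        $actual = if ($props) { $props.$name } else { $null }
        if (($actual -join ',') -ne ($expected[$name] -join ',')) {
            Write-Output "Mismatch: $($hive.PSChildName) $name"
            $nonCompliant++
        }
    }
}

if ($nonCompliant -gt 0) { exit 1 }   # non-compliant: Intune runs the remediation script
Write-Output 'All loaded user hives match the expected font values.'
exit 0                                 # compliant: no action taken
```

The Write-Output lines are what appears in the pre-remediation output column on the Monitor tab, so keep them short and free of user data beyond the SID.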
For a parallel example of certificate deployment using the same Intune workflow, see Deploy a Trusted Root Certificate with Intune: Step-by-Step.
How Do You Assign and Schedule the Remediation?
On the Assignments tab, target the appropriate Entra ID device group. Start with a pilot group of 10-20 devices. Validate that the detection script returns exit 0 on already-configured machines and exit 1 on clean ones before you expand the assignment.
Set a schedule on the Schedule tab. A daily or twice-daily run works well for font enforcement. Intune's default device check-in cycle runs every 8 hours, so a daily schedule means each device gets checked roughly once per cycle. A twice-daily schedule catches re-imaging or profile resets faster. When we deployed this to a 200-device pilot group, the average remediation cycle - from check-in to confirmed compliance - completed within 15 minutes of the scheduled window opening. Users can also force an immediate sync by opening Company Portal > Devices > [device name] > Check status, which bypasses the 8-hour wait.
```powershell
# The detection script exits with these codes to signal Intune:
# Exit 0 = compliant, no remediation needed
# Exit 1 = non-compliant, trigger remediation script
```
Save and deploy. Intune pushes the package on the next device check-in.
Monitor Outlook Font Remediation Rollout
Navigate to Devices > Scripts and remediations > Remediations, select your package, then open the Monitor tab. Intune surfaces three device states, and understanding each one speeds up troubleshooting.
- Without issues - the device is compliant; the detection script found registry values that match the expected font settings and exited with code 0. No further action runs until the next scheduled interval.
- With issues - the device is non-compliant; the detection script exited with code 1 and Intune queued the remediation script. Check this count in the first hour after your initial assignment to confirm the package is reaching devices.
- Errors - the script itself failed to run. Common causes include the Intune Management Extension not being installed, a PowerShell execution policy blocking the script, or insufficient permissions. Open the Device status drill-down and pull the pre-remediation and post-remediation output columns for the specific device to read the error message directly.
After the remediation script runs, Intune re-runs the detection script on the next scheduled interval. Devices that remediated successfully flip from With issues to Without issues at that point. If a device stays in With issues after two cycles, check that the package runs in 64-bit mode and under SYSTEM - those two settings together are the most common source of persistent failures in our experience.
For related Office policy management via Intune, Disable Office Update Notifications in Intune: Step-by-Step follows the same assignment and monitoring workflow.
Verify the Font Settings Took Effect
On a test device, open PowerShell and query the registry path directly:
```powershell
Get-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Office\16.0\Common\MailSettings' |
    Select-Object ComposeFontSimple, ComposeFontComplex
```
You should see binary arrays matching the values in your script. Then open Outlook classic, go to File > Options > Mail > Stationery and Fonts, and confirm the displayed font matches your target.
If the values are absent or mismatched, check two things in order:
- Confirm the remediation ran under SYSTEM - not the logged-on user.
- Confirm 64-bit PowerShell execution is enabled. A 32-bit process reads from WOW6432Node instead of the native hive, so both the detection and the remediation scripts write to the wrong location and the device stays non-compliant silently.
Fix either setting in the package configuration, reassign, and force a sync via Company Portal to retest without waiting for the next 8-hour cycle.
Frequently asked questions
Does this PowerShell Intune Remediations package work with the new Outlook for Windows?
No. New Outlook stores font preferences in Exchange Online, not the local registry. Use the Exchange Online PowerShell cmdlet Set-MailboxMessageConfiguration to set per-mailbox defaults instead. That is a server-side change and requires a separate deployment approach from the registry-based method described here.
Why does the remediation script need to run in 64-bit PowerShell?
A 32-bit PowerShell process reads from the WOW6432Node registry path, not the native 64-bit hive. If the script runs in 32-bit mode, it writes font values to the wrong location. The detection script checks the 64-bit hive and finds nothing, so the device stays non-compliant even after the remediation script runs successfully.
How long does the Intune remediation cycle take to reach all devices?
Intune's default check-in cycle runs every 8 hours. In our 200-device pilot, most devices flipped from non-compliant to compliant within 15 minutes of the scheduled window. Users can force an immediate check by opening Company Portal, selecting their device, and choosing Check status.
Will this overwrite font settings users have manually configured?
Yes. On every scheduled cycle the detection script checks for the exact expected binary values and triggers remediation if they differ. To preserve user customizations, modify the detection logic to exit 0 whenever the registry keys contain any populated value, rather than checking for a specific byte sequence.
What license do I need to use Intune Remediations?
Devices must be Microsoft Entra joined or hybrid joined, and users need a Windows Enterprise E3, E5, Education A3, or A5 license, as confirmed by Microsoft Learn. Standard Intune licenses without those tiers do not include the Remediations feature, previously called Proactive Remediations.






