Creating Custom Registry Value Checks for All Users

 

This custom check enables you to specify a registry value that should apply to all user accounts on a machine. For a machine to be in compliance with the check, all users must have the specified key value. It is considered a "best practice" for this type of check to look at the registry values associated with regular users who have logged on to the machine in the past. Such users have a profile containing the registry keys that appear under the HKEY_CURRENT_USER hive when they are logged in. This type of check looks for those registry keys, but for each user, not just for the current user.

 

Note: Custom Registry Value (HKCU - Via All Users) checks are not currently enforceable. Enforcement may be available in a future release of VMware vCenter Protect - Configuration Management. See Enforcement Overview for more information on enforcement.

  1. To create a new custom Registry Value (HKCU - Via All Users) check from scratch, from the Custom Check Wizard click Create New Custom Check.

The following dialog is displayed:

CustomCheckWizardOS.gif

  2. Select the desired operating system levels and then click Next.

The General Properties dialog is displayed.

CustomCheckHKCU.gif

  3. Type a unique name and a description for the custom check.

  4. In the Type box select Registry Value (HKCU - Via All Users) and then click Next.

The Specific Properties dialog is displayed. For example:

CustomCheckWizardSpecificProperties.gif

  5. Use the available boxes to define the exact registry value for which you want to create a policy check.

The Root box contains only one option: ALL_USERS. This represents all users within the HKEY_USERS hive. The path, name, and type values you specify in the other three boxes must apply to all users defined within the HKEY_USERS hive.

For example, to represent the following registry item for all users ...

RegEditAllUsersAnnotated.gif

 

... you would specify the following values within the dialog:

 

CustomCheckWizardPropertiesPopulatedAllUsers.gif

Hint: For tips on using the Windows Registry Editor program (regedit) to locate these values and easily populate the fields on this dialog, see Using Regedit.

  6. After defining the specific properties of the check, click Test Check.

This test is performed on the console registry and has two purposes. It validates that the check is properly defined by using the information provided to locate the registry value, and it displays the current registry value. If the test is unable to locate the registry value, either the check is not properly defined or the value does not exist on the console (although it may exist on the target systems).

  7. Click Next.

The Operator and Value dialog is displayed.

CustomCheckWizardOperatorValue.gif

  8. Select an operator, type an expected value, and then click Next.

The Operator can be any of the following:

The Expected Value can be any alphanumeric value.

  9. Click Next.

The following dialog is displayed.

CustomCheckWizardFinish.gif

 

  10. (Optional) If you want to export this custom check to an XML file to use it as the starting point for other custom checks, click Export to File.

For more information, see Exporting Custom Checks.

  11. Click Finish.

The custom check is displayed within the policy. For example:

CustomAllUsersCheckinPolicy.gif
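
Because Test Check runs only against the console registry, it can help to see what an all-users evaluation looks like on a target machine. The following PowerShell script is an added example, not code from the product: it walks every regular user profile, reads one value from that user's hive under HKEY_USERS, and reports the machine as compliant only if every user holds the expected value. The sample path, name and expected value, the equality comparison, and the step of temporarily loading NTUSER.DAT for users who are not logged on are assumptions of this example; the page does not describe how the product enumerates users.

```powershell
# Added example. SubKey, Name and Expected are constructed sample inputs.
# Run elevated: loading another user's NTUSER.DAT requires administrator rights.
$SubKey   = 'Control Panel\Desktop'
$Name     = 'ScreenSaverIsSecure'
$Expected = '1'
$profileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'

$results = foreach ($p in Get-ChildItem $profileList) {
    $sid = $p.PSChildName
    # Regular (local or domain) accounts only; skips S-1-5-18/19/20 service profiles.
    if ($sid -notmatch '^S-1-5-21-') { continue }

    $mounted = $false
    if (-not (Test-Path "Registry::HKEY_USERS\$sid")) {
        # Hive not loaded (user is not logged on): mount NTUSER.DAT under the SID.
        $ntuser = Join-Path $p.GetValue('ProfileImagePath') 'NTUSER.DAT'
        & reg.exe load "HKU\$sid" $ntuser *> $null
        $mounted = ($LASTEXITCODE -eq 0)
        if (-not $mounted) {
            [pscustomobject]@{ Sid = $sid; Actual = $null; Status = 'HiveUnavailable' }
            continue
        }
    }

    # Read the value from this user's copy of the HKEY_CURRENT_USER tree.
    $key    = "Registry::HKEY_USERS\$sid\$SubKey"
    $item   = Get-ItemProperty -Path $key -Name $Name -ErrorAction SilentlyContinue
    $actual = $null
    $status = 'ValueMissing'
    if ($item) {
        $actual = [string]$item.$Name
        $status = if ($actual -eq $Expected) { 'Compliant' } else { 'NonCompliant' }
    }
    [pscustomobject]@{ Sid = $sid; Actual = $actual; Status = $status }

    if ($mounted) {
        # Release provider handles first, otherwise reg.exe unload is denied.
        $item = $null
        [gc]::Collect(); [gc]::WaitForPendingFinalizers()
        & reg.exe unload "HKU\$sid" *> $null
    }
}

$results | Format-Table -AutoSize
# The machine passes only if every profile holds the expected value.
$machineCompliant = @($results | Where-Object Status -ne 'Compliant').Count -eq 0
"Machine compliant: $machineCompliant"
```

A profile reported as HiveUnavailable or ValueMissing counts against the machine here, which matches the rule that all users must have the specified value.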