Registry Key Check
Automatically adjust Trust Levels and enforce security policies based on whether specific registry keys match their defined values on Windows devices
- Updated on May 21, 2024
- Registry Key Check Overview
- Registry Key Overview
- Matching Value Syntax
- Recommended approach to determining a registry key value
- How to add a registry key to the Registry Key Check Trust Factor
- How to edit or delete a registry key from the Registry Key Check Factor
Registry Key Check Overview
Security policies often require that devices match certain configurations. One method of checking configurations is to evaluate a registry key’s value pairs. Using the Registry Key Check Trust Factor, admins can establish a list of keys with corresponding values required on devices in their organization. This Trust Factor supports Windows devices only.
Registry Key Overview
Adding a registry key to the Registry Key Check Trust Factor requires that admins enter the registry key’s location (i.e., the file path). The registry key path refers to the absolute path. A registry key must contain a key and a value associated with that key.
Matching Value Syntax
Registry Key Value Type | REG Query Response Format |
---|---|
REG_BINARY | String requires all uppercase letters |
REG_DWORD | Hexadecimal starting with 0x (e.g., 0xabcdef0123456789 ) |
REG_QWORD | Hexadecimal starting with 0x (e.g., 0xabcdef0123456789 ) |
REG_EXPAND_SZ | String (no change) |
REG_MULTI_SZ | String \0 separated (e.g., login.live.com\0login.microsoft.com\0login.microsoftonline.com ) |
REG_SZ | String (no change) |
Recommended approach to determining a registry key value
The highlighted inputs below (in orange font) are what admins would enter as values when configuring a registry key for the Registry Key Check Trust Factor.
Obtaining a REG_QWORD
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v InstallTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion
InstallTime REG_QWORD 0x1d8ea1fe663f985
Obtaining a REG_BINARY
reg query "HKLM\SYSTEM\Software\Microsoft\TIP\AggregateResults" /v timestamp
HKEY_LOCAL_MACHINE\SYSTEM\Software\Microsoft\TIP\AggregateResults
timestamp REG_BINARY C0AB006400000000
Obtaining a REG_MULTI_SZ
reg query "HKLM\SOFTWARE\Microsoft\Windows\TenantRestrictions\TenantRestrictionsList" /v Hostnames
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\TenantRestrictions\TenantRestrictionsList
Hostnames REG_MULTI_SZ login.live.com\0login.microsoft.com\0login.microsoftonline.com\0login.windows.net\0login.microsoftonline.us\0login.microsoftonline.de\0login.chinacloudapi.cn
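A pre-flight check for the approach above, as an added example that is not part of the original page or the product: it parses `reg query` output and checks each value against the Matching Value Syntax table before it is entered in the Trust Factor. The function names, the third sample path and the separator heuristic for REG_MULTI_SZ are assumptions made for illustration.

```python
import re

# Constructed sample input: `reg query` output in the layout shown above.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion
    InstallTime    REG_QWORD    0x1d8ea1fe663f985

HKEY_LOCAL_MACHINE\SYSTEM\Software\Microsoft\TIP\AggregateResults
    timestamp    REG_BINARY    C0AB006400000000

HKEY_LOCAL_MACHINE\SOFTWARE\Example\Constructed
    Hostnames    REG_MULTI_SZ    login.live.com\0login.microsoft.com
"""

VALUE_LINE = re.compile(r"^\s*(.+?)\s+(REG_[A-Z_]+)(?:\s+(.*))?$")
HEX_0X = re.compile(r"0x[0-9a-fA-F]+")

def parse_reg_query(text):
    """Return one dict per value line: path, key (the value name), type, value."""
    rows, path = [], None
    for line in text.splitlines():
        line = line.rstrip()
        if line.startswith("HKEY_"):      # a registry key path line
            path = line
            continue
        m = VALUE_LINE.match(line)
        if m and path:
            rows.append({"path": path, "key": m.group(1),
                         "type": m.group(2), "value": m.group(3) or ""})
    return rows

def check_value(reg_type, value):
    """Return problems with a matching value; an empty list means it fits the table."""
    problems = []
    if value != value.strip():
        problems.append("leading or trailing whitespace")
    if reg_type in ("REG_DWORD", "REG_QWORD"):
        if not HEX_0X.fullmatch(value):
            problems.append("expected hexadecimal starting with 0x")
    elif reg_type == "REG_BINARY":
        if value != value.upper():
            problems.append("letters must be uppercase")
    elif reg_type == "REG_MULTI_SZ":
        # Heuristic (assumption): no \0 but another separator suggests a typed list.
        if "\\0" not in value and re.search(r"[,;\n]", value):
            problems.append(r"entries must be separated by \0")
    elif reg_type not in ("REG_SZ", "REG_EXPAND_SZ"):
        problems.append("type not listed in the syntax table")
    return problems
```

Values copied unchanged from `reg query` output pass these checks; the checks are aimed at values that were retyped or converted by hand, such as a decimal DWORD or lowercase binary data.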
How to add a registry key to the Registry Key Check Trust Factor
1. In the Command Center, navigate to Trust > Profiles. Then, select the Registry Key Check Trust Factor on an existing Trust Profile, and select + Add Registry Key.
2. Enter a registry key name.
3. Enter a file path. The file path can be set relative to the root.
4. Enter a key and a corresponding value.
5. Select Save.
How to edit or delete a registry key from the Registry Key Check Factor
1. Navigate to an existing Trust Profile and then to its Trust Factors tab.
2. To delete a selected registry key, locate the Registry Key Check factor, hover over the selected property list name, and select the x.
3. To edit a selected registry key, locate the Registry Key Check factor, hover over the selected property list name, and select the name. This will allow you to modify the registry key name, the file path, the key, and/or the value.