This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(80, 73%, 17%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJ%3C/text%3E%3C/svg%3E)
Recently I started diving down the path of using DSC to simplify and automate STIG enforcement for a few environments I work on that are non-domain/closed network clients. As soon as I started scripting up PS1 scripts to generate and create MOF templates, I quickly ran in to the realization that DSC is not applying any HKCU elements. After a few hours of googling around I stumbled upon old posts and questions from various forums and here, discussing how DSC is not designed to interact with HKCU.
I was just wondering if there's any work in the pipeline to allow for DSC to control and enforce HKCU elements? As anyone who works with STIG's, you quickly realize how many of the registry keys you have to touch live exclusively in HKCU. Or has anyone figured out any workarounds to force HKCU elements through DSC? With Powershell not liking LGPO, and DSC not playing with the HKCU hive, it really seems like Microsoft does not like non-domain/closed network environments.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(3.2, 71%, 10%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMJ%3C/text%3E%3C/svg%3E)
DSC can be used for HKCU, you just need to write a DSC resource to do it, meaning the default registry resource can't do what you need to do.
You could create a script-based DSC resource that performs the actions that you need to, which is basically enumerate users on the system, load their hive and make the changes you need to make. That sounds complicated, but taken one step at a time is doable.
MJ