New-CMRequirementRuleRegistryKeyPermissionValue

Create a requirement rule to verify registry key permissions.

Syntax

New-CMRequirementRuleRegistryKeyPermissionValue
   -ControlEntry <RegistryAccessControlEntry[]>
   [-Exclusive <Boolean>]
   [-InputObject] <IResultObject>
   [-DisableWildcardHandling]
   [-ForceWildcardHandling]
   [<CommonParameters>]

Description

Use this cmdlet to create a requirement rule on an application deployment type that verifies registry key permissions. It requires a custom global condition of data type Registry key.

Tip

For comparison, if you manually create this requirement rule in the Configuration Manager console, select the following options:

  • Category: Custom
  • Condition: Select a custom global condition of data type Registry key
  • Rule type: Value
  • Property: Permissions

After you use this cmdlet, use one of the Add- or Set- cmdlets for deployment types. Pass this requirement rule object to either the AddRequirement or RemoveRequirement parameter.

For more information, see Deployment type Requirements and Create global conditions.

Note

Run Configuration Manager cmdlets from the Configuration Manager site drive, for example PS XYZ:\>. For more information, see getting started.

Examples

Example 1: Add a requirement rule for registry key permissions

This example first uses the Get-CMGlobalCondition cmdlet to get a custom global condition. Then it uses the New-CMRegistryAccessControlEntry cmdlet to create two access control entries for specific users. Next it creates the requirement rule object to check that the registry key has the permissions specified in the access control entries. Finally it passes that rule object to the Set-CMScriptDeploymentType cmdlet to add the requirement.

$myGC = Get-CMGlobalCondition -Name "LOB app registry key"

$userName = "contoso\jqpublic"
$ce = New-CMRegistryAccessControlEntry -GroupOrUserName $userName -AccessOption Allow -Permission Read,Write

$userName2 = "contoso\jdoe"
$ce2 = New-CMRegistryAccessControlEntry -GroupOrUserName $userName2 -AccessOption Allow -Permission Read

$myRule = $myGC | New-CMRequirementRuleRegistryKeyPermissionValue -Exclusive $false -ControlEntry $ce,$ce2

Set-CMScriptDeploymentType -ApplicationName "Central app" -DeploymentTypeName "Install" -AddRequirement $myRule

Parameters

-ControlEntry

Specify an array of access control entry objects. An access control entry defines specific permissions for a specific user or group. To get this object, use the New-CMRegistryAccessControlEntry cmdlet.

Type: RegistryAccessControlEntry[]
Aliases: ControlEntries, RegistryAccessControlEntry, RegistryAccessControlEntries
Position: Named
Default value: None
Required: True
Accept pipeline input: False
Accept wildcard characters: False

-DisableWildcardHandling

This parameter treats wildcard characters as literal character values. You can't combine it with ForceWildcardHandling.

Type: SwitchParameter
Position: Named
Default value: None
Required: False
Accept pipeline input: False
Accept wildcard characters: False

-Exclusive

If this parameter is $true, for the rule to be compliant, the registry key's permissions need to exactly match the specified ACE. Any other permissions on the registry key cause the rule to fail.

If set to $false, for the rule to be compliant, the specified ACE must exist, and other permissions can exist as well.

Type: Boolean
Position: Named
Default value: None
Required: False
Accept pipeline input: False
Accept wildcard characters: False
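
The two -Exclusive modes, modeled locally as a set comparison against a key's current ACL. This is an added example, not part of the cmdlet or the Configuration Manager client. The function name Test-RegistryKeyAce, the use of .NET RegistryRights names for the permissions, and exact-mask matching of each ACE are assumptions.

```powershell
# Added example: local model of the -Exclusive semantics, not ConfigMgr client code.
function Test-RegistryKeyAce {    # hypothetical helper name
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Each entry: @{ Identity = 'DOMAIN\name'; Access = 'Allow' or 'Deny'; Rights = '<RegistryRights>' }
        [Parameter(Mandatory)] [hashtable[]] $Expected,
        [bool] $Exclusive = $false
    )
    $sidType = [System.Security.Principal.SecurityIdentifier]

    # Normalize expected ACEs to "SID|Allow|mask" so account names and SIDs compare equal.
    $wanted = foreach ($e in $Expected) {
        $sid  = ([System.Security.Principal.NTAccount]$e.Identity).Translate($sidType).Value
        $mask = [int][System.Security.AccessControl.RegistryRights]$e.Rights
        '{0}|{1}|{2}' -f $sid, $e.Access, $mask
    }

    # Explicit and inherited ACEs currently on the key, in the same form.
    $actual = (Get-Acl -Path $Path).GetAccessRules($true, $true, $sidType) |
        ForEach-Object { '{0}|{1}|{2}' -f $_.IdentityReference.Value, $_.AccessControlType, [int]$_.RegistryRights }

    $missing = @($wanted | Where-Object { $_ -notin $actual })
    $extra   = @($actual | Where-Object { $_ -notin $wanted })

    [pscustomobject]@{
        # $false: every expected ACE must exist. $true: additionally, no other ACE may exist.
        Compliant = ($missing.Count -eq 0) -and ((-not $Exclusive) -or ($extra.Count -eq 0))
        Missing   = $missing
        Extra     = $extra
    }
}

# Constructed input: a key and a built-in group present on a default (English) Windows host.
$aces = @(@{ Identity = 'BUILTIN\Users'; Access = 'Allow'; Rights = 'ReadKey' })
Test-RegistryKeyAce -Path 'HKLM:\SOFTWARE' -Expected $aces -Exclusive $false
Test-RegistryKeyAce -Path 'HKLM:\SOFTWARE' -Expected $aces -Exclusive $true
```

With -Exclusive $true, the Extra property lists every ACE on the key that is not in the expected set, which is what to review before deploying an exclusive rule.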

-ForceWildcardHandling

This parameter processes wildcard characters and may lead to unexpected behavior (not recommended). You can't combine it with DisableWildcardHandling.

Type: SwitchParameter
Position: Named
Default value: None
Required: False
Accept pipeline input: False
Accept wildcard characters: False

-InputObject

Specify a custom global condition object to use as the basis for this requirement rule. To get this object, use the Get-CMGlobalCondition cmdlet.

To see the list of available Registry key global conditions at the site, use the following PowerShell command:

Get-CMGlobalCondition | Where-Object DataType -eq "RegistryKey" | Select-Object LocalizedDisplayName

Type: IResultObject
Aliases: GlobalCondition
Position: 0
Default value: None
Required: True
Accept pipeline input: True
Accept wildcard characters: False

Inputs

Microsoft.ConfigurationManagement.ManagementProvider.IResultObject

Outputs

System.Object