I am setting up WinExit.scr on our network. I set up a GPO to enable everything and it works except for setting ACL on two registry keys. (This is not part of the problem.)
I thought I would instead deploy the screensaver as an application and use the toolkit to create and populate the registry entries needed for WinExit, but even though I have the correct entries set up, the entries get set but the screen saver does not work.
My question is “Is there something related to security or something else that using a GPO to set the values vs a PowerShell script would somehow be different?”
I can remove the GPO and run the SCCM Deployment and the same registry keys seem to get updated but the screen saver does not work.
When I use the toolkit the Windows Screensaver options don't show but the registry entries are there. When I use the script the Screensaver properties show in the screen saver page.
Hope this is enough info to spur some ideas.
Here is my script:
##*===============================================
##* INSTALLATION
##*===============================================
## <Perform Installation tasks here>
[string]$installPhase = 'Installation'

Write-Host 'Setting ACL Keys ...'
$OSa = $ENV:PROCESSOR_ARCHITECTURE
$OSv = (Get-WmiObject -Class Win32_OperatingSystem).Caption

# Pick the control.ini mapping key by the architecture this process reports
if ($OSa -eq 'x86')
{
    ## Set registry ACL rights # Set 32 bit Key
    $aclKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\control.ini'
}
else
{
    ## Set registry ACL rights # Set 64 bit Key
    $aclKey = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\IniFileMapping\control.ini'
}

# Allow Authenticated Users to set values and create subkeys under the key
$objWinExitAcl = Get-Acl -Path $aclKey
$objAccessRule = New-Object System.Security.AccessControl.RegistryAccessRule('Authenticated Users', 'SetValue, CreateSubKey', 'ContainerInherit, ObjectInherit', 'None', 'Allow')
$objWinExitAcl.AddAccessRule($objAccessRule)
Set-Acl -Path $aclKey -AclObject $objWinExitAcl

Write-Host 'Copying all Content ...'
if ($OSv -eq 'Microsoft Windows 10 Enterprise')
{
    Copy-File -Path "$dirFiles\control.ini" -Recurse -Destination $Win10Control
}
else
{
    Copy-File -Path "$dirFiles\control.ini" -Recurse -Destination $Win7Control
}
Copy-File -Path "$dirFiles\winexit.*" -Recurse -Destination $WinFiles

Write-Host 'Setting ScreenSaver Registry Key...'
$regkeypath1 = 'HKU\.DEFAULT\Control Panel\Desktop'
$regkeypath2 = 'HKCU\Control Panel\Desktop'
$regkeypath3 = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\System'

# Per-user settings: -SID is passed by name on every line so each write targets that user's hive
$HKCURegistrySettings =
{
    Set-RegistryKey -Key $regkeypath2 -Name 'ScreenSaveActive' -Value 1 -Type String -SID $UserProfile.SID
    Set-RegistryKey -Key $regkeypath2 -Name 'ScreenSaverIsSecure' -Value 1 -Type String -SID $UserProfile.SID
    Set-RegistryKey -Key $regkeypath2 -Name 'SCRNSAVE.EXE' -Value 'winexit.scr' -Type String -SID $UserProfile.SID
    Set-RegistryKey -Key $regkeypath2 -Name 'ScreenSaveTimeout' -Value 3600 -Type String -SID $UserProfile.SID
}
Invoke-HKCURegistrySettingsForAllUsers -RegistrySettings $HKCURegistrySettings

# Same values for the .DEFAULT hive (logon screen)
Set-RegistryKey -Key $regkeypath1 -Name 'ScreenSaveActive' -Value 1 -Type String
Set-RegistryKey -Key $regkeypath1 -Name 'ScreenSaverIsSecure' -Value 1 -Type String
Set-RegistryKey -Key $regkeypath1 -Name 'SCRNSAVE.EXE' -Value 'winexit.scr' -Type String
# Set Standard Desktop - Logon Screen Saver Timeout Time - in seconds
Set-RegistryKey -Key $regkeypath1 -Name 'ScreenSaveTimeout' -Value 3600 -Type String
Set-RegistryKey -Key $regkeypath3 -Name 'UserPolicyMode' -Value 1 -Type DWord
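
A read-only check that can be run on an affected machine after either deployment method, added here as an example and not part of the original post. It reports the bitness of the current process, whether the Authenticated Users allow rule from the script is present on the control.ini mapping key in the 64-bit and 32-bit registry views, and the screen saver values in the current user's hive. The function name Test-ControlIniAcl is hypothetical; the key paths and value names are the ones used in the script above.

```powershell
# Added example: read-only diagnostic, it changes nothing on the machine.
$subKey    = 'SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\control.ini'
$wanted    = [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey'
$authUsers = 'S-1-5-11'   # well-known SID of Authenticated Users

function Test-ControlIniAcl {   # hypothetical helper name
    param([Parameter(Mandatory)][Microsoft.Win32.RegistryView]$View)
    $base = [Microsoft.Win32.RegistryKey]::OpenBaseKey(
        [Microsoft.Win32.RegistryHive]::LocalMachine, $View)
    $key = $null
    try {
        $key = $base.OpenSubKey($subKey)      # read-only open
        $found = $false
        if ($null -ne $key) {
            $sidType = [System.Security.Principal.SecurityIdentifier]
            $rules = $key.GetAccessControl().GetAccessRules($true, $true, $sidType)
            # Look for an Allow rule for Authenticated Users covering both rights
            $found = [bool]($rules | Where-Object {
                $_.IdentityReference.Value -eq $authUsers -and
                $_.AccessControlType -eq 'Allow' -and
                ($_.RegistryRights -band $wanted) -eq $wanted
            })
        }
        [pscustomobject]@{ View = $View; KeyExists = ($null -ne $key); AllowRuleFound = $found }
    }
    finally {
        if ($key) { $key.Dispose() }
        $base.Dispose()
    }
}

# A 32-bit host process on 64-bit Windows reports x86 in PROCESSOR_ARCHITECTURE,
# so record what this process actually is before trusting an x86/x64 branch.
[pscustomobject]@{
    ProcessorArchitecture = $env:PROCESSOR_ARCHITECTURE
    Is64BitProcess        = [Environment]::Is64BitProcess
    Is64BitOS             = [Environment]::Is64BitOperatingSystem
} | Format-List

# Registry32 on 64-bit Windows resolves HKLM\SOFTWARE to Wow6432Node.
[Microsoft.Win32.RegistryView]::Registry64, [Microsoft.Win32.RegistryView]::Registry32 |
    ForEach-Object { Test-ControlIniAcl -View $_ } | Format-Table -AutoSize

# Screen saver values as the logged-on user sees them.
$desktop = Get-ItemProperty -Path 'HKCU:\Control Panel\Desktop'
'ScreenSaveActive', 'ScreenSaverIsSecure', 'SCRNSAVE.EXE', 'ScreenSaveTimeout' |
    ForEach-Object { [pscustomobject]@{ Name = $_; Value = $desktop.$_ } } |
    Format-Table -AutoSize
```

Running it once in the logged-on user's session and once in the context the deployment runs under, then comparing the two outputs, shows whether both contexts see the same process bitness, ACL rule and values.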