Set a HKCU value as a variable with PSAppDeployToolkit

Hello, I hope I am in the right place. I need help creating a restriction entry on a client PC.

I use the following call to use SCCM to adjust a value in the HKCU area of each user in the domain:

[scriptblock]$HKCURegistrySettings = {
Set-RegistryKey -Key 'HKCU:\Software\Microsoft\Some Key' -Name 'Some Name' -Value %USERNAME%@somemail.de -Type DWord -SID $UserProfile.SID
}
Invoke-HKCURegistrySettingsForAllUsers -RegistrySettings $HKCURegistrySettings

So far so good, the entry is written, but the %USERNAME% is not resolved. It seems as if %USERNAME% is simply seen as text. However, instead of %USERNAME% I need the actual name or profile name of the logged in user in that place.

How do I do that?
Thank you in advance.

%USERNAME% is a CMD/Batch variable. PowerShell does not care about those.

You could replace %USERNAME% with $ENV:USERNAME like this:

[scriptblock]$HKCURegistrySettings = {
Set-RegistryKey -Key 'HKCU:\Software\Microsoft\Some Key' -Name 'Some Name' -Value "$($ENV:USERNAME)@somemail.de" -Type String -SID $UserProfile.SID
}
Invoke-HKCURegistrySettingsForAllUsers -RegistrySettings $HKCURegistrySettings

But if you run PSADT as system, you might not get the USERNAME you expect…

Hello and thank you for the answer.

I have already tried it as follows:
-Value $ENV:USERNAME@somemail.de
and that was only recognized as text.

Thanks for the tip, I’ll try it with the brackets. I hope that works.

And what would the call be called if I wanted to delete the entry again?

RemoveRegistryKey -Key 'HKCU\SOFTWARE\Microsoft\Example' -Name 'Some Name' does not seem to work when called via SCCM. The entry is still there.

Unfortunately, I am a beginner when it comes to changing registry values that are in the HKCU area.

Again, it’s probably the system’s HKCU you are running against.

PSADT has variables that may hold the username of the currently logged-on user.
If no user is logged-on, then you cannot do it at install time and will have to rely on something like ActiveSetup.
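
The point above, that a deployment running as SYSTEM works against SYSTEM's own HKCU, can be sidestepped by writing to each loaded user hive under HKEY_USERS instead. This is an added example, not code from the thread or from PSADT; the key path, value name and mail domain are the thread's placeholders, and the function names are hypothetical.

```powershell
# Added example (not from the thread). Run elevated or as SYSTEM.
function Get-LoadedUserHive {
    # Profiles that are currently loaded (typically logged-on users) are mounted
    # under HKEY_USERS\<SID>. The S-1-5-21-* filter skips SYSTEM (S-1-5-18),
    # service accounts and the <SID>_Classes hives.
    Get-ChildItem -Path 'Registry::HKEY_USERS' |
        Where-Object { $_.PSChildName -match '^S-1-5-21-[\d-]+$' } |
        ForEach-Object {
            $sid = [System.Security.Principal.SecurityIdentifier]$_.PSChildName
            try {
                $account = $sid.Translate([System.Security.Principal.NTAccount]).Value
            } catch {
                Write-Warning "Cannot resolve $sid to an account; skipping"
                return   # acts like 'continue' inside ForEach-Object
            }
            [pscustomobject]@{
                SID      = $sid.Value
                UserName = $account.Split('\')[-1]   # DOMAIN\user -> user
            }
        }
}

function Set-ValueForLoggedOnUsers {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string]$SubKey     = 'Software\Microsoft\Some Key',  # placeholder from the thread
        [string]$Name       = 'Some Name',                    # placeholder from the thread
        [string]$MailDomain = 'somemail.de'                   # placeholder from the thread
    )
    $hives = @(Get-LoadedUserHive)
    if ($hives.Count -eq 0) { Write-Warning 'No user hive is loaded; nothing written'; return }
    foreach ($hive in $hives) {
        $path  = "Registry::HKEY_USERS\$($hive.SID)\$SubKey"
        $value = "$($hive.UserName)@$MailDomain"
        if ($PSCmdlet.ShouldProcess($path, "Set '$Name' = '$value'")) {
            if (-not (Test-Path -LiteralPath $path)) { New-Item -Path $path -Force | Out-Null }
            # A mail address is text, so the value type is String (REG_SZ), not DWord.
            New-ItemProperty -LiteralPath $path -Name $Name -Value $value -PropertyType String -Force | Out-Null
            Write-Output "$path\$Name = $value"   # log line for the deployment log
        }
    }
}

# Dry run: shows what would be written for each loaded hive without changing anything.
Set-ValueForLoggedOnUsers -WhatIf
```

Users whose profile is not loaded at install time are not covered; that case still needs a logon-time mechanism such as ActiveSetup.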

1.)
You probably mean a *.bat file, for example, that you can first save locally and then run. Like…

@echo off
REG ADD "HKCU\Software...." /v "some" /t "REG_SZ" /d "%USERNAME%@somemail.de" /f

If I call this via SCCM

Start-Process -FilePath 'c:\Windows\System32\cmd.exe' -ArgumentList "/k","c:\Temp\REG_ADD.bat" -Wait

I get SYSTEM@somemail.de as a result. That doesn’t help me at the moment.

2.)
Since I can’t get any further, I’m trying to use PowerShell, but I have a question about understanding. According to the PSAppDeployToolkitAdminGuide there is a $envUserName variable. What is the difference between this and what you wrote to me that I should use?

Difference:
-Value $($ENV:USERNAME)@somemail.de
-Value $envUserName@somemail.de

  1. While you could go with a CMD batch file, you did not use ActiveSetup to launch it. You would need to use Set-ActiveSetup to create entries in HKLM for ActiveSetup to work.
    I prefer ActiveSetup launching a PowerShell script or a custom EXE (WiseScript/Winbatch/AutoHotKey/AutoIt/etc.)

  2. They should be the same.
    $envUserName is created by PSADT and prevents needing the $( ) stuff.

Hello again, I noticed that the email address I need is already in another path.

My approach would now be to read the email from the registry and enter it somewhere else.

Read:
[scriptblock]$HKCURegistrySettings = {
$DATA = Get-RegistryKey -Key 'HKCU:\Software\Microsoft\Some Key One' -Name 'Some Name' -SID $UserProfile.SID
}
Invoke-HKCURegistrySettingsForAllUsers -RegistrySettings $HKCURegistrySettings

and then…
Enter:
[scriptblock]$HKCURegistrySettings = {
Set-RegistryKey -Key 'HKCU:\Software\Microsoft\Some Key Two' -Name 'Some Name' -Value $DATA -SID $UserProfile.SID
}
Invoke-HKCURegistrySettingsForAllUsers -RegistrySettings $HKCURegistrySettings

Would that work?
Then I would save myself the effort of using a *.bat or interactive setup

Yes if:

  1. There is a user logged-in at install time (e.g. Not System/DefaultUser)
  2. The Email exists in the HKCU location.

You should code and log for when these “stars” don’t align for your solution.

Hm, if I use it like this, the entry is empty. What am I doing wrong?
The rest of it (New-Shortcut, and first Registry Entry) works.

New-Shortcut -Path "$envCommonStartMenuPrograms\Startup\Outlook.lnk" -TargetPath "$envProgramFilesX86\Microsoft Office\root\Office16\OUTLOOK.EXE" -IconLocation "$envProgramFilesX86\Microsoft Office\root\Office16\OUTLOOK.EXE"
New-Shortcut -Path "$envCommonDesktop\Outlook.lnk" -TargetPath "$envProgramFilesX86\Microsoft Office\root\Office16\OUTLOOK.EXE" -IconLocation "$envProgramFilesX86\Microsoft Office\root\Office16\OUTLOOK.EXE"

	[scriptblock]$HKCURegistrySettings = {
    Set-RegistryKey -Key 'HKCU\Software\Microsoft\Office\16.0\Outlook\Preferences' -Name 'EnableSingleLineRibbon' -Value 0 -Type DWord -SID $UserProfile.SID
    }
    Invoke-HKCURegistrySettingsForAllUsers -RegistrySettings $HKCURegistrySettings

– works till here

	[scriptblock]$HKCURegistrySettings = {
	$DATA = Get-RegistryKey -Key 'HKCU\Software\Microsoft\Office\16.0\Common\Identity' -Name 'ADUserName' -SID $UserProfile.SID
	}
	Invoke-HKCURegistrySettingsForAllUsers -RegistrySettings $HKCURegistrySettings
	
	# Enter the value
	[scriptblock]$HKCURegistrySettings = {
    Set-RegistryKey -Key 'HKCU\SOFTWARE\Microsoft\Office\16.0\Common\Identity' -Name 'SignedOutADUser' -Value $DATA -SID $UserProfile.SID
    }
    Invoke-HKCURegistrySettingsForAllUsers -RegistrySettings $HKCURegistrySettings

I would log the contents of $DATA.
It might not be what you expect.

I’m surprised that these values get populated at install time of Office and not at first login time in Outlook.

This is not so surprising because our agency does not want colleagues to log in to Office 2024 LTSC and after the application has been made available, this should be prevented with the registry entry. The entry removes the option to log in. That is all we want to achieve with it.

The problem we have is that our server activities with SCCM and the script activities in the agency are managed by 2 different areas.

I provide the script and the colleagues from the server department only import it into SCCM.

It then works locally with admin rights but unfortunately not via SCCM.

For example, I have now found a way that works locally.

$USER = $ENV:USERNAME
$MAIL = "@somemail.de"
$DATA = "$USER" + "$MAIL"

[scriptblock]$HKCURegistrySettings = {
Set-RegistryKey -Key 'HKCU:\Software\Microsoft\Some Key' -Name 'Some Name' -Value $DATA -Type DWord -SID $UserProfile.SID
}
Invoke-HKCURegistrySettingsForAllUsers -RegistrySettings $HKCURegistrySettings

Output is as desired: MyUserID@somemail.de

When run via SCCM the content remains empty.
The question remains how can I log what is happening in SCCM?

The way I would be doing this:
- Create a standalone PowerShell script that works as a regular user.
- Use PSADT to set ActiveSetup to trigger this PowerShell script at login time. (PSADT triggers it for the current user if they happen to be logged-in)
- If other users login on a box they’ve never been on, ActiveSetup will trigger the script for them.

Hello, for those who are interested. I was able to get by using a local batch file and a simple call via the Deploy-Application.ps1.

In the Deploy-Application.ps1:

..
        ## <Perform Installation tasks here>
		
		## Create shortcuts for the respective user

		# Autostart after user logon
		New-Shortcut -Path "$envCommonStartMenuPrograms\Startup\Outlook.lnk" -TargetPath "$envProgramFilesX86\Microsoft Office\root\Office16\OUTLOOK.EXE" -IconLocation "$envProgramFilesX86\Microsoft Office\root\Office16\OUTLOOK.EXE" 
		
		# Desktop shortcut for all users
		New-Shortcut -Path "$envCommonDesktop\Outlook.lnk" -TargetPath "$envProgramFilesX86\Microsoft Office\root\Office16\OUTLOOK.EXE" -IconLocation "$envProgramFilesX86\Microsoft Office\root\Office16\OUTLOOK.EXE" 
		
		# Classic ribbon for access to Laufmappe
		[scriptblock]$HKCURegistrySettings = {
        Set-RegistryKey -Key 'HKCU\Software\Microsoft\Office\16.0\Outlook\Preferences' -Name 'EnableSingleLineRibbon' -Value 0 -Type DWord -SID $UserProfile.SID
        }
        Invoke-HKCURegistrySettingsForAllUsers -RegistrySettings $HKCURegistrySettings
		
		# Suppress the sign-in window on first start
		[scriptblock]$HKCURegistrySettings = {
		Set-RegistryKey -Key 'HKCU\Software\Microsoft\Office\16.0\OneNote' -Name 'FirstBootStatus' -Value 0x02000202 -Type DWord -SID $UserProfile.SID
		}
        Invoke-HKCURegistrySettingsForAllUsers -RegistrySettings $HKCURegistrySettings
		
		# "Optimize for compatibility" setting for Laufmappe
		[scriptblock]$HKCURegistrySettings = {
		Set-RegistryKey -Key 'HKCU\Software\Microsoft\Office\16.0\Outlook\Options' -Name 'RenderForMonitorDpi' -Value 0 -Type DWord -SID $UserProfile.SID
		}
        Invoke-HKCURegistrySettingsForAllUsers -RegistrySettings $HKCURegistrySettings

		# Disable the "Apps in Outlook" setting for Laufmappe
		[scriptblock]$HKCURegistrySettings = {
		Set-RegistryKey -Key 'HKCU\Software\Microsoft\Office\16.0\Outlook\Preferences' -Name 'EnableAppsInOutlook' -Value 0 -Type DWord -SID $UserProfile.SID
		}
        Invoke-HKCURegistrySettingsForAllUsers -RegistrySettings $HKCURegistrySettings

Execute-ProcessAsUser -Path "$dirfiles\REGADD.bat"
..

In the batch file:

@echo off

for /f "skip=1 delims=^>^ " %%a in ('query user') do if not "%%a" == "SYSTEM" REG ADD HKCU\Software\Microsoft\Office\16.0\Common\Identity /v SignedOutADUser /t REG_SZ /d %%a@somemail.de /f

query user>C:\Temp\query_user.txt&&echo.>C:\Temp\query_user.txt

for /f "delims=^>^ " %%a in ('query user') do echo "%%a">C:\Temp\query_user.txt

for /f "skip=1 delims=^>^ " %%a in ('query user') do echo %%a@lbv.nrw.de>C:\Temp\USERNAME.txt

set /p Build=<C:\Temp\USERNAME.txt

reg add HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\Identity /v SignedOutADUser /t Reg_Sz /d %Build% /f

del C:\Temp\query_user.txt
del C:\Temp\USERNAME.txt

exit
