BigFix relevance

I am new to BigFix and I am trying to create relevance, but I am getting True even though the registry keys do not exist. Can anyone please help with this?

(exists values "\*\SYSVOL" whose (it as string as lowercase = "RequireMutualAuthentication=1, RequireIntegrity=1") of keys "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths" of native registry)

If the registry key doesn't exist, the statement will return False by default. However, you mentioned that it's returning True even when the registry key doesn't exist, which suggests there might be a misunderstanding or an issue with how the relevance query is structured.

When comparing this value to mine, I notice two issues: the value itself is not the same because there is a missing slash (\\*\SYSVOL), and the string RequireMutualAuthentication=0, RequireIntegrity=0, RequirePrivacy=0 of the value in my case has three items, so your relevance will never match. Let us break it down.

Let’s start from the beginning.

//1st validate if keys & value both exists or not
Q: exists keys "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths" of native registry
A: True
T: 0.975 ms

Q: exists value "\\*\SYSVOL" of keys "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths" of native registry
A: True
T: 0.864 ms
//Now, examine the value and its string to see if it contains or equals:
//If you are unsure if a string is static or dynamic, always use contains, or at least what you know should be present.
Q: exists value "\\*\SYSVOL" whose (it as string as lowercase contains "RequireMutualAuthentication=0, RequireIntegrity=0" as lowercase) of keys "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths" of native registry
A: True
T: 0.712 ms

//If you are certain that this will always be the string, you can use equals to
Q: exists value "\\*\SYSVOL" whose (it as string as lowercase = "RequireMutualAuthentication=0, RequireIntegrity=0, RequirePrivacy=0" as lowercase) of keys "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths" of native registry
A: True
T: 0.528 ms
//Let's merge everything and have better error handling.
Q: if not windows of operating system then "N/A" else if not exists keys "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths" of native registry then "Key Not Found" else if not exists value "\\*\SYSVOL" of keys "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths" of native registry then "Value not found" else if exists value "\\*\SYSVOL" whose (it as string as lowercase = "RequireMutualAuthentication=0, RequireIntegrity=0, RequirePrivacy=0" as lowercase) of keys "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths" of native registry then "True" else "False"
A: True
T: 0.349 ms
5 Likes
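For checking the same setting outside BigFix (for example while troubleshooting on a single endpoint), here is an added PowerShell equivalent of the if/else relevance above. It is example code written for this page, not relevance or code from the thread. It keeps the same result strings ("N/A", "Key Not Found", "Value not found", "True", "False"), but instead of comparing the whole value string with "=", it parses the comma-separated Name=Value items so that an extra item such as RequirePrivacy=0, or different spacing or ordering, does not produce a false negative. The function and parameter names, and the sample string at the bottom, are the author's own assumptions; the key path can also be pointed at the WOW6432Node view of the Policies key to confirm the shared-key behaviour mentioned later in the thread.

```powershell
# Added example, not from the forum thread: a PowerShell mirror of the
# relevance above with the same error handling, plus item-wise parsing of the
# HardenedPaths value instead of a whole-string equality check.

$HardenedPathsKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths'

function ConvertFrom-HardenedPathValue {
    # Turn "RequireMutualAuthentication=1, RequireIntegrity=1" into a
    # hashtable (@{} hashtables are case-insensitive, so name casing
    # in the registry does not matter). Malformed items without "=" are skipped.
    param([Parameter(Mandatory)][string]$Value)
    $table = @{}
    foreach ($item in ($Value -split ',')) {
        $pair = $item.Trim() -split '=', 2
        if ($pair.Count -eq 2 -and $pair[0].Trim()) {
            $table[$pair[0].Trim()] = $pair[1].Trim()
        }
    }
    return $table
}

function Test-HardenedPath {
    # Returns "N/A", "Key Not Found", "Value not found", "True" or "False",
    # like the if/else relevance above. $Expected lists the settings that must
    # be present with the given values; items in the registry that are not in
    # $Expected (e.g. RequirePrivacy) are ignored rather than failing the check.
    param(
        [string]$KeyPath = $HardenedPathsKey,
        [string]$ValueName = '\\*\SYSVOL',
        [hashtable]$Expected = @{ RequireMutualAuthentication = '1'; RequireIntegrity = '1' }
    )

    if ($env:OS -ne 'Windows_NT') { return 'N/A' }
    if (-not (Test-Path -LiteralPath $KeyPath)) { return 'Key Not Found' }

    # The value name contains backslashes and an asterisk; Get-ItemProperty -Name
    # treats "*" as a wildcard, so read the value through the RegistryKey object
    # instead. GetValue() is case-insensitive and returns $null when absent.
    $key = Get-Item -LiteralPath $KeyPath
    $raw = $key.GetValue($ValueName)
    if ($null -eq $raw) { return 'Value not found' }

    $actual = ConvertFrom-HardenedPathValue -Value ([string]$raw)
    foreach ($name in $Expected.Keys) {
        if ($actual[$name] -ne [string]$Expected[$name]) { return 'False' }
    }
    return 'True'
}

# Live check against this machine (HKLM requires no elevation to read):
Test-HardenedPath

# Constructed sample string (not read from any machine) showing the case from
# the thread: a third item makes a whole-string "=" comparison fail, while the
# item-wise check still sees the two settings it cares about.
$sample = 'RequireMutualAuthentication=0, RequireIntegrity=0, RequirePrivacy=0'
$parsed = ConvertFrom-HardenedPathValue -Value $sample
$parsed.RequireMutualAuthentication -eq '1' -and $parsed.RequireIntegrity -eq '1'
```

The strict "=" comparison in the relevance is still the right choice when the policy deploys a fixed string and any deviation should be flagged; the parsed form is for the case the thread describes, where the value legitimately carries more items than the ones being audited.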

I used to use the approach provided by @vk.khurava too, as it provides a good level of visibility of whether the key or value is missing. It is worth noting that it does mean the property will consume a bit more DB space this way, as it's storing a string value for every endpoint.

Just to offer another method that is similar to the approach you had: if knowing whether the key or value existed isn't of concern for your use case, you could use this approach.

Q: if (windows of operating system) then (exists keys "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths" whose (exists values "\\*\SYSVOL" whose (it as string as lowercase = "RequireMutualAuthentication=0, RequireIntegrity=0, RequirePrivacy=0" as lowercase) of it) of native registry ) else (nothing)
A: False
T: 0.399 ms
I: plural boolean
1 Like

Also keep in mind there are the 32-bit and 64-bit registries.

1 Like

I think in this case the registry key is a shared key as opposed to a redirected key, so a change in HKLM\Software\Policies is also reflected in HKLM\Software\Wow6432Node\Policies.