Custom computer group using registry keys for relevance

Hi, I’m struggling with creating an automatic computer group in BF Remediate using registry key values.

I am trying to group computers that have the registry key values I specify.

The two keys I’m targeting are REG_SZ and REG_MULTI_SZ types.

Firstly, this is the syntax I’m trying to use for the multi-string key.
(if type of it = "REG_MULTI_SZ" then substrings separated by "%00" of preceding texts of lasts "%00%00" of (it as string) else (it as string)) of values "EnableMFAForUsers" of keys "HKEY_LOCAL_MACHINE\SOFTWARE\TecMFA" of native registry

In testing with QnA, this returns the two values of the reg_multi_sz: “domain_user” and “domain_admin”

The second key I’m trying to target for the same computer group is in the same location “HKEY_LOCAL_MACHINE\SOFTWARE\TecMFA”. The name of this reg_sz key is ‘URL’ and the data is “https://website.com”

Instead of returning the values for these keys (domain_admin, domain_user and https://website.com), I’d like to treat it like a true/false statement where computers will only join this group if the values for these keys are what I’ve specified.

Any help with creating the relevance for this custom computer group would be greatly appreciated.

Thanks,
Jon

The common form for this is

exists ("thing") whose (it = "value I want")

In your case, the AND/OR logic is going to depend on what you want. Should a computer only join the computer group if all three conditions are true? Or either of the EnableMFAForUsers entries, AND the URL value?

Since you already have the relevance, I’d reuse it as

exists ( (if type of it = "REG_MULTI_SZ" then substrings separated by "%00" of preceding texts of lasts "%00%00" of (it as string) else (it as string)) of values "EnableMFAForUsers" of keys "HKEY_LOCAL_MACHINE\SOFTWARE\TecMFA" of native registry) whose (it="domain_user")  AND exists ((if type of it = "REG_MULTI_SZ" then substrings separated by "%00" of preceding texts of lasts "%00%00" of (it as string) else (it as string)) of values "EnableMFAForUsers" of keys "HKEY_LOCAL_MACHINE\SOFTWARE\TecMFA" of native registry) whose (it="domain_admin") AND ( exists (values "URL" of keys "HKEY_LOCAL_MACHINE\SOFTWARE\TecMFA" of native registry as string) whose (it="https://website.com") )

Thanks Jason, I’ll give that a shot and report back!

Jason, this seems to work great! I’m assuming what you have posted is for all facts being true (both domain_user and domain_admin for EnableMFAForUsers, and the URL with the website exists). If not, where would I change the syntax to make it all true? Thanks!

You can change the AND to OR, and you can group the terms with parentheses.

Great, thanks again!
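
The grouping described in the last answer, written out as an added example that is not part of the original thread: it reuses the thread's expressions unchanged and assumes the desired rule is "either EnableMFAForUsers entry is present, AND the URL value matches". Relevance ignores the line breaks and indentation.

```relevance
(
    exists ((if type of it = "REG_MULTI_SZ" then substrings separated by "%00" of preceding texts of lasts "%00%00" of (it as string) else (it as string)) of values "EnableMFAForUsers" of keys "HKEY_LOCAL_MACHINE\SOFTWARE\TecMFA" of native registry) whose (it = "domain_user")
    OR
    exists ((if type of it = "REG_MULTI_SZ" then substrings separated by "%00" of preceding texts of lasts "%00%00" of (it as string) else (it as string)) of values "EnableMFAForUsers" of keys "HKEY_LOCAL_MACHINE\SOFTWARE\TecMFA" of native registry) whose (it = "domain_admin")
)
AND
(
    exists (values "URL" of keys "HKEY_LOCAL_MACHINE\SOFTWARE\TecMFA" of native registry as string) whose (it = "https://website.com")
)
```

The outer parentheses around the two EnableMFAForUsers terms make the OR evaluate before the AND, so a computer with only one of the two entries still has to match the URL to join the group.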