Hi All, I’m currently working on deploying a few registry changes through BigFix to configure Office application settings (Access, Word, and Excel). Although the BigFix action completes successfully with an exit code of 0, the expected registry changes are not reflected.
Below are the registry entries I’m trying to apply:

// Set VBAWarnings and AccessVBOM for Access
regset “[HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Access\Security]” “VBAWarnings”=dword:00000002
regset “[HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Access\Security]” “AccessVBOM”=dword:00000001

// Set VBAWarnings and AccessVBOM for Word
regset “[HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Word\Security]” “VBAWarnings”=dword:00000002
regset “[HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Word\Security]” “AccessVBOM”=dword:00000001

// Set VBAWarnings and AccessVBOM for Excel
regset “[HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Excel\Security]” “VBAWarnings”=dword:00000003
regset “[HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Excel\Security]” “AccessVBOM”=dword:00000001

Could you please assist with the correct approach to apply these registry changes for the currently logged-in user via BigFix?

Looking forward to your guidance.
Thanks, in advance.

It’s probably executing as LocalSystem, not the logged-on user. Use runas=currentuser and it should work.

delete __createfile
createfile until EOF
reg add "HKCU\Software\Microsoft\Office\16.0\Access\Security" /v VBAWarnings /t REG_DWORD /d 2 /f
reg add "HKCU\Software\Microsoft\Office\16.0\Access\Security" /v AccessVBOM /t REG_DWORD /d 1 /f

reg add "HKCU\Software\Microsoft\Office\16.0\Word\Security" /v VBAWarnings /t REG_DWORD /d 2 /f
reg add "HKCU\Software\Microsoft\Office\16.0\Word\Security" /v AccessVBOM /t REG_DWORD /d 1 /f

reg add "HKCU\Software\Microsoft\Office\16.0\Excel\Security" /v VBAWarnings /t REG_DWORD /d 3 /f
reg add "HKCU\Software\Microsoft\Office\16.0\Excel\Security" /v AccessVBOM /t REG_DWORD /d 1 /f
EOF

move __createfile "__Download\set_office.cmd"

override wait
runas=currentuser
wait cmd.exe /c "__Download\set_office.cmd"

Hi @vk.khurava thank you for your response.

I’ve tested the deployment using the same script, and while the action completes successfully with exit code 0, I’m still not seeing the expected changes in the registry under the logged-in user’s profile.

That’s strange! I tested this before sharing, and on my side all the registry entries were created successfully:

image733×112 8.49 KB

Could you try logging in with the same account and run the Fixlet Debugger directly, executing each of these snippets one by one to check which method works in your environment?

//Test 1
regset "[HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Access\Security]" "VBAWarnings"=dword:00000001
regset "[HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Access\Security]" "AccessVBOM"=dword:00000003


//test2
wait reg add "HKCU\Software\Microsoft\Office\16.0\Access\Security" /v VBAWarnings /t REG_DWORD /d 2 /f
wait reg add "HKCU\Software\Microsoft\Office\16.0\Access\Security" /v AccessVBOM /t REG_DWORD /d 1 /f


//Test3
if {x64 of operating system} 
regset64 "[HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Access\Security]" "VBAWarnings"=dword:00000001
regset64 "[HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Access\Security]" "AccessVBOM"=dword:00000003
else
regset "[HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Access\Security]" "VBAWarnings"=dword:00000001
regset "[HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Access\Security]" "AccessVBOM"=dword:00000003
endif

Note: Before testing, comment out (add // in front) the other examples so you’re only running one test at a time, or simply copy/paste each block individually.

by the way, all of them working for me!

Here is a way to change it for all users, not just the user logged in.

see @mjohnson2469 comment.

Thank you @vk.khurava and @D.Dean for your suggestions. I appreciate your input. I tried the script as shown below, and it worked as expected.

Mount HKU if not already

if (-not (Get-PSDrive HKU -ErrorAction SilentlyContinue)) {
New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}

— Office VBA / Macro Security Settings —

$officePathsRel = @(
“Software\Microsoft\Office\16.0\Access\Security”,
“Software\Microsoft\Office\16.0\Word\Security”,
“Software\Microsoft\Office\16.0\Excel\Security”
)

$settings = @{
“Access\Security” = @{
“VBAWarnings” = 2
“AccessVBOM” = 1
}
“Word\Security” = @{
“VBAWarnings” = 2
“AccessVBOM” = 1
}
“Excel\Security” = @{
“VBAWarnings” = 3
“AccessVBOM” = 1
}
}

Loop through all loaded user profiles (excluding system SIDs)

$users = Get-ChildItem "HKU:" | Where-Object { $_.Name -match “S-1-5-21” }

foreach ($user in $users) {
# Apply Office settings
foreach ($sub in $officePathsRel) {
$path = “Registry::” + $user.Name + "" + $sub
if (-not (Test-Path $path)) {
New-Item -Path $path -Force | Out-Null
}

    # Extract leaf (Access\Security, Word\Security, Excel\Security)
    $leaf = ($sub -replace '^Software\\Microsoft\\Office\\16\.0\\','')

    foreach ($name in $settings[$leaf].Keys) {
        $value = $settings[$leaf][$name]
        New-ItemProperty -Path $path -Name $name -Value $value -PropertyType DWord -Force | Out-Null
        Write-Output "Set $name=$value at $path"
    }
}

}

Glad to see it’s working for you now. From the start the issue was really about context, you were trying to write into HKCU, but the script that’s working for you is actually writing into HKU. That’s the key difference.