Hi, I am trying to create a piece of relevance which will check if a key either doesn’t exist or exists with a value of 1 - so far it seems to report “true” no matter what:
(exists keys “HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Ext” whose (exists values whose(name of it = “VersionCheckEnabled” AND it as string as lowercase = “00000001” as lowercase ) of it) of registry)or (not exists keys “HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Ext” whose(name of it = “VersionCheckEnabled”) of registry)
Since the BigFix Agent runs as the SYSTEM account, when you write relevance that accesses the “HKEY_CURRENT_USER” branch of the registry, the agent will query the SYSTEM account’s HKCU rather than the logged in user’s HKCU (note that this is different from what you see in the Relevance Debugger, which will return results from the HKCU of your logged on user). To help query the local logged on users’ HKCU branch of the registry, there is an inspector “current user keys” that can be used:
q: exists key “Software\BigFix” of current user keys (logged on users) of registry