Windows - System Preferences - Modify HKEY_USERS

What the HKEY_USERS Registry Modifier does

This Automox Worklet™ modifies registry keys and values under the HKEY_USERS hive for all active local user accounts. The Worklet applies your specified registry configuration to each user's profile by leveraging their unique Security Identifier (SID) stored in the Windows Registry.

The Worklet accepts four configurable parameters: the registry path (relative to the user hive), the value name, the desired value, and the value type (String, ExpandString, MultiString, Binary, DWord, or Qword). Once configured, the Worklet discovers all active user accounts and applies the registry modification to each one.

This approach eliminates the need to manually configure each user profile and maintains consistency across your endpoints. The Worklet creates missing registry paths and handles errors gracefully, reporting any failures so you can investigate specific user configuration issues.

Why manage user registry settings through Automox

User-level registry settings control application behavior, security features, and system preferences that affect daily operations. Manually configuring these settings across multiple endpoints is time-consuming and error-prone, particularly in larger environments.

By automating registry modifications through Automox, you maintain consistent configuration across all endpoints while reducing administrative overhead. This is particularly valuable for implementing security policies, disabling unwanted features, or configuring application defaults that apply to every user on an endpoint.

The Worklet also supports compliance requirements that mandate specific registry configurations. You can schedule regular evaluations to keep endpoints remain compliant and remediate any drift automatically.

How HKEY_USERS registry modification works

1. Evaluation phase: The Worklet retrieves all active user profiles from the system by querying Win32_UserProfile, then loads each user's HKEY_USERS registry hive using their SID. It checks whether the specified registry value exists and matches your desired value. Any user with a mismatched or missing value is flagged as non-compliant.

2. Remediation phase: The Worklet creates the full registry path under each user's HKEY_USERS hive if it does not exist, then sets or updates the registry value to your specified type and value. It uses -Force to overwrite any existing value, verifying all users have the same configuration. Failed registry operations are logged and reported, allowing you to investigate issues specific to particular user accounts.

HKEY_USERS registry modification requirements

• Windows 7 or later (Server 2008 R2 or later)

• PowerShell 2.0 or later (runs on all supported Windows versions)

• Administrator privileges to read and write to HKEY_USERS and user profile paths

• Registry path specified relative to the user hive (without the user SID, which the Worklet adds automatically)

• Valid registry value type selected (String, ExpandString, MultiString, Binary, DWord, or Qword)

• Target registry value must be surrounded by quotation marks if it contains spaces or special characters

Expected registry configuration state

After the Worklet runs successfully, your specified registry value will be present and set to the desired value under HKEY_USERS for every active local user account. You can verify this by navigating to the registry path you configured under each user's hive (identified by their SID) using Regedit or by running a PowerShell query to compare the value across all users.

If the remediation phase reports failures for specific users, those failures are typically due to file system permissions, locked user profiles, or registry access restrictions. The Worklet will indicate which users failed so you can investigate whether those accounts have permission issues or are in use during execution.

How to validate modify hkey_users changes

1. Run this Worklet on a pilot Windows endpoint and review evaluation output for modify hkey_users.

2. Confirm Automox activity logs show successful completion and exit code 0.

3. Verify endpoint state using checks aligned to evaluation script logic, such as Get-LocalUser, Get-WmiObject, Where-Object.

4. Validate remediation effects from script operations such as Get-LocalUser, Get-WmiObject, Where-Object, then rerun evaluation for compliance.