SCCM Application Detection Rule using Registry setting type


Hi All,

There are multiple blog posts available on how to set up a detection rule for an SCCM application. However, I find it difficult to set the Registry setting type correctly, i.e. what values should go in fields like ‘key’, ‘value’, ‘data type’ etc.

So here is my blog post answering such questions. I am sharing one example of validating an SCCM application with a detection rule that uses the Registry setting type. I will not share details on how to create an SCCM application in this post (there are various good blog posts available on the internet that can be referred to).

Example

Refer to the screenshots below of the Registry Editor and the SCCM application detection rule using the Registry setting type.

Registry Editor

Detection Rule

Setting Type: It is one of the standard values (File System, Registry and Windows Installer). In our example, we have chosen ‘Registry’ setting type.

Hive: A hive is a logical group of keys and subkeys. It is one of the standard values (HKEY_CLASSES_ROOT, HKEY_CURRENT_CONFIG, HKEY_CURRENT_USER, HKEY_LOCAL_MACHINE and HKEY_USERS). To read more about hives, refer to this page.

Hive

Key: Key is the registry key path below the hive. In our example, the key is ‘SOFTWARE\Wow6432Node\Network Associates\ePolicy Orchestrator\Application Plugins\EPOAGENT3000’

Registry Key

Value: Value is the Value name which can be of type String, Binary, DWORD, QWORD, Multi-String or Expandable String. In our example, it is ‘Version’ of type REG_SZ (String).

Registry Key Value

Data Type: Data type is the data type of the value name. It has to be one of the standard values (String, Integer and Version). In our example, the ‘Version’ value name is of type string (REG_SZ), but we are using the ‘Version’ data type. SCCM is intelligent enough to do the type casting. Keeping the data type as ‘Integer’ helps us to set up the detection rule efficiently.

Registry Setting: There are two options available:

  • Option 1: The specified registry setting exists – in our example this means that the value name ‘Version’ must exist, and the detection rule does not care what the value data is. This is helpful if you are installing a new application.
  • Option 2: The specified registry setting satisfies a clause – in our example, this means that the value data of the value name ‘Version’ must satisfy the given clause. This is helpful when you are upgrading an already installed version. In our example, if version 4.8.0.1995 or greater is already present, the application will be considered as deployed.
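
To check on a client what this rule should evaluate to, the following PowerShell mirrors both options. It is an added example, not code from the original post or from SCCM; the function name `Test-RegistryDetection` and its parameters are hypothetical, while the key, value name and version are the ones from the example above.

```powershell
# Added example: local check that mirrors the registry detection rule above.
# Test-RegistryDetection and its parameter names are hypothetical helpers,
# not SCCM cmdlets. Key, value name and version come from the post's example.
function Test-RegistryDetection {
    param(
        [Parameter(Mandatory)] [string] $Key,        # path below HKEY_LOCAL_MACHINE
        [Parameter(Mandatory)] [string] $ValueName,
        [version] $MinimumVersion                    # omit for Option 1 (existence only)
    )

    $path = Join-Path 'HKLM:\' $Key
    # SilentlyContinue: a missing key or value yields $null instead of an error
    $item = Get-ItemProperty -LiteralPath $path -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $false }           # value name does not exist

    # Option 1: the value name exists; its data is not inspected
    if (-not $PSBoundParameters.ContainsKey('MinimumVersion')) { return $true }

    # Option 2: the REG_SZ data is parsed as a version and compared field by field,
    # so 4.10.0.0 counts as greater than 4.8.0.1995 (a plain string compare would not)
    $installed = $null
    if (-not [version]::TryParse([string]$item.$ValueName, [ref]$installed)) {
        return $false                                # data is not a dotted version
    }
    return $installed -ge $MinimumVersion
}

$key = 'SOFTWARE\Wow6432Node\Network Associates\ePolicy Orchestrator\Application Plugins\EPOAGENT3000'

# Option 1: "registry setting exists"
Test-RegistryDetection -Key $key -ValueName 'Version'

# Option 2: 'Version' greater than or equal to 4.8.0.1995
Test-RegistryDetection -Key $key -ValueName 'Version' -MinimumVersion '4.8.0.1995'
```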

Summary

Hope above details will help you.

If you are still finding it difficult to implement an SCCM application detection method using the Registry setting type, please write back to me. Feedback is welcome 🙂

Till then, happy coding!!!


Comments (1)

  1. Kevin says:

    Thanks for the article.

    I have a scenario where my registry key only has a “(Default)” Value Name, Type=REG_BINARY, and the Data field contains alpha-numeric characters (i.e. 02 d7 e4). I’m trying to create a detection method that would search the Registry and find that this entry does NOT exist. Would I use “(Default)” in the Value field and Data Type = String in the registry key section? Then choose operator= “Not Equal To” and Value=the alpha numeric value?

    I’ve tried my suggestion and it didn’t work, which is why I’m bringing it up here. Thanks for your help.
