Closed wise-io closed 2 years ago
If you just mean delete a setting (setting back to "Not Configured", there is Remove-PolicyFileEntry. If you mean how some Settings when set to disabled will remove any items in the registry keys whether put there manually or a previously applied policy, it can be done.
Here is an example for a Chrome policy I set to disabled. Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\Content Settings Policy Name: Limit cookies from matching URLs to the current session
$regpath = "Software\Policies\Google\Chrome\CookiesSessionOnlyForUrls" $regname = "delvals." $regtype = "String" $Pol = "$env:windir\system32\GroupPolicy\Machine\registry.pol" Set-PolicyFileEntry -path $Pol -key $regpath -ValueName $regName -Data " " -Type $regtype #notice the space for value**
I have seen other settings where instead of delvals, it is **Del. You can get more info on these at https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-gpreg/57226664-ce00-4487-994e-a6b3820f3e49.
I found what I needed to do for this by using some of the same code underneath this module that I borrowed from https://github.com/OfficeDev/Office-IT-Pro-Deployment-Scripts/blob/master/Office-ProPlus-Preparation/Copy-OfficeGPOSettings/Copy-OfficeGPOSettings.ps1.
I set the setting I wanted on a test machine, then ran portions of the code linked above to get what was getting set.
`
$defaultDisplaySet = 'GroupPolicy', 'Key', 'ValueName', 'Type', 'Value', 'Configuration'
$defaultDisplayPropertySet = New-Object System.Management.Automation.PSPropertySet(‘DefaultDisplayPropertySet’, [string[]]$defaultDisplaySet) $PSStandardMembers = [System.Management.Automation.PSMemberInfo[]]@($defaultDisplayPropertySet)
$assemblies = ('System', 'mscorlib', 'System.IO');
$sourceCode = @'
// FROM: https://gallery.technet.microsoft.com/Read-or-modify-Registrypol-778fed6e
namespace TJX.PolFileEditor
{
using System;
using System.Collections.Generic;
using System.Text;
using System.IO;
using Microsoft.Win32;
public enum PolEntryType : uint
{
REG_NONE = 0,
REG_SZ = 1,
REG_EXPAND_SZ = 2,
REG_BINARY = 3,
REG_DWORD = 4,
REG_DWORD_BIG_ENDIAN = 5,
REG_MULTI_SZ = 7,
REG_QWORD = 11,
}
public class PolEntry : IComparable
try {
Add-Type -TypeDefinition $sourceCode -ReferencedAssemblies $assemblies -ErrorAction SilentlyContinue;
} catch { }
$ConfigType = "Machine" if ($PolFilePath -match '\User\') { $ConfigType = "User" }
$fileExists = Test-Path -Path $PolFilePath if (!$fileExists) { continue } try { $pf = New-Object TJX.PolFileEditor.PolFile; $pf.LoadFile($PolFilePath) ; } catch { throw }
$entries = [TJX.PolFileEditor.PolEntry[]] $pf.Entries.ToArray();
$entries | ? { $_.KeyName -like "Software\Policies\Google\Chrome*" }`
Type : REG_SZ
KeyName : Software\Policies\Google\Chrome\CookiesSessionOnlyForUrls
ValueName : **delvals.
DWORDValue :
QWORDValue :
StringValue :
MultiStringValue : { }
BinaryValue : {32, 0, 0, 0}
If you just mean delete a setting (setting back to "Not Configured", there is Remove-PolicyFileEntry.
@kwygant Could you point me to some documentation on Remove-PolicyFileEntry? What parameters are needed, just path, key, and value name?
@redlettertech I went to the commands.ps1 file and found that Remove-PolicyFileEntry has four parameters.
param (
[Parameter(Mandatory = $true, Position = 0)]
[string] $Path,
[Parameter(Mandatory = $true, Position = 1, ValueFromPipelineByPropertyName = $true)]
[string] $Key,
[Parameter(Mandatory = $true, Position = 2, ValueFromPipelineByPropertyName = $true)]
[string] $ValueName,
[switch] $NoGptIniUpdate
)
To me that looks like pol file path, regkey path, and reg value name should get the job done.
It would be great if there were an option to clear a local group policy setting using your module.