
05: How do I use Least Privilege Manager to elevate .reg files to allow import by standard users

The registry requires elevated rights to be updated. Least Privilege Manager can be used to elevate the rights of a standard user so that specific .reg files can be imported without an administrator.

Note: We recommend you put the .REG file on a server so the file itself is under permissions which cannot be tampered with. It could be a risk to put the .REG file locally on the hard drive where anyone could edit the raw contents.

Method 1: New Executable Policy

  1. Create new GPO where required
  2. Expand PolicyPak node on either Computer or User Configuration side and click on “Least Privilege Manager”
  3. Add new EXE Policy (a or b)

  4. Select “Use Combo Rule …” -> NEXT

  5. Under Conditions check “Path”, and under Settings check “Command-line arguments” and “Apply to child processes” -> NEXT

  6. Under Path Condition click the Add drop-down and select “Add file ...”

  7. Either browse for regedit.exe, or type in “%SYSTEMROOT%\regedit.exe” -> OK

  8. Click on Command-line Arguments

    1. Under Check Mode select “Strict equality”
    2. In the Arguments box, type the text entered in the Path Condition (step 7) followed by the path to the .reg file to elevate
    3. Check “Ignore arguments case”
    4. NEXT

  9. Select “Run with elevated privileges” -> NEXT

  10. Rename and set Item Level Targeting if required -> FINISH

Method 2: New Script Policy

Before you create the policy, place your script on a server or secure, shared location (e.g. \\server\share\PSscript.ps1). The following is a sample script that can be used either with PowerShell or as a batch file to import a .REG file:

Regedit.exe /s \\server\share\NewRegValue.reg

  1. Create new GPO where required
  2. Expand PolicyPak node on either Computer or User Configuration side and click on “Least Privilege Manager”
  3. Create new SCRIPT Policy (a or b)

  4. Select “Use Combo Rule …” -> NEXT

    Note: Although you can use a simple rule and simply use path as the qualifying factor, for security purposes it is recommended to have multiple qualifying factors.

  5. Under Conditions check “Path” and “Hash” -> NEXT

    Note: If you make changes to the script, the Hash value will need to be updated for the policy to remain valid. Alternatively, if you digitally sign your script, Signature can be used instead of Hash as the second method of validation.

  6. Under Path Condition click the Add drop-down and select “Add file ...”

  7. Browse to the location of the PowerShell script -> When prompted, allow it to automatically fill in the Hash value

  8. Click on Hash Condition to confirm Value has been set -> If desired, change algorithm to setting of choice

  9. Select “Run with elevated privileges” -> NEXT

  10. Rename and set Item Level Targeting if required -> FINISH
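As an added example (not code from the PolicyPak article) of what the Method 2 script can do beyond the bare regedit call shown above: a PowerShell wrapper that checks the .REG file's location, its SHA256 hash and the registry keys it touches before performing the elevated import, so that a tampered .REG file is rejected even though the script itself is trusted by Path and Hash. The UNC path, the expected hash and the allowed key prefixes are placeholders to be replaced with your own values.

```powershell
# Added example, not the article's script. Placeholders: $RegFile, $ExpectedSha256, $AllowedKeyPrefixes.
param(
    [string]$RegFile = '\\server\share\NewRegValue.reg',
    # Placeholder: SHA256 of the approved .reg file, recorded when the policy was created.
    [string]$ExpectedSha256 = '0000000000000000000000000000000000000000000000000000000000000000',
    # Subtrees an elevated import is allowed to write to (no trailing backslash).
    [string[]]$AllowedKeyPrefixes = @('HKEY_LOCAL_MACHINE\SOFTWARE\Contoso', 'HKEY_CURRENT_USER\SOFTWARE\Contoso')
)

# 1. The file must come from a server share, never from a local path a user can edit.
if ($RegFile -notmatch '^\\\\[^\\]+\\') {
    Write-Error "Refusing to import '$RegFile': not a UNC path."; exit 1
}
if (-not (Test-Path -LiteralPath $RegFile)) {
    Write-Error "Refusing to import '$RegFile': file not found."; exit 1
}

# 2. The content must match the hash approved by the administrator.
$actual = (Get-FileHash -LiteralPath $RegFile -Algorithm SHA256).Hash
if ($actual -ne $ExpectedSha256.ToUpperInvariant()) {
    Write-Error "Refusing to import '$RegFile': SHA256 $actual does not match the approved hash."; exit 2
}

# 3. Every key in the file (including [-HKEY...] deletions) must sit under an approved subtree,
#    so the elevated import cannot reach Run keys, services or other sensitive locations.
#    Select-String honours the UTF-16 BOM that regedit writes to exported .reg files.
$keys = Select-String -LiteralPath $RegFile -Pattern '^\[-?(HKEY_[^\]]+)\]' |
    ForEach-Object { $_.Matches[0].Groups[1].Value.TrimEnd('\') }
foreach ($key in $keys) {
    $allowed = $false
    foreach ($prefix in $AllowedKeyPrefixes) {
        if ($key -eq $prefix -or $key.StartsWith("$prefix\", [System.StringComparison]::OrdinalIgnoreCase)) {
            $allowed = $true; break
        }
    }
    if (-not $allowed) {
        Write-Error "Refusing to import '$RegFile': key '$key' is outside the allowed subtrees."; exit 3
    }
}

# 4. All checks passed: run the silent import and pass regedit's exit code back to the caller.
$proc = Start-Process -FilePath "$env:SystemRoot\regedit.exe" -ArgumentList @('/s', "`"$RegFile`"") `
    -Wait -PassThru -NoNewWindow
exit $proc.ExitCode
```

Because the policy's Hash condition covers this wrapper and not the .REG file, the hash check inside the script is what ties the elevated import to one specific approved .REG file.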
  • 906
  • 09-Nov-2021