Delete Skype Run at Startup Registry Key Value Under HKEY_USERS (HKCU Workaround)

It has come up more than a few times that modifying HKCU in a worklet doesn’t behave as expected. This is because the worklet process runs under the SYSTEM account, so pointing to HKCU:\ modifies only the keys under the SYSTEM SID (S-1-5-18).

This worklet deletes the desired value for every local user account tied to that device. It is based on @rich’s original HKCU workaround: Modify registry key/value under HKEY_USERS (HKCU Workaround)

NOTE: Because it uses Get-CimInstance, this worklet will only work on Windows 10, Server 2016+, or systems upgraded to at least PowerShell 5.

This particular worklet removes a Skype (Lync) registry value in the “Run” key, which launches it at each user’s startup. It also deletes some Skype Start menu shortcuts at the end. It was written because the customer’s Skype was integrated with MS Office and couldn’t be individually uninstalled.

Evaluation:

#Define desired registry settings
$regPath = "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
$regName = "Lync"

#Get user profile details, including SID, from Win32_UserProfile
$users = Get-CimInstance -Class Win32_UserProfile -Filter "Special = $false"

#Add HKEY_USERS to a PSDrive for easy access later
New-PSDrive -PSProvider Registry -Name HKU -Root HKEY_USERS -ErrorAction SilentlyContinue | Out-Null

$nonCompliant = @()

#Loop through the list of users to check each for compliance
foreach ($user in $users) {
    
    #Retrieve SIDs for each user
    $sid = $user.SID
    $local = $user.LocalPath
    
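    #Load Registries for users, if ntuser.dat exists
    #this prevents us from attempting to load Administrator and similar accounts
    if (Test-Path "$local\ntuser.dat") {

        #Load user's ntuser.dat into the registry, unless the user is logged on
        #and the hive is already mounted under HKU\<SID>
        $loaded = $false
        if (-not (Test-Path "HKU:\$sid")) {
            & reg load "HKU\$sid" "$local\ntuser.dat" | Out-Null
            $loaded = $true
        }
        $properties = Get-ItemProperty -Path "HKU:\$sid\$regPath" -ErrorAction SilentlyContinue
        $value = $($properties.$regName)

        #If this value exists, add the user to nonCompliant list
        if ($value) {
            $nonCompliant += $user
        }

        #Unload the hive we loaded so ntuser.dat is not left locked
        if ($loaded) {
            [gc]::Collect()
            & reg unload "HKU\$sid" | Out-Null
        }
    }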
}

#Clean-up the PSDrive
Remove-PSDrive -Name HKU

#If any users are non-compliant, "Exit 1" to flag remediation. Else "Exit 0" for Compliant
if ($nonCompliant.Count -gt 0) {
    Exit 1
} else { Exit 0 }

Remediation:

#Define desired registry settings
$regPath = "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
$regName = "Lync"

#Get user profile details, including SID, from Win32_UserProfile
$users = Get-CimInstance -Class Win32_UserProfile -Filter "Special = $false"

#Add HKEY_USERS to a PSDrive for easy access later
New-PSDrive -PSProvider Registry -Name HKU -Root HKEY_USERS

foreach ($user in $users) {

    #Retrieve SIDs for each user
    $sid = $user.SID
    $local = $user.LocalPath

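    #Load Registries for users, if ntuser.dat exists
    #this prevents us from attempting to load Administrator and similar accounts
    if (Test-Path "$local\ntuser.dat") {

        #Load user's ntuser.dat into the registry, unless the user is logged on
        #and the hive is already mounted under HKU\<SID>
        $loaded = $false
        if (-not (Test-Path "HKU:\$sid")) {
            & reg load "HKU\$sid" "$local\ntuser.dat" | Out-Null
            $loaded = $true
        }

        #Delete the value; ignore users who do not have it
        Remove-ItemProperty -Path "HKU:\$sid\$regPath" -Name $regName -ErrorAction SilentlyContinue

        #Unload the hive we loaded so ntuser.dat is not left locked
        if ($loaded) {
            [gc]::Collect()
            & reg unload "HKU\$sid" | Out-Null
        }
    }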
}

Remove-PSDrive -Name HKU

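#Delete the Skype start-menu shortcuts; ignore ones that are already gone
Remove-Item "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Skype for Business.lnk" -ErrorAction SilentlyContinue
Remove-Item "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Office Tools\Skype for Business Recording Manager.lnk" -ErrorAction SilentlyContinue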
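
Before deleting anything, it helps to see what each profile's Run key actually holds. The following is an added example, not part of the original worklet: a read-only inventory that uses the same per-profile hive approach and generalizes it from the single "Lync" value to every value in the key. The function name Get-UserRunValue is hypothetical.

```powershell
# Added example: read-only inventory of per-user Run values (nothing is modified).
# Must run elevated (as SYSTEM, the way a worklet runs) so reg load is permitted.
$regPath = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Run'

function Get-UserRunValue {
    param([Parameter(Mandatory)] $UserProfile)   # a Win32_UserProfile instance

    $sid  = $UserProfile.SID
    $hive = Join-Path $UserProfile.LocalPath 'ntuser.dat'
    $root = "Registry::HKEY_USERS\$sid"
    $loadedHere = $false

    # A logged-on user's hive is already mounted; only load the others
    if (-not (Test-Path $root)) {
        if (-not (Test-Path -LiteralPath $hive)) { return }
        & reg.exe load "HKU\$sid" $hive 2>&1 | Out-Null
        if ($LASTEXITCODE -ne 0) { return }
        $loadedHere = $true
    }
    try {
        $key = Get-Item -Path "$root\$regPath" -ErrorAction SilentlyContinue
        if ($key) {
            foreach ($name in $key.GetValueNames()) {
                [pscustomobject]@{
                    SID     = $sid
                    Profile = $UserProfile.LocalPath
                    Name    = $name
                    Command = $key.GetValue($name)
                }
            }
            $key.Close()    # release the handle so the unload can succeed
        }
    }
    finally {
        # Unload only hives this function mounted, never a logged-on user's
        if ($loadedHere) {
            [gc]::Collect(); [gc]::WaitForPendingFinalizers()
            & reg.exe unload "HKU\$sid" 2>&1 | Out-Null
        }
    }
}

Get-CimInstance -Class Win32_UserProfile -Filter "Special = $false" |
    ForEach-Object { Get-UserRunValue -UserProfile $_ } |
    Format-Table -AutoSize
```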