Updating the registry on remote machines – RegistryChangeJournal.ps1


Recently Microsoft managed to break AutoDesk by altering the permissions granted to the common user when updating or repairing MSI packaged applications.

https://support.microsoft.com/en-gb/topic/unexpected-uac-prompts-when-running-msi-repair-operations-after-installing-the-august-2025-windows-security-update-5806f583-e073-4675-9464-fe01974df273

Predictably this broke various applications that used this feature.

In our case, Autodesk no longer started for the standard user cohort, instead demanding admin escalation when run for the first time for that user account, on that machine.

https://www.autodesk.com/support/technical/article/caas/sfdcarticles/sfdcarticles/After-installation-of-Security-Update-for-Microsoft-Windows-AutoCAD-products-request-admin-credentials.html

It became clear we would have to whitelist the escalation source from triggering UAC, a straightforward registry fix, but how to do it over hundreds of machines without just lighting the proverbial cannon and sticking our fingers in our ears?

Enter my newest brainchild, RegistryChangeJournal. It does exactly what it says on the tin: it changes the local machine registry (other hives are available) and journals what it had to modify to a log file and a JSON file.

It’s a simple concept but very useful.

When a key is added, the script expands the path and checks whether each folder (key) along it exists; if one does not, the script creates it and records a journal entry.

It then checks whether the value exists and whether it differs from the target, and records the creation or the change (including the previous value).

The result is a table and log that records the state of the registry prior to modifying it, and any changes made.
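The journaling walk described above, written out as an added example. This is not the RegistryChangeJournal code itself: the function names (Assert-JournaledKey, Add-JournaledKey, Write-JournalEntry, Save-Journal), the journal record shape and the output paths under ProgramData are assumptions made for illustration. The registry paths in the commented usage are the Acrobat ones from the Invoke-Actions example on this page.

```powershell
# Added example (not the RegistryChangeJournal code): an illustrative implementation
# of "walk the key path, create what is missing, journal every change".
# Function names, journal record shape and output locations are assumptions.

$script:Journal  = New-Object 'System.Collections.Generic.List[object]'
$script:LogPath  = Join-Path $env:ProgramData 'RegistryChangeJournal\changes.log'
$script:JsonPath = Join-Path $env:ProgramData 'RegistryChangeJournal\changes.json'

function Write-JournalEntry {
    param(
        [Parameter(Mandatory)] [string] $Action,   # MissingKey, CreateKey, CreateValue, ChangeValue
        [Parameter(Mandatory)] [string] $Path,
        [string] $Name,
        $OldValue,
        $NewValue
    )
    $entry = [pscustomobject]@{
        Timestamp = (Get-Date).ToString('o')
        Action    = $Action
        Path      = $Path
        Name      = $Name
        OldValue  = $OldValue
        NewValue  = $NewValue
    }
    $script:Journal.Add($entry)

    # Append a human-readable line; the JSON file is written once at the end.
    $dir = Split-Path -Path $script:LogPath -Parent
    if (-not (Test-Path -LiteralPath $dir)) { New-Item -Path $dir -ItemType Directory -Force | Out-Null }
    "$($entry.Timestamp) $Action $Path [$Name] '$OldValue' -> '$NewValue'" | Add-Content -Path $script:LogPath
}

function Assert-JournaledKey {
    # Stops the run if the key is absent (e.g. the application is not installed),
    # so nothing further is created on a machine that does not need the change.
    param([Parameter(Mandatory)] [string] $Path)
    if (Test-Path -LiteralPath $Path) { return }
    Write-JournalEntry -Action 'MissingKey' -Path $Path
    throw "Registry key '$Path' not found; no changes applied."
}

function Add-JournaledKey {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $Name,
        [Parameter(Mandatory)] $Value,
        [ValidateSet('String','ExpandString','DWord','QWord','Binary','MultiString')]
        [string] $PropertyType = 'DWord'
    )

    # Walk the path one key at a time, creating and journaling each missing key.
    $drive, $rest = $Path -split ':\\', 2
    $current = "${drive}:"
    foreach ($segment in ($rest -split '\\' | Where-Object { $_ })) {
        $current = Join-Path -Path $current -ChildPath $segment
        if (-not (Test-Path -LiteralPath $current)) {
            New-Item -Path $current -Force | Out-Null
            Write-JournalEntry -Action 'CreateKey' -Path $current
        }
    }

    # Capture the prior state, then create or change the value only if it differs.
    $existing = Get-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $existing) {
        New-ItemProperty -LiteralPath $Path -Name $Name -Value $Value -PropertyType $PropertyType -Force | Out-Null
        Write-JournalEntry -Action 'CreateValue' -Path $Path -Name $Name -NewValue $Value
    }
    elseif ($existing.$Name -ne $Value) {
        Set-ItemProperty -LiteralPath $Path -Name $Name -Value $Value
        Write-JournalEntry -Action 'ChangeValue' -Path $Path -Name $Name -OldValue $existing.$Name -NewValue $Value
    }
    # Identical value already present: nothing to do, nothing to journal.
}

function Save-Journal {
    # Always write the JSON file, even when the journal is empty, so a run with
    # no changes is distinguishable from a run that never happened.
    ConvertTo-Json -InputObject @($script:Journal.ToArray()) -Depth 3 |
        Set-Content -Path $script:JsonPath -Encoding UTF8
}

# Usage, mirroring the Invoke-Actions pattern on the page (commented out so that
# dot-sourcing this file does not touch the registry):
# try {
#     Assert-JournaledKey 'HKLM:\SOFTWARE\Policies\Adobe\Adobe Acrobat\'
#     Add-JournaledKey 'HKLM:\SOFTWARE\Policies\Adobe\Adobe Acrobat\DC\FeatureLockDown' `
#         -Name 'bEnableGentech' -Value 0 -PropertyType DWord
# } finally { Save-Journal }
```

The try/finally matters for fleet use: if the assert throws on a machine without the application, the JSON file is still written, so the MDM report shows a MissingKey entry rather than nothing at all. The prior value is captured before Set-ItemProperty runs, which is what makes the journal usable for rolling the change back.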

To create a script I can deploy via Intune, I simply create a file that defines Invoke-Actions (example below), then run the build script, which appends the base functions to it in /build.

Then it’s a simple matter of uploading to the MDM provider and applying to a machine!

function Invoke-Actions {
    # Registry paths
    $basePath = 'HKLM:\SOFTWARE\Policies\Adobe\Adobe Acrobat\'
    $featurePath = 'HKLM:\SOFTWARE\Policies\Adobe\Adobe Acrobat\DC\FeatureLockDown'

    # Assert that the general Acrobat path exists first,
    # no point creating the entire path if the application isn't installed
    Assert-Key $basePath

    # https://www.reddit.com/r/sysadmin/comments/1avpv2x/adobe_acrobat_generative_ai_how_to_permanently/
    #Policies\Adobe\Adobe Acrobat\DC\FeatureLockDown

    Add-Key $featurePath -Name "bEnableGentech" -Value 0 -PropertyType DWord
}

Removing the new AI features from Adobe Acrobat Reader, entrypoint pictured.