I have a detection rule, "Registry Key Value", that is looking for:
Registry Key Path: HKEY_CURRENT_USER\Software\Meditech\Wrkstn\MEDITECH_A
Registry entry: I
Registry Value: MEDITECH_A.chchealth.net
I also have the policy set to run as the current logged on user.
One user does have this reg entry, but when logged in as users who don't have it, the detection rule still comes back with a success and the policy does not run. Any idea why? It seems like it's still searching the entire hive instead of just the current user.
Did you ever get a solution for your question? I have a similar issue as well.
Yes, I did. It was my own fault: I forgot to check the box for subkey on my detection check rule.