Query Details
DeviceRegistryEvents
| where ActionType == "RegistryValueSet" //or ActionType == "RegistryKeyCreated"
| where RegistryKey == @"HKEY_CURRENT_USER\Software\Microsoft\Global Secure Access Client"
| where RegistryValueName == "IsPrivateAccessDisabledByUser"
| where RegistryValueData == "1" // If the registry value doesn't exist, the default value is 0x0, so Private Access is enabled. https://learn.microsoft.com/en-us/entra/global-secure-access/how-to-install-windows-client#disable-or-enable-private-access-on-the-client
This query searches the DeviceRegistryEvents table for specific events related to changes in the Windows registry. Here's a breakdown of what it does:
Filter by ActionType: It looks for events where the registry action is setting a registry value (RegistryValueSet). The commented-out alternative would also match registry key creation (RegistryKeyCreated); as written, only value-set events pass this filter.
Filter by Registry Key: It specifically focuses on changes made to the registry key located at HKEY_CURRENT_USER\Software\Microsoft\Global Secure Access Client.
Filter by Registry Value Name: It checks for changes to the registry value named IsPrivateAccessDisabledByUser.
Filter by Registry Value Data: It looks for instances where the data for this registry value is set to "1". This indicates that the user has disabled Private Access.
In simple terms, this query is identifying events where a user has disabled Private Access in the Global Secure Access Client settings on their Windows machine by changing a specific registry value.
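The same four predicates reimplemented in Python and run over a few constructed DeviceRegistryEvents-shaped rows, as an added example that is not part of the original query or its author's material. It also replays the events per device so that a later set to "0" or a deleted value (which falls back to the default 0x0, i.e. enabled, as the query's comment notes) clears the "disabled" state. The ActionType value RegistryValueDeleted and all column names follow the DeviceRegistryEvents schema; the sample rows themselves are constructed. Comparisons are exact, matching KQL's case-sensitive `==`.

```python
"""Python mirror of the KQL query above, run over constructed sample rows.

Added example; not the original query author's code. Sample events are
constructed to exercise the match, a re-enable, a deletion and two non-matches.
"""

# Predicate values taken from the KQL query above.
GSA_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Global Secure Access Client"
VALUE_NAME = "IsPrivateAccessDisabledByUser"
DISABLED = "1"


def _row(ts, device, action, key=GSA_KEY, name=VALUE_NAME, data=""):
    """Build one constructed DeviceRegistryEvents-shaped row."""
    return {
        "Timestamp": ts,
        "DeviceName": device,
        "ActionType": action,
        "RegistryKey": key,
        "RegistryValueName": name,
        "RegistryValueData": data,
    }


# Constructed sample telemetry (not real data), in time order.
SAMPLE_EVENTS = [
    _row("2024-11-30T10:00:00Z", "ws01", "RegistryValueSet", data="1"),   # disabled
    _row("2024-11-30T10:05:00Z", "ws02", "RegistryValueSet", data="1"),   # disabled ...
    _row("2024-11-30T10:10:00Z", "ws02", "RegistryValueSet", data="0"),   # ... then re-enabled
    _row("2024-11-30T10:15:00Z", "ws03", "RegistryValueSet", data="1"),   # disabled ...
    _row("2024-11-30T10:20:00Z", "ws03", "RegistryValueDeleted"),         # ... value removed -> default 0x0
    _row("2024-11-30T10:25:00Z", "ws04", "RegistryKeyCreated", name=""),  # key only, no value written
    _row("2024-11-30T10:30:00Z", "ws05", "RegistryValueSet",
         key=r"HKEY_CURRENT_USER\Software\Microsoft\SomeOtherApp", data="1"),  # wrong key
]


def find_private_access_disabled(events):
    """Apply the query's four 'where' predicates with exact (case-sensitive) matching."""
    return [
        e for e in events
        if e["ActionType"] == "RegistryValueSet"
        and e["RegistryKey"] == GSA_KEY
        and e["RegistryValueName"] == VALUE_NAME
        and e["RegistryValueData"] == DISABLED
    ]


def private_access_state_by_device(events):
    """Replay events chronologically and report whether Private Access is currently
    disabled (True) or enabled (False) on each device that touched the value.

    A RegistryValueDeleted event restores the default 0x0, so the device is
    treated as enabled again.
    """
    state = {}
    for e in sorted(events, key=lambda e: e["Timestamp"]):
        if e["RegistryKey"] != GSA_KEY or e["RegistryValueName"] != VALUE_NAME:
            continue
        if e["ActionType"] == "RegistryValueSet":
            state[e["DeviceName"]] = e["RegistryValueData"] == DISABLED
        elif e["ActionType"] == "RegistryValueDeleted":
            state[e["DeviceName"]] = False
    return state


if __name__ == "__main__":
    for hit in find_private_access_disabled(SAMPLE_EVENTS):
        print("match:", hit["Timestamp"], hit["DeviceName"])
    print("current state:", private_access_state_by_device(SAMPLE_EVENTS))
```

Running it lists the three raw matches (ws01, ws02, ws03) exactly as the KQL query would, while the replay shows only ws01 still has Private Access disabled; the stateful view is what you would want before raising a ticket, since a single "1" event may already have been reverted.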

Jay Kerai
Released: November 30, 2024